Hi,

Apparently only Gmail has this feature; Google Apps site owners do not have this option in their settings tab, so they are still vulnerable to attack.

On Tuesday 12 August 2008 02:37:24 coderman wrote:
> On Mon, Aug 11, 2008 at 4:03 AM, Sandro Gauci <[EMAIL PROTECTED]> wrote:
> > Say hello to a new security tool called "Surf Jack" which demonstrates
> > a security flaw found in various public sites. The proof of concept
> > tool allows testers to steal session cookies on HTTP and HTTPS sites
> > that do not set the Cookie secure flag.
>
> note: Gmail now supports an account option to enforce the secure only
> bit on session cookies and keeps your entire gmail session on SSL.
> this makes attacks like this and Mike Perry's active side jacking
> impossible, as the session cookie is no longer sent in the clear when
> http:// non-SSL links are injected into browser content.
>
> to enable this feature:
> - at top of page select "Settings"
> - scroll to bottom of section for "Browser connection:" preference
> - select "Always use https"
>
> this will pass the Secure / secureonly option when setting the GX=...
> session cookie used to identify your authenticated session. this
> cookie will then never be sent over plain-text connections, protecting
> you from passive / active side jacking attacks.
>
> be sure to use a somewhat modern browser that supports secure only
> cookies. you can also verify correct operation with the "Live HTTP
> Headers" plugin for Firefox.
>
> hopefully ongoing attention and improved tools demonstrating the need
> for continuous SSL / secureonly session management will be adopted by
> all web developers and sites. (i'm not holding my breath...)
>
> best regards,
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Noam Rathaus
CTO
[EMAIL PROTECTED]
http://www.beyondsecurity.com
"Know that you are safe."
Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007
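The check coderman suggests doing by hand with "Live HTTP Headers" (does the session cookie carry the Secure flag, and does the browser therefore withhold it on an injected http:// link) can be scripted. The following is an added example, not code from any of the posters or from the Surf Jack tool: it parses Set-Cookie header values, reports which cookies lack Secure, and models the browser's send decision (scheme, domain-match and RFC 6265 path-match) for a given URL. The GX cookie name comes from the thread; the cookie value, the Path and the two sample headers are constructed placeholders, not captured Gmail traffic.

```python
"""Audit Set-Cookie headers for the Secure flag and model what a browser
would actually send on http:// versus https:// requests.

Added example: the headers below are constructed, the GX cookie value is a
placeholder, and the Path=/mail assumption is illustrative only.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str, default_domain: str) -> Cookie:
    """Parse one Set-Cookie header value.

    Attribute names are matched case-insensitively, as browsers do, so
    'secure', 'Secure' and 'SECURE' all set the flag.  Expires/Max-Age
    are irrelevant to the secure-flag question and are ignored.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), default_domain.lower(),
                    "/", False, False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            cookie.path = val
    return cookie


def missing_secure(headers: List[str], default_domain: str) -> List[str]:
    """Names of cookies that will travel in clear text on any http:// hit."""
    return [c.name
            for c in (parse_set_cookie(h, default_domain) for h in headers)
            if not c.secure]


def _domain_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def _path_matches(request_path: str, cookie_path: str) -> bool:
    # RFC 6265 section 5.1.4 path-match rules.
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(headers: List[str], default_domain: str, url: str) -> List[str]:
    """Names the browser would put in the Cookie header for `url`.

    A Secure cookie is never attached to a non-https request, which is the
    whole point of the 'Always use https' setting discussed in the thread.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    https = parts.scheme.lower() == "https"
    sent = []
    for h in headers:
        c = parse_set_cookie(h, default_domain)
        if c.secure and not https:
            continue  # secure-only: withheld from the plain-text request
        if _domain_matches(host, c.domain) and _path_matches(path, c.path):
            sent.append(c.name)
    return sent


# Constructed samples: the same session cookie before and after the fix.
BEFORE_HEADERS = ["GX=EXAMPLE-SESSION-TOKEN; Domain=mail.google.com; Path=/mail"]
AFTER_HEADERS = ["GX=EXAMPLE-SESSION-TOKEN; Domain=mail.google.com; Path=/mail; Secure"]


if __name__ == "__main__":
    injected = "http://mail.google.com/mail/"   # an injected non-SSL link
    for label, hdrs in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        print(label, "missing Secure:", missing_secure(hdrs, "mail.google.com"),
              "| sent on", injected, ":", cookies_sent(hdrs, "mail.google.com", injected))
```

Run it against real Set-Cookie lines copied from a browser's header view: any session cookie listed by missing_secure is exactly what Surf Jack can pick up once the victim is made to load an http:// URL on that domain.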
