On Sun, May 2, 2010 at 4:10 AM, Gaurav Paliwal <[email protected]> wrote:

>> I forgot to ask Alok if he uses https option in gmail. In fact, I took
>> https for granted in Alok's preferences.
A few points.

1. Gmail (as Gaurav pointed out) by default uses https and NOT http. This change was brought in a few months back?

2. It is unlikely that anything inside IIT was compromised. If it was from within IIT, the attacker was probably smart enough to access his gmail account via a proxy.

3. The content of the email that was sent out can hint at whether it was from within IIT or not.

4. Alok could have accessed his gmail account from a compromised machine which had spyware collecting usernames/passwords.

5. If you talk about general email (gmail) security, a nice attack vector could potentially be attacking all those linkedin kind of services where people willingly divulge their passwords (and hope they are not being recorded).

6. Hosting your email account at a third party IMHO does not make it particularly safe. For example, GoDaddy, a popular domain name hosting service, was recently compromised (google for the news). In the past, I have also been a victim of such attacks on registered domains (that was a hosting domain though).

7. I don't understand what is so strange about not finding lots of encryption standards to choose from in gmail settings. It would be strange if all other "free" email services offered it and gmail did not. You probably have too high an expectation from google.

8. @Mohit, can you explain why DoS may somehow deregulation at the databases and how/if they would reveal passwords? (I don't understand what you are trying to say there :P)

9. https is also prone to vulnerabilities, and if you browse for news in the past 6 months, I am sure I read something about that.

Just my 2 cents.

SB

--
l...@iitd - http://tinyurl.com/ycueutm
