On Sun, May 2, 2010 at 10:43 PM, Sharad Birmiwal <[email protected]> wrote:
> On Sun, May 2, 2010 at 4:10 AM, Gaurav Paliwal
> <[email protected]> wrote:
>>>
>>> I forgot to ask Alok if he uses https option in gmail. In fact, I took
>>> https for granted in Alok's preferences.
>>>
>
> Few points.
>
> 1. Gmail (as Gaurav pointed out) by default uses https and NOT http.
> This change was brought a few months back?
>
> 2. It is unlikely that anything inside IIT was compromised. If it was
> from within IIT, the attacker was probably smart enough to access his
> gmail account via proxy.
>
> 3. The content of the email that was sent out can hint on whether it
> was from within IIT or not.
>
> 4. Alok could have accessed his gmail account from a compromised
> machine which had spyware collecting usernames/passwords.
>
> 5. If you talk about general email (gmail) security, a nice attack
> vector could be potentially attacking all those linkedin kind services
> where people willingly divulge their passwords (and hope they are not
> being recorded).
>
> 6. Hosting your email account at a third-party IMHO does not make it
> particularly safe. For example, GoDaddy, a popular domain name hosting
> service was recently compromised (google for the news). In the past, I
> have also been a victim of such attacks on registered domains (that
> was a hosting domain though).
>
> 7. I don't understand what is so strange about not finding lots of
> encryption standards to choose from in gmail settings. It would be
> strange if all other "free" email services offered it and gmail did
> not. You probably have too high an expectation from google.

To add to that, those who make so much fuss about encryption standards,
upgrade your web browsers. In TLS, your client sends what encryption
methods it supports to the server.

>
> 8. @Mohit, can you explain why DoS may somehow deregulation at the
> databases and how/if they would reveal passwords? (I don't understand
> what you are trying to say there :P)
>
> 9. https is also prone to vulnerabilities and if you browse for news
> in the past 6 months, I am sure I read something about that.
>
> Just my 2 cents.
>
>
> SB
>
> --
> l...@iitd - http://tinyurl.com/ycueutm
>

Some more points:

1. About the compromised squid box:

@Mohit: Think at least twice before making such claims. If I design a system, not any jerkhead can break into it. Assuming that HTTPS is unbreakable (which isn't the case in all scenarios), any tinkering with the web traffic will get notified on the client side.

2. About Kerberos set up for emails:

Implementing a Kerberos system in place of the cookies and session based systems, IMHO will make things less secure. How do you make sure that every machine from which you are trying to access a ticket, has a proper keytab? Kerberos works perfectly for small networks, but I haven't encountered any publicly available web technology that uses Kerberos. Definitely, it needs brainstorming, but with the current infrastructure in place, it is impossible to change the entire system.

3. Password security vs. Session security:

You do not need the password to send emails from somebody's email accounts, etc. Imagine a house with strong locks on the door, but an open window right next to the door. Just opening up any email might let somebody have access to your session (though it is a lot harder given that google people are smart enough).

Cheers
Nitesh Mor

--
l...@iitd - http://tinyurl.com/ycueutm
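Point 3 above (a session can be abused without the password) is what the `Secure` and `HttpOnly` cookie attributes exist to limit. The following is an added example, not code from this thread or from any mail provider: it parses Set-Cookie headers and reports session cookies that lack either attribute. The header lines and the set of session cookie names are constructed assumptions for the illustration.

```python
"""Audit Set-Cookie headers for the attributes that limit session theft.

Added example for point 3 above: whoever holds a valid session cookie can
act as the user without the password. `Secure` keeps the cookie off plain
http (an http link or downgraded connection cannot expose it in transit);
`HttpOnly` keeps it out of reach of page script, so markup rendered from an
opened message cannot read the value and send it elsewhere. All cookie
names and headers here are constructed, not taken from any real service.
"""

# Constructed sample responses; the first is the hardened form.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Secure; HttpOnly",
    "SSID=def456; Path=/; Secure",               # page script can read it
    "GX=ghi789; Path=/",                         # also sent over plain http
    "PREF=lang=en; Path=/; Expires=Mon, 01 Jan 2018 00:00:00 GMT",
]

# Assumption: these names carry the login session; the rest are preferences.
SESSION_COOKIES = {"SID", "SSID", "GX"}


def parse_set_cookie(header):
    """Split one Set-Cookie line into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, session_cookies=SESSION_COOKIES):
    """Return (name, findings); findings is empty when nothing is missing."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name not in session_cookies:
        return name, findings        # not a session cookie: nothing at stake
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain http as well")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script")
    return name, findings


def audit_all(headers):
    """Map each session cookie with a weak attribute set to its findings."""
    return {name: found for name, found in map(audit_cookie, headers) if found}
```

Running `audit_all(SAMPLE_HEADERS)` flags `SSID` (no HttpOnly) and `GX` (neither attribute) while the hardened `SID` and the preference cookie `PREF` produce no findings.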
