http://blogs.zdnet.com/security/?p=842

"Even with SSL enabled, Gmail sessions can still be hijacked by Graham's Hamster and Ferret (or less easily with Wireshark and Mozilla's cookie editor)." [...] "Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail's JavaScript code will fall back to non-encrypted http mode if https isn't available. This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won't be able to connect to anything. At that point in time Gmail's JavaScripts will attempt to communicate via unencrypted http mode and it's game over if someone is capturing the data."

What a nice "hole"!

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List

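An added example, not part of the original post or the quoted article: a defender-side check of which cookies in a response would be attached to a plain-http request after a fallback like the one described, and whether an HSTS policy is present to prevent that fallback. The cookie names and header values are constructed for illustration.

```javascript
// Constructed sample response headers (not captured from any real service).
const sampleHeaders = [
  ["Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"],
  ["Set-Cookie", "CSRF=xyz; Path=/; Secure; HttpOnly"],
  ["Set-Cookie", "PREFS=lang%3Den; Path=/; secure"],
];

// Parse one Set-Cookie value into { name, attrs }, attribute names lower-cased.
function parseSetCookie(value) {
  const parts = value.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return { name: "", attrs: new Set() };
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = new Set(
    parts.slice(1).map((p) => p.split("=")[0].trim().toLowerCase())
  );
  return { name, attrs };
}

// Names of cookies set without the Secure attribute: a browser will attach
// these to http:// requests to the same host, where a sniffer can read them.
function cookiesExposedOnHttp(headers) {
  return headers
    .filter(([h]) => h.toLowerCase() === "set-cookie")
    .map(([, v]) => parseSetCookie(v))
    .filter((c) => !c.attrs.has("secure"))
    .map((c) => c.name);
}

// True when the response carries a Strict-Transport-Security policy with a
// positive max-age, so the browser upgrades http requests for this host.
function hstsEnabled(headers) {
  const h = headers.find(
    ([n]) => n.toLowerCase() === "strict-transport-security"
  );
  if (!h) return false;
  const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(h[1]);
  return m !== null && Number(m[1]) > 0;
}

function audit(headers) {
  return { exposed: cookiesExposedOnHttp(headers), hsts: hstsEnabled(headers) };
}

console.log(audit(sampleHeaders));
```

A non-empty `exposed` list combined with `hsts: false` is the condition under which a fallback to http hands the session to anyone capturing traffic.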