gmail and https

Point and Click Gmail Hacking at Black Hat:

Gmail username and password authentication takes place over HTTPS, but then you get a session cookie and the rest of your session takes place over unencrypted HTTP. Robert Graham’s demo at Black Hat showed that by sniffing the cookie over an open network, the Gmail session can be hijacked.

Gmail supports HTTPS, but the only way to get it is to specify ‘https:’ in the URL when you load the site. Google should redirect all HTTP Gmail traffic to HTTPS by default.


I use Mailplane to read my mail (I have forwarded my Mac.com email over there and no longer use Mail.app) and I have it configured to use https. But even before then, I had a Greasemonkey script re-writing the URL to use https.

/me looks in vain for the script

Looks like it didn’t survive one of the many rebuilds I’ve had to do lately. Well, you could easily make one from Pilgrim’s guide to GreaseMonkey. It’s worth doing.

[update] Here it is.

Gmailhttps
