  Why You Should Enable SSL by Default in Gmail RIGHT NOW 
 
Bitmap Aug 20, 2008, 12:57am EDT
Replies: 9 - Views: 321


________
http://www.talking-games.com (coming soon!)

"Always close your tags, but keep your API's open."
"Friends don't let friends use tables."
Meats_Of_Evil Aug 20, 2008, 02:06am EDT
>> Re: Why You Should Enable SSL by Default in Gmail RIGHT NOW
Wow.... At least that hacker had a good intention on doing that. I never thought Google would be so naive with their security, I thought Gmail had top notch security but I keep reading these exploits. :X

I hope Yahoo isn't vulnerable to this. :s

Antec 900 Case
Windows XP Home Edition
Q6600 G0 @ 3.2ghz / Zalman 9500
Evga 680i NF-68 T1
OCZ x2Gb SLI DDR2@800/ 4-4-4-12-1t timings
8800gt @ 700/1750/975
OCZ GameXStream 700w
Seagate160gb,Hitachi 260gb HD
X-fi Xtreme Music
3DMark06(Free)-14,439
Kieran Blenkarne Aug 20, 2008, 02:52am EDT
>> Re: Why You Should Enable SSL by Default in Gmail RIGHT NOW
Thanks Bobby, my father uses this for his emails, I have passed this information on to him.

Yay for HWA

___
I could be a cold-hearted cynic like you, but I don't like to hurt people's feelings. Think what you want about me; I'm not changing. I like..I like me. My family likes me. My friends like me. 'Cause I'm the real article. What you see is what you get
McFly Aug 20, 2008, 01:35pm EDT

Edited: Aug 20, 2008, 01:58pm EDT

 
>> Re: Why You Should Enable SSL by Default in Gmail RIGHT NOW
I use SSL on any site where it's available (including HWA). A good Fx extension to help with this is Redirector:
https://addons.mozilla.org/en-US/firefox/addon/5064

It's not needed for Gmail (if you've set up your account right), but for something like HWA, you can have it redirect the regex:

^http://(www\.)?hardwareanalysis\.com(.*)
to
https://www.hardwareanalysis.com$2

In most cases (when pre-load link checking is disabled, and you're not using XPaths or trying to do a POST request), it will redirect you before ever even loading the non-SSL version.
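
Added example, not part of McFly's post: the rule above run against a few URLs, next to a stricter variant that requires the hostname to end at "/" or at the end of the URL. It assumes Redirector evaluates the pattern as a JavaScript regular expression; `strictPattern`, the sample URLs and the function names are constructed for illustration.

```javascript
// Added example. Assumes Redirector evaluates the rule as a JavaScript regex.
// The rule from the post:
const postPattern = /^http:\/\/(www\.)?hardwareanalysis\.com(.*)/;
// Stricter variant (an assumption added here): host must end at "/" or end of URL.
const strictPattern = /^http:\/\/(www\.)?hardwareanalysis\.com(\/.*)?$/;
const target = "https://www.hardwareanalysis.com$2";

// Returns the redirect target, or null when the rule does not apply.
function redirect(url, pattern) {
  return pattern.test(url) ? url.replace(pattern, target) : null;
}

// Constructed sample URLs; the paths and the example.net host are made up.
const samples = [
  "http://hardwareanalysis.com/content/forum/",
  "http://www.hardwareanalysis.com",
  "https://www.hardwareanalysis.com/",
  "http://hardwareanalysis.com.example.net/login",
];

// One row per URL: what each pattern would redirect it to.
function compareRules(urls) {
  return urls.map((url) => ({
    url,
    post: redirect(url, postPattern),
    strict: redirect(url, strictPattern),
  }));
}

console.table(compareRules(samples));
```

The last sample shows that `(.*)` directly after `\.com` also captures a longer hostname, which the stricter variant leaves alone.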

McFly Sep 06, 2008, 10:36pm EDT

Edited: Sep 13, 2008, 12:28am EDT

 
>> Re: Why You Should Enable SSL by Default in Gmail RIGHT NOW
Here's another tip for the Firefoxians of the world ... (I think you can do something similar with Opera, for IE I have no idea) ...

Gmail by default uses RC4 128-bit for its SSL. If you'd like to bump that to 256-bit AES, head on over to about:config, filter rc4, and set all the security booleans to false.

Go back to Gmail (might have to restart Fx) --> Page Info ... woo hoo, AES. :) It also then uses TLSv1 as opposed to SSLv3. That's nice. :)
edit: actually, I think even with RC4 it's using TLSv1, but I haven't checked.

The drawback here is that it disables RC4-based SSL on all sites. On any sites that support RC4 and AES, this is a good thing -- if RC4 is given higher priority by the server, you get moved up to AES. Otherwise you'll get moved to something like Triple DES (certainly slower than RC4, you can make up your own mind as to whether or not it's more secure).

Or, if the site only supports RC4, you won't be able to connect at all. I haven't run into any of those (of the sites I use) so far. Check your banking site, though. It seems a lot of banks still use RC4, and only RC4. My bank luckily defaults to AES.
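
Added example, not part of McFly's post: a simplified model of cipher-suite selection showing the three outcomes described above once the client stops offering RC4 (moved to AES, moved to Triple DES, or no connection). The suite names are standard TLS identifiers; the client offer and the four server configurations are constructed, and the model assumes the server picks by its own preference order.

```javascript
// Added illustration: simplified suite selection, not a TLS implementation.
// Suite names are standard TLS identifiers; every list below is constructed.
const RC4_SHA = "TLS_RSA_WITH_RC4_128_SHA";
const RC4_MD5 = "TLS_RSA_WITH_RC4_128_MD5";
const AES256 = "TLS_RSA_WITH_AES_256_CBC_SHA";
const DES3 = "TLS_RSA_WITH_3DES_EDE_CBC_SHA";

// Hypothetical client offer, in client preference order.
const clientOffer = [AES256, RC4_SHA, RC4_MD5, DES3];

// Effect of switching the rc4 booleans off: those suites are no longer offered.
function withoutRc4(offer) {
  return offer.filter((suite) => !suite.includes("_RC4_"));
}

// The server picks the first suite in its own order that the client offered.
// Returns null when nothing overlaps, i.e. the handshake fails.
function negotiate(offer, serverOrder) {
  return serverOrder.find((suite) => offer.includes(suite)) ?? null;
}

// Constructed server configurations covering the cases in the post.
const servers = {
  rc4Preferred: [RC4_SHA, RC4_MD5, AES256, DES3],
  noAes: [RC4_SHA, DES3],
  rc4Only: [RC4_MD5, RC4_SHA],
  aesPreferred: [AES256, RC4_SHA],
};

// Negotiated suite with the default offer and with RC4 disabled.
function beforeAndAfter(serverOrder) {
  return {
    before: negotiate(clientOffer, serverOrder),
    after: negotiate(withoutRc4(clientOffer), serverOrder),
  };
}

for (const [name, order] of Object.entries(servers)) {
  const { before, after } = beforeAndAfter(order);
  console.log(`${name}: ${before} -> ${after ?? "handshake failure"}`);
}
```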

Roger Tiens Sep 08, 2008, 02:35am EDT
>> Re: Why You Should Enable SSL by Default in Gmail RIGHT NOW
McFly said:
Gmail by default uses RC4 128-bit for its SSL. If you'd like to bump that to 256-bit AES, head on over to about:config, filter rc4, and set all the security booleans to false.

AES is very outdated and quite insecure!!! Why do you insist on spouting on about it!

Bitmap Sep 08, 2008, 02:44am EDT
>> Re: Why You Should Enable SSL by Default in Gmail RIGHT NOW
Uh... wrong? 256-bit encryption is ridiculously secure. Layer it with other methods, and you're almost impenetrable. :~

________
http://www.talking-games.com (coming soon!)

"Always close your tags, but keep your API's open."
"Friends don't let friends use tables."
McFly Sep 08, 2008, 11:30am EDT
>> Re: Why You Should Enable SSL by Default in Gmail RIGHT NOW
Roger Tiens Sep 07, 2008, 11:35pm PDT
AES is very outdated and quite insecure!!! Why do you insist on spouting on about it!

I think maybe you're thinking of DES? Otherwise I have no idea what you're talking about ...

McFly Sep 13, 2008, 12:23am EDT

Edited: Sep 15, 2008, 03:43pm EDT

 
>> Re: Why You Should Enable SSL by Default in Gmail RIGHT NOW
Well now ...

I noted long ago that Google would display my email address on non-SSL pages, such as simple searches, when logged in to Gmail. That always bugged me, since I don't even want my email address being leaked over an insecure connection when I didn't mean for it to.

So I made a teeny Greasemonkey script to set the offending cookie to a null value as 'secure' on any SSL-enabled Google page load:
--> http://userscripts.org/scripts/show/33643

Since the cookie doesn't replace itself (at least as far as I could tell), just by logging in over SSL you'll disable it make it 'secure'. Then the normal Google search pages won't even see you as logged in at all.

That's the only cookie that I could find that doesn't spec the secure tag and would be sent over an insecure connection (mail.google.com has some, but as long as you have Gmail set up right, mail.google.com won't even attempt a non-SSL connection anyway). In any case, I'm sure the people using Gmail at free Wi-Fi hotspots with "HTTPS-only" connections wouldn't be too pleased that even their addresses are being leaked.

If anybody knows of any Firefox extension that would let me automatically set a specific cookie by domain+name to append secure value, I'd love to hear it. :) Or even just to block a specific cookie. EDIT/UPDATE: my script will now do this for whatever site you need. :)

If you want to see this in action without that script, you can install the "Add n Edit Cookies" extension, find the SID cookie for google.com and set it to send for "encrypted connections only": http://img518.imageshack.us/img518/2121/googlesidov0.jpg
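
Added example, not part of McFly's post and not the linked Greasemonkey script: a minimal model of how a browser applies the Secure attribute, showing why a domain-wide SID cookie without it rides along on plain-HTTP requests and stops doing so once flagged. Cookie values are constructed, `MAILSESSION` is a hypothetical cookie name, and path and expiry handling are left out.

```javascript
// Added illustration: minimal model of the Secure cookie attribute.
// Path, expiry and other attributes are ignored. Cookie values are constructed;
// MAILSESSION is a hypothetical name, only SID comes from the post.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: requestHost, hostOnly: true, secure: false };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "domain" && val) {
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSentTo(url, jar) {
  const { protocol, hostname } = new URL(url);
  return jar
    .filter((c) => domainMatches(hostname, c))
    .filter((c) => !c.secure || protocol === "https:")
    .map((c) => c.name);
}

// The change described in the post: flag one cookie for encrypted connections only.
function markSecure(jar, domain, name) {
  return jar.map((c) =>
    c.domain === domain && c.name === name ? { ...c, secure: true } : c);
}

const jar = [
  parseSetCookie("SID=constructed-value; Domain=.google.com; Path=/", "www.google.com"),
  parseSetCookie("MAILSESSION=constructed-value; Path=/mail; Secure", "mail.google.com"),
];
const fixedJar = markSecure(jar, "google.com", "SID");

console.log(cookiesSentTo("http://www.google.com/search?q=test", jar));      // [ 'SID' ]
console.log(cookiesSentTo("http://www.google.com/search?q=test", fixedJar)); // []
```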

Gerritt Sep 13, 2008, 11:08pm EDT
>> Re: Why You Should Enable SSL by Default in Gmail RIGHT NOW
Roger,
There are several different iterations of AES and SHA.
In its 256 bit or better derivative, AES is still very viable and, in almost all cases, more secure than SSL 128 derivatives.

Unless you've gone beyond the standards supported by the NSA and other security industry best practices, in which case you should post why AES doesn't work, I would like to suggest that you stop spouting on about it.

Ad Astra Per Aspera
(A rough road leads to the Stars)
We all know what we know, and everyone else knows we are wrong.
System Specifications in BIO
