I have noticed several media articles recommending that users use https to protect their gmail sessions from Robert Graham's "Sidejacking" attackers. It turns out that independent of Mr. Graham's work, I have also been investigating these types of attacks as they pertained to users' safety while they use the Tor network.

As I presented in my Black Hat and DefCon talks on Securing the Tor Network, it turns out that using https for accessing mail.google.com is not sufficient to protect you from many "Sidejacking" attacks. The 'GX' authentication cookie for mail.google.com is set to be transmitted for any type of connection (http or https). This is the only cookie one needs to authenticate to gmail. This "Any type of connection" property allows an attacker to execute a cross site request forgery attack to inject spoofed 'http://mail.google.com' content elements or meta-refresh tags into ANY WEB PAGE loaded by a user. Repeat: the user does NOT have to be using gmail at the time, they just need to have a valid 'GX' authentication cookie from a prior login, and then visit ANY WEBSITE. Upon fetching/executing these injected elements, the browser will transmit the 'GX' cookie in the clear for the load of the spoofed element. Arp spoofing, DHCP spoofing, DNS spoofing, and TCP race-based attacks (such as AirPwn) are all valid vectors for inserting these content elements.

The ONLY way to be safe is to clear your google cookies immediately after using gmail, or to mash the logout button. Obviously, being a privacy advocate, I would prefer everyone did the former :)

Many other sites also have this same problem. In fact, I just purchased an item from a site that failed to enforce that its cookies are transmitted for "Encrypted Sessions Only". The Firefox addon CookieCuller is a nice easy way to inspect this property of cookies.
You should check your banks :)

Security is a hobby of mine - unfortunately I have neither the interest nor the time to produce a proof of concept of this attack. Quite frankly, I'd rather spend my free time helping to improve the Tor network, rather than releasing attacks that may compromise its users or the general public. My reluctance to release does not stem from any particular moral opposition to full disclosure. If google and other sites continue to ignore this issue, I may be motivated to make a release. It is very likely "bad guys" will beat me to it anyway, because this attack is relatively simple with the right MITM tools.

You can verify the validity of this attack by logging in to https://mail.google.com. You will remain in https://mail.google.com after the login is complete. Now, use CookieCuller to blow away all but the 'GX' cookie. After this, close your gmail tab, and then visit http://mail.google.com. You will still be authenticated.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
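An added illustration, not part of Mike Perry's post: this Python audit parses Set-Cookie headers, flags cookies that lack the Secure attribute (the "Encrypted Sessions Only" property the post checks with CookieCuller), and simulates the browser rule the post relies on, namely that a non-Secure cookie is attached to a plain http load of a matching host while a Secure cookie is withheld. The Set-Cookie lines are constructed sample input with placeholder values, not real Google cookies.

```python
"""Audit Set-Cookie headers for the 'Secure' attribute and simulate which
cookies a browser would attach to a cleartext http load of the same host."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample: a hypothetical login response from mail.google.com.
# Cookie values are placeholders, not real session tokens.
SAMPLE_SET_COOKIE_HEADERS = [
    "GX=placeholder-session-token; Domain=mail.google.com; Path=/",
    "SID=placeholder-sid; Domain=.google.com; Path=/; Secure; HttpOnly",
]

def parse_cookies(headers):
    """Parse Set-Cookie lines into dicts of name/domain/path/secure/httponly."""
    jar = []
    for line in headers:
        c = SimpleCookie()
        c.load(line)
        for name, morsel in c.items():
            jar.append({
                "name": name,
                "domain": (morsel["domain"] or "").lstrip(".").lower(),
                "path": morsel["path"] or "/",
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            })
    return jar

def domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)

def cookies_sent_for(jar, url):
    """Cookie names a browser attaches to a request for `url`: cookies marked
    Secure travel only over https; all others are also sent over plain http."""
    u = urlparse(url)
    host, path = (u.hostname or "").lower(), (u.path or "/")
    sent = []
    for c in jar:
        if not domain_matches(host, c["domain"]) or not path.startswith(c["path"]):
            continue
        if c["secure"] and u.scheme != "https":
            continue  # browser withholds Secure cookies on cleartext
        sent.append(c["name"])
    return sent

def insecure_cookies(jar):
    """Cookies that would leak on any cleartext load (missing Secure)."""
    return [c["name"] for c in jar if not c["secure"]]
```

Running `cookies_sent_for(parse_cookies(SAMPLE_SET_COOKIE_HEADERS), "http://mail.google.com/")` returns only `GX`, which is exactly the leak the post describes; the fix on the server side is to add `Secure` to that cookie.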