Uhhhhhh...I wonder how many other mail providers or programs/suites this vulnerability applies to. I just got a new e-mail account and it does the full-time https thing. Considering that my internet connection goes over our 802.11b system in the clear, the thought of those session IDs and passwords going in the clear worries me, especially with the number of people I see getting DHCP leases (but not past the captive portal) on our system! And those are just the ones dumb enough to be seen...

Mike

On Mon, 4 Feb 2008 21:18:23 -0800, "Kristian Erik Hermansen" said:
> On Feb 4, 2008 9:00 PM, Micah DesJardins wrote:
> > If you use
> >
> > https://mail.google.com
> >
> > instead of http://mail.google.com it remains encrypted after you log in.
>
> This is not necessarily true. There have been attacks in which Google
> session ids can be compromised if for a time HTTPS is disrupted.
> Google then attempts to utilize the non-https session and exposes the
> id, which can then be used to log into the account without a user/pass
> combo...
> --
> Kristian Erik Hermansen
> "Know something about everything and everything about something."
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
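
The exposure described in the quoted reply, as an added example that is not part of the original thread: a session cookie set without the `Secure` attribute is also sent on plain-HTTP requests to the same host, so it leaks when a connection falls back from HTTPS. The Python below audits a constructed set of response headers for that condition; the cookie names, the session-name heuristic and the HSTS check are assumptions of this example, not details from the thread.

```python
# Added example: constructed headers, not captured from any real service.
SAMPLE_HEADERS = [
    ("Set-Cookie", "SID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "SSID=def456; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

# Assumption: substrings that suggest a cookie carries a session identifier.
SESSION_HINTS = ("sid", "sess", "auth", "token")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or 0."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age":
            digits = val.strip().strip('"')
            return int(digits) if digits.isdigit() else 0
    return 0


def audit_headers(headers):
    """Report session cookies a browser would also send over plain HTTP."""
    exposed, hsts = [], False
    for name, value in headers:
        header = name.lower()
        if header == "strict-transport-security":
            hsts = hsts_max_age(value) > 0
        elif header == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            looks_like_session = any(h in cookie.lower() for h in SESSION_HINTS)
            if looks_like_session and "secure" not in attrs:
                exposed.append(cookie)
    return {"exposed_on_http": exposed, "hsts": hsts}


if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
```

A cookie listed under `exposed_on_http` should be reissued with `Secure`; an HSTS header reduces fallback to HTTP but does not replace the attribute.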