With the recent announcement at Defcon, Gmail users will soon be the target of session hijacking. The reason for this is that Gmail by default does not encrypt any traffic (except logins). This allows anyone on the local network to sniff for session ids passed between gmail and the user when you check your email. With this session id, a hijacker can act authenticate themselves as you without the need for your username and password.
This has always been an issue for non-encrypted traffic, but it was announced at defcon that a tool has been released that automates this hack. This was enough reason for Google to release an option to turn on SSL. The problem here is that you still have to manually turn it on.
To turn on SSL go to “Settings” and at the bottom you’ll see an option called “Browser Connection.” Choose the option “Always use https.” Yay now we’re protected from session hijacking!
The problem I next noticed was that gmail notifier stopped working! After doing some investigating, I found that you had to do some hex editing with gnotify.exe to get it to use SSL.
Before we do anything, close and make a backup copy of gnotify.exe just in case anything happens. By default you can find this executable in C:\Program Files\Google\Gmail Notifier. For hex editing I used an old favorite hex editor called “Hex Workshop” for Windows. After you download/install it, open up gnotify.exe in Hex Workshop. On the left you’ll see a bunch of hexidecimal characters and on the right you’ll see the ASCII equivalent.
To make the replaecment, we need to first find the area we want to modify. To find the area, hit CTRL-F and let’s do a search for the string we want to modify: “http://”. Under the “Type” drop-down choose “Text String.” When you find “http://mail.google.com/mail/” go ahead and add a “s” after “http.” You’ll see that whenever you type, it will overwrite whatever was in that field before. Go ahead and type out the replaced characters until you end up with “https://mail.google.com/mail/”.
Go ahead and save the modified executable and open it back up. If it fails, you can always use the backup you made! Otherwise, you should know have access to gmail over an encrypted connection!
I’m sure I’ll be writing a part II to this when I get home and my gmail notifier isn’t working there either.