Is your Gmail session encrypted? No? You’re in trouble!

OK, this is a bigger problem than it may sound or look. If you are one of the many who do not use a secure (encrypted) session (SSL, that is) not only to authenticate to Gmail but also to read and write your emails there, you are in trouble. At the time of writing, I suspect Mike Perry, a security researcher and reverse engineer who has been complaining about cookie hijacking and SSL sessions over at defcon.org and elsewhere, may have already released a tool to the public at large that makes taking over anyone’s unencrypted Gmail session as easy as stealing candy from a baby — maybe even easier.

On the upside, at the bottom of the settings page of your Gmail account, the Gmail folks have made it possible for users to switch Gmail to always use a secure session (commonly known in geek circles as “over HTTPS”). If you have not done that, waste no time and get it done.

If you are one of those who log into their Gmail account in the morning and stay logged in throughout the day, it would be less convenient but well worth it, if you have not already turned on the ‘always use https’ setting in Gmail, to open Gmail by manually typing the following address: https://mail.google.com/ Before Gmail got around to realising how big a problem this is, using that manual link was, I believe (but I may just be wrong), the only way to keep your entire Gmail session encrypted. Otherwise Gmail would only use an encrypted session during authentication (which is common, and until now was considered sufficient to provide reasonable security) and fall back to a normal, unencrypted session for the rest of your email reading and writing. That simply means that anyone sniffing your network, while unable to make heads or tails of what went on when you logged into Gmail, could easily read all your emails. This was of course done to cater to the many users with slow Internet connections, because an SSL (encrypted) session clearly poses a burden on bandwidth.

However, now we have a big problem, and it is worse than someone eavesdropping on your emails. It is all too technical to explain here, but let’s just say (and I am being way, way over-simplistic with this) that anyone with malicious intent, or simply having a bad day, can fool your unencrypted Gmail session into sending them all the information they need to take over your Gmail account. If that doesn’t scare you, hats off to you.

As a general rule, whenever authenticating to any website, please always, always try to use the secure authentication mechanism the website provides (almost all sane websites that require any sort of authentication provide one). Most security-conscious websites go one step further and automatically switch your session to an encrypted one. The easiest way to spot that is to look at the address bar and make sure that instead of “http://” you see “https://” (note the ‘s’ there). Browsers also display a coloured lock icon somewhere on the status bar to indicate that the session is encrypted. If a website is not courteous enough to do that automatically, chances are good that it provides a link to the effect of ‘use secure login’ that will take you over a secure channel so you can safely authenticate with the website. If it does not, well, that is just too bad.
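To make concrete what an unencrypted session exposes, here is an added example (written for this page, not code from the original post or from Gmail) that audits a Set-Cookie header for the Secure and HttpOnly attributes and reports whether a session cookie would travel in cleartext on a plain http:// request; the cookie name, value and domain are constructed.

```python
"""Why an unencrypted session is hijackable: a session cookie that lacks the
Secure attribute is attached to every plain http:// request, so anyone sniffing
the network sees it. The same cookie marked Secure is only ever sent over https,
which is what the "always use https" setting buys you.

Example code written for this page; cookie name, value and domain are constructed."""
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flags become True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(header: str) -> list:
    """Weaknesses in a session cookie that a defender should flag."""
    cookie = parse_set_cookie(header)
    attrs, findings = cookie["attrs"], []
    if "secure" not in attrs:
        findings.append(f"{cookie['name']}: no Secure flag, sent over plain http")
    if "httponly" not in attrs:
        findings.append(f"{cookie['name']}: no HttpOnly flag, readable by page scripts")
    return findings


def session_exposed_over(url: str, header: str) -> bool:
    """True if a request to `url` would carry this cookie in cleartext."""
    scheme = urlparse(url).scheme.lower()
    secure = "secure" in parse_set_cookie(header)["attrs"]
    return scheme == "http" and not secure


# Constructed headers: the weak form and the hardened one.
WEAK_COOKIE = "SID=constructed-session-id; Domain=.example.com; Path=/"
HARDENED_COOKIE = "SID=constructed-session-id; Domain=.example.com; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, cookie_findings(header) or "ok", "exposed over http:",
              session_exposed_over("http://mail.example.com/", header))
```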

Have fun, and be safe.


Independence Day

On the eve of Pakistan’s 61st Independence Day, it rained thoroughly throughout the city — perhaps throughout the country. I walked out late in the morning over the wet asphalt on a road that was rebuilt a few months ago to the spot where one of our cars was parked. Dad is in the habit of leaving the windows slightly open for ventilation purposes in the car, and whenever it rains, we always tend to forget about that, subsequently ending up having to ride in a car with wet seats. It was more than drizzling as I slowly paced my way up to the car. The look down the lane during downpour is as breathtakingly enchanting as any one can imagine. There is not a single house along either sides of the lane that is not host to a lush and lively collection of greenery. In rain, it almost looks like a still picture artistically capturing a beautiful landscape. The pitch dark velvet worn by the asphalt as a result of being drenched in rain water, the aromas of wet sand, dripping flowers, and drenched trees permeating from all corners through the lane paint a reflection that one may be willing to believe can only be that of heaven. Yesterday, as I stood outside my home, I was a lucky guest to that heavenly peek.

The rain picked itself up, and with it, so did my pace towards the car. As the rain drops trickled down my body, I looked up to face the sky straight, standing next to the car. I felt something. It was a feeling I had never felt. Ever. The fact that I had a running fever at the same time I was getting drenched certainly reinforced the feeling. I could almost sense, feel, that the rain falling down relentlessly, the clouds coughing up in shrill sounds, everything around me, they were all mourning — grieving a big loss. Amidst me, I could see heaven. But every element of it seemed without hope, every element of it looked despairing, grief-stricken, as if it was not in the least enjoying the rain, or the chilling weather, but suffering from great sorrow. I shook my head, and with a shock, and as a deep sense of despair overwhelmed me, I realised what it was. I cranked shut the windows, made sure the doors were locked properly, and, giving a passing look through sorrowful eyes down that lane, I quickly trod over rain water back into my house.

Today is Pakistan’s 61st Independence Day. As before, many have chosen to sleep the day off. I wish I could. I look at the few green flags wound high on the roofs of the houses and being thrown about by slight whiffs of wind. I look, and I feel depressed. Thoroughly. Local TV channels all over the place push hard to give off a vibrant sense, feeling, of what they would like to proudly call Independence Day celebrations. To me, it is more melancholic than looking at almost idle flags hanging outside like dismal prisoners on death row waiting to be hanged. I wish I could sleep the day off. I mourned the Independence Day yesterday, alone, out under a crying sky. I was lucky to have been given that moment.

On Pakistan’s 59th Independence Day, I portrayed a less gloomy picture. I need not compare nor contrast how far forward or backwards we have come since then. In the least bit, as a Pakistani — proud, happy, sad, or grieved — it is your responsibility to know. If you don’t, today is the day to sit down and reflect in all earnestness.

Happy Independence Day!

Benchmarking Apache web server(s)

If you are not a systems administrator, you may never need to benchmark the individual servers on which your applications run. But if you are, odds are good that you already appreciate the importance of knowing which parts of a system under your control are under-performing, causing bottlenecks, or plainly not coping with the load.

I am going to make only a passing mention of two tools that can be used to benchmark Apache web servers. Compared with other servers, ensuring that web servers can adequately handle the load they are sweating under is not only a long-standing but a hugely important issue to tackle. To that end, for Apache web servers, the following two tools can be used to implement extensive testing plans that measure a whole slew of factors:

ab is easier to use, but less flexible and with fewer features. Apache JMeter, in contrast, packs buckets full of features that can be used to test an Apache web server in every conceivable manner.
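As an added example of putting ab to use (written for this page, not part of ab, Apache or JMeter), the script below parses the summary that a run such as `ab -n 1000 -c 50 -k http://host/path` prints (-n total requests, -c concurrent clients, -k keep-alive) and checks it against throughput, error and latency limits, so a benchmark can fail a build instead of being eyeballed; the sample output is constructed, not a real measurement.

```python
"""Parse the ApacheBench (ab) summary and check it against limits.
Example code written for this page, not part of ab or Apache; the sample
output below is constructed in ab's output format, not a real run."""
import re

SAMPLE_AB_OUTPUT = """\
Concurrency Level:      50
Complete requests:      1000
Failed requests:        3
Non-2xx responses:      2
Requests per second:    810.37 [#/sec] (mean)
Time per request:       61.700 [ms] (mean)
Time per request:       1.234 [ms] (mean, across all concurrent requests)
Percentage of the requests served within a certain time (ms)
  50%     58
  90%     95
  99%    120
 100%    150 (longest request)
"""

_FIELDS = {  # one regex per summary line we care about
    "concurrency": r"^Concurrency Level:\s+(\d+)",
    "failed": r"^Failed requests:\s+(\d+)",
    "non_2xx": r"^Non-2xx responses:\s+(\d+)",  # ab omits this line when all are 2xx
    "rps": r"^Requests per second:\s+([\d.]+)",
    "mean_ms": r"^Time per request:\s+([\d.]+) \[ms\] \(mean\)$",
}


def parse_ab_output(text: str) -> dict:
    """Extract the headline numbers plus the percentile table (p50_ms, p99_ms, ...)."""
    stats = {}
    for key, pattern in _FIELDS.items():
        match = re.search(pattern, text, re.MULTILINE)
        stats[key] = float(match.group(1)) if match else 0.0
    for pct, ms in re.findall(r"^\s*(\d+)%\s+(\d+)", text, re.MULTILINE):
        stats[f"p{pct}_ms"] = float(ms)
    return stats


def check_thresholds(stats: dict, min_rps: float, max_bad: int, max_p99_ms: float) -> list:
    """Return the violated limits; an empty list means the run passed."""
    bad = stats["failed"] + stats["non_2xx"]  # failed and non-2xx both count as errors
    problems = []
    if stats["rps"] < min_rps:
        problems.append(f"throughput {stats['rps']} req/s below {min_rps}")
    if bad > max_bad:
        problems.append(f"{int(bad)} failed or non-2xx responses, limit {max_bad}")
    if stats.get("p99_ms", float("inf")) > max_p99_ms:
        problems.append(f"p99 latency {stats.get('p99_ms')} ms above {max_p99_ms}")
    return problems
```

In practice the text handed to parse_ab_output is the captured stdout of the ab command; JMeter produces its own CSV/XML result files and is not covered by this parser.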