OK, this is a bigger problem than it may sound or look. If you are one of the many who do not use a secure (encrypted) session (SSL, that is) not only to authenticate to Gmail but also to read and write your email there, you are in trouble. At the time of writing, I suspect Mike Perry, a security researcher and reverse engineer who has been complaining about cookie hijacking and SSL sessions over at defcon.org and elsewhere, may have already released a tool to the public at large that will make taking over anyone’s unencrypted Gmail session as easy as stealing candy from a baby — maybe even easier.
On the upside, at the bottom of the settings page of your Gmail account, the Gmail folks have made it possible for users to switch Gmail to always use a secure session (commonly known in geek circles as “over HTTPS”). If you have not done that yet, waste no time and get it over with.
If you are one of those who log into their Gmail account in the morning and stay logged in throughout the day, and you have not yet turned on the ‘always use https’ setting on Gmail, it is less convenient but well worth it to reach the Gmail page by manually typing the following address: https://mail.google.com/. Before Gmail got around to realising how big a problem this all is, using that manual link was, I believe (but I may just be wrong), the only way to keep your entire Gmail session encrypted. Otherwise, Gmail would only use an encrypted session during authentication (which is common and, until now, was sufficient in terms of providing reasonable security), and then settle back to a normal, non-encrypted session for the rest of the email reading and writing operations. Simply put, anyone sniffing your network, while unable to make heads or tails of what went on when you logged into your Gmail, could easily read all your emails. This was of course done to cater to the many users who have a slow Internet connection, because an SSL (encrypted) session clearly costs extra bandwidth.
However, now we have a bigger problem, and it is worse than someone eavesdropping on your emails. It is all too technical to explain here, but let’s just say (and I am being way over-simplistic with this) that anyone with malicious intent, or simply having a bad day, can fool your non-encrypted Gmail session into sending them all the information they need to take over your Gmail account. If that doesn’t scare you, hats off to you.
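The weakness behind this is that the session cookie handed out during the encrypted login is also attached to every plain http:// request unless the site marks it as HTTPS-only. As an added example (not from the original post), here is a small Python audit of Set-Cookie headers that flags session-looking cookies lacking that Secure attribute; the header values and cookie names are constructed for illustration, not taken from Gmail.

```python
# Constructed sample response headers (not captured from Gmail): the login
# response sets a session cookie without the Secure attribute, so a browser
# would happily send it in the clear over http:// as well as https://.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),   # missing Secure
    ("Set-Cookie", "PREF=lang=en; Path=/"),                 # harmless preference
    ("Set-Cookie", "AUTHTOKEN=def456; Path=/; Secure"),      # correctly marked
]

# Name fragments that usually indicate a cookie carrying login state
# (heuristic assumption for this example, not a standard).
SESSION_NAME_HINTS = ("sid", "sess", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; valueless flags such as Secure map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name):
    """Heuristic: does the cookie name suggest it carries authentication state?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def insecure_session_cookies(headers):
    """Return names of session-looking cookies a browser would send over plain HTTP.

    A cookie is only confined to https:// when the Secure attribute is present;
    HttpOnly alone does nothing against a network sniffer.
    """
    flagged = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if looks_like_session_cookie(name) and "secure" not in attrs:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in insecure_session_cookies(SAMPLE_HEADERS):
        print(f"{name}: session cookie without Secure, exposed over http://")
```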
As a general rule, whenever authenticating to any website, please always, always try to use the secure authentication mechanism the website provides (almost all sane websites that require any sort of authentication provide one). Most security-conscious websites go one step further and automatically switch your whole session to an encrypted one. The easiest way to spot that is to look at the address bar and make sure that instead of “http://” you have “https://” (note the ‘s’ there). Additionally, browsers display a coloured lock icon somewhere on the status bar to indicate that the session is encrypted. If a website is not courteous enough to do that automatically, chances are good that it provides a link along the lines of ‘use secure login’ that takes you over a secure channel so you can safely authenticate with the website. If it does not, well, that is just too bad.
Have fun, and be safe.