Now I'm not an expert, and nothing is completely foolproof... but like 7LM rightly points out, isn't SSL supposed to encrypt the data, making it pretty difficult to get that password?
This got me thinking, because stuff like bank logins etc. use SSL to protect against these types of incidents.
So just what is it that the hacker was doing in that program that allowed him to get into those email accounts?
Looking again at the vid... it would appear the hacker is getting into Gmail accounts?
But Gmail login is surely HTTPS, right??? So what's happening?
So, armed with a tiny bit of googling, this is what comes up.... (it wasn't hard to find)
The Gmail login uses SSL, but after that it's not... this is what I found.
http://www.webmonkey.com/blog/Why_You_Should_Turn_Gmail_s_SSL_Feature_On_Now
Read the bit about the interaction between Gmail and your browser and what happens next:
I will need to see proof of your login, but don’t bother encrypting it for me. Here is your unencrypted email.
and this is what happens with SSL:
SSL requires a key generated on your end and on the Gmail server’s end. There’s no way for the local guy at Starbucks to get those keys and unencrypt the data by packet sniffing.
Makes you feel a little vulnerable knowing all your public information was so nakedly exposed over the past few years, huh? Did Google know about this?
It turns out they were well aware of it. The reason Google didn’t grant users the SSL feature before, according to Perry, was because SSL is expensive.
Yep... it's true... I've just checked... by default Gmail doesn't use HTTPS when you view your mail.
If I log in to my Gmail account it starts off using HTTPS... but once you have logged in, Gmail switches to straightforward HTTP.
So this is how the hacker is then able to view their emails and do anything from that point onwards, because you're on the same LAN and with the same external IP.
If you've any personal details such as financial details or passwords in those mails then you're stuffed.
Solution: make sure your Gmail account is set to "Always use https" by ticking the relevant radio button in the Gmail general settings.
I've just done this, and the next time I logged in it was using HTTPS for everything.
------------
Why didn't Watchdog mention HTTPS/SSL in any shape or form...
... or even how to make sure it's switched on permanently for Gmail.
Surely that would be a public service?
So just why didn't Watchdog tell users this... or does it then not make for such interesting journalism?
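Added example, not from the post above or from Google: a small Python audit of a login response for the exact pattern the post describes, a session cookie set during an HTTPS login that the browser then resends over plain HTTP once the site redirects back to http://. The sample responses are constructed, and the checks are the standard server-side counterparts of the "Always use https" setting: an https:// redirect, a Secure flag on the cookie, and an HSTS header.

```python
# Added example (not from the forum post or from Google): audit a login response for the
# weakness described above, a session cookie the browser will resend over plain http://.
from typing import Dict, List, Tuple

def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return the cookie name and a lower-cased attribute map from a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_set_cookie(value: str) -> List[str]:
    """Flag cookies a browser would send over plain HTTP or expose to page scripts."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (browser sends it over http://)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by page scripts)")
    return findings

def audit_login_response(raw: str) -> List[str]:
    """Audit a raw HTTP response (status line + headers) as returned after a login POST."""
    head = raw.split("\r\n\r\n", 1)[0]
    findings, has_hsts = [], False
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "set-cookie":
            findings.extend(audit_set_cookie(val))
        elif key == "location" and val.lower().startswith("http://"):
            findings.append("post-login redirect drops back to plain http://")
        elif key == "strict-transport-security":
            has_hsts = True
    if not has_hsts:
        findings.append("no Strict-Transport-Security header (later http:// visits are not upgraded)")
    return findings

# Constructed samples (not real Gmail traffic): login-only HTTPS vs. the hardened form.
WEAK_RESPONSE = ("HTTP/1.1 302 Found\r\nLocation: http://mail.example.test/inbox\r\n"
                 "Set-Cookie: SID=abc123; Path=/\r\n\r\n")
HARDENED_RESPONSE = ("HTTP/1.1 302 Found\r\nLocation: https://mail.example.test/inbox\r\n"
                     "Set-Cookie: SID=abc123; Path=/; Secure; HttpOnly\r\n"
                     "Strict-Transport-Security: max-age=31536000\r\n\r\n")
```

Running `audit_login_response` on the weak sample reports four findings; the hardened sample reports none.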