Gmail security? Well at least start with customizegoogle

I’ve been looking around certain Gmail topics, including how to wipe out everything from your Inbox (I will talk about that in my next post), and one of the things I was interested in was ‘security’.

If you are a Gmail user and a Firefox user, then consider taking a look at customizegoogle.com.

I’m not affiliated with that site by any means, and I dislike the fact that it looks more commercial than good, but the reality is that along with their promises of being spyware-free, it really does a good job when it comes to protecting your communication with Gmail.

Included with that Firefox plugin are lots of other features, such as disabling Google ads while you search @ Google or while you’re inside Gmail. But the one I care about the most is a feature that forces SSL every time you surf your mail @ Gmail.

Why do you need that? Simple. Point your browser to www.gmail.com and you will find that you are automatically redirected to the SECURE version, yes. However, the point of that is to protect your username and password while logging in (otherwise they would be sent in plaintext through the network).

The problem starts right after you have logged in. You will notice that you’re no longer on the secure version under SSL but back on the standard http:// protocol. You can switch back to the secure version manually by modifying the URL and adding that extra ‘s’ after http, making it https://. Once is OK, twice is fine, but remembering to switch back to the secure version three times, or every single time you log into Gmail, is a freaking pain in the behind. Not to mention that by the time you’ve realized you are on the insecure version, your e-mail headers (that e-mail list with extracts from the e-mails you received) have already been sent to you in plaintext.
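The downgrade described above, as an added example that is not part of the original post and is not CustomizeGoogle's code: it audits a recorded list of request URLs for plain-HTTP requests made after the same host was already visited over HTTPS, then shows a force-HTTPS rewrite closing that gap. The host names, URLs and function names are constructed for illustration.

```javascript
// Added example. Hosts and URLs are constructed sample data, not a real capture.
const PROTECTED_HOSTS = new Set(["mail.example.test"]); // hypothetical webmail host

const sampleSession = [
  "https://mail.example.test/login",        // credentials protected by SSL
  "http://mail.example.test/inbox",         // session dropped back to plain HTTP
  "http://mail.example.test/inbox?page=2",
  "http://ads.example.test/banner",         // unrelated host, not audited
  "https://mail.example.test/inbox",        // user added the 's' by hand
];

// Return every request to a protected host that went out over plain HTTP
// after that host had already been visited over HTTPS (i.e. after login).
function plaintextAfterSecure(urls, hosts = PROTECTED_HOSTS) {
  const seenSecure = new Set();
  const exposed = [];
  urls.forEach((raw, index) => {
    let u;
    try { u = new URL(raw); } catch { return; } // skip unparseable entries
    if (!hosts.has(u.hostname)) return;
    if (u.protocol === "https:") seenSecure.add(u.hostname);
    else if (u.protocol === "http:" && seenSecure.has(u.hostname)) {
      exposed.push({ index, url: raw });
    }
  });
  return exposed;
}

// One way a "force SSL" rewrite can work (an assumption, not the extension's
// actual logic): upgrade http:// to https:// for protected hosts only.
function forceHttps(raw, hosts = PROTECTED_HOSTS) {
  let u;
  try { u = new URL(raw); } catch { return raw; }
  if (u.protocol !== "http:" || !hosts.has(u.hostname)) return raw;
  if (u.port !== "") return raw; // non-default port: no known HTTPS equivalent
  u.protocol = "https:";
  return u.href;
}

const upgraded = sampleSession.map((u) => forceHttps(u));
console.log(plaintextAfterSecure(sampleSession)); // entries 1 and 2 are exposed
console.log(plaintextAfterSecure(upgraded));      // nothing exposed
```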

If you add to that my other post where I mention FireGPG and GPG4Win (http://www.penetrationtests.com/blog/2008/05/07/it-looks-like-the-gpgfirefoxwindowsgmail-puzzle-is-solved/) then you have plenty of security added to the default Gmail package.

Check it out, it’s worth it!

Good luck.

 

 

It looks like the gpg+firefox+windows+gmail puzzle is solved

This is a quick post but I don’t want to forget this! The guys over at voipsec.eu mention these 2 useful links:

http://getfiregpg.org/

“FireGPG is a Firefox extension under MPL which brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.”

http://www.gpg4win.org/

“Gpg4win is a installer package for Windows (2000/XP/2003/Vista) with computer programs and handbooks for EMail and file encryption. Both relevant cryptography standards are supported, OpenPGP and S/MIME (the latter is in progress and currently works with GnuPG2 and Claws Mail).”

I’ll try these out sometime soon.

 

A look at our security related traffic

Hey, so today I wanted to take a look at the traffic both the blog and the pentest directory project are receiving and, as you may have already noticed, since I’m using Google Analytics for keeping track of traffic stats I found some interesting data that I wanted to share with you.

I’m analyzing 7,167 unique surfers, ranging from January 1st 2008 to yesterday, April 26th 2008.

Most of them, 2,687, connected using IPs from the US. 623 came from the UK and in third place is India, with 417. We then have several more different countries.

Of the ~7100 surfers, 63.61% (4559) used Firefox as a browser, and in second place with 29.15% comes Internet Explorer. 245 used Opera, 114 Safari, 109 Mozilla, 18 Konqueror, 9 Camino, 7 Mozilla compatible Agent, 9 Avant Go.

So most of them use Firefox, that’s nice. And take a look at the following:

82.41% used Microsoft Windows, that’s 5,906 users! Then comes Linux with 831, Macintosh with 370. We have 18 iPhone users! 3 used the iPod, and a couple more.

And moving on to the Adobe/Macromedia Flash plugin version installed:

28.92% (2,073) had 9.0.r115, 26.58% had 9.0, and so on with decreasing versions... we get to a point where:

76 users had version 6.0 installed! and several different old versions of 9.0 including r28, r45, r47, etc.

I would say - interesting. Nothing new yeah but interesting. Let’s update the Flash plugin.

And then you wonder why Google Analytics takes so much time to load...

Cheers

 
  • © 2009 penetrationtests.com