[ale] firefox question

Jay Loden ale at jayloden.com
Mon Aug 6 15:03:22 EDT 2007



Greg Freemyer wrote:
> As David said (and I just verified at 1pm):
> 
> If you enter: http://gmail.com you get redirected to a secure page for
> login, but back to a normal http page for normal usage.
> 
> It is on the normal usage page that the newly released hack works.
> 
> OTOH, if you initially enter https://gmail.com, then you stay in
> encrypted pages for the duration of your session and as I understand
> it the new hack fails.
> 
> Thus my desire to blacklist http://mail.google.com for all of our
> corporate PCs, etc.
> 
> Greg

I found this whole thing interesting since I don't think this is a security flaw
as much as a conscious design decision Google made to allow access via either
HTTP or HTTPS. It's been known since the very first beta days that you could log
in via both, and Gmail's own help docs even say so. The login information is
always carried over SSL, but as noted, if you log in from an HTTP link, you'll
end up with a plain HTTP session once logged in.

Anyway, that being said, as far as redirecting Firefox, I would suggest doing this
at the firewall/web proxy level. Otherwise, the only way to force Firefox to
redirect would be via Greasemonkey and this user script:
http://diveintogreasemonkey.org/casestudy/gmailsecure.html which is probably
overkill and also unwieldy to install if you have a large number of computers to
lock down.

-Jay
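
The Greasemonkey route Jay mentions, as an added example that is not part of the original thread and is not the script at the linked URL: a user script whose redirect decision lives in a standalone function, so the rewrite rule can be checked outside the browser before it is rolled out. The host list and the metadata header are assumptions for the example.

```javascript
// ==UserScript==
// @name        Gmail force HTTPS (added example)
// @namespace   example.invalid
// @include     http://mail.google.com/*
// @include     http://gmail.com/*
// @include     http://www.gmail.com/*
// ==/UserScript==

// Hosts whose plain-HTTP pages should be bounced to HTTPS.
// Assumed list for this example; extend it if other Gmail hostnames are in use.
const GMAIL_HOSTS = new Set(['mail.google.com', 'gmail.com', 'www.gmail.com']);

// Return the HTTPS form of a Gmail URL, or null when no redirect is needed:
// already HTTPS, not a Gmail host, or not parseable as a URL at all.
function forceHttps(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // not an absolute URL; nothing sensible to redirect to
  }
  if (url.protocol !== 'http:') return null;        // https:, about:, file:, ...
  if (!GMAIL_HOSTS.has(url.hostname)) return null;  // leave other sites alone
  url.protocol = 'https:';
  return url.href; // path, query string and fragment are preserved
}

// Inside the browser: redirect before the page starts loading the inbox.
// location.replace() keeps the plain-HTTP URL out of the back/forward history.
if (typeof location !== 'undefined' && typeof window !== 'undefined') {
  const target = forceHttps(location.href);
  if (target !== null) location.replace(target);
}
```

The same `forceHttps` rule is what a proxy-side redirector would implement for the whole network, which is the route the message above recommends for many machines; the user script only covers browsers where it is installed.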
