
Gmail is not Secure!!! How to be secured??

February 14, 2008

These are snapshots of a group discussion that I borrowed from a Nepalese hackers' Google group. The participants are talking about how and why Gmail is not secure, and how to use Gmail in a way other than the conventional one to ensure your privacy and security. If you care about your privacy and security, read on; otherwise it's your choice.

Surmandal : Recently, I saw that the Gmail session is not encrypted. First I hit gmail.com, then enter the username and password. During this stage it is https, but after login to the mailbox page it is http only. That means the whole session is not encrypted. What do you think?? But hitting https://mail.google.com remains https. :(


nepbabu : Hi Surmandal, I do not use Webmail but what does loading up the SSL’ized page show up in your sniffer?

Surmandal : I am using Wireshark (root) but I got only garbage data. Anyway, the whole session should be SSL’ized.

bibstha : Um, well if u need security there is always https://mail.google.com which encrypts the whole session, from login to logout as u’ve mentioned. But that aside, https isn’t always flexible IMO, and it’s slow as well. That’s why I think http://mail.google.com is there. Depending upon how paranoid u are about ur security. :)

nepbabu : I think Bibek bro. :) IMHO, SSL’izing is not about being paranoid or over-paranoid. It’s about ensuring that your traffic is encrypted so that no MITM can occur easily. This has serious privacy implications and you do not want some middle person sniffing for plaintext in your network. hoina? It _used_ to be about being paranoid but those days are long gone. Criminals & would-be criminals would forfeit much from this [and don’t forget about s[cp]ammers as well].

My mail client [mutt] only encrypts the login credentials with AES. However, I wish it could have encrypted the whole session [I am thinking of starting to use the SSL’ized version of Gmail webmail with my other account since POP protocol doesn’t maintain state afaik].

Surmandal : Now I just capture the content from Gmail. Now onwards I am gonna use https://mail.gmail.com

bibstha : Sorry, my bad. Now that I realize the importance, I should start using https as well :)

nepbabu : Nah.. no need to be sorry. It’s just that regular folks think the same. I believe it’s of utmost importance that every folk out there using a computer should protect their privacy. Btw is that sarcasm, Bibek? :P

nepbabu : Correction: Since, apparently the version of POP3 I am using is over TCP and over a link that supports SSL (from the server<->client), my connection with Yahoo! POP3 server is encrypted. Previously, I said the possibility of encryption only for login credential but it was not so. The whole POP session is crypted. I discussed this with fellow colleagues at #security@freenode as well as with my own findings and little discussion with sh00nya. Also, he reckons that it’s the same with Gmail. :)

So folks, either https://mail.google.com OR POP3 over SSL should do for all your privacy needs, at least for Gmail & Yahoo! :-)

Buahahaha!

———————–
src: http://groups.google.com/group/NepSecure/browse_thread/thread/948957746785dd56?hl=en
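
An added example, not part of the original thread and not Google's code: a small Python check for the pattern Surmandal describes (HTTPS login followed by an HTTP mailbox), run over a recorded list of responses. It goes one step beyond the thread by also flagging cookies set without the Secure attribute, since those are what travel in the clear after the downgrade. The host, paths and cookie name are constructed placeholders, and all responses are assumed to come from one host.

```python
from urllib.parse import urlsplit

# Constructed sample: a recorded browsing session, one entry per response.
# Host, paths and cookie name are placeholders, not real Gmail values.
SAMPLE_SESSION = [
    {"url": "https://mail.example.test/login",
     "set_cookie": ["SESSION=abc123; Path=/; HttpOnly"]},
    {"url": "http://mail.example.test/inbox", "set_cookie": []},
    {"url": "http://mail.example.test/inbox?msg=1", "set_cookie": []},
]


def cookie_name(header):
    """Name part of a Set-Cookie header value."""
    return header.split("=", 1)[0].strip()


def cookie_is_secure(header):
    """True if the Set-Cookie value carries the Secure attribute."""
    attrs = [part.strip().lower() for part in header.split(";")[1:]]
    return "secure" in attrs


def audit_session(session):
    """Flag https->http downgrades and cookies that end up sent over http."""
    findings = []
    prev_scheme = None
    exposed = set()  # cookies set without Secure: the browser sends them over http too
    for index, resp in enumerate(session):
        scheme = urlsplit(resp["url"]).scheme
        if prev_scheme == "https" and scheme == "http":
            findings.append(("downgrade", index, resp["url"]))
        # Cookies set by earlier responses accompany this request.
        if scheme == "http" and exposed:
            findings.append(("cookie-sent-in-clear", index, ",".join(sorted(exposed))))
        for header in resp.get("set_cookie", []):
            if not cookie_is_secure(header):
                exposed.add(cookie_name(header))
                findings.append(("cookie-without-secure", index, cookie_name(header)))
        prev_scheme = scheme
    return findings


if __name__ == "__main__":
    for kind, index, detail in audit_session(SAMPLE_SESSION):
        print(f"response {index}: {kind}: {detail}")
```

A session that stays on https and sets its cookie with `Secure` produces no findings.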
