I’ve just been reading this: TG Daily – Point and click Gmail hacking at Black Hat (thanks for passing that on Al)
Basically, if you aren’t logging into GMail using SSL then someone can grab your cookie and replay it. Well, that is pretty obvious if you are familiar with how all that kind of thing works, and of course I only log into GMail using SSL; in fact, Google enforces this. Oh… actually, now I look, it doesn’t enforce it at all…
If you enter the URL mail.google.com it automatically redirects you to https://mail.google.com and all is well. But if you log in and then close your browser, re-open it and enter it again, it takes you straight to http://mail.google.com, presumably passing the unencrypted cookie along the way.
Opening up your e-mail is not good, especially when you consider the alarming wealth of sites that still send password reminders as plain text, all of which are sitting in your mail archive alongside those that send your full credit card number in an order confirmation.
GMail works perfectly well if you add the all-important little ‘s’ into any of its URLs, so why don’t they just enforce it and save us the bother?
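The behaviour described above comes down to one cookie attribute. A session cookie set during an HTTPS login is sent by the browser on every later request to the same host, including a plain `http://` one, unless the server marked it `Secure`. The following is an added example written for this post, not code from Google or from the Black Hat talk; it models the browser rule with the standard library and shows a weak `Set-Cookie` header beside the hardened form. The host `mail.example.com`, the cookie name `SID` and its value are constructed for illustration.

```python
"""Why a session cookie without the Secure attribute is replayed over plain
HTTP, and how the Secure flag stops the browser from ever sending it there.

Constructed example: mail.example.com, the cookie name SID and its value are
illustrative and are not taken from Gmail or from the original post.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into its name, value and the two
    attributes that matter for this discussion (Secure and HttpOnly)."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def audit_set_cookie(header: str) -> list:
    """Return the weaknesses a reviewer would flag on a session cookie."""
    cookie = parse_set_cookie(header)
    findings = []
    if not cookie["secure"]:
        findings.append("missing Secure: browser will send it over http://")
    if not cookie["httponly"]:
        findings.append("missing HttpOnly: readable by page scripts")
    return findings


class BrowserCookieJar:
    """Minimal model of the browser rule in RFC 6265 section 4.1.2.5: a cookie
    marked Secure is only attached to requests made over a secure channel."""

    def __init__(self):
        self._cookies = []

    def receive(self, set_cookie_header: str) -> None:
        """Store a cookie exactly as the server sent it."""
        self._cookies.append(parse_set_cookie(set_cookie_header))

    def cookies_for(self, url: str) -> dict:
        """Cookies the browser would attach to a request for this URL."""
        scheme = urlsplit(url).scheme
        return {
            c["name"]: c["value"]
            for c in self._cookies
            if scheme == "https" or not c["secure"]
        }


def session_exposed_over_http(set_cookie_header: str) -> bool:
    """Replay the post's scenario: the cookie is set during an https login,
    then the user types the bare hostname, which the browser sends as http://.
    Returns True when the session cookie would travel in the clear."""
    jar = BrowserCookieJar()
    jar.receive(set_cookie_header)                       # set on the https login
    sent = jar.cookies_for("http://mail.example.com/")   # later plain-http visit
    return "SID" in sent


# Constructed headers: the weak form and the hardened form.
WEAK_HEADER = "SID=constructed-session-token; Path=/"
HARDENED_HEADER = "SID=constructed-session-token; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, "exposed over http:", session_exposed_over_http(hdr),
              "| findings:", audit_set_cookie(hdr))
```

Marking the cookie `Secure` is what makes the redirect question moot: even if the user lands on `http://`, the browser withholds the session cookie, so the server sees an anonymous request and can redirect to HTTPS before anything sensitive is exchanged.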