Gmail: time to bail?
December 25, 2007 4:11 PM
I love Gmail, but with all the security and privacy concerns, I'm thinking of bailing. Whereto next?
I literally use gmail for everything, from business to personal e-mails. I use it in the library, on my desktop, and on my eee pc. I like how I can pretty much use it anywhere and it has a lot of nice features. However, I've been worried by recent stories about hacking, poor security features...and about privacy issues in general. I'd like something mobile, but with more sophisticated security features.
Is there a way to use Gmail more securely? Are there programs that can be used with Gmail, but that add more security? If I bail...what hosts are best?
Response by poster: yep, I currently use https:, firefox, Noscript...I guess I should cease using it at the library
posted by melissam at 4:24 PM on December 25, 2007
Best answer: Melissa,
The article you link to was a result of what's called a cross-site scripting attack (XSS). It features a site pinging through a request to hit Google's servers from an already-authenticated session in order to retrieve information or post data to GMail; in that specific case, Forwarding Filters.
That's a bit of a nightmare and pretty convoluted, but they're supposed to have fixed that.
I have to say that I know a few developers at Google. They rely on GMail as their internal email. They have thousands of companies now using GMail through Google Apps for your Domain as their primary.
Short of bringing your email offline, they really are still probably the best solution you'll find.
Windows Live mail isn't graceful and attractive, though they may be less susceptible to XSS by lack of features.
If you're using Noscript and the https: version, you should significantly reduce your chance of getting hit with any XSS vulnerabilities. Plus, they've seriously locked it down from what I've heard. (The same article mentions the fix.)
I'm keeping my mail through GMail, but you can be sure I checked my Filters after having read that piece.
posted by disillusioned at 4:38 PM on December 25, 2007
The most secure thing would be to stop using webmail altogether. Using HTTP/HTML to get your mail introduces all sorts of vectors for attack that wouldn't be possible using secure IMAP. Failing that, Gmail will probably be as safe as any other webmail provider. Other web sites may have fewer widely-known security issues, but probably also have fewer people looking for them.
posted by grouse at 5:03 PM on December 25, 2007
The linked article is talking about a CSRF attack, not an XSS attack.
posted by null terminated at 5:06 PM on December 25, 2007
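To make the distinction concrete (an added illustration, not code from this thread or from Google): a CSRF attack works because the browser attaches the victim's session cookie to a request even when a different site triggered it. The handler below changes a forwarding address; the "before" version trusts the cookie alone, the "after" version also requires a per-session token a foreign page cannot read and checks the Origin header. The origin, addresses and field names are made-up placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE_ORIGIN = "https://mail.example"  # placeholder for the webmail's own origin


@dataclass
class Session:
    user: str
    forward_to: Optional[str] = None
    # token tied to the session; only pages served from SITE_ORIGIN can read it
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    cookie_session: Optional[Session]  # browser adds the cookie even cross-site
    form: dict                         # POST body
    origin: Optional[str] = None       # Origin header, set by the browser


def vulnerable_set_forward(req: Request) -> int:
    """'Before': authenticates by cookie only, so a form auto-submitted by a
    foreign page carrying the victim's cookie is accepted."""
    if req.cookie_session is None:
        return 401
    req.cookie_session.forward_to = req.form["forward_to"]
    return 200


def hardened_set_forward(req: Request) -> int:
    """'After': same handler plus an Origin check and a constant-time
    comparison of the submitted token against the session's token."""
    s = req.cookie_session
    if s is None:
        return 401
    if req.origin != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), s.csrf_token):
        return 403
    s.forward_to = req.form["forward_to"]
    return 200


def demo() -> dict:
    """Constructed scenario: one cross-site request lacking the token, and one
    legitimate request from the site's own page."""
    vuln, hard = Session("victim"), Session("victim")
    forged = lambda s: Request(s, {"forward_to": "attacker@example.invalid"}, "https://evil.example")
    legit = lambda s: Request(s, {"forward_to": "me@example.invalid", "csrf_token": s.csrf_token}, SITE_ORIGIN)
    return {"vuln_forged": vulnerable_set_forward(forged(vuln)), "vuln_forward": vuln.forward_to,
            "hard_forged": hardened_set_forward(forged(hard)), "hard_forward_after_forgery": hard.forward_to,
            "hard_legit": hardened_set_forward(legit(hard)), "hard_forward": hard.forward_to}
```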
Using an email program such as Outlook or Thunderbird to download your messages through POP3 can also tighten things up. Thunderbird also has a very nice threading feature you can tweak to your own taste. (Plenty of other tweaks available, that's just one of my favorites.)
posted by IronLizard at 5:09 PM on December 25, 2007
Response by poster: is there a portable e-mail client (a la portable thunderbird) that I can use on both linux and windows?
posted by melissam at 5:39 PM on December 25, 2007
You can use any IMAP client to read and organize your Gmail. This is nicer than using POP since there will still just be one copy of each message, stored safely at Google, and one set of folders to maintain.
posted by nicwolff at 5:45 PM on December 25, 2007
Best answer: I do use portable thunderbird on linux and windows. It means that you have to have wine installed on the linux machine. I don't know if it's possible to make a linux binary that's very portable and will play nice with using the same data files as the windows version.
posted by a robot made out of meat at 6:22 PM on December 25, 2007
If you're truly worried, change your Gmail password to something long and bizarre, and get to it using Portable Thunderbird with IMAP instead of the web client.
But seriously, email is insecure by design. If you care about the security of your email, and you're exchanging non-encrypted mails, you don't really care about the security of your email.
posted by flabdablet at 12:37 AM on December 26, 2007
(While what happened to that guy was pretty terrible, it should also be noted that two security "failures" occurred--one was the scripting attack and the other was his NIC releasing his domain purely by email. My NIC, and I imagine a lot of others, would have said "here's how to do it, please log into your account and do it there." Maybe I'm all wet on this.)
posted by maxwelton at 2:07 AM on December 26, 2007
robot, I quite regularly set people up with dual boot Ubuntu/Windows boxes that share a Thunderbird profile between the Windows and Linux installations of Thunderbird. Also, because Linux has no Registry, pretty much all Linux apps are inherently portable. So it seems to me that doing this without Wine should actually be easier than doing it with.
posted by flabdablet at 3:02 AM on December 26, 2007
And to elaborate on the scripting attack: It doesn't quite say so, but obviously he clicked a link to that malicious website via an email in his inbox. For extra safety, treat links in unknown sender mails the same way you'd treat attachments: Don't touch them. For all of that guy's moaning and groaning about the horrible hole found in Gmail, remember, he still had to actively assist the attacker.
posted by poppo at 5:07 AM on December 26, 2007
flab: if there exists a linux thunderbird that someone has bothered to make suitable, that'd be great to see. My understanding is that the install is designed to put files/links in a large-ish number of places. Mine claims to have files in (paring down to mostly unique ones)
/usr/lib/mozilla-thunderbird
/usr/sbin
/usr/share
/usr/share/lintian
/usr/share/lintian/overrides
/usr/share/lintian/overrides/mozilla-thunderbird
/usr/share/mozilla-thunderbird
/usr/share/doc/mozilla-thunderbird
/usr/share/applications
/usr/share/pixmaps
/usr/share/pixmaps/mozilla-thunderbird.xpm
/usr/share/menu/mozilla-thunderbird
/usr/share/man/man1/mozilla-thunderbird.1.gz
/usr/bin/mozilla-thunderbird
/etc/mozilla-thunderbird
/var/lib/mozilla-thunderbird
I have no idea how much of that is necessary.
posted by a robot made out of meat at 8:54 AM on December 26, 2007