Gmail username and password authentication takes place over HTTPS, but once you are logged in you get a session cookie and the rest of your session takes place over unencrypted HTTP. The browser attaches that cookie, in the clear, to every request it sends to Gmail, so anyone who can see the traffic can read it. Robert Graham’s demo at Black Hat showed that by sniffing the cookie over an open network and replaying it, the Gmail session can be hijacked without ever learning the password.
Gmail supports HTTPS, but the only way to get it is to specify ‘https:’ in the URL when you load the site. Google should redirect all HTTP Gmail traffic to HTTPS by default. Redirecting is only half the fix: unless the session cookie is also set with the Secure attribute, the browser will still send it over plain HTTP the moment anything points it at an http:// Gmail URL, and that single cleartext request is all a sniffer needs.
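Added example (not Graham’s sniffer and not Google’s code): a self-contained Python model of both halves of the problem, run on a constructed cleartext request. `sniff_cookies` does what a passive sniffer on an open network does, `forge_request` shows the cookie being replayed with no password involved, and `serve`, `issue_session_cookie` and `cookies_browser_would_send` show the fix: redirect HTTP to HTTPS and mark the cookie Secure so the browser never puts it on the wire in the clear. The host, the paths, the cookie name SESSION and its value are assumed for illustration and are not Gmail’s real ones.

```python
"""Cookie sniffing and the HTTPS-only fix, modelled on constructed data.

Added example for this post; not Robert Graham's tool and not Google's code.
The cookie name SESSION, its value, and the paths are hypothetical.
"""

# Constructed sample: one cleartext HTTP request as anyone on the same open
# network would see it, captured after the user authenticated over HTTPS.
SNIFFED_REQUEST = (
    b"GET /mail/?ui=2 HTTP/1.1\r\n"
    b"Host: mail.google.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: SESSION=8f3a9c0d7e6b; PREF=lang-en\r\n"
    b"\r\n"
)

SESSION_COOKIE = "SESSION"  # hypothetical name for the session cookie


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and a header dict.
    Header names are lower-cased; the body, if any, is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def sniff_cookies(raw: bytes) -> dict[str, str]:
    """What a passive sniffer does: lift every cookie out of a cleartext request."""
    _, headers = parse_request(raw)
    jar: dict[str, str] = {}
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def forge_request(host: str, path: str, stolen: dict[str, str]) -> bytes:
    """The hijack: a request that reuses the stolen cookie. No password needed."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie_header}\r\n\r\n"
    ).encode("latin-1")


# --- the fix, server side ---

def issue_session_cookie(session_id: str, secure: bool) -> str:
    """Build the Set-Cookie header. secure=False is the weak form the post complains
    about; secure=True adds the Secure attribute, which tells the browser to attach
    the cookie to https requests only."""
    header = f"{SESSION_COOKIE}={session_id}; Path=/"
    return header + "; Secure" if secure else header


def audit_set_cookie(set_cookie: str) -> list[str]:
    """Findings a reviewer would raise against a Set-Cookie header."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will send this cookie over plain HTTP")
    return findings


def serve(scheme: str, host: str, path: str, cookies: dict[str, str]) -> dict:
    """Corrected request handling: HTTP is redirected to HTTPS before the session
    cookie is looked at, so the mailbox is never served over a cleartext connection."""
    if scheme != "https":
        return {"status": 301, "headers": {"Location": f"https://{host}{path}"}, "body": ""}
    session = cookies.get(SESSION_COOKIE)
    if session is None:
        return {"status": 302, "headers": {"Location": f"https://{host}/login"}, "body": ""}
    return {"status": 200, "headers": {}, "body": f"inbox for session {session}"}


# --- the browser's side of the Secure attribute ---

def cookies_browser_would_send(jar: list[dict], scheme: str) -> dict[str, str]:
    """Model the browser rule for Secure: a cookie carrying the attribute is attached
    to https requests only, so it never reaches the wire in the clear even when the
    user follows an http:// link and is then redirected."""
    return {c["name"]: c["value"] for c in jar if scheme == "https" or not c["secure"]}


if __name__ == "__main__":
    stolen = sniff_cookies(SNIFFED_REQUEST)
    print("sniffed:", stolen)
    print(forge_request("mail.google.com", "/mail/", stolen).decode("latin-1"))
    print("weak cookie:", audit_set_cookie(issue_session_cookie("8f3a9c0d7e6b", secure=False)))
    print("fixed cookie:", audit_set_cookie(issue_session_cookie("8f3a9c0d7e6b", secure=True)))
    print("http request ->", serve("http", "mail.google.com", "/mail/", stolen))
    jar = [{"name": SESSION_COOKIE, "value": "8f3a9c0d7e6b", "secure": True}]
    print("on http the browser sends:", cookies_browser_would_send(jar, "http"))
```

The order of the two fixes matters: `serve` redirects before it validates the cookie, and `cookies_browser_would_send` shows that with Secure set the redirect request itself carries no cookie, so the window between a stray http:// link and the 301 leaks nothing.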
★ Friday, 3 August 2007