ABOUT CLICK

Welcome to CLICK, the Daily News' home for everything interesting on the internet. If people are clicking on it, we're here to tell you about it, from internet widgets to viral video. Have a suggestion for something CLICK-worthy? E-mail us.

February 4, 2008

Secure Gmail not as secure as we thought

I've blogged before on how Gmail has an advantage over Yahoo Mail -- and most other Web-based e-mail services -- because you can choose to run a totally secure session (by entering the URL https://gmail.com instead of plain ol' http://gmail.com) and feel safe when reading and writing e-mail over public WiFi connections.

Seems it isn't so. According to the Zero Day blog at ZDNet, somebody monitoring the radio traffic of your wireless connection can figure out your password through the use of unencrypted cookies with a technique called "sidejacking":

Sidejacking is a term (Robert) Graham uses to describe his session hijacking hack that can compromise nearly all Web 2.0 applications that rely on saved cookie information to seamlessly log people back in to an account without the need to reenter the password. By listening to and storing radio signals from the airwaves with any laptop, an attacker can harvest cookies from multiple users and go in to their Web 2.0 application. Even though the password wasn’t actually cracked or stolen, possession of the cookies acts as a temporary key to gain access to Web 2.0 applications such as Gmail, Hotmail, and Yahoo. The attacker can even find out what books you ordered on Amazon, where you live from Google maps, acquire digital certificates with your email account in the subject line, and much more.

Gmail in SSL https mode was thought to be safe because it encrypted everything, but it turns out that Gmail’s JavaScript code will fall back to non-encrypted http mode if https isn’t available. This is actually a very common scenario anytime a laptop connects to a hotspot before the user signs in where the laptop will attempt to connect to Gmail if the application is opened but it won’t be able to connect to anything. At that point in time Gmail’s JavaScripts will attempt to communicate via unencrypted http mode and it’s game over if someone is capturing the data.

What’s really sad is the fact that Google Gmail is one of the “better” Web 2.0 applications out there and it still can’t get security right even when a user actually chooses to use SSL mode. Other applications like Microsoft’s MSN/Hotmail and Yahoo don’t even have SSL modes. The fact that they use SSL mode for first time authentication and sign-in is irrelevant because they all drop down to unencrypted mode right after the user authenticates.

I don't use my DSL Extreme Web mail as often as I should. It has a secure connection the whole time, and it's primitive enough -- I hope -- not to have these same vulnerabilities. Fastmail.fm, on which I also have a free account, will also do a secure session if you choose "secure login" when signing on.

I'm far from a security expert, but it seems to me that we'd be in better shape if we had the option of running a Web browser in secure-server mode all the time.
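The fallback described in the quoted passage comes down to which cookies a browser attaches to a plain http:// request. The following is an added example, not code from this post, ZDNet or Google: it models that rule for constructed Set-Cookie headers on the made-up host mail.example.test, so a site owner can see which cookies lack the Secure attribute and would travel in cleartext. It assumes host-only cookies on a single host and ignores expiry.

```python
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers received over HTTPS from a webmail host.
# Cookie names and values are invented for illustration.
SAMPLE_SET_COOKIE = [
    "SESSION=abc123; Path=/; Secure; HttpOnly",
    "AUTH=def456; Path=/mail",
    "PREFS=lang-en; Path=/",
]

def parse_set_cookie(line):
    """Parse one Set-Cookie value into name, value, Secure flag and Path."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return {"name": name, "value": value,
            "secure": "secure" in attrs, "path": attrs.get("path") or "/"}

def path_matches(cookie_path, request_path):
    """Cookie path-match rule: exact match or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(jar, url):
    """Names of cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    path = parts.path or "/"
    sent = []
    for cookie in jar:
        if cookie["secure"] and parts.scheme != "https":
            continue  # Secure cookies never leave over plain HTTP
        if path_matches(cookie["path"], path):
            sent.append(cookie["name"])
    return sent

def exposed_on_fallback(set_cookie_headers, https_url):
    """Cookies that would go out in cleartext if the same URL were fetched over http."""
    jar = [parse_set_cookie(h) for h in set_cookie_headers]
    http_url = "http://" + https_url[len("https://"):]
    return cookies_sent(jar, http_url)

if __name__ == "__main__":
    print(exposed_on_fallback(SAMPLE_SET_COOKIE, "https://mail.example.test/mail/inbox"))
```

Any cookie this reports for a logged-in path is one a passive listener on the same wireless network could capture; marking it Secure keeps it off http:// requests.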

January 25, 2008

Why I barely use Internet Explorer 7, even though I was a big fan of IE6

Let's get to it: I have one Web site that I work on infrequently that requires Internet Explorer, but since I barely have to do anything on it, I am free to use IE, or not.

And I waited at least a year to "upgrade" my IE6 to IE7 on the XP box at work. Yeah, it's an upgrade because now IE has tabbed browsing -- a feature Firefox has had for years, and which IE probably would've never added had FF not had it first.

I like IE6 because it was a fast program -- it opened fast and did the rest of its thing fast. And I could use it as an FTP client.

Now that I have IE7, sure there is tabbed browsing, and it looks a little better, but it's way slower than Firefox, and I pretty much only fire up IE for ONE Web site because it's at the top of my IE favorites and the bottom of my FF favorites.

IE loads more slowly, the favorites come up slower -- basically it gets beat by FF in performance by every measure. (I'm running a 3 GHz Pentium 4 with 512 MB of RAM.)

And I can run Firefox in Windows, Linux, BSD and Mac OS X ... and I do (though I'm partial to the Mozilla-derived Epiphany in the GNOME desktop, as well as the Seamonkey browser/e-mail client/HTML editor suite -- also based on Mozilla).

Truth be told, if it really bothered me, I'd try to roll the box back to IE6, if that indeed can be done. Since IE7 installs over your IE6, I think it might be a problem to "go back."

Note: While I can't get the same FTP functionality out of IE7, I have a Windows workaround: Open up My Computer from the Start menu, and type your FTP address in the search bar. The window functions pretty much like IE6 -- it's the same "Explorer"-like interface Windows uses to let you examine your own files, and it does FTP just like IE6. Thanks, Microsoft!

I used to think IE was the best browser for OS X, too -- that final version of IE5 for the Mac was a masterful, innovative application, and I'm sorry Microsoft abandoned it. Safari doesn't have enough critical mass to cut it -- many Web sites don't look so hot in it -- so Firefox is pretty much the browser of record for the Mac, too.

And Mozilla is making hand-over-fist money by getting a cut of the Google searches made through the browser. All it means is more money that Microsoft isn't making.

Hope you're happy, Microsoft!

December 14, 2007

Should the entire Internet be secure?

I think we're getting to that point. We all worry about accessing e-mail over Web portals (or via POP and IMAP servers) that are not encrypted and secure. Or we should be.

And using the Seamonkey browser in Puppy 3.01, I'm constantly being warned about information being exchanged that's not secure.

I appreciate the warning. I even started using my DSL Extreme mail account more often because not only is the Web-portal login secure, but the whole session is as well. And I also have encryption turned on when I access the mail server via IMAP.

And most people won't think of entering personal and financial information when banking or buying stuff online unless they see the "https://" before the address.

So why are we doing so much other stuff without the "s"?

I don't know what the particulars are, but I think we're at the point with the Internet where every single damn thing ought to be encrypted and secure.

July 10, 2007

Is a cheaper, smaller iPhone in the works?

Rumour has it that Apple Inc. is planning on introducing a cheaper, smaller version of the iPhone later this year. The rumour gained momentum last Thursday when it was made public that Apple Inc. filed a patent application last November describing "a multifunctional handheld device with a circular touch pad displaying illuminated symbols that could change depending on the mode in use," which Apple enthusiasts are interpreting as an "iPhone Nano."

June 27, 2007

New RealPlayer lets users download, record videos

The beta version of RealPlayer 11 is out and it's free.

Among the new features, RealPlayer 11 allows users to burn videos to CDs in the VCD format. (You will need to buy the $29.99 RealPlayer Plus to burn to DVDs.)

RealPlayer 11 is also capable of recognizing video content protected by DRM (digital rights management) and blocking it from being recorded.

RealNetworks is also planning additional features - such as allowing video content to be downloaded to iPods and other portable devices.

Copyright © 2007 Los Angeles Newspaper Group