Gmail Dashboard Not Secure

While listening to the most current Security Now (Episode #65: Why is Security So Difficult?), I was intrigued by a discussion between Leo Laporte and Steve Gibson about how some online web mail apps — such as Gmail, Hotmail, etc. — have users log into the system securely, but then once you are in, the session is no longer secure while you read, transfer and compose mail.

So I tested my gmail.com account, and sure enough I can log into https://mail.google.com securely and stay secure during my session, but when I log into http://mail.google.com, my session is briefly secure during login, but not secure after login.

These days, I use Google’s own Gmail Dashboard to check my Gmail account. However, when I do this, the session is not secure! For some unknown reason (probably just an oversight by the developer), Google did not make the Gmail Dashboard client secure. But do not worry. You can secure the dashboard client with a little sleuthing, and all you need is a text editor that can read a JavaScript file.

Step 1: Open the Widget directory at ~/Library/Widgets
Find the one named Gmail.wdgt, and right-click on it to Show Package Contents.

Step 2: Inside the Scripts directory, you will find a file named GmailInteraction.js
Open this in a JavaScript text editor, like Dashcode, TacoHTML Edit, or even TextEdit.

Step 3: At the top of the document, you will find:
// The base URL to open.
// TODO (bonneau): Internationalize URL.
Gmail.gmailUrl = "http://mail.google.com/mail";

Simply change the http to https, and save the document. You can also close all of the Package Contents windows that you opened to unclutter the Desktop.

Step 4: Go to the Dashboard. Find your Gmail dashboard and, while holding down the Command key, click the “X” to close it. Now reload the Gmail dashboard by clicking on the “+” sign in the bottom left corner to bring up your installed dashboard apps. Find Gmail, and drag it to a location on your Dashboard. Now enter your Gmail handle and password, and go to your Inbox.

You should now be able to sustain security during your Gmail sessions. And just in time for the holidays!
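
The edit from Steps 1 to 3 can also be scripted. The following is an added example, not part of the original post or of Google's widget code; it assumes the Scripts directory sits directly inside Gmail.wdgt, and the function names are hypothetical. It goes slightly beyond the steps by keeping a backup and counting any http:// URLs still left in the file.

```shell
#!/bin/sh
# Added example: apply the http -> https change from Steps 1-3 to
# GmailInteraction.js, keeping a backup of the original file.
# Assumption: Scripts/ sits directly inside Gmail.wdgt.
WIDGET_JS="${HOME}/Library/Widgets/Gmail.wdgt/Scripts/GmailInteraction.js"

# Matches the assignment from Step 3; the trailing '.' is the opening quote.
ASSIGN='Gmail\.gmailUrl[[:space:]]*=[[:space:]]*.'

# secure_gmail_url FILE
# Returns 0 if the base URL is https afterwards (changed or already secure),
# 1 if the file is missing or cannot be written, 2 if the assignment is absent.
secure_gmail_url() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }

    if grep -q "${ASSIGN}https://" "$file"; then
        echo "already https: $file"
        return 0
    fi
    grep -q "${ASSIGN}http://" "$file" || {
        echo "no Gmail.gmailUrl assignment in $file" >&2; return 2; }

    cp -p "$file" "$file.bak" || return 1
    # Read from the backup and write in place: avoids sed -i (BSD vs GNU)
    # and keeps the original file's permissions. Restore on failure.
    sed "s|\(${ASSIGN}\)http://|\1https://|" "$file.bak" > "$file" ||
        { cp -p "$file.bak" "$file"; return 1; }
    echo "rewrote base URL to https (backup: $file.bak)"
    return 0
}

# count_plain_http FILE: number of lines that still contain an http:// URL,
# so any other cleartext endpoint in the script gets noticed.
count_plain_http() {
    grep -c 'http://' "$1" || true
}

# Touch the real widget only when the script is run with the argument "apply".
if [ "${1:-}" = "apply" ]; then
    secure_gmail_url "$WIDGET_JS" &&
        echo "lines still using http://: $(count_plain_http "$WIDGET_JS")"
fi
```

Step 4 (closing and re-adding the widget) is still needed afterwards so that Dashboard loads the edited script.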

UPDATE: The Google Toolbar for Firefox (and possibly others) also has this problem; however, I do not have a fix for it at this time. Contact Google to ask them to secure the Gmail functionality in the Google Toolbar for Firefox.


2 Responses to “Gmail Dashboard Not Secure”

  1. This topic is quite trendy on the Internet right now. What do you pay the most attention to when choosing what to write about?

  2. Thanks! I’ve made the change. Google still, as of its most recent Gmail Dashboard update of Dec 2007, has not changed the base url to be secure.
