"A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the hacking tool, is planning to release it in two weeks."
The solution is to set Permanent SSL in Gmail:
- Sign in to Gmail.
- Click Settings at the top of any Gmail page.
- Set 'Browser Connection' to 'Always use https.'
- Click Save Changes.
- Reload Gmail.
Mobile/Firefox Users: I will make the immediate assumption that enabling permanent SSL will break all mobile access/apps and Firefox plugins. Edit: Palm T|X browser works, Palm TREO browser works, Gmail manager in FF3 works.
This is especially important for anyone using unsecured WiFi networks or anyone residing in buildings with unsecured networks. Although you may not know it, your WiFi connection may jump on unsecured networks without your knowing. This has happened to me many times. This will put you at risk.
While you're at it, update that password. And throw in a few weird characters and numbers. Something like 'W@rri0rF0rum' goes a long way.