Play It Safe, Secure Google Notifier
Chances are that if you use Gmail or Gmail for your domain, you are also a devout user of Google Notifier to let you know when your inbox needs your attention. Also, chances are that if you read this blog you have been on your neighbor’s Wi-Fi, or some other insecure Wi-Fi network, a few times before.
Unfortunately, Google Notifier transmits your account password over the network in clear text, making you an easy target on those insecure networks that might be patrolled by mischievous script kiddies. Mac OS X Hints details a simple workaround to enable secure authentication over HTTPS.
Pull down the Notifier menu (either Calendar or Gmail), hold down Command and Option, and click Preferences on the menu. You’ll see a hidden settings editor. Enter SecureAlways in the Key field (upper and lower case must be entered as shown) and 1 in the Value field, then click Set. Quit Notifier and start it up again.
Source: Mac OS X Hints



Great tip, I wasn’t even aware that Google Notifier transmitted your account password in clear text.
Thanks for the tip; I put it to use immediately. I am, after all, typing this from an insecure wi-fi connection in a coffeeshop.
Don’t forget about the Gmail Secure Greasemonkey script so that all Gmail sessions in Firefox use HTTPS.
Any word on how to do this for the Windows notifier?
I never understood why google doesn’t make its default communications secure (HTTPS). That is one of the main reasons why people hesitate, especially corporations, to use online services to hold sensitive information. I always use https://gmail.com when I check my email.
Paul–Great tip. Thanks! What about the third party greader notifier for mac? Should we be concerned about that?
Great tip, Paul! Thanks for sharing… :)
notifier is anti 4hww.
Thanks for the quick tip. I am sure every coffee shop surfer appreciates this quick tip.
No hotspots for me, I only use my Verizon EVDO card. Then I just leave Gmail open all the time, in https. It’s the one tab in Firefox that is rarely ever closed. :)
One would expect Google to be a bit more aware of these things… of course not. Good tip Paul. Thanks.
Is there any reason Google doesn’t secure the transport link by default? It seems like common sense to use encryption when something’s sending a password across the ‘net.
What a neat little tip. Cheers Paul.
Thanks for reading Mac OS X Hints, so we don’t have to!
@drew moser - I don’t think that would be possible with the third party greader notifier since it was made by an individual, not Google and likely doesn’t have the same coding convention of this little tip.
Great tip! I’ve stumbled upon another very useful Gmail tip to prevent spam messages….
http://www.security-hacks.com/2007/07/13/combat-spam-with-gmail-aliases
check it out!
I just installed gmail notifier on both my Mac and PC.
I did some sniffing and never saw the password cross the wire in cleartext. An SSL session using a Thawte certificate is setup and it appears that the password is only sent using SSL.
Sorry, but I think this post is incorrect in asserting that the password is sent cleartext by default.
Tony, what were you using for the sniffing? Ethereal? Regardless, when writing this post I didn’t take a look for myself and trusted the folks at http://www.macosxhints.com/article.php?story=200707030100345
They seem to think it does.
Paul Stamatiou,
I used both ethereal and tcpdump. In both cases (Windows and Mac) I was able to see the SSL handshake prior to authentication. The cookie that was provided after authentication was then transmitted cleartext, but the password itself was transmitted over SSL.
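One way to check for yourself what a client sends in the clear, in the spirit of Tony's sniffing above: an added Python example, not from the post or from Google Notifier, that walks over constructed HTTP request records (hosts, cookies and field names are made up, not a real capture) and flags passwords, Authorization headers and session cookies that went over port 80 instead of TLS.

```python
"""Flag credentials or session cookies sent without TLS.  Added example;
the records below are constructed, not a real Notifier capture."""
from urllib.parse import parse_qs

# Constructed records: (destination port, request text).  In a real capture
# only the port-80 requests are readable; port-443 payload is TLS ciphertext.
CAPTURED = [
    (443, "<TLS ciphertext, not parseable>"),
    (80, "GET /feed/atom HTTP/1.1\r\nHost: notifier.example.com\r\n"
         "Cookie: SID=constructed-session-id; GX=abc\r\n\r\n"),
    (80, "POST /login HTTP/1.1\r\nHost: notifier.example.com\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "Email=alice%40example.com&Passwd=hunter2&service=mail"),
]

# Form field names commonly used for a password (assumed list, extend as needed)
PASSWORD_FIELDS = {"passwd", "password", "pass", "pwd"}


def findings_for(port, payload):
    """Return (kind, name) pairs for sensitive items sent over plaintext HTTP."""
    if port == 443 or not payload.startswith(("GET ", "POST ")):
        return []  # TLS, or not an HTTP request: nothing readable to flag
    head, _, body = payload.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    found = []
    if "authorization" in headers:               # e.g. Basic credentials
        found.append(("auth-header", headers["authorization"].split()[0]))
    for cookie in headers.get("cookie", "").split(";"):
        name = cookie.split("=", 1)[0].strip()   # a cleartext cookie can be replayed
        if name:
            found.append(("cookie", name))
    for name in parse_qs(body):                  # urlencoded form body
        if name.lower() in PASSWORD_FIELDS:
            found.append(("password-field", name))
    return found


def audit(records):
    """Run findings_for over every record, keeping the port for the report."""
    return [(port, kind, name) for port, payload in records
            for kind, name in findings_for(port, payload)]


if __name__ == "__main__":
    for port, kind, name in audit(CAPTURED):
        print(f"cleartext on port {port}: {kind} {name}")
```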
Good tip, thanks.