Chances are that if you use Gmail or Gmail for your domain, you are also a devout user of Google Notifier to let you know when your inbox needs your attention. Also, chances are that if you read this blog you have been on an insecure Wi-Fi network a few times before.
Unfortunately, Google Notifier transmits your account password over the network in clear text, making you an easy target on those insecure networks that might be patrolled by mischievous script kiddies. Mac OS X Hints details a simple workaround to enable secure authentication over HTTPS.
Pull down the Notifier menu (either Calendar or Gmail), hold down Command and Option, and click Preferences on the menu. You’ll see a hidden settings editor. Enter SecureAlways in the Key field (upper and lower case must be entered as shown) and 1 in the Value field, then click Set. Quit Notifier and start it up again.
Source: Mac OS X Hints

{ 19 comments }
Great tip, I wasn’t even aware that Google Notifier transmitted your account password in clear text.
Thanks for the tip; I put it to use immediately. I am, after all, typing this from an insecure wi-fi connection in a coffeeshop.
Don’t forget about the Gmail Secure Greasemonkey script so that all Gmail sessions in Firefox use HTTPS.
Any word on how to do this for the Windows notifier?
I never understood why Google doesn’t make its default communications secure (HTTPS). That is one of the main reasons why people hesitate, especially corporations, to use online services to hold sensitive information. I always use https://gmail.com when I check my email.
Paul–Great tip. Thanks! What about the third party greader notifier for mac? Should we be concerned about that?
Great tip, Paul! Thanks for sharing… :)
notifier is anti 4hww.
Thanks for the quick tip. I am sure every coffee shop surfer appreciates this quick tip.
No hotspots for me, I only use my Verizon EVDO card. Then I just leave Gmail open all the time, in https. It’s the one tab in Firefox that is rarely ever closed. :)
One would expect Google to be a bit more aware of these things… of course not. Good tip Paul. Thanks.
Is there any reason Google doesn’t secure the transport link by default? It seems like common sense to use encryption when something’s sending a password across the ‘net.
What a neat little tip. Cheers Paul.
Thanks for reading Mac OS X Hints, so we don’t have to!
@drew moser – I don’t think that would be possible with the third party greader notifier since it was made by an individual, not Google and likely doesn’t have the same coding convention of this little tip.
Great tip! I’ve stumbled upon another very useful Gmail tip to prevent spam messages….
http://www.security-hacks.com/2007/07/13/combat-spam-with-gmail-aliases
check it out!
I just installed Gmail Notifier on both my Mac and PC.
I did some sniffing and never saw the password cross the wire in cleartext. An SSL session using a Thawte certificate is set up and it appears that the password is only sent using SSL.
Sorry, but I think this post is incorrect in asserting that the password is sent cleartext by default.
Tony, what were you using for the sniffing? Ethereal? Regardless, when writing this post I didn’t take a look for myself and trusted the folks at http://www.macosxhints.com/article.php?story=200707030100345
They seem to think it does.
Paul Stamatiou,
I used both Ethereal and tcpdump. In both cases (Windows and Mac) I was able to see the SSL handshake prior to authentication. The cookie provided after authentication was then transmitted in cleartext, but the password itself was transmitted over SSL.
Good tip, thanks.