How Secure is RTM?
mmclark says:
After reading with some concern about the sidejacking of GMail during last year's Blackhat conference (see http://blogs.zdnet.com/Ou/?p=651), I found that the issue mentioned could be addressed by running GMail over SSL.
Well, it turns out that that doesn't always work. Even SSL GMail can be compromised because in certain cases GMail will fall back to plain HTTP if HTTPS fails (see http://blogs.zdnet.com/security/?p=842).
Has RTM been reviewed for sidejacking vulnerabilities? If I only access RTM via SSL, is there a guarantee that *all* traffic between the browser and the server will be encrypted?
Thanks!
emily (Remember The Milk) says:
When accessing RTM via the HTTPS URL, all data sent between the browser and the server is encrypted (RTM does not "fall back" to HTTP if used with HTTPS). However, images are not encrypted, nor is the JavaScript for Google Maps (required for the Locations feature -- this code isn't available via SSL). Hope this helps.
emily (Remember The Milk) says:
Just an update -- we've been able to make a change to how RTM loads.
While the JavaScript for Google Maps still isn't available via SSL, Google recently made it possible to load Maps dynamically. It will now only be loaded by RTM if you go to the 'Locations' screen (so you can avoid that screen if you don't wish to have code loaded via HTTP).
Images are now also encrypted (so that browsers shouldn't warn about unencrypted items). Hope this helps.
emily (Remember The Milk) says:
Further update -- it looks like IE is still warning about nonsecure items (but you can safely click 'No' in the dialog where it asks if you want to display the nonsecure items). We're checking into this.
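The two problems raised in this thread are (a) a session cookie that the browser would also send over plain HTTP (the sidejacking case) and (b) an HTTPS page that pulls in images or scripts over http://, which is what triggers the "nonsecure items" dialog. The following is an added example, not code from Remember The Milk or from anyone in this thread: a small Python checker that scans a page's HTML for mixed content (flagging scripts and stylesheets as "active" and images as "passive") and inspects a Set-Cookie header for the Secure attribute. The HTML, hostnames and cookie values are constructed for the example; `example.test` is a placeholder, not a real RTM or Google host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Sub-resources that can execute in the page are "active" mixed content;
# images and media are "passive" (still leak what you view, but cannot run code).
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}
SRC_ATTRS = {"src", "href", "data"}


class MixedContentParser(HTMLParser):
    """Collects (kind, tag, absolute_url) for every sub-resource fetched over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS and tag not in PASSIVE_TAGS:
            return
        attrs = dict(attrs)
        # <link> only loads something when it is a stylesheet; <a href> is navigation, not a fetch.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        for name in SRC_ATTRS:
            value = attrs.get(name)
            if not value:
                continue
            # Relative and scheme-relative ("//host/...") URLs inherit https from the page,
            # so only an explicit http:// scheme is a finding.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((kind, tag, absolute))


def find_mixed_content(html, page_url):
    """Return the list of http:// sub-resources referenced by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


def cookie_is_sidejackable(set_cookie_header):
    """True when a Set-Cookie header lacks the Secure attribute, meaning the
    browser would also send the cookie on any plain-HTTP request to the site."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "secure" not in attributes


# Constructed sample page: one http:// script, one http:// image, plus
# relative and scheme-relative references that are fine on an https page.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="http://maps.example.test/maps.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="//img.example.test/icon.png">
<a href="http://example.test/help">help</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, "https://www.example.test/home"):
        print(f"{kind:7} <{tag}> {url}")
    for header in ("session=abc123; Path=/; HttpOnly",
                   "session=abc123; Path=/; Secure; HttpOnly"):
        print(header, "->", "sidejackable" if cookie_is_sidejackable(header) else "ok")
```

The scheme-relative form (`//host/path`) is the usual way to let one HTML template work on both http and https pages without hard-coding a scheme, which is why it is treated as clean here; an explicit `http://` in a `<script src>` on an https page is the case the thread is discussing, and the active/passive split matches how browsers rank the two.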