
Secure Gmail Notifier using hidden preference setting Apps
I was shocked to discover that the Gmail Notifier, as distributed by Google, defaults to sending your Gmail password over the network in clear text every time it checks your inbox for new mail. This is incredibly insecure, especially since Google has plenty of smart people who know how to secure internet communication. They have the capability to enable secure communication as proven by the ability to access Gmail entirely over HTTPS (by using https://mail.google.com as the entry point). As it turns out, there is an easy "hack" for Mac users to switch Gmail notifier to HTTPS as well:

Pull down the Notifier menu (either Calendar or Gmail), hold down Command and Option, and click Preferences on the menu. You'll see a hidden settings editor. Enter SecureAlways in the Key field (upper and lower case must be entered as shown) and 1 in the Value field, then click Set. Quit Notifier and start it up again. From now on, all connections with both Gmail & Gcal will be https. Thanks to this comment on the O'Reilly blogs for this trick!
Secure Gmail Notifier using hidden preference setting
Authored by: unforeseen:X11 on Jul 09, '07 09:31:56AM

Sometimes I really wonder what Google is thinking. Thank you for sharing!

---
this is not the sig you`re looking for.



Secure Gmail Notifier using hidden preference setting
Authored by: tvl on Jul 09, '07 12:55:09PM

Actually the writeup isn't correct. If you look at the traffic, they use https for the login, and use some token in the http request for authorization after the fact (same as what reading gmail via http does). The pref just moves this later traffic over https (just like using https for gmail reading does).



Secure Gmail Notifier using hidden preference setting
Authored by: brucio on Jul 09, '07 10:34:48AM

Excellent hint! Thanks!



Secure Gmail Notifier using hidden preference setting
Authored by: fcote on Jul 09, '07 11:25:38AM

Great tip, Thanks!



Secure Gmail Notifier using hidden preference setting
Authored by: UberFu on Jul 09, '07 04:09:30PM
Well - not sure about the Notifier [never used it]

BUT - I dug thru the Gmail Widget [which I use constantly] and the initial request goes out to http://www.google.com/mail - but a little farther down the code - it uses 2 https calls for authentication_

I went and switched the initial request to https [didn't break it] and looks like it's rather secure - for web security_

Secure Gmail Notifier using hidden preference setting
Authored by: tobyvoss on Jul 10, '07 01:56:49AM
the very obvious alternatives to the way given in this hint are:
1. in Terminal, type defaults write com.google.GmailNotifier SecureAlways -string 1
2. in Property List Editor, open the file ~/Library/Preferences/com.google.GmailNotifier.plist and add a new child named SecureAlways of class String and value 1 under Root

Secure Gmail Notifier using hidden preference setting
Authored by: delepster on Jul 10, '07 05:35:36AM

Wow, thanks for the tip!



Secure Gmail Notifier using hidden preference setting
Authored by: derherr on Jul 10, '07 07:14:26AM
As a Firefox user, I prefer the Gmail Manager extension. https://addons.mozilla.org/en-US/firefox/addon/1320

In the Preferences, there is an explicit option "Use secured connection when checking this account" (among other handy features). Check it out.


Secure Gmail Notifier using hidden preference setting
Authored by: thomasbosboom on Jul 13, '07 05:06:51AM

This is my submission, apparently my name didn't come through. Too bad ;-)
Anyway, the lesson is it can be revealing to run Wireshark on your Mac for a while and then search for your passwords in the capture. This should reveal any insecure communication.
It turned out I also misconfigured iCal so that it was sending my server pass in the clear every time I updated my calendar... oops!





[ Reply to This | # ]
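The self-audit suggested in the comment above (capture your own traffic, then search it for your own password), as an added example that is not part of the original hint or comments. It goes beyond a plain text search by also looking for the URL-encoded and Base64 forms a cleartext protocol may use. The function names, the sample secret and the sample capture are constructed for illustration; it reads classic pcap files only, and a secret split across TCP segments or carried inside TLS will not match.

```python
import base64
import struct
import urllib.parse

def secret_patterns(secret):
    """Byte strings under which a cleartext protocol may carry the secret."""
    raw = secret.encode()
    pats = {"raw": raw}
    quoted = urllib.parse.quote(secret, safe="").encode()
    if quoted != raw:
        pats["url-encoded"] = quoted
    # Base64 (e.g. HTTP Basic "user:pass") shifts with the secret's position in a
    # 3-byte group: encode at each offset, keep only characters it fully determines.
    for k in range(3):
        b64 = base64.b64encode(b"\x00" * k + raw)
        pats["base64@%d" % k] = b64[(8 * k + 5) // 6:8 * (k + len(raw)) // 6]
    return pats

def iter_packets(pcap):
    """Yield (index, captured bytes) for each record of a classic pcap file."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
             b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not classic pcap (pcapng is not handled here)")
    off, idx = 24, 0  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "I", pcap, off + 8)[0]
        yield idx, pcap[off + 16:off + 16 + incl_len]
        off, idx = off + 16 + incl_len, idx + 1

def find_secret(pcap, secret):
    """Return sorted (packet index, encoding) pairs where the secret appears."""
    pats = secret_patterns(secret)
    return sorted({(i, name) for i, data in iter_packets(pcap)
                   for name, pat in pats.items() if pat and pat in data})

def build_sample():
    """Constructed capture: three payload-only records, not real traffic."""
    basic = base64.b64encode(b"bob:s3cr&t pw")
    frames = [b"GET /feed HTTP/1.1\r\nHost: mail.example\r\n\r\n",
              b"POST /login HTTP/1.1\r\n\r\nuser=bob&pass=s3cr%26t%20pw",
              b"GET /cal HTTP/1.1\r\nAuthorization: Basic " + basic + b"\r\n\r\n"]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(find_secret(build_sample(), "s3cr&t pw"))
```

To check a real capture, read a file written in classic pcap format (for example by `tcpdump -w`) and pass its bytes to `find_secret` together with the password being audited.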
Secure Gmail Notifier using hidden preference setting
Authored by: osxpounder on Jul 13, '07 09:08:51AM

Thomas, how do you secure iCal so it doesn't send your info in cleartext?



Secure Gmail Notifier using hidden preference setting
Authored by: creeeatura on Jul 29, '07 11:04:41AM

Is it possible to hack Gmail notifier (the one working on Panther, not Google notifier) to force it to use SSL?
I've modified the .plist adding the SecureAlways / value 1 tags, but it seems it doesn't work.



Secure Gmail Notifier using hidden preference setting
Authored by: tvl on Oct 29, '07 02:51:22PM

With 1.9.100 or later of notifier, it does all traffic over https.


