writes: "The Register is reporting on a simple hack that disables SSL session protection for users logged into their Google accounts. This behavior could be easily exploited by malicious persons to take control of user sessions at wireless hotspots. From the article:
Google was the only free service known to encrypt the session-ID if the user went through the trouble of putting an HTTPS in the address for Gmail and other Google services that support SSL. Visit this Google Calendar address instead of this one and no one would be able to make heads or tails of the session-ID, the thinking went."
But Graham says Google SSL will automatically revert to plain-vanilla HTML if the site believes there are connection problems. This means an attacker at a hotspot can cause Google to lower its shield simply by sending a reset packet to either the Google server or to the victim's PC.