RE: Offical secrets act
I'm sure they'll be sent through the post unencrypted well before then.
Posts by Dan Hardiker
9 publicly visible posts • joined 13 Jun 2007
InPhase finally to phase in holographic disk
Apple's Time Machine now works as advertised
Paranoid partners to get GPS snooper
Thursday 6th March 2008 22:49 GMT 
You're already doomed
If you have to resort to this, then you're in a failed relationship. Even if you find out your other half isn't getting their end away elsewhere, you have serious trust issues which need resolving.
Taking a different tact: most of the readers of El Reg are against the powers that be monitoring us, so unless we're hypocrites, we're hardly going to condone the covert surveillance of our loved ones by those that are supposed to trust them!
Samsung secures 2007 most inappropriate ad title
Canadian Taser death caught on camera
SexSearch.com gets off on user's underage romp
Crypto boffins break car cypher
Flash: Public Wi-Fi even more insecure than previously thought
Friday 3rd August 2007 12:19 GMT
Not just Google -- any session based site
There are many sites out there (I would list any where credentials are handed over SSL and then passed back through unencrypted channels) where this attack vector would exist ... and it's certainly not new. This has been around for many, many years.
Personally I use more than the session id for authentication where I can on repeat requests (specifically the remote IP address), but with the more prevalent use of NAT in large offices and on open WIFI networks (and the potential harder angle of spoofing) this has become less effective. Roll on IPv6!
I have been a long time advocate for anything where you need to login (and want to ensure your account is safe) being executed over SSL for the entirety of the visit.
Biting the hand that feeds IT
