SWEET: Meebo.com's SSL Site Encrypts Chats Too.

If you haven’t been to meebo.com, you probably haven’t needed to chat from a location that restricts chat program installs ;) Meebo.com is super slick; with nothing more than a browser, you can access your favorite chat network. The unencrypted meebo.com site does encrypt your password but stops there. By accessing Meebo.com via HTTPS, it appears that your entire session will be encrypted.

To test this, I killed all of my network connections, opened up IE (Firefox extensions make too many calls) and connected to the secure meebo.com. After chatting for some time, only the following two entries appeared in netstat -n.

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    xx.xxx.x.x:3336        65.19.140.10:443       ESTABLISHED
  TCP    xx.xxx.x.x:3337        65.19.140.10:443       ESTABLISHED

There are only connections to the HTTP SSL port, 443, and no connections to regular HTTP on port 80. Oh, and speaking of secure, here is a GreaseMonkey script that ensures that Gmail uses a secure connection. I think, however, that there must be some kind of hidden frame that encrypts all Gmail connections, even when you initially connect via HTTP and not HTTPS. It just doesn’t seem right that Google would send all that info unencrypted. Let me test…

OK, I don’t know if this is any true indicator, but it seems that Gmail actually does not encrypt in its AJAX calls when you hit the page in plain ol HTTP.

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    xx.xxx.x.x:3590        216.239.63.189:80      ESTABLISHED
  TCP    xx.xxx.x.x:3592        216.239.63.189:80      ESTABLISHED
  TCP    xx.xxx.x.x:3605        216.239.63.83:80       ESTABLISHED
  TCP    xx.xxx.x.x:3606        216.239.63.83:80       ESTABLISHED

That’s nuts. If you don’t use Firefox or if you don’t want to use the GreaseMonkey extension, just make sure you check your Google mail by hitting https://mail.google.com/mail directly. Note: Hitting https://gmail.com will redirect you to an unsecured address.
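The netstat check above, as an added example that is not part of the original post: a small Python parser that reads `netstat -n` output and reports which remote hosts were reached on port 443 versus port 80. The `classify` and `verdict` functions and their label names are made up for illustration, and a port number only suggests HTTPS; it does not prove the payload is encrypted.

```python
import re

# The two `netstat -n` captures from the post (local addresses masked as in the post).
MEEBO = """\
  Proto  Local Address          Foreign Address        State
  TCP    xx.xxx.x.x:3336        65.19.140.10:443       ESTABLISHED
  TCP    xx.xxx.x.x:3337        65.19.140.10:443       ESTABLISHED
"""
GMAIL = """\
  Proto  Local Address          Foreign Address        State
  TCP    xx.xxx.x.x:3590        216.239.63.189:80      ESTABLISHED
  TCP    xx.xxx.x.x:3592        216.239.63.189:80      ESTABLISHED
  TCP    xx.xxx.x.x:3605        216.239.63.83:80       ESTABLISHED
  TCP    xx.xxx.x.x:3606        216.239.63.83:80       ESTABLISHED
"""

# Proto, local addr:port, foreign addr:port, state. The greedy \S+ splits on the
# last colon, so bracketed IPv6 endpoints such as [::1]:443 also parse.
ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s*$")
LABELS = {443: "https", 80: "http"}  # port-based labels only, not proof of TLS

def classify(netstat_text):
    """Map 'https' / 'http' / 'other' to the sorted remote hosts with ESTABLISHED connections."""
    seen = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) != "ESTABLISHED":
            continue  # skip headers, blank lines, UDP rows, and closing sockets
        label = LABELS.get(int(m.group(2)), "other")
        seen.setdefault(label, set()).add(m.group(1))
    return {label: sorted(hosts) for label, hosts in seen.items()}

def verdict(netstat_text):
    """Summarise a capture the way the post reads it by eye."""
    found = classify(netstat_text)
    if "http" in found:
        return "plaintext-seen"
    return "https-only" if "https" in found else "no-web-traffic"

if __name__ == "__main__":
    for name, capture in (("meebo", MEEBO), ("gmail", GMAIL)):
        print(name, verdict(capture), classify(capture))
```

A capture taken at one instant can miss short-lived connections, so sample repeatedly during the session before trusting an "https-only" result.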

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain RealCajunRecipes.com in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

2 comments on “SWEET: Meebo.com's SSL Site Encrypts Chats Too.”
  1. Frederic says:

    The problem I have with this page is just that using meebo.com is not end to end encrypted, you’re just encrypted to the meebo servers, and then it’s plain text through AIM servers, and on to your friends… if they also use meebo, then you’re encrypted to meebo.com -> plaintext -> AIM -> plaintext -> meebo.com -> encrypted -> friends. If meebo chooses to implement some encryption that works within the text, it’s possible, but loads more processing on them, to remove the plaintext through AIM link, it could work with adiumx, or gaim’s or trillian’s, if all of those have open specs but it probably would just work if both participants use meebo.

  2. Pachai_kili says:

    Hi,
    Could you please let me know how I can access Meebo.com bypassing the block that has been applied to it…
    I tried with https with Firefox… yet I am not able to connect to it… when I try with https, I get a message:
    “The connection was reset.

    The connection to the server was reset while the page was loading.”

    How can I bypass this… I even tried with yet I am not able to get to the site.

    Can you help me out here, please!
    thanks,
    pachai kili
