SWEET: Meebo.com's SSL Site Encrypts Chats Too.

If you haven’t been to meebo.com, you probably haven’t needed to chat from a location that restricts chat program installs ;) Meebo.com is super slick; with nothing more than a browser, you can access your favorite chat network. The unencrypted meebo.com site does encrypt your password but stops there. By accessing Meebo.com via HTTPS, it appears that your entire session will be encrypted.

To test this, I killed all of my network connections, opened up IE (Firefox extensions make too many calls) and connected to the secure meebo.com. After chatting for some time, only the following two entries appeared in netstat -n.

Active Connections

Proto Local Address Foreign Address State
TCP xx.xxx.x.x:3336 ESTABLISHED
TCP xx.xxx.x.x:3337 ESTABLISHED

There are only connections to the HTTP SSL port, 443, and no connections to regular HTTP on port 80. Oh, and speaking of secure, here is a GreaseMonkey script that ensures that Gmail uses a secure connection. I think, however, that there must be some kind of hidden frame that encrypts all Gmail connections, even when you initally connect via HTTP and not HTTPS. It just doesn’t seem right that Google would send all that info unencrypted. Let me test…

OK, I don’t know if this is any true indicator, but it seems that Gmail actually does not encrypt in its AJAX calls when you hit the page in plain ol HTTP.

Active Connections

Proto Local Address Foreign Address State
TCP xx.xxx.x.x:3590 ESTABLISHED
TCP xx.xxx.x.x:3592 ESTABLISHED
TCP xx.xxx.x.x:3605 ESTABLISHED
TCP xx.xxx.x.x:3606 ESTABLISHED

That’s nuts. If you don’t use Firefox or if you don’t want to use the GreaseMonkey extension, just make sure you check your Google mail by hitting https://mail.google.com/mail directly. Note: Hitting https://gmail.com will redirect you to an unsecured address.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Security