SWEET: Meebo.com's SSL Site Encrypts Chats Too.

If you haven’t been to meebo.com, you probably haven’t needed to chat from a location that restricts chat program installs ;) Meebo.com is super slick; with nothing more than a browser, you can access your favorite chat network. The unencrypted meebo.com site does encrypt your password but stops there. By accessing Meebo.com via HTTPS, it appears that your entire session will be encrypted.

To test this, I killed all of my network connections, opened up IE (Firefox extensions make too many calls) and connected to the secure meebo.com. After chatting for some time, only the following two entries appeared in netstat -n.

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    xx.xxx.x.x:3336       ESTABLISHED
  TCP    xx.xxx.x.x:3337       ESTABLISHED

There are only connections to the HTTP SSL port, 443, and no connections to regular HTTP on port 80. Oh, and speaking of secure, here is a GreaseMonkey script that ensures that Gmail uses a secure connection. I think, however, that there must be some kind of hidden frame that encrypts all Gmail connections, even when you initally connect via HTTP and not HTTPS. It just doesn’t seem right that Google would send all that info unencrypted. Let me test…

OK, I don’t know if this is any true indicator, but it seems that Gmail actually does not encrypt in its AJAX calls when you hit the page in plain ol HTTP.

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    xx.xxx.x.x:3590      ESTABLISHED
  TCP    xx.xxx.x.x:3592      ESTABLISHED
  TCP    xx.xxx.x.x:3605       ESTABLISHED
  TCP    xx.xxx.x.x:3606       ESTABLISHED

That’s nuts. If you don’t use Firefox or if you don’t want to use the GreaseMonkey extension, just make sure you check your Google mail by hitting https://mail.google.com/mail directly. Note: Hitting https://gmail.com will redirect you to an unsecured address.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools and holds a master's degree in Systems Engineering. Chrissy is also certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Security
2 comments on “SWEET: Meebo.com's SSL Site Encrypts Chats Too.
  1. Frederic says:

    The problem I have with this page is just that using meebo.com is not end to end encrypted, you’re just encrypted to the meebo servers, and then it’s plain text through AIM servers, and on to your friends… if they also use meebo, then you’re encrypted to meebo.com -> plaintext -> AIM -> plaintext -> meebo.com ->encrypted -> friends. If meebo chooses to implement some encryption that works within the text, it’s possible, but loads more processing on them, to remove the plaintext through aim link, it could work with adiumx, or gaim’s or trillians, if all of those have open spec’s but it probably would just work if both participants use meebo.

  2. Pachai_kili says:

    Could you please let me know how i can access Meebo.com bypassing the Block that has been applied to it…
    i tried with https with firefox… yet i am not able to connect to it… when i try with https, i get a Msg :
    “The connection was reset.

    The connection to the server was reset while the page was loading.”

    how can i bypass this… i even tried with yet i am not able to get to the site.

    can you help me out here, Please!
    pachai kili

Leave a Reply

Your email address will not be published. Required fields are marked *