SWEET: Meebo.com's SSL Site Encrypts Chats Too.
If you haven't been to meebo.com, you probably haven't needed to chat from a location that restricts chat program installs ;) Meebo.com is super slick; with nothing more than a browser, you can access your favorite chat network. The unencrypted meebo.com site does encrypt your password but stops there. By accessing Meebo.com via HTTPS, it appears that your entire session will be encrypted.
To test this, I killed all of my network connections, opened up IE (Firefox extensions make too many calls) and connected to the secure meebo.com. After chatting for some time, only the following two entries appeared in netstat -n.
Proto Local Address Foreign Address State TCP xx.xxx.x.x:3336 184.108.40.206:443 ESTABLISHED TCP xx.xxx.x.x:3337 220.127.116.11:443 ESTABLISHED
There are only connections to the HTTP SSL port, 443, and no connections to regular HTTP on port 80. Oh, and speaking of secure, here is a GreaseMonkey script that ensures that Gmail uses a secure connection. I think, however, that there must be some kind of hidden frame that encrypts all Gmail connections, even when you initally connect via HTTP and not HTTPS. It just doesn't seem right that Google would send all that info unencrypted. Let me test...
OK, I don't know if this is any true indicator, but it seems that Gmail actually does not encrypt in its AJAX calls when you hit the page in plain ol HTTP.
Proto Local Address Foreign Address State TCP xx.xxx.x.x:3590 18.104.22.168:80 ESTABLISHED TCP xx.xxx.x.x:3592 22.214.171.124:80 ESTABLISHED TCP xx.xxx.x.x:3605 126.96.36.199:80 ESTABLISHED TCP xx.xxx.x.x:3606 188.8.131.52:80 ESTABLISHED
That's nuts. If you don't use Firefox or if you don't want to use the GreaseMonkey extension, just make sure you check your Google mail by hitting https://mail.google.com/mail directly. Note: Hitting https://gmail.com will redirect you to an unsecured address.