OAuth Core 1.0 Final Draft – Implement it while it’s hot

After Chris blogged about it Eran Hammer-Lahav wrote a Beginner’s Guide to OAuth I have little to add.

I will add though that my C# library which I’m promising for quite some time will get out very soon :-) (Sorry for the delay, it’s been hectic around here).

Google Apps for your Domain, DNS, CNAME and Security

I’ve recently started to use Google Apps for Your domain to host my private emails on the sandler.co.il domain.

Google Apps for your domain is quite cool and was very easy to configure. I mainly moved to it due to the unbelievable amounts of SPAM and I didn’t have the power or time to configure SpamAssassin in a reasonable way that would actually work.

When I moved, one of the things I did was to change the “default” URL in which me and other members of my family use to access the web mail of the domain. Google Apps for your Domain allows you to do just that by configuring it in its configuration screen and settings a CNAME record that points to ghs.google.com.

After configuring everything I tested it out and noticed something disturbing.

It seems that CNAME (by design/default/whatever) does not support HTTPS, only HTTP. This means that the CNAME alias I configured will be resolved to mail.google.com/a/YourDomain.XXX (replace YourDomain.XXX with your domain ;-) ). If you are not authenticated you’ll be redirected to authenticate on an SSL protected address (https) and upon successful authentication you will be directed to http://mail.google.com/a/YourDomain.XXX (not https – not SSL).

This means that now, when you read or write Emails they are not protected. If you are sitting in an open WIFI network (passwordless network) people can easily sniff out your Emails and correspondence (I know that not using WPA will make you prune to man in the middle attacks, but that’s not the issue here). This is just one of the scenarios that you will be vulnerable (there are a few more).

It’s not that accessing https://mail.google.com/a/YourDOMAIN.XXX will not work. On the contrary, it will work fine and all the communication will be secured using SSL (https).

It seems Google is encouraging recklessness with their current configuration, instead of redirecting authenticated users to the secured version (https/SSL) of their web mail specifically because of the DNS CNAME limitations.

It is a simple fix on Google’s behalf which will increase the security dramatically.