Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling Take Control ebooks.

 

 

Pick an apple! 
 
Open Recent Office 2008 Docs by Date

Office 2008 applications like Word and Excel now list recently opened documents on a File > Open Recent submenu. Choose More from that menu, and you'll get a multifunction Project Gallery dialog. Click the Recent button at the top and then select a date range in the Dates list to find files that were last opened today, yesterday, earlier in the week, last week, and so forth. (The Settings pane in the Project Gallery dialog lets you set how many recently opened files show in the File > Open Recent submenu.)

 
 

Security Experts Urge Google to Secure All Sessions

Send Article to a Friend

Google has been name-checked on security. A letter sent on 16-Jun-09 to Google CEO Eric Schmidt strongly urges the company to make a secure connection the default method for Web applications. Among the 38 signatories to the letter are a host of well-known security experts, researchers, and advocates, including Ronald Rivest (the R of RSA), Bruce Schneier, Jon Callas, Eugene Spafford, Peter G. Neumann, William Cheswick, and Steven Bellovin.

Two years ago, Google's use of unsecured connections came to the fore with the discovery of sidejacking, a technique for grabbing the authentication cookies that Google uses to identify users during an unsecured session and inserting them into a browser under the sidejacker's control. Sidejacking can be performed anywhere there's an open Wi-Fi hotspot or an untrusted Ethernet network in which traffic is mingled and sniffable. (See "Sidejack Attack Jimmies Open Gmail, Other Services," 2007-08-27.)

Google has taken some steps to derail sidejacking, including marking the Gmail authentication cookie with a secure flag that should keep it from being sent without encryption even if https isn't used. Google also added an option to require https (SSL/TLS secured) connections for Gmail. (See "Google Gmail Adds Secure Session Option," 2008-07-28.) The researchers noted that other services, like Google Docs and Google Calendar, support https as well, although there's no way to set that level of security as a default.

The letter sent to Google claims that acquiring a Google authentication cookie from Docs or Calendar would allow access to Gmail, but one of Google's security team members, Alma Whitten, said in a blog entry that it wouldn't be possible for such a cookie to be intercepted.

The security experts urge that https sessions become the default for all Web-based services. The letter acknowledges that this lack is a widespread problem, and is even worse at Microsoft Hotmail, Yahoo Mail, Facebook, and MySpace because those services don't offer a secure option. We expect that the security experts are starting with Google because of Google's existing optional support for secure connections, and if they can convince Google to make the switch, they'll move on to these other companies.

They note that because Google apps are designed to work asynchronously, queuing and performing tasks at the server and then updating the browser without a page reload, any latency introduced by the additional user or server computational load for encryption won't make the experience of using these applications worse.

Google's response, in Whitten's blog entry, is that Google remains concerned that there's not enough known about whether specific computer configurations, networks, or parts of the world would suffer far worse performance in an all-https world. Whitten also said that Google is planning a trial that moves small sets of Gmail customers who haven't explicitly requested https-only sessions to that option.

 

Make friends and influence people by sponsoring TidBITS!
Put your company and products in front of tens of thousands of
savvy, committed Apple users who actually buy stuff.
More information: <http://tidbits.com/advertising.html>