lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <05Feb24.131225cet.118126@fd.hif.hu>
From: adam at nhh.hu (Ádám Szilveszter dr.)
Subject: Google Search and Gmail Correlation

Hello Cody,

I think that what you are observing is this: the cookie you get when 
visiting your gmail account is valid for the whole google.com domain, and 
therefore will be transferred again when you do web searches as well.

As you write, this is not a bug per se, the cookie mechanism is working as 
expected.

It is also obvious that such an approach may raise privacy concerns.

Now, *if* google wanted to mitigate this problem, it would be easy. They 
should migrate the gmail service web frontend to a subdomain (say: 
gmail.google.com) or even a whole new domain (gmail.com exists already but 
www.gmail.com merely redirects) and make the cookie only valid in that 
domain/subdomain.

The questions is, do they want to do this?

And yes, for now, if you are privacy conscious, delete the cookie before 
doing a Google search (or using any other Google service).

Regards:

Szilveszter Adam
Budapest
Hungary

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ