Is it secure to log in to GMail using a query URL?

24-08-2005

Firstly, I am a more than satisfied GMail user (who is not?). I use several programs to check if new mail has arrived in my accounts: Gmail Notifier for Firefox & Gmail Notifier for MirandaIM. Both are great programs. But when I was using the second one... The plugin allows you to click on it and it will open a browser window in Gmail. When I did that I noticed this was the URL it used to open the browser:

https://www.google.com/accounts/ServiceLoginBoxAuth?
continue=https%3A%2F%2Fgmail.google.com%2Fgmail&service=mail&
Email=xmanoel&Passwd=NutsThisWasSupposedToBeSecret

As soon as I saw my password clearly displayed in the URL I got completely scared. First I decided never to click on the notifier again; from now on I will log in to GMail myself and enter the password myself. (And I still have to figure out how the notifier logs into GMail: if it uses the URL to transfer the password, I may stop using it altogether.)

Maybe I am a little bit paranoid. Ok, let's clear things up. Despite what it seems, the URL does not travel around the web with the whole query string. The browser moves everything after the '?' into the headers of the request, and therefore the data in the query string travels encrypted. At least it seems so: according to the RFC, the request string is not transmitted in plaintext, so queries over HTTPS are safe. (Shame on me... I should have remembered this from previous times: the query was retrieved as an HTTP header.)

Still, there is a drawback to this login approach: anybody can get my password simply by checking the history of my browser. I really wonder how the GMail crew could allow logging in this way. Maybe I should just trust them and hope they know this is safe, or maybe I should keep being suspicious until I find out more about this... As somebody said to me once: 'better safe than sorry...'
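The drawback above is easiest to see by parsing the notifier's URL: the password is an ordinary query parameter, so it ends up wherever the full URL is recorded (browser history, or any proxy or server log that stores request lines). The following Python is an added example, not code from the original post or from the notifier; it flags credential-bearing parameters, shows the redacted form a history or log writer should store instead, and shows how the same data looks when sent as a POST body. The parameter names other than "Passwd" are assumed additions for broader coverage.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry secrets. "Passwd" is the one the
# notifier's URL uses; the rest are assumed additions, not from the post.
SENSITIVE_PARAMS = {"passwd", "password", "pwd", "pass", "token", "secret"}

# Copy of the URL shown in the post (the password value is the author's placeholder).
NOTIFIER_URL = ("https://www.google.com/accounts/ServiceLoginBoxAuth?"
                "continue=https%3A%2F%2Fgmail.google.com%2Fgmail&service=mail&"
                "Email=xmanoel&Passwd=NutsThisWasSupposedToBeSecret")


def credential_params(url):
    """Return the names of query parameters in `url` that look like secrets.
    A non-empty result means the URL must not be bookmarked or logged as-is."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def redact_url(url, mask="REDACTED"):
    """Replace the value of every secret-looking parameter, keep everything else.
    This is the form a history or log writer should store instead of the raw URL."""
    parts = urlsplit(url)
    cleaned = [(name, mask if name.lower() in SENSITIVE_PARAMS else value)
               for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def as_post_request(url):
    """Show where the same login data lands when sent as a POST body instead:
    the request line (what history and logs record) no longer carries the secret.
    Returns (request_line, body)."""
    parts = urlsplit(url)
    body = urlencode(parse_qsl(parts.query, keep_blank_values=True))
    request_line = f"POST {parts.path} HTTP/1.1"
    return request_line, body


if __name__ == "__main__":
    print("secret parameters:", credential_params(NOTIFIER_URL))
    print("safe to store    :", redact_url(NOTIFIER_URL))
    line, body = as_post_request(NOTIFIER_URL)
    print("request line     :", line)
    print("body (encrypted under TLS, not in history):", body)
```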

