Corey, the issue is that your session cookie is available in the clear when using HTTP. Any web application can be hijacked by taking its session cookie, not just GMail. For example, you’re using public WiFi in a Starbucks. The guy next to you is running AirSnort/Wireshark/tcpdump/etc. and grabs your cookies out of the air. He can then send requests to the web application as you. Using https prevents this.
Would you like to comment?
Join Diigo for a free account, or sign in if you are already a member.