One of the big stories at DefCon last year was a security researcher's demonstration of wirelessly sniffing users' session cookies while they accessed their e-mail accounts or conducted e-commerce transactions via wireless networks. The attack allowed a hacker access to the victim's Gmail or Hotmail account without needing to decipher the user's password.
Now the security researcher who presented that research has found that even a Gmail account accessed over SSL (HTTPS) -- which was touted at the time as a surefire way to protect Gmail users against such an attack -- is vulnerable to this hack.
Robert Graham of Errata Security says he's been able to grab session cookies even when users access their account in a presumably secure manner. He describes the vulnerability on his blog:
UPDATE: Reader Nicholas Weaver has pointed out a link to further discussion of this issue that might interest other readers. He's also written up a nice, clear description explaining the issue on his own blog.