Beating Google Two-Factor Authentication with App Specific Passwords.

8 points by neilwillgettoit almost 13 years ago

5 comments

jesseendahl almost 13 years ago
This attack actually wouldn't work against Google if you are using Chrome due to its built-in hard-coded HSTS list.

http://dev.chromium.org/sts

http://www.rodneybeede.com/Protecting_against_MITM_and_sslstrip_attacks.html
rkangel almost 13 years ago
I'd always thought that the application specific passwords would allow for a loophole, although I hadn't come up with a mechanism.

Surely the fix from Google would be pretty simple? Just make sure that any and all access to the 'Two Factor Authentication Settings' page required a two factor token. I thought it already did, but I've just tried it and the OP is right, you just need a password.
Piskvorrr almost 13 years ago
Note: this is basically "a practical application of SSLstrip". Once you are capable of pulling *that* off, full control of the ssl-stripped site is a lesser concern. Interesting (and perhaps juicier as a media soundbite than "OMG SSLstrip exists!"), but not groundbreaking.
runjake almost 13 years ago
This is a big "duh" to me and I see very little value in this post.

As far as Google's control extends, I can't think of anything they could implement without flaws that wouldn't be hostile to most of their end users.

If it weren't this flaw, it'd be a "zomg, I can plug a USB key into Alice's computer and install a keylogger".

This is a trivial, routine style of attack and of course it will work against Google's security scheme which is catered towards the everyday Joe and Alice and designed more to protect against phishing.

A better scheme where if you lost your phone, you lose your data forever, would not pass muster with everyday users.
takluyver almost 13 years ago
Reading up on SSLstrip, it looks like it relies on intercepting links and redirects sent over plain HTTP to rewrite them to something you control. So could this be defeated by authentication baked into the browser that would only send your credentials over HTTPS to a pre-specified domain? I know Mozilla was working on authentication in the browser.