Using Gmail (with Tor) is a bad idea

Fabian Keil freebsd-listen at fabiankeil.de
Mon Sep 18 22:09:11 UTC 2006


Just in case you wondered whether Tor and Gmail are a good
combination: They are not.

I did some testing with Privoxy's cvs version and this filter:

FILTER: googlemail Hides sponsored links with css and shows why insecure mail transfer is a bad idea.
s@</head>@<style type="text/css">\#fbc, \#fbl, \#ra, .rhh{visibility: hidden !important;}</style>$0@i
s@easy( to switch to Google Mail)@stupid $1 and transfer mail unencrypted to make sure everbody is reading it@gi
s@Foo bar@Mail integrity compromised! Yay for GMail.@
s@different@insecure@

together with these action sections:

{-block \
 -crunch-incoming-cookies \
 -crunch-outgoing-cookies \
 -filter{content-cookies} \
 -filter{img-reorder} \
 -filter{webbugs} \
 -filter{frameset-borders} \
 +filter{googlemail} \
 -filter-client-headers \
 -filter-server-headers \
}
mail.google.com/
{+redirect{http://www.fabiankeil.de/bilder/icons/fingerzeig.png} \
}
mail.google.com/favicon.ico
{+limit-connect{443} \
}
.google.com/

Results:
http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
(My original mail's content is "Foo bar" of course.)

More information (in German):
http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html

About 0.3% of my Tor exit nodes' users seem to consider using
Gmail with Tor a good idea. I suggest they reconsider.

Fabian
-- 
http://www.fabiankeil.de/
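
Added example (not part of the original mail, and not Privoxy code): a Python re-implementation of the four substitution jobs from the filter above, run over a constructed page. It shows that the rewritten plaintext response is still well-formed HTML with nothing in it that flags the change, and that only a comparison against a digest of the content as sent reveals it. The sample HTML and all function names are assumptions made for the example.

```python
import hashlib
import re

# The four substitution jobs of the "googlemail" filter, "@" as delimiter.
JOBS = [
    r's@</head>@<style type="text/css">\#fbc, \#fbl, \#ra, .rhh{visibility: hidden !important;}</style>$0@i',
    r's@easy( to switch to Google Mail)@stupid $1 and transfer mail unencrypted to make sure everbody is reading it@gi',
    r's@Foo bar@Mail integrity compromised! Yay for GMail.@',
    r's@different@insecure@',
]

# Constructed sample of a page fetched over plain HTTP (not real Gmail markup).
ORIGINAL = ('<html><head><title>Inbox</title></head><body>'
            '<div id="ra">Sponsored link</div>'
            '<p>It is easy to switch to Google Mail</p>'
            '<p>Foo bar</p></body></html>')

def parse_job(job):
    """Split 's<d>pattern<d>replacement<d>flags' on its delimiter <d>."""
    _, pattern, repl, flags = job.split(job[1])
    return pattern, repl, flags

def expand(repl, m):
    """Expand $N to capture group N and '\\x' to literal x (e.g. '\\#')."""
    return re.sub(r'\\(.)|\$(\d)',
                  lambda g: g.group(1) if g.group(1) is not None
                  else (m.group(int(g.group(2))) or ''), repl)

def rewrite(text, jobs=JOBS):
    """Apply every job in order; return the new text and the patterns that hit."""
    hits = []
    for job in jobs:
        pattern, repl, flags = parse_job(job)
        rx = re.compile(pattern, re.I if 'i' in flags else 0)
        # Without the "g" flag only the first match is replaced.
        text, n = rx.subn(lambda m: expand(repl, m), text,
                          count=0 if 'g' in flags else 1)
        if n:
            hits.append(pattern)
    return text, hits

def digest(text):
    """SHA-256 of the content, as a sender could publish out of band."""
    return hashlib.sha256(text.encode()).hexdigest()

if __name__ == '__main__':
    received, hits = rewrite(ORIGINAL)
    print(hits)
    print(received)
    print('modified in transit:', digest(received) != digest(ORIGINAL))
```

The digest comparison only helps if the reference digest reaches the reader over a channel the intermediary cannot rewrite as well.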