Using Gmail (with Tor) is a bad idea

yancm at sdf.lonestar.org
Mon Sep 18 22:18:31 UTC 2006


I'm not quite sure what you are saying?

Are you saying that some info gets leaked if you use
unencrypted http to transfer mail with gmail?

Why not just switch the connection to https? If you do this
manually, it seems all communication with gmail is encrypted?

I do use gmail with tor. I do enable https before I transfer any
significant data. Though the message list sometimes gets displayed
before I switch over... Sometimes I cannot establish an https connection
until after I have the http session going.

Code is good. Comments and summary mean more to me.
--gene

> Just in case you wondered whether Tor and Gmail are a good
> combination: They are not.
>
> I did some testing with Privoxy's cvs version and this filter:
>
> FILTER: googlemail Hides sponsored links with css and shows why insecure mail transfer is a bad idea.
> s@</head>@<style type="text/css">\#fbc, \#fbl, \#ra, .rhh{visibility: hidden !important;}</style>$0@i
> s@easy( to switch to Google Mail)@stupid $1 and transfer mail unencrypted to make sure everbody is reading it@gi
> s@Foo bar@Mail integrity compromised! Yay for GMail.@
> s@different@insecure@
>
> together with these action sections:
>
> {-block \
>  -crunch-incoming-cookies \
>  -crunch-outgoing-cookies \
>  -filter{content-cookies} \
>  -filter{img-reorder} \
>  -filter{webbugs} \
>  -filter{frameset-borders} \
>  +filter{googlemail} \
>  -filter-client-headers \
>  -filter-server-headers \
> }
> mail.google.com/
> {+redirect{http://www.fabiankeil.de/bilder/icons/fingerzeig.png} \
> }
> mail.google.com/favicon.ico
> {+limit-connect{443} \
> }
> .google.com/
>
> Results:
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
> (My original mail's content is "Foo bar" of course.)
>
> More information (in German):
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html
>
> About 0.3% of my Tor exit nodes' users seem to consider using
> Gmail with Tor a good idea. I suggest they reconsider.
>
> Fabian
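
Added example (not part of the original thread and not code from either poster): a Python check over a constructed request log that reports which requests to the mail host left the browser unencrypted and which cookies travelled with them, which is the window described in the reply above when the session starts over http. The URLs, cookie names and the `audit` and `cookie_names` helpers are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed request log for one webmail session:
# (request URL, Cookie request header or None). Paths and cookies are made up.
SESSION = [
    ("http://mail.google.com/mail/", None),
    ("https://www.google.com/login-example", None),
    ("http://mail.google.com/mail/?inbox-example", "SESSION=abc123; PREF=xyz"),
    ("https://mail.google.com/mail/?message-example", "SESSION=abc123; PREF=xyz"),
    ("http://mail.google.com/favicon.ico", "SESSION=abc123; PREF=xyz"),
]


def cookie_names(header):
    """Return the cookie names carried in a Cookie request header."""
    if not header:
        return []
    return [p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()]


def audit(session, host_suffix=".google.com"):
    """List requests to the watched domain that were sent without TLS.

    Anything in the result was readable and modifiable by every hop
    between the browser and the server, including a Tor exit node.
    """
    findings = []
    seen_https = False
    for url, cookie in session:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host != host_suffix.lstrip(".") and not host.endswith(host_suffix):
            continue  # not a host we are auditing
        if parts.scheme == "https":
            seen_https = True
            continue
        findings.append({
            "url": url,
            "cookies_exposed": cookie_names(cookie),
            # True means the session fell back to http after https was in use
            "after_https": seen_https,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SESSION):
        print(f)
```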


