Using Gmail (with Tor) is a bad idea
Fabian Keil
freebsd-listen at fabiankeil.de
Mon Sep 18 23:07:17 UTC 2006
yancm at sdf.lonestar.org top posted (please don't):
> > Just in case you wondered whether Tor and Gmail are a good
> > combination: They are not.
> >
> > I did some testing with Privoxy's cvs version and this filter:
> > Results:
> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
> > (My original mail's content is "Foo bar" of course.)
> >
> > More information (in German):
> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html
> I'm not quite sure what you are saying?
>
> Are you saying that some info gets leaked if you use
> unencrypted http to transfer mail with gmail?
Yes, and some info means everything but your password.
And even if you enter through https://mail.google.com/,
a man in the middle can send your browser a redirect to
http://mail.google.com/, Google then sends your browser
another redirect to the encrypted login page on another
server and after the secured login you will get redirected
back to http://mail.google.com/.
Firefox/1.5.0.7 honours an unencrypted redirect
as response for a https connection request.
You don't get a warning, but of course if you look for it,
you can see that the connection is unencrypted.
At that point, however, the man in the middle already has your
authentication cookies and I would be surprised if he
couldn't take over the session. Of course that'll require
greater efforts than some regular expressions.
Fabian
--
http://www.fabiankeil.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20060919/fc487b65/attachment.pgp>
More information about the tor-talk
mailing list