Using Gmail (with Tor) is a bad idea

yancm at sdf.lonestar.org yancm at sdf.lonestar.org
Mon Sep 18 23:16:59 UTC 2006


> yancm at sdf.lonestar.org:
>
>> > Just in case you wondered whether Tor and Gmail are a good
>> > combination: They are not.
>> >
>> > I did some testing with Privoxy's cvs version and this filter:
>
>> > Results:
>> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
>> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
>> > (My original mail's content is "Foo bar" of course.)
>> >
>> > More information (in German):
>> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html
>
>> I'm not quite sure what you are saying?
>>
>> Are you saying that some info gets leaked if you use
>> unencrypted http to transfer mail with gmail?
>
> Yes, and some info means everything but your password.
>
> And even if you enter through https://mail.google.com/,
> a man in the middle can send your browser a redirect to
> http://mail.google.com/, Google then sends your browser
> another redirect to the encrypted login page on another
> server and after the secured login you will get redirected
> back to http://mail.google.com/.

OK, is this specific to Google? Or are there other free/nonfree
email services that are immune to this behavior? If so, please
suggest.

What about ecommerce or other secured sites?
--gene


