Using Gmail (with Tor) is a bad idea

Tim McCormack basalganglia at brainonfire.net
Tue Sep 19 00:40:21 UTC 2006


The problem is that Google puts the auth tokens in an http:// GET
request -- you can see for yourself.  And then it switches to https://.
The exit node could grab your auth tokens, I guess. Since you're
effectively at the same IP as the Tor exit node, Gmail wouldn't know the
difference.

 - Tim

Claude LaFrenière wrote:
> Hi *Fabian Keil*:
> 
>> Just in case you wondered whether Tor and Gmail are a good
>> combination: They are not.
> 
> [...]
> 
>> About 0.3% of my Tor exit nodes' users seem to consider using
>> Gmail with Tor a good idea. I suggest they reconsider.
> 
> I'm using Gmail with Tor and Thunderbird, not Firefox or another browser.
> 
> pop.gmail.com on port 995 -> SSL  ...
> smtp.gmail.com port 587 -> TLS ...
> 
> So the connections between my computer and the Google servers 
> are encrypted. (With or without Tor...)
> 
> With this the only privacy problem remaining is what Google is doing 
> with the mail data in their servers... and this can be easily solved by
> using PGP/GnuPG.
> 
> I'm not convinced that Tor failed to encrypt correctly the communications
> with the combination of Tor + Firefox + Gmail ...
> 
> If your demonstration is correct there is a problem with Tor itself:
> how may a man-in-the-middle have access to the authentication cookies?
> 
> I'm interested in having some advice on this.
> 
> :)
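
The point raised in the message above (an auth token sent in an http:// GET before the session switches to https://) can be checked for in a recorded login redirect chain. This is an added example, not part of the original post; the hosts, parameter names and the name heuristic are constructed placeholders, not Gmail's real ones.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter-name fragments treated as credential-bearing (assumed heuristic).
SENSITIVE_HINTS = ("auth", "token", "session", "sid", "ticket")

# Constructed login redirect chain; hosts and parameter names are placeholders.
SAMPLE_CHAIN = [
    "https://accounts.example.test/login",
    "http://mail.example.test/start?auth=PLACEHOLDER_TOKEN&continue=inbox",
    "https://mail.example.test/inbox",
]


def is_sensitive(name):
    """True if a query parameter name looks like it carries a credential."""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def cleartext_token_hops(chain):
    """Return (hop_index, host, [param names]) for every hop that carries a
    credential-like query parameter over plain http. Values are never returned,
    so the report itself does not leak the token."""
    findings = []
    for index, url in enumerate(chain):
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # query string of a TLS hop is not visible to a relay
        names = [key for key, _ in parse_qsl(parts.query, keep_blank_values=True)
                 if is_sensitive(key)]
        if names:
            findings.append((index, parts.hostname, names))
    return findings


def chain_is_safe(chain):
    """A chain is safe only if no hop exposes a credential in cleartext."""
    return not cleartext_token_hops(chain)


if __name__ == "__main__":
    for index, host, names in cleartext_token_hops(SAMPLE_CHAIN):
        print(f"hop {index}: {host} sends {names} over cleartext http")
```
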


