Using Gmail (with Tor) is a bad idea

Tim McCormack basalganglia at brainonfire.net
Tue Sep 19 01:55:32 UTC 2006


After you log in (which is on a https://www.google.com address), you are
redirected (with auth tokens) to an http://mail.google.com/ address.

There seem to be two issues:
 1) Is Gmail secure with regard to the exit node, even when entering on
https://www.gmail.com/?
 2) Is the Tor network leaking data with Gmail?

  - Tim

Jason Holt wrote:
> 
> On Mon, 18 Sep 2006, Tim McCormack wrote:
> 
>> The problem is that Google puts the auth tokens in an http:// GET
>> request -- you can see for yourself.  And then it switches to https://.
>> The exit node could grab your auth tokens, I guess. Since you're
>> effectively at the same IP as the Tor exit node, gmail wouldn't know the
>> difference.
> 
> Where does that happen?  When I go to gmail.com I get redirected to an
> https login page.
> 
>                     -J
> 
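
The hand-off discussed in this thread (HTTPS login, then a redirect that carries auth tokens to an http:// address) can be checked for mechanically once a redirect chain has been recorded. The following is an added example, not part of the original messages: the parameter names in `SENSITIVE` and the sample chain, including its `auth` parameter and token value, are constructed for illustration and are not Gmail's actual parameters.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameter names treated as credentials.
# Assumption: hypothetical names; adjust for the site being audited.
SENSITIVE = {"auth", "token", "sid", "session", "ticket"}


def cleartext_token_hops(chain):
    """Return (index, url, [param names]) for every hop in a recorded
    redirect chain that carries a credential-like query parameter over
    plain http, where any on-path relay (such as an exit node) can read it."""
    findings = []
    for i, url in enumerate(chain):
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # https hops keep the query string inside TLS
        leaked = [key for key, value in parse_qsl(parts.query, keep_blank_values=True)
                  if key.lower() in SENSITIVE and value]
        if leaked:
            findings.append((i, url, leaked))
    return findings


def downgrades(chain):
    """Return the indices of hops reached by an https -> http redirect."""
    schemes = [urlsplit(url).scheme.lower() for url in chain]
    return [i + 1 for i in range(len(schemes) - 1)
            if schemes[i] == "https" and schemes[i + 1] == "http"]


# Constructed chain mirroring the sequence described in the thread:
# https login host, http hop with a token in the GET request, then https again.
SAMPLE_CHAIN = [
    "https://www.google.com/",
    "http://mail.google.com/?auth=CONSTRUCTED-TOKEN",
    "https://mail.google.com/",
]

if __name__ == "__main__":
    for index, url, names in cleartext_token_hops(SAMPLE_CHAIN):
        print(f"hop {index}: {', '.join(names)} sent in cleartext to {urlsplit(url).netloc}")
    print("https->http downgrades at hops:", downgrades(SAMPLE_CHAIN))
```

A later switch back to https does not clear a finding: the token has already crossed the cleartext hop.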


