Using Gmail (with Tor) is a bad idea
Fabian Keil
freebsd-listen at fabiankeil.de
Tue Sep 19 16:50:32 UTC 2006
Tim McCormack <basalganglia at brainonfire.net> top posted (please don't):
> Jason Holt wrote:
> >
> > On Mon, 18 Sep 2006, Tim McCormack wrote:
> >
> >> The problem is that Google puts the auth tokens in an http:// GET
> >> request -- you can see for yourself. And then it switches to
> >> https://. The exit node could grab your auth tokens, I guess. Since
> >> you're effectively at the same IP as the Tor exit node, gmail
> >> wouldn't know the difference.
> >
> > Where does that happen? When I go to gmail.com I get redirected to an
> > https login page.
> After you login (which is on a https://www.google.com address), you are
> redirected (with auth tokens) to a http://mail.google.com/ address.
>
> There seem to be two issues:
> 1) Is Gmail secure with regard to the exit node, even when entering on
> https://www.gmail.com/?
Depending on your browser setup, a man in the middle just has to
redirect you to http://mail.google.com/ or directly to Google's
login page and the situation is the same. You can easily overlook
a few redirect, they usally take less than a second and Google uses
lots of redirects anyway.
> 2) Is the Tor network leaking data with Gmail?
This isn't a Tor problem at all, in an insecure network environment the
same could be done. An exit node is just an convenient position to
start this attack, it's cheap to run one and if you only sniff traffic,
it's unlikely to get caught.
Fabian
--
http://www.fabiankeil.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20060919/f9121d7d/attachment.pgp>
More information about the tor-talk
mailing list