Using Gmail (with Tor) is a bad idea

Anthony DiPierro or at inbox.org
Wed Sep 20 21:51:44 UTC 2006 

On 9/18/06, Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
> yancm at sdf.lonestar.org top posted (please don't):
> > Are you saying that some info gets leaked if you use
> > unencrypted http to transfer mail with gmail?
>
> Yes, and some info means everything but your password.
>
> And even if you enter through https://mail.google.com/,
> a man in the middle can send your browser a redirect to
> http://mail.google.com/, Google then sends your browser
> another redirect to the encrypted login page on another
> server and after the secured login you will get redirected
> back to http://mail.google.com/.
>
OK, so if you're careful, and enter through https://mail.google.com/,
you're fine, as long as you don't go to *any* http site before you
clear your cookies.

But if you log in to gmail, even through https, then you go to a an
http site (like http://www.yahoo.com/, for example), then your session
can be stolen.

> Firefox/1.5.0.7 honours an unencrypted redirect
> as response for a https connection request.
> You don't get a warning, but of course if you look for it,
> you can see that the connection is unencrypted.
>
Assuming this can't be turned off, the only real workaround I think
would work is to disable the http proxy.  This might be realistic, you
could switch between three proxy settings, one for normal browsing,
one just for gmail/tor (which would send http requests to a proxy at a
nonexistant IP address), and one for normal tor browsing.  These three
settings could be managed through SwitchProxy, which would
automatically clear cookies between each one.

For those gmail diehards (like me) who want to hide their IP address
from gmail (not a bad idea), it might be a reasonable workaround.

> At that point, however, the man in the middle already has your
> authentication cookies and I would be surprised if he
> couldn't take over the session. Of course that'll require
> greater efforts than some regular expressions.
>
And considering how many sites, including financial sites, are happy
to send you a new password by email, getting your gmail session stolen
could be really horrible.

Anthony

More information about the tor-talk mailing list