Using Gmail (with Tor) is a bad idea
Fabian Keil
freebsd-listen at fabiankeil.de
Fri Sep 22 10:54:53 UTC 2006
Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
> yancm at sdf.lonestar.org top posted (please don't):
> > I'm not quite sure what you are saying?
> >
> > Are you saying that some info gets leaked if you use
> > unencrypted http to transfer mail with gmail?
>
> Yes, and some info means everything but your password.
>
> And even if you enter through https://mail.google.com/,
> a man in the middle can send your browser a redirect to
> http://mail.google.com/, Google then sends your browser
> another redirect to the encrypted login page on another
> server and after the secured login you will get redirected
> back to http://mail.google.com/.
>
> Firefox/1.5.0.7 honours an unencrypted redirect
> as response for a https connection request.
> You don't get a warning, but of course if you look for it,
> you can see that the connection is unencrypted.
I missed something here: in my test Firefox was already
configured to use Privoxy as SSL proxy, which means
it has to ask the proxy to connect to the SSL server.
As this happens with an unencrypted request,
the client also accepts an unencrypted response.
Most likely the client does not accept an unencrypted
redirect while trying to open a direct SSL connection
(without any proxy involved).
It might not even work, if the man in the middle isn't
already located between SSL proxy and browser. If this
is true, a Tor exit node wouldn't be the right place
to send these bogus redirects.
Fabian
--
http://www.fabiankeil.de/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20060922/5e725235/attachment.pgp>
More information about the tor-talk
mailing list