Warnings on the download page

Richard Johnson rdump at river.com
Sun Mar 11 17:45:25 UTC 2007


At 16:33 -0600 on 2007-03-08, H D Moore wrote:
> 3) Web application hijacking. If a rogue Tor node watches for a specific
> pattern, such as the "welcome!" message from a web application or web
> mail portal, the Tor node could kick the user out and hijack their
> session. This is especially dangerous for sites that SSL-protect the
> authentication process, but leave the rest of the application unencrypted
> (Yahoo, GMail, others?).


Google mail will reportedly stick with https for the entire session if you
start via https://mail.google.com/

Use their other initial URLs, however, and your session will drop back to
http after the authentication is done.

Suggesting gmail users start with https://mail.google.com/ (until the
behavior changes, at least) may be good for a FAQ entry.


Richard
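The hijacking scenario in this thread (authentication over https, then the application continuing over plain http with the session cookie in the clear) can be checked for in a site's own login flow. The following is an added example, not code from this post or from Tor or Google; the trace, hostnames and cookie name are constructed, and it simply audits observed responses for cookies set without the Secure attribute and for https-to-http redirects.

```python
# Added example (not part of the tor-talk post): audit a login flow for the
# two conditions that let a network observer take over the session after
# authentication: a session cookie set over https without the Secure
# attribute (so the browser will also send it over http), and a redirect
# from an https URL back to an http URL.
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Return (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_login_flow(responses):
    """responses: list of (request_url, status, headers) where headers is a
    list of (name, value) pairs. Returns a list of human-readable findings."""
    findings = []
    for url, status, headers in responses:
        scheme = urlparse(url).scheme
        if scheme != "https":
            continue  # only https responses can "drop back" to http
        for hname, hval in headers:
            lname = hname.lower()
            if lname == "set-cookie":
                cname, attrs = parse_set_cookie(hval)
                if "secure" not in attrs:
                    findings.append(f"cookie {cname} set over https without Secure")
            elif lname == "location" and urlparse(hval).scheme == "http":
                findings.append(f"https -> http downgrade: {url} redirects to {hval}")
    return findings


# Constructed trace modelled on the behaviour described in the thread:
# the login happens over https, then the user is sent to the http application.
SAMPLE_TRACE = [
    ("https://login.example.test/auth", 302,
     [("Set-Cookie", "SID=abc123; Path=/; HttpOnly"),
      ("Location", "http://mail.example.test/inbox")]),
    ("http://mail.example.test/inbox", 200, [("Content-Type", "text/html")]),
]

# Constructed trace of the hardened behaviour: Secure cookie, https throughout.
HARDENED_TRACE = [
    ("https://login.example.test/auth", 302,
     [("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly"),
      ("Location", "https://mail.example.test/inbox")]),
]

if __name__ == "__main__":
    for finding in audit_login_flow(SAMPLE_TRACE):
        print("FINDING:", finding)
```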