[tor-talk] Email provider for privacy-minded folk

Mr Dash Four mr.dash.four at googlemail.com
Tue Feb 19 19:08:26 UTC 2013


> IMO, only stupid idiot doesn't use https with gmail.
> That's why I think all talkings about gmail and beeing hacked is useless.
> Let him set "Use always https" in the gmail settings, then log out, log in, change password and secure q/answer and that's all.
>
> This should be about Tor and Tor close stuff...
>
>
> Game's over.
>   
Indeed! I also employ one additional measure, which, admittedly, may not 
be to everyone's taste - I have all my 
browser/system/email/everything-else-you-care-to-name root certificate 
store wiped out clean!

If I have to access a specific (https) site or access a new email 
account (by using secure pop/starttls, secure smtp or secure imap) I 
tend to get the site's certificate well in advance via other means (not 
through tor, obviously) and store it manually on my system for use by 
these programs. That way, I know that if the "certificate unrecognised" 
error pops up there is either 1) a new site I have never accessed before 
(most likely); or 2) someone is trying to use spoof certificates.

The latter doesn't occur very often, though I've had this on a number of 
(rare) occasions when a tor exit node for example (prior to being banned 
in my torrc file and banished forever) tries to pretend to be my email 
server and gets caught out with its pants down, quite literally... This 
measure also prevents the likes of hacked/rogue CA's out there leaking 
certificates to people/organisations who use them for various 
criminal/unsavoury purposes.


More information about the tor-talk mailing list