[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Fastmail.fm better E-mail for Tor users than Gmail? HTTPS!



That doesn't matter:

"As I presented in my Black Hat and DefCon talks on Securing the Tor
Network, it turns out that using https for accessing mail.google.com
is not sufficient to protect you from many "Sidejacking" attacks. The
'GX' authentication cookie for mail.google.com is set to be
transmitted for any type of connection (http or https). This is the
only cookie one needs to authenticate to gmail." - Mike Perry,
http://www.securityfocus.com/archive/1/475658

"Researcher: Google Mail vulnerable to sidejacking despite SSL"
http://arstechnica.com/news.ars/post/20080201-report-google-mail-vulnerable-to-sidejacking-despite-ssl.html

"SSL-encrypted Gmail not safe to 'sidejacking' attacks, says researcher"
http://www.news.com/8301-10789_3-9862242-57.html

"Even SSL Gmail can get sidejacked"
http://blogs.zdnet.com/security/wp-mobile.php?p=842

This sidejacking issue is but one of several issues with Gmail I and
others have noticed. Instead of certain people giving me attitude
(poster I'm replying to now excluded) perhaps they should chill and do
some research?

On 2/2/08, Ricardo Lee <ricardoslee@xxxxxxxxx> wrote:
> On Feb 2, 2008 11:55 AM, Thomas Barvo <luteandflute@xxxxxxxxx> wrote:
>
> > On 2/2/08, Anil Gulecha <anil.verve@xxxxxxxxx> wrote:
> > > Logging into gmail with https://mail.google.com keeps you in https at
> > > all times. So there.
> >
> > This is not always true when using Tor with Gmail, even when you
> > initiate the session with https://mail.google.com ! I and several
> > others have posted on the web regarding this, especially when exit
> > nodes change and the session during logout is often forced in another
> > language to http from https during logout, what happens to the cookies
> > then? What of broken connections during use which crop up from time to
> > time? These and other strange events make me and others question using
> > Gmail with a web browser in Tor.
> >
>
>
> There's a plugin to firefox that do just that, ensures that the connection
> is always https.
>
> It's name is CustomizeGoogle. This and much more.
>
> --
> Ricardo.
>