[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Defeat Exit Node Sniffing?



Chris Palmer(chris@xxxxxxxxxxxxxxxx)@Sun, Mar 02, 2008 at 01:15:57PM -0800:
> defcon writes:
> 
> > I have been using tor for a while now, and I absolutely love it, although
> > the only thing keeping me from using it, is the insecurities of the exit
> > nodes.  I know to truly stay anonymous you should stay away from personal
> > accounts "but" how can I connect through tor to gmail or other ssl enabled
> > services without risking my password being sniffed or my dns request being
> > hijacked.  Any advice would be greatly appreciated!
> 
> The answer is to use SSL. I'm not sure but I think you meant to say "... or
> other *non*-ssl enabled serviecs...".
> 
> In the particular case of Gmail: Gmail normally uses HTTPS for the login
> phase but not thereafter. That is of course totally silly, because while the
> attacker won't see your password they will still see your Gmail session
> cookies. That's all they need to hijack your Gmail session -- they don't
> need your password. BUT! the good news is that if you go to Gmail via
> https://mail.google.com/, Gmail will use HTTPS for the entire session, not
> just the login phase, and then you are as safe as anyone ever can be from
> network eavesdroppers (including traffic-sniffing Tor operators).

"Better Gmail 2" [1] claims to force SSL on all gmail connections.  I
haven't tested it to verify that it is correct.

Sorry, no general-case solution, just some help for the Gmail users :)

[1] http://lifehacker.com/software/exclusive-lifehacker-download/better-gmail-2-firefox-extension-for-new-gmail-320618.php

-- 
Bill Weiss
 
A system composed of 100,000 lines of C++ is not be sneezed at, but we
don't have that much trouble developing 100,000 lines of COBOL today. The
real test of OOP will come when systems of 1 to 10 million lines of code
are developed.
    -- Ed Yourdon