
Using Gmail (with Tor) is a bad idea



Just in case you wondered whether Tor and Gmail are a good
combination: They are not.

I did some testing with Privoxy's cvs version and this filter:

FILTER: googlemail Hides sponsored links with css and shows why insecure mail transfer is a bad idea.
s@</head>@<style type="text/css">\#fbc, \#fbl, \#ra, .rhh{visibility: hidden !important;}</style>$0@i
s@easy( to switch to Google Mail)@stupid $1 and transfer mail unencrypted to make sure everbody is reading it@gi
s@Foo bar@Mail integrity compromised! Yay for GMail.@
s@different@insecure@

together with these action sections:

{-block \
 -crunch-incoming-cookies \
 -crunch-outgoing-cookies \
 -filter{content-cookies} \
 -filter{img-reorder} \
 -filter{webbugs} \
 -filter{frameset-borders} \
 +filter{googlemail} \
 -filter-client-headers \
 -filter-server-headers \
}
mail.google.com/
{+redirect{http://www.fabiankeil.de/bilder/icons/fingerzeig.png} \
}
mail.google.com/favicon.ico
{+limit-connect{443} \
}
.google.com/

Results:
http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
(My original mail's content is "Foo bar" of course.)

More information (in German):
http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html

About 0.3% of my Tor exit nodes' users seem to consider using
Gmail with Tor a good idea. I suggest they reconsider.

Fabian
-- 
http://www.fabiankeil.de/

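The following is an added example, not part of the original mail or of Privoxy: it replays two of the filter's substitutions on the test mail body and shows that only an end-to-end integrity tag lets the recipient notice the rewrite. The HMAC and its key are constructed stand-ins for a real signature scheme such as PGP, and all function names are hypothetical.

```python
import hashlib
import hmac
import re

# Two substitutions from the "googlemail" filter above, translated from
# Privoxy's s@pattern@replacement@ syntax. Without the "g" flag only the
# first match is replaced, hence count=1.
FILTER_RULES = [
    (re.compile(r"Foo bar"), "Mail integrity compromised! Yay for GMail.", 1),
    (re.compile(r"different"), "insecure", 1),
]

# Constructed key shared by sender and recipient (stand-in for a PGP key pair).
SHARED_KEY = b"constructed-demo-key"


def rewrite_in_transit(body: str) -> str:
    """Apply the filter rules as an in-path proxy would on cleartext HTTP."""
    for pattern, replacement, count in FILTER_RULES:
        body = pattern.sub(replacement, body, count=count)
    return body


def tag(body: str) -> str:
    """Integrity tag the sender computes over the mail body before sending."""
    return hmac.new(SHARED_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(body: str, expected_tag: str) -> bool:
    """Recipient-side check using a constant-time comparison of the tags."""
    return hmac.compare_digest(tag(body), expected_tag)


def check_delivery(sent_body: str, received_body: str) -> dict:
    """Compare what was sent with what arrived and validate the sender's tag."""
    sent_tag = tag(sent_body)
    return {
        "modified": sent_body != received_body,
        "tag_valid": verify(received_body, sent_tag),
    }


if __name__ == "__main__":
    original = "Foo bar"  # the test mail's content, as stated above
    seen_via_proxy = rewrite_in_transit(original)
    print(seen_via_proxy)
    print(check_delivery(original, seen_via_proxy))  # tag no longer verifies
    print(check_delivery(original, original))        # untouched body verifies
```

Without such a tag the recipient has nothing to compare against, so the rewritten text is displayed as if it were the original.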