[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Using Gmail (with Tor) is a bad idea



Tim McCormack <basalganglia@xxxxxxxxxxxxxxx> top posted (please don't):

> Jason Holt wrote:
> > 
> > On Mon, 18 Sep 2006, Tim McCormack wrote:
> > 
> >> The problem is that Google puts the auth tokens in an http:// GET
> >> request -- you can see for yourself.  And then it switches to
> >> https://. The exit node could grab your auth tokens, I guess. Since
> >> you're effectively at the same IP as the Tor exit node, gmail
> >> wouldn't know the difference.
> > 
> > Where does that happen?  When I go to gmail.com I get redirected to an
> > https login page.

> After you login (which is on a https://www.google.com address), you are
> redirected (with auth tokens) to a http://mail.google.com/ address.
> 
> There seem to be two issues:
>  1) Is Gmail secure with regard to the exit node, even when entering on
> https://www.gmail.com/?

Depending on your browser setup, a man in the middle just has to
redirect you to http://mail.google.com/ or directly to Google's
login page and the situation is the same. You can easily overlook
a few redirect, they usally take less than a second and Google uses
lots of redirects anyway.

>  2) Is the Tor network leaking data with Gmail?

This isn't a Tor problem at all, in an insecure network environment the
same could be done. An exit node is just an convenient position to
start this attack, it's cheap to run one and if you only sniff traffic,
it's unlikely to get caught.

Fabian
-- 
http://www.fabiankeil.de/

Attachment: signature.asc
Description: PGP signature