Fabian Keil <freebsd-listen@xxxxxxxxxxxxx> wrote: > yancm@xxxxxxxxxxxxxxxx top posted (please don't): > > I'm not quite sure what you are saying? > > > > Are you saying that some info gets leaked if you use > > unencrypted http to transfer mail with gmail? > > Yes, and some info means everything but your password. > > And even if you enter through https://mail.google.com/, > a man in the middle can send your browser a redirect to > http://mail.google.com/, Google then sends your browser > another redirect to the encrypted login page on another > server and after the secured login you will get redirected > back to http://mail.google.com/. > > Firefox/1.5.0.7 honours an unencrypted redirect > as response for a https connection request. > You don't get a warning, but of course if you look for it, > you can see that the connection is unencrypted. I missed something here: in my test Firefox was already configured to use Privoxy as SSL proxy, which means it has to ask the proxy to connect to the SSL server. As this happens with an unencrypted request, the client also accepts an unencrypted response. Most likely the client does not accept an unencrypted redirect while trying to open a direct SSL connection (without any proxy involved). It might not even work, if the man in the middle isn't already located between SSL proxy and browser. If this is true, a Tor exit node wouldn't be the right place to send these bogus redirects. Fabian -- http://www.fabiankeil.de/
Attachment:
signature.asc
Description: PGP signature