Re: Defeat Exit Node Sniffing?

To: or-talk@xxxxxxxxxxxxx

Subject: Re: Defeat Exit Node Sniffing?

From: defcon <defconoii@xxxxxxxxx>

Date: Sun, 2 Mar 2008 19:02:23 -0700

Delivered-to: archiver@xxxxxxxx

Delivered-to: or-talk-outgoing@xxxxxxxx

Delivered-to: or-talk@xxxxxxxx

Delivery-date: Sun, 02 Mar 2008 21:02:29 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; bh=8nI+2wPnKWbEwo1FovsukPsJtoZjvP6DNlm0wk+hU1I=; b=mCaO0rKdxyJ/AocGe4ip/xioVZh/H3eTm/xbKb+T0Pn1UdqcvpwhEfJv8vgj8lFeKZKPtat7fa4P+jUwMl87udtwm45yz+SKnwfym8o0bZj61UvYJ0Vn/An9g6WBvRPqtH62wIgBBngvxIe7tE+J2iY6qhIy/4Vts99r7Dy0vNQ=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=POnhULRhYpYogWfCT9f5BTPF8OWqFh3YTzQXDQBpp9dZKGjdwer2jxLFzQYpkyA+VN19Af2LnbNiKvNFEhuDJ++6C6iswolTje+jjv2tQWrW1KsHvDN+n+zMTq6iDLELzuZ3ftsXkhALBQgEXSbfo7T5wqzGywajpiOLHoNeA3E=

In-reply-to: <47CB3B40.3050408@xxxxxxxxxx>

References: <a45400c30803021230x47297f81t1901918c4910e48c@xxxxxxxxxxxxxx> <20080302211557.GL10785@xxxxxxxxxxxxxxxx> <47CB3B40.3050408@xxxxxxxxxx>

Reply-to: or-talk@xxxxxxxxxxxxx

Sender: owner-or-talk@xxxxxxxxxxxxx

On Sun, Mar 2, 2008 at 4:41 PM, scar <scar@xxxxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Chris Palmer @ 2008/03/02 14:15:

| defcon writes:
|
|> I have been using tor for a while now, and I absolutely love it, although
|> the only thing keeping me from using it, is the insecurities of the exit
|> nodes. I know to truly stay anonymous you should stay away from personal
|> accounts "but" how can I connect through tor to gmail or other ssl
enabled
|> services without risking my password being sniffed or my dns request
being
|> hijacked. Any advice would be greatly appreciated!
|
| The answer is to use SSL. I'm not sure but I think you meant to say
"... or
| other *non*-ssl enabled serviecs...".
|
| In the particular case of Gmail: Gmail normally uses HTTPS for the login
| phase but not thereafter. That is of course totally silly, because
while the
| attacker won't see your password they will still see your Gmail session
| cookies. That's all they need to hijack your Gmail session -- they don't
| need your password. BUT! the good news is that if you go to Gmail via
| https://mail.google.com/, Gmail will use HTTPS for the entire session, not
| just the login phase, and then you are as safe as anyone ever can be from
| network eavesdroppers (including traffic-sniffing Tor operators).
|

sorry, but that's not entirely true. if you watch your tor circuits,
gmail will jump to one insecure connection on port 80 to do "something"
during the login phase, and then go back https, even if you use
https://mail.google.com/. this has been discussed to death, please
search the archives.

the best solution is to stop using gmail, since they probably keep your
email forever. next-best solution is to use a 3rd-party email program
and configure it to use TLS or SSL for your pop.gmail.com and
smtp.gmail.com connections.
-----BEGIN PGP SIGNATURE-----

iD8DBQFHyztAXhfCJNu98qARCPgTAJ9IcmnkJSyq50tH6m0YM5LnWzwmyQCfdmkd
s63d6BRRavBoj9CYY5daTY8=
=VKYu
-----END PGP SIGNATURE-----