
Re: Defeat Exit Node Sniffing?

Gmail with SSL is by default a more secure webmail provider than Hotmail.
It appears to have a failure mode that is less than desirable when an
active attacker decides to mangle packets.

All someone would have to do to force non-ssl is:
Send TCP reset packets for any connection to port 443. Eventually, a
user will cease his attempts at trying the SSL version of the webmail
service. If he persists, he'll have to log in without SSL. Oh no! You
have his cookies and probably his unhashed password!

Basically the implications are endless.

I guess I could just disable persistent cookies HEH

On Sun, Mar 2, 2008 at 7:02 PM, defcon <defconoii@xxxxxxxxx> wrote:
> It is unfortunate about their privacy policy, but I consider all mail unsafe; as mail passes through the net from server to server it can be intercepted. Is there any guarantee your mail being sent through the net is unread/analyzed/archived before you read it?  The only solution is using PGP, and I see you use that, which is smart.  We all know the governments of this world are doing their best to intercept emails and search them for certain phrases/keywords.  I consider spam detection a privacy concern as well because they analyze email for certain things.  I was just running dsniff and sniffed my password from clicking igoogle from my gmail client; it sent the password in clear text unless dsniff sniffed the cookie.  What is a good way to enforce a good cookie policy for firefox?
> Best Regards,
> defcon
> Yes, there is a lot of good information in the archives; I should have searched them, although sometimes old questions have new answers.
> On Sun, Mar 2, 2008 at 4:41 PM, scar <scar@xxxxxxxxxx> wrote:
> >
> > Chris Palmer @ 2008/03/02 14:15:
> >
> > | defcon writes:
> > |
> > |> I have been using tor for a while now, and I absolutely love it, although
> > |> the only thing keeping me from using it, is the insecurities of the exit
> > |> nodes.  I know to truly stay anonymous you should stay away from personal
> > |> accounts "but" how can I connect through tor to gmail or other ssl enabled
> > |> services without risking my password being sniffed or my dns request being
> > |> hijacked.  Any advice would be greatly appreciated!
> > |
> > | The answer is to use SSL. I'm not sure but I think you meant to say "... or
> > | other *non*-ssl enabled services...".
> > |
> > | In the particular case of Gmail: Gmail normally uses HTTPS for the login
> > | phase but not thereafter. That is of course totally silly, because while the
> > | attacker won't see your password they will still see your Gmail session
> > | cookies. That's all they need to hijack your Gmail session -- they don't
> > | need your password. BUT! the good news is that if you go to Gmail via
> > | https://mail.google.com/, Gmail will use HTTPS for the entire session, not
> > | just the login phase, and then you are as safe as anyone ever can be from
> > | network eavesdroppers (including traffic-sniffing Tor operators).
> > |
> >
> > sorry, but that's not entirely true.  if you watch your tor circuits,
> > gmail will jump to one insecure connection on port 80 to do "something"
> > during the login phase, and then go back https, even if you use
> > https://mail.google.com/.  this has been discussed to death, please
> > search the archives.
> >
> > the best solution is to stop using gmail, since they probably keep your
> > email forever.  next-best solution is to use a 3rd-party email program
> > and configure it to use TLS or SSL for your pop.gmail.com and
> > smtp.gmail.com connections.
> >
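The session-cookie exposure discussed in this thread (a cookie issued over HTTPS being replayed on a plaintext port-80 hop), as an added example that is not part of any post: a Python script using the standard-library cookie jar to show that a session cookie set without the Secure attribute is attached to an http:// request, while the same cookie set with Secure is withheld. The cookie name and value are constructed, and the jar's behaviour stands in for a browser's.

```python
"""Why a plaintext hop leaks a Gmail session cookie, and what the Secure flag changes.
Added example; the cookie name and value below are constructed, not real Gmail values."""
import email.message
import http.cookiejar
import urllib.request


class _CannedResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info() on it."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header_value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", header_value)

    def info(self):
        return self._headers


def jar_from_login(set_cookie_headers, login_url="https://mail.google.com/"):
    """Store the cookies an HTTPS login response would leave in a browser-like jar."""
    jar = http.cookiejar.CookieJar()
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(_CannedResponse(set_cookie_headers), login_request)
    return jar


def cookies_sent_to(jar, url):
    """Return the cookie names the jar would attach to a request for `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies the jar's Secure/domain/path policy
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";") if part.strip())


# Constructed login responses: same session cookie, with and without the Secure attribute.
LEAKY_LOGIN = ["SID=constructed-session-token; Path=/; HttpOnly"]
HARDENED_LOGIN = ["SID=constructed-session-token; Path=/; Secure; HttpOnly"]


def plaintext_leak(set_cookie_headers):
    """Names of session cookies that would cross the wire on the port-80 hop."""
    jar = jar_from_login(set_cookie_headers)
    return cookies_sent_to(jar, "http://mail.google.com/")


if __name__ == "__main__":
    print("no Secure flag -> sent over http:", plaintext_leak(LEAKY_LOGIN))
    print("Secure flag    -> sent over http:", plaintext_leak(HARDENED_LOGIN))
```

The Secure attribute only stops the cookie being sent over plaintext; the unencrypted hop itself still happens, which is why the thread's advice to use a mail client over TLS for pop.gmail.com and smtp.gmail.com avoids the problem entirely.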