
Re: Defeat Exit Node Sniffing?



On Mon, March 3, 2008 06:39, Chris Palmer wrote:
> no HTTP connections at all.
I can confirm the "HTTP jump" instead, on a customizegoogle-d profile and
on a vanilla one, both visiting https://mail.google.com/ with every
"private data" cleared before each try.
I had monitored the connections with the latest Burp Suite (it was handy, no
serious preference over WebScarab); there are two HTTP connections:
1) the first one during login (an id is sent out as a GET parameter)
2) the second one during logout; this one is really noticeable as Firefox
itself will warn you about the https-to-http jump (you can turn off this
warning but it should be on by default)

I'm not a Google expert and not too sure if the information sent in plain
text will be of any use, but I can confirm the presence.

ciao

-- 
Marco Bonetti
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My webstuff: http://sidbox.homelinux.org/

My GnuPG key id: 0x86A91047