[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Defeat Exit Node Sniffing?

On Mon, Mar 3, 2008 at 2:08 AM, Marco Bonetti
<marco.bonetti@xxxxxxxxxxxx> wrote:
> On Mon, March 3, 2008 06:39, Chris Palmer wrote:
>  > no HTTP connections at all.
>  I can confirm the "HTTP jump" instead, on a customizegoogle-d profile and
>  on a vanilla one, both visiting https://mail.google.com/ with every
>  "private data" cleared before each try.

with a rogue exit node you also need to be aware of intentional
injection of http://.  since google does not bind authenticated
session cookies to ssl only (secure only flag) you need to mitigate
this yourself.  otherwise, a single http://...google.com/ will expose
your session cookie and permit session hijacking.

i've done this via one of two ways, and there are certainly many ways
to skin this cat:

1. use adblock or proxy filter to explicitly block all plain text
http:// requests to google.com domains.

2. use proxy to mangle the cookie settings for the authenticated login
to force secure only before it is sent to the browser.

the former breaks lots of google services that are not available via
https, the latter is a pain in the @$$ to configure.

best regards,