[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Using Gmail (with Tor) is a bad idea

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Using Gmail (with Tor) is a bad idea
From: yancm@xxxxxxxxxxxxxxxx
Date: Mon, 18 Sep 2006 17:18:31 -0500 (EST)
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Mon, 18 Sep 2006 18:18:47 -0400
Importance: Normal
In-reply-to: <20060919000911.70009ff8@localhost>
References: <20060919000911.70009ff8@localhost>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: SquirrelMail/1.5.0

I'm not quite sure what you are saying?

Are you saying that some info gets leaked if you use
unencrypted http to transfer mail with gmail?

Why not just switch the connection to https? If you do this
manually, it seems all communication with gmail is encrypted?

I do use gmail with tor. I do enable https before I transfer any
significant data. Though the message list sometimes gets displayed
before I switch over... Sometimes I cannot establish an https connection
until after I have the http session going.

Code is good. Comments and summary mean more to me.
--gene

> Just in case you wondered whether Tor and Gmail are a good
> combination: They are not.
>
> I did some testing with Privoxy's cvs version and this filter:
>
> FILTER: googlemail Hides sponsored links with css and shows why insecure
> mail transfer is a bad idea.
> s@</head>@<style type="text/css">\#fbc, \#fbl, \#ra, .rhh{visibility:
> hidden !important;}</style>$0@i
> s@easy( to switch to Google Mail)@stupid $1 and transfer mail unencrypted
> to make sure everbody is reading it@gi
> s@Foo bar@Mail integrity compromised! Yay for GMail.@
> s@different@insecure@
>
> together with these action sections:
>
> {-block \
>  -crunch-incoming-cookies \
>  -crunch-outgoing-cookies \
>  -filter{content-cookies} \
>  -filter{img-reorder} \
>  -filter{webbugs} \
>  -filter{frameset-borders} \
>  +filter{googlemail} \
>  -filter-client-headers \
>  -filter-server-headers \
> }
> mail.google.com/
> {+redirect{http://www.fabiankeil.de/bilder/icons/fingerzeig.png} \
> }
> mail.google.com/favicon.ico
> {+limit-connect{443} \
> }
> .google.com/
>
> Results:
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
> (My original mail's content is "Foo bar" of course.)
>
> More information (in German):
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html
>
> About 0.3% of my Tor exit nodes' users seem to consider using
> Gmail with Tor a good idea. I suggest they reconsider.
>
> Fabian

Follow-Ups:
- Re: Using Gmail (with Tor) is a bad idea
  - From: Fabian Keil

References:
- Using Gmail (with Tor) is a bad idea
  - From: Fabian Keil

Prev by Author: Re: Now tor does not work at all...
Next by Author: Re: Using Gmail (with Tor) is a bad idea
Previous by thread: Using Gmail (with Tor) is a bad idea
Next by thread: Re: Using Gmail (with Tor) is a bad idea
Index(es):
- Author
- Thread