Re: Using Gmail (with Tor) is a bad idea



I'm not quite sure what you are saying?

Are you saying that some info gets leaked if you use
unencrypted http to transfer mail with gmail?

Why not just switch the connection to https? If you do this
manually, it seems all communication with gmail is encrypted?

I do use gmail with tor. I do enable https before I transfer any
significant data. Though the message list sometimes gets displayed
before I switch over... Sometimes I cannot establish an https connection
until after I have the http session going.

Code is good. Comments and summary mean more to me.
--gene

> Just in case you wondered whether Tor and Gmail are a good
> combination: They are not.
>
> I did some testing with Privoxy's cvs version and this filter:
>
> FILTER: googlemail Hides sponsored links with css and shows why insecure mail transfer is a bad idea.
> s@</head>@<style type="text/css">\#fbc, \#fbl, \#ra, .rhh{visibility: hidden !important;}</style>$0@i
> s@easy( to switch to Google Mail)@stupid $1 and transfer mail unencrypted to make sure everbody is reading it@gi
> s@Foo bar@Mail integrity compromised! Yay for GMail.@
> s@different@insecure@
>
> together with these action sections:
>
> {-block \
>  -crunch-incoming-cookies \
>  -crunch-outgoing-cookies \
>  -filter{content-cookies} \
>  -filter{img-reorder} \
>  -filter{webbugs} \
>  -filter{frameset-borders} \
>  +filter{googlemail} \
>  -filter-client-headers \
>  -filter-server-headers \
> }
> mail.google.com/
> {+redirect{http://www.fabiankeil.de/bilder/icons/fingerzeig.png} \
> }
> mail.google.com/favicon.ico
> {+limit-connect{443} \
> }
> .google.com/
>
> Results:
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
> (My original mail's content is "Foo bar" of course.)
>
> More information (in German):
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html
>
> About 0.3% of my Tor exit nodes' users seem to consider using
> Gmail with Tor a good idea. I suggest they reconsider.
>
> Fabian