[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Using Gmail (with Tor) is a bad idea



yancm@xxxxxxxxxxxxxxxx top posted (please don't):

> > Just in case you wondered whether Tor and Gmail are a good
> > combination: They are not.
> >
> > I did some testing with Privoxy's cvs version and this filter:

> > Results:
> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
> > (My original mail's content is "Foo bar" of course.)
> >
> > More information (in German):
> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html

> I'm not quite sure what you are saying?
> 
> Are you saying that some info gets leaked if you use
> unencrypted http to transfer mail with gmail?

Yes, and some info means everything but your password.

And even if you enter through https://mail.google.com/,
a man in the middle can send your browser a redirect to
http://mail.google.com/, Google then sends your browser
another redirect to the encrypted login page on another
server and after the secured login you will get redirected
back to http://mail.google.com/.

Firefox/1.5.0.7 honours an unencrypted redirect
as response for a https connection request.
You don't get a warning, but of course if you look for it,
you can see that the connection is unencrypted.

At that point, however, the man in the middle already has your
authentication cookies and I would be surprised if he
couldn't take over the session. Of course that'll require
greater efforts than some regular expressions.

Fabian
-- 
http://www.fabiankeil.de/

Attachment: signature.asc
Description: PGP signature