yancm@xxxxxxxxxxxxxxxx top posted (please don't):

> > Just in case you wondered whether Tor and Gmail are a good
> > combination: They are not.
> >
> > I did some testing with Privoxy's cvs version and this filter:
> > Results:
> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
> > (My original mail's content is "Foo bar" of course.)
> >
> > More information (in German):
> > http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html

> I'm not quite sure what you are saying?
>
> Are you saying that some info gets leaked if you use
> unencrypted http to transfer mail with gmail?

Yes, and some info means everything but your password.

And even if you enter through https://mail.google.com/,
a man in the middle can send your browser a redirect to
http://mail.google.com/, Google then sends your browser
another redirect to the encrypted login page on another server
and after the secured login you will get redirected back
to http://mail.google.com/.

Firefox/1.5.0.7 honours an unencrypted redirect as response
for a https connection request. You don't get a warning,
but of course if you look for it, you can see that the
connection is unencrypted.

At that point, however, the man in the middle already has
your authentication cookies and I would be surprised if
he couldn't take over the session. Of course that'll require
greater efforts than some regular expressions.

Fabian
-- 
http://www.fabiankeil.de/
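A defender-side check for the redirect flow described in the reply above, added here as an example and not part of the original mail: it walks a recorded redirect chain, flags every https-to-http hop, and lists the cookies lacking the Secure attribute that the cleartext request would carry. The hosts, cookie names and the chain record format are constructed assumptions; cookie Path matching is ignored.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed redirect chain modelled on the flow in the mail. Hosts, cookie
# names and the record format are assumptions, not captured Gmail traffic.
CHAIN = [
    {"url": "https://mail.webmail.example/", "set_cookie": []},
    {"url": "http://mail.webmail.example/", "set_cookie": []},
    {"url": "https://login.webmail.example/auth", "set_cookie": [
        "SESSION=abc123; Domain=webmail.example; Path=/",
        "LOGIN=def456; Path=/; Secure"]},
    {"url": "http://mail.webmail.example/", "set_cookie": []},
]

def sent_to(host, domain, host_only):
    """Cookie domain matching: exact host, or subdomain for Domain= cookies."""
    return host == domain or (not host_only and host.endswith("." + domain))

def audit(chain):
    """Return (downgrades, exposed): the https->http hops, and the names of
    cookies without Secure that a cleartext request in the chain would carry."""
    downgrades, exposed, jar, prev_url = [], [], {}, None
    for hop in chain:
        url = urlsplit(hop["url"])
        if prev_url and urlsplit(prev_url).scheme == "https" and url.scheme == "http":
            downgrades.append((prev_url, hop["url"]))
        if url.scheme == "http":
            # This request leaves in cleartext: which stored cookies ride along?
            for name, (domain, host_only, secure) in jar.items():
                if not secure and sent_to(url.hostname, domain, host_only):
                    if name not in exposed:
                        exposed.append(name)
        # Cookies set by this response are available to later requests.
        for header in hop["set_cookie"]:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                domain = morsel["domain"].lstrip(".")
                jar[name] = (domain or url.hostname, not domain, bool(morsel["secure"]))
        prev_url = hop["url"]
    return downgrades, exposed

if __name__ == "__main__":
    hops, cookies = audit(CHAIN)
    for src, dst in hops:
        print(f"downgrade: {src} -> {dst}")
    print("cookies sent in cleartext:", cookies)
```
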