[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Using Gmail (with Tor) is a bad idea



The problem is that Google puts the auth tokens in an http:// GET
request -- you can see for yourself.  And then it switches to https://.
 The exit node could grab your auth tokens, I guess. Since you're
effectively at the same IP as the Tor exit node, gmail wouldn't know the
difference.

 - Tim

Claude LaFreniÃre wrote:
> Hi  *Fabian Keil*   :
> 
>> Just in case you wondered whether Tor and Gmail are a good
>> combination: They are not.
> 
> [...]
> 
>> About 0.3% of my Tor exit nodes' users seem to consider using
>> Gmail with Tor a good idea. I suggest they reconsider.
> 
> I'm using Gmail with Tor and Thunderbird not Firefox or an other browser.
> 
> pop.gmail.com on port 995 -> SSL  ...
> smtp.gmail.com port 587 -> TLS ...
> 
> So the connections between my computer and the Google servers 
> are encrypted. (With or without Tor...)
> 
> With this the only privacy problem remaining is what Google is doing 
> with the mail data in their servers... and this can be easily solve by
> using PGP/ GnuPG.
> 
> I'm not convinced that Tor failed to encrypt correctly the communications
> with the combination of Tor + Firefox + Gmail ...
> 
> If your demonstration is correct there is a problem with Tor itself:
> how a Man-in-the-middle may have an access to the authentication cookies ?
> 
> I'm interested to have some advices on this.
> 
> :)