
Re: Using Gmail (with Tor) is a bad idea



I know this is taking this a bit off topic (since people are obviously raising some important issues here)... but it seems to me that, in most cases, using Gmail with Tor would be pretty silly anyways?

Most people's email accounts have personally identifying information, so you've already lost anonymity. What's the point of Tor then? As some people were arguing before, you may well be opening yourself to MORE snooping, rather than less. I try to avoid using Tor when my browsing reveals my identity anyways.

I guess it can make sense to use Tor in the case where you've set up a special "anonymous" account where no emails contain identifying info.

Am I way off base here? (Again, I realize that the points that are being made, for example about Firefox, are of course important in their own right...)

-Wes

Tim McCormack wrote:
After you log in (which is on a https://www.google.com address), you are
redirected (with auth tokens) to a http://mail.google.com/ address.

There seem to be two issues:
 1) Is Gmail secure with regard to the exit node, even when entering on
https://www.gmail.com/?
 2) Is the Tor network leaking data with Gmail?

  - Tim

Jason Holt wrote:
On Mon, 18 Sep 2006, Tim McCormack wrote:

The problem is that Google puts the auth tokens in an http:// GET
request -- you can see for yourself. And then it switches to https://.
The exit node could grab your auth tokens, I guess. Since you're
effectively at the same IP as the Tor exit node, Gmail wouldn't know the
difference.

Where does that happen? When I go to gmail.com I get redirected to an
https login page.

                    -J
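
The redirect described in the thread (an https login followed by an http:// hop that carries auth tokens in a GET request) can be checked mechanically from a recorded redirect chain. The following is an added example, not part of the original thread; the chain, its paths and the `auth` parameter name are constructed, and the name-matching heuristic is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl

# Heuristic name fragments for credential-bearing parameters (assumption).
SENSITIVE_HINTS = ("auth", "token", "session", "sid", "ticket")

# Constructed redirect chain: hosts follow the thread, the paths and the
# "auth" parameter are hypothetical.
SAMPLE_CHAIN = [
    "https://www.google.com/login",
    "http://mail.google.com/mail?auth=CONSTRUCTED-TOKEN&hl=en",
    "https://mail.google.com/mail/",
]


def sensitive_params(url):
    """Return the names of query parameters that look like credentials."""
    query = urlsplit(url).query
    return sorted({
        name for name, _ in parse_qsl(query, keep_blank_values=True)
        if any(hint in name.lower() for hint in SENSITIVE_HINTS)
    })


def audit_redirect_chain(chain):
    """Flag hops where credential-like parameters travel over plain http."""
    findings = []
    prev_scheme = None
    for hop, url in enumerate(chain):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme == "http":
            exposed = sensitive_params(url)
            if exposed:
                findings.append({
                    "hop": hop,
                    "host": parts.hostname,
                    "params": exposed,  # names only, values are not echoed
                    "downgrade": prev_scheme == "https",
                })
        prev_scheme = scheme
    return findings


if __name__ == "__main__":
    for finding in audit_redirect_chain(SAMPLE_CHAIN):
        print(finding)
```

A finding with `downgrade` set means the token left an encrypted hop and was then sent in cleartext, which is the point at which an on-path party such as an exit node could read it.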