After you log in (which is on an https://www.google.com address), you are
redirected (with auth tokens) to an http://mail.google.com/ address.
There seem to be two issues:
1) Is Gmail secure with regard to the exit node, even when entering on
https://www.gmail.com/?
2) Is the Tor network leaking data with Gmail?
- Tim
Jason Holt wrote:
> On Mon, 18 Sep 2006, Tim McCormack wrote:
>> The problem is that Google puts the auth tokens in an http:// GET
>> request -- you can see for yourself. And then it switches to https://.
>> The exit node could grab your auth tokens, I guess. Since you're
>> effectively at the same IP as the Tor exit node, gmail wouldn't know the
>> difference.
>
> Where does that happen? When I go to gmail.com I get redirected to an
> https login page.
>
> -J
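
Added example, not part of the original thread: a Python check that walks a recorded redirect chain and flags any cleartext http:// hop carrying token-like query parameters, which is the exposure discussed above. Only the two hostnames come from the thread; the paths, parameter names, token value and the name heuristic are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed heuristic: substrings in a parameter name that suggest a credential.
TOKEN_HINTS = ("auth", "token", "session", "sid", "ticket")


def looks_like_token(name, value):
    """Suggestive parameter name, or a long opaque alphanumeric value."""
    if any(hint in name.lower() for hint in TOKEN_HINTS):
        return True
    return len(value) >= 24 and value.isalnum()


def audit_redirect_chain(urls):
    """Return one finding per cleartext hop that carries token-like parameters.

    `urls` is the ordered list of URLs the browser requested, e.g. copied
    from a proxy log or the browser's network panel.
    """
    findings = []
    prev_scheme = None
    for hop, url in enumerate(urls):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme == "http":
            pairs = parse_qsl(parts.query, keep_blank_values=True)
            exposed = [n for n, v in pairs if looks_like_token(n, v)]
            if exposed:
                findings.append({
                    "hop": hop,
                    "host": parts.hostname,
                    "params": exposed,
                    # True when the previous hop was encrypted (https -> http)
                    "downgrade": prev_scheme == "https",
                })
        prev_scheme = scheme
    return findings


# Constructed sample chain: hostnames from the thread, everything else invented.
SAMPLE_CHAIN = [
    "https://www.google.com/login-example",
    "http://mail.google.com/mail-example?auth=CONSTRUCTEDTOKEN0123456789&view=inbox",
    "https://mail.google.com/mail-example",
]

if __name__ == "__main__":
    for f in audit_redirect_chain(SAMPLE_CHAIN):
        print(f"hop {f['hop']} {f['host']}: cleartext params {f['params']}, "
              f"downgrade={f['downgrade']}")
```

Anything the function reports is readable by every network hop between the client and the server, including a Tor exit node.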