
Re: Using Gmail (with Tor) is a bad idea
yancm@xxxxxxxxxxxxxxxx wrote:

> > yancm@xxxxxxxxxxxxxxxx:
> >
> >> > Just in case you wondered whether Tor and Gmail are a good
> >> > combination: They are not.

> >> I'm not quite sure what you are saying?
> >>
> >> Are you saying that some info gets leaked if you use
> >> unencrypted http to transfer mail with gmail?
> >
> > Yes, and some info means everything but your password.
> >
> > And even if you enter through https://mail.google.com/,
> > a man in the middle can send your browser a redirect to
> > http://mail.google.com/, Google then sends your browser
> > another redirect to the encrypted login page on another
> > server and after the secured login you will get redirected
> > back to http://mail.google.com/.
> 
> OK, is this specific to Google? Or are there other free/nonfree
> email services that are immune to this behavior? If so, please
> suggest.
> 
> What about ecommerce or other secured sites?

Any site that keeps the whole session encrypted and
doesn't use redirects based on user supplied URL parameters
is not affected.

The problem is specific to a broken "security" concept
and while there are probably a few websites with similar
problems, you shouldn't have a problem finding one that gets
it right, after all that's common sense since the invention
of HTTPS.

You can easily test for yourself if a website is affected.
Use Privoxy to disable HTTPS after you have successfully logged
in. If you can still transfer privacy-sensitive data,
you know that the site is broken.

I can't comment on different web based email services
because I don't use them. This short test was an exception
to see which Privoxy filters have to be disabled to get
GMail working.

It wasn't my account and I would never trust
Google to take care of my data anyway.
For me a quick look at their terms and conditions
already is reason enough to stay away from them.

Fabian
-- 
http://www.fabiankeil.de/
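The two points Fabian makes above (a redirect chain that bounces the browser from https to http around the login, and the "does the session still work without HTTPS" test) can be checked offline against recorded responses. The following is an added example and not code from the thread or from Privoxy; the hostnames under `example.test`, the response table and the cookie values are constructed to mirror the sequence described in the message, not captured from Google. It walks the redirect chain, flags every hop that drops from https to http, reports whether the final page is plain http, and lists cookies set without the `Secure` attribute, since those are exactly the ones a browser will keep sending once the session has been downgraded.

```python
"""Audit a login redirect chain for HTTPS-to-HTTP downgrades.

Added example, not part of the original thread. All URLs, responses and
cookie values below are constructed stand-ins so the check runs offline.
"""

from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed response table: request URL -> (status, headers).
# Models the broken flow described in the thread: the first hop is the
# redirect a man in the middle injects, the rest is the site's own behaviour.
BROKEN_RESPONSES = {
    "https://mail.example.test/": (302, {"Location": "http://mail.example.test/"}),
    "http://mail.example.test/": (302, {"Location": "https://login.example.test/ServiceLogin"}),
    "https://login.example.test/ServiceLogin": (
        302,
        {"Location": "http://mail.example.test/inbox",
         "Set-Cookie": "SID=constructed-session-id; Path=/; HttpOnly"},
    ),
    "http://mail.example.test/inbox": (200, {}),
}

# Constructed response table for a site that keeps the whole session encrypted
# and marks its session cookie Secure.
HARDENED_RESPONSES = {
    "https://mail.example.test/": (302, {"Location": "/ServiceLogin"}),
    "https://mail.example.test/ServiceLogin": (
        302,
        {"Location": "https://mail.example.test/inbox",
         "Set-Cookie": "SID=constructed-session-id; Path=/; Secure; HttpOnly"},
    ),
    "https://mail.example.test/inbox": (200, {}),
}


def follow_redirects(start_url, responses, max_hops=10):
    """Return the list of URLs visited, resolving relative Location headers."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        if url not in responses:
            break  # nothing recorded for this URL; stop the walk
        status, headers = responses[url]
        if status not in REDIRECT_STATUSES or "Location" not in headers:
            break
        url = urljoin(url, headers["Location"])
        chain.append(url)
    return chain


def downgrade_hops(chain):
    """Return (from_url, to_url) pairs where a redirect moved from https to http."""
    return [
        (a, b) for a, b in zip(chain, chain[1:])
        if urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http"
    ]


def insecure_cookies(responses):
    """Return names of cookies set without the Secure attribute.

    Such cookies are sent over plain http as well, so a downgraded session
    keeps working with them, which is the failure the thread's test detects.
    """
    names = []
    for _status, headers in responses.values():
        cookie = headers.get("Set-Cookie")
        if not cookie:
            continue
        attrs = [part.strip() for part in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if not any(attr.lower() == "secure" for attr in attrs[1:]):
            names.append(name)
    return names


def audit(start_url, responses):
    """Summarise the findings for one recorded login flow."""
    chain = follow_redirects(start_url, responses)
    return {
        "chain": chain,
        "downgrades": downgrade_hops(chain),
        "ends_on_http": urlsplit(chain[-1]).scheme == "http",
        "insecure_cookies": insecure_cookies(responses),
    }


def is_broken(report):
    """True if the flow shows any of the problems described in the thread."""
    return bool(report["downgrades"] or report["ends_on_http"] or report["insecure_cookies"])


if __name__ == "__main__":
    for label, table in (("broken", BROKEN_RESPONSES), ("hardened", HARDENED_RESPONSES)):
        report = audit("https://mail.example.test/", table)
        print(label, "broken" if is_broken(report) else "ok", report)
```

Against real traffic the same three checks apply to what the browser actually received: every https-to-http hop in the chain, a final page served over http, and a session cookie without `Secure` each mean the site does not keep the whole session encrypted, which is the condition Fabian names for a site being unaffected.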
