yancm@xxxxxxxxxxxxxxxx wrote:

> > yancm@xxxxxxxxxxxxxxxx:
> >
> >> > Just in case you wondered whether Tor and Gmail are a good
> >> > combination: They are not.
> >> I'm not quite sure what you are saying?
> >>
> >> Are you saying that some info gets leaked if you use
> >> unencrypted http to transfer mail with gmail?
> >
> > Yes, and some info means everything but your password.
> >
> > And even if you enter through https://mail.google.com/,
> > a man in the middle can send your browser a redirect to
> > http://mail.google.com/, Google then sends your browser
> > another redirect to the encrypted login page on another
> > server and after the secured login you will get redirected
> > back to http://mail.google.com/.
>
> OK, is this specific to Google? Or are there other free/nonfree
> email services that are immune to this behavior? If so, please
> suggest.
>
> What about ecommerce or other secured sites?

Any site that keeps the whole session encrypted and doesn't
use redirects based on user supplied URL parameters is not
affected.

The problem is specific to a broken "security" concept and
while there are probably a few websites with similar problems,
you shouldn't have a problem finding one that gets it right,
after all that's common sense since the invention of HTTPS.

You can easily test for yourself if a website is affected.
Use Privoxy to disable HTTPS after you successfully logged in.
If you can still transfer privacy-sensitive data, you know
that the site is broken.

I can't comment on different web based email services because
I don't use them. This short test was an exception to see which
Privoxy filters have to be disabled to get GMail working.

It wasn't my account and I would never trust Google to take care
of my data anyway. For me a quick look at their terms and conditions
already is reason enough to stay away from them.

Fabian
-- 
http://www.fabiankeil.de/
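
Added example, not part of the original message: a Python check that audits a recorded redirect chain against the two criteria given in the reply above (the whole session stays encrypted, and no redirect target is taken from a user-supplied URL parameter). The host names, the `continue` parameter and both chains are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed chains of (request URL, Location header). BROKEN follows the
# sequence described in the message; hosts and "continue" are hypothetical.
BROKEN = [
    ("https://mail.example.test/", "http://mail.example.test/"),
    ("http://mail.example.test/",
     "https://login.example.test/auth?continue=http%3A%2F%2Fmail.example.test%2F"),
    ("https://login.example.test/auth?continue=http%3A%2F%2Fmail.example.test%2F",
     "http://mail.example.test/"),
]
SOUND = [("https://shop.example.test/login", "https://shop.example.test/account")]


def audit_chain(chain):
    """Return (hop_index, finding) pairs for a list of (url, location) hops."""
    findings = []
    for i, (url, location) in enumerate(chain):
        src, dst = urlsplit(url), urlsplit(location)
        if src.scheme == "https" and dst.scheme == "http":
            # The site itself moves the browser off TLS.
            findings.append((i, "downgrade"))
        elif src.scheme == "http":
            # The redirect travels in cleartext, so anyone on the path
            # can read or rewrite it.
            findings.append((i, "cleartext-hop"))
        # parse_qsl percent-decodes values; a match means the redirect target
        # was supplied in the request URL rather than chosen by the server.
        if location in [value for _, value in parse_qsl(src.query)]:
            findings.append((i, "param-controlled-redirect"))
    if chain and urlsplit(chain[-1][1]).scheme != "https":
        findings.append((len(chain) - 1, "session-ends-in-cleartext"))
    return findings


if __name__ == "__main__":
    for name, chain in (("BROKEN", BROKEN), ("SOUND", SOUND)):
        print(name, audit_chain(chain))
```
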