Re: Using Gmail (with Tor) is a bad idea



i personally don't like the ajax interface, fancy as it might be,
javascript is full of holes and to be honest it's slower than a direct
pop access.

in case anyone reading this mailing list didn't know, you can access
gmail via pop and they also have an smtp server (although it rewrites the
sender thing to the name of the account logged in to use the smtp
server) and it can be accessed by thunderbird proxied through tor with
the straight socks5 setup.

oh yes, and i think it should be pointed out that for anyone who has a
history of running a tor server exit node, any lapses in one's security
cannot be conclusively mapped to you, since they all look the same
(apart from the username)

Fabian Keil wrote:
> "Taka Khumbartha" <scarreigns@xxxxxxxxx> wrote:
> 
>> is the issue here not with gmail, but perhaps javascript?  can anyone
>> confirm that there is no in-secure re-direction if javascript is
>> dis-abled? if there still is (in-secure re-direction), please be
>> specific about how to observe such an in-security.
> 
> The redirects I'm talking about are basic HTTP features
> and don't depend on JavaScript at all.
> 
> It's possible to emulate redirects with JavaScript,
> but if an attacker is already in the position to run code
> on your system, she probably has better things to do than
> just to redirect you.
> 
> If you want to see what a redirect looks like,
> use a Privoxy section like:
> 
> {-limit-connect \
>  +redirect{http://tor.eff.org/} \
> }
> secure-login.example.org:443/
> 
> Enter https://secure-login.example.org/ in your browser
> and see what happens. If you are still using Privoxy 3.0.3
> use:
> 
> {+block \
>  +handle-as-image \
>  -limit-connect \
>  +set-image-blocker{http://tor.eff.org/} \
> }
> secure-login.example.org:443/
> 
> instead.
> 
> Fabian