[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Using Gmail (with Tor) is a bad idea
i personally don't like the ajax interface, fancy as it might be,
javascript is full of holes and to be honest it's slower than a direct
pop access.
in case anyone reading this mailing list didn't know, you can access
gmail via pop and they also have an smtp server (altho it rewrites the
sender thing to the name of the account logged in to use the smtp
server) and it can be accessed by thunderbird proxied through tor with
the straight socks5 setup.
oh yes, and i think it should be pointed out that anyone who has a
history of running a tor server exit node, any lapses in one's security
cannot be conclusively mapped to you, since they all look the same
(apart from the username)
Fabian Keil wrote:
> "Taka Khumbartha" <scarreigns@xxxxxxxxx> wrote:
>
>> is the issue here not with gmail, but perhaps javascript? can anyone
>> confirm that there is no in-secure re-direction if javascript is
>> dis-abled? if there still is (in-secure re-direction), please be
>> specific about how to observe such an in-security.
>
> The redirects I'm talking about are basic HTTP features
> and don't depend on JavaScript at all.
>
> It's possible to emulate redirects with JavaScript,
> but if an attacker is already in the position to run code
> on your system, she probably has better things to do than
> just to redirect you.
>
> If you want to see how a redirect looks like,
> use a Privoxy section like:
>
> {-limit-connect \
> +redirect{http://tor.eff.org/} \
> }
> secure-login.example.org:443/
>
> Enter https://secure-login.example.org/ in your browser
> and see what happens. If you are still using Privoxy 3.0.3
> use:
>
> {+block \
> +handle-as-image \
> -limit-connect \
> +set-image-blocker{http://tor.eff.org/} \
> }
> secure-login.example.org:443/
>
> instead.
>
> Fabian