
Re: Using Gmail (with Tor) is a bad idea



On 9/18/06, Fabian Keil <freebsd-listen@xxxxxxxxxxxxx> wrote:
> yancm@xxxxxxxxxxxxxxxx top posted (please don't):
> > Are you saying that some info gets leaked if you use
> > unencrypted http to transfer mail with gmail?
>
> Yes, and some info means everything but your password.
>
> And even if you enter through https://mail.google.com/,
> a man in the middle can send your browser a redirect to
> http://mail.google.com/, Google then sends your browser
> another redirect to the encrypted login page on another
> server and after the secured login you will get redirected
> back to http://mail.google.com/.

OK, so if you're careful, and enter through https://mail.google.com/,
you're fine, as long as you don't go to *any* http site before you
clear your cookies.

But if you log in to gmail, even through https, then you go to an
http site (like http://www.yahoo.com/, for example), then your session
can be stolen.

> Firefox/1.5.0.7 honours an unencrypted redirect
> as response for a https connection request.
> You don't get a warning, but of course if you look for it,
> you can see that the connection is unencrypted.

Assuming this can't be turned off, the only real workaround I think
would work is to disable the http proxy.  This might be realistic, you
could switch between three proxy settings, one for normal browsing,
one just for gmail/tor (which would send http requests to a proxy at a
nonexistent IP address), and one for normal tor browsing.  These three
settings could be managed through SwitchProxy, which would
automatically clear cookies between each one.

For those gmail diehards (like me) who want to hide their IP address
from gmail (not a bad idea), it might be a reasonable workaround.

> At that point, however, the man in the middle already has your
> authentication cookies and I would be surprised if he
> couldn't take over the session. Of course that'll require
> greater efforts than some regular expressions.

And considering how many sites, including financial sites, are happy
to send you a new password by email, getting your gmail session stolen
could be really horrible.

Anthony
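
The cookie exposure discussed in this thread, as an added example that is not part of the original posts: given the cookies a browser holds after an HTTPS login and a redirect chain of the shape described above, it lists every HTTPS-to-HTTP downgrade and every cookie that would travel in cleartext because it lacks the `Secure` attribute. Hostnames, cookie names and values are constructed for the example, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: hostnames, cookie names and values are made up.
# Set-Cookie headers received during an earlier HTTPS login:
LOGIN_SET_COOKIE = [
    "SESSION=abc123; Domain=mail.example.com; Path=/",
    "AUTH=def456; Domain=mail.example.com; Path=/; Secure; HttpOnly",
]
# Redirect chain of the shape described in the thread:
CHAIN = [
    "https://mail.example.com/",
    "http://mail.example.com/",        # unencrypted redirect target
    "https://login.example.com/auth",  # encrypted login page
    "http://mail.example.com/inbox",   # redirected back after login
]

def parse_cookies(headers):
    """Parse Set-Cookie values into dicts; assumes each carries a Domain attribute."""
    jar = []
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar.append({"name": name,
                        "domain": morsel["domain"].lstrip("."),
                        "path": morsel["path"] or "/",
                        "secure": bool(morsel["secure"])})
    return jar

def downgrades(chain):
    """Return (from, to) pairs where an https hop redirects to plain http."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if a.startswith("https://") and b.startswith("http://")]

def cleartext_exposure(jar, chain):
    """Return (url, cookie name) for every cookie sent on a plain-http hop."""
    findings = []
    for url in chain:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        host, path = parts.hostname or "", parts.path or "/"
        for c in jar:
            domain_ok = host == c["domain"] or host.endswith("." + c["domain"])
            # Prefix test is a simplification of RFC 6265 path matching.
            if domain_ok and path.startswith(c["path"]) and not c["secure"]:
                findings.append((url, c["name"]))
    return findings
```

Calling `cleartext_exposure(parse_cookies(LOGIN_SET_COOKIE), CHAIN)` reports only the cookie set without `Secure`; a jar in which every session cookie carries `Secure` yields no findings even though the downgrades are still present in the chain.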