
Re: Using Gmail (with Tor) is a bad idea



why not just use your own client with the socks proxy turned on and
access gmail via the pop and smtp they provide (both of which are
encrypted, one ssl, the other tls)?

Anthony DiPierro wrote:
> On 9/18/06, Fabian Keil <freebsd-listen@xxxxxxxxxxxxx> wrote:
>> yancm@xxxxxxxxxxxxxxxx top posted (please don't):
>> > Are you saying that some info gets leaked if you use
>> > unencrypted http to transfer mail with gmail?
>>
>> Yes, and some info means everything but your password.
>>
>> And even if you enter through https://mail.google.com/,
>> a man in the middle can send your browser a redirect to
>> http://mail.google.com/, Google then sends your browser
>> another redirect to the encrypted login page on another
>> server and after the secured login you will get redirected
>> back to http://mail.google.com/.
>>
> OK, so if you're careful, and enter through https://mail.google.com/,
> you're fine, as long as you don't go to *any* http site before you
> clear your cookies.
> 
> But if you log in to gmail, even through https, then you go to an
> http site (like http://www.yahoo.com/, for example), then your session
> can be stolen.
> 
>> Firefox/1.5.0.7 honours an unencrypted redirect
>> as response for a https connection request.
>> You don't get a warning, but of course if you look for it,
>> you can see that the connection is unencrypted.
>>
> Assuming this can't be turned off, the only real workaround I think
> would work is to disable the http proxy.  This might be realistic, you
> could switch between three proxy settings, one for normal browsing,
> one just for gmail/tor (which would send http requests to a proxy at a
> nonexistent IP address), and one for normal tor browsing.  These three
> settings could be managed through SwitchProxy, which would
> automatically clear cookies between each one.
> 
> For those gmail diehards (like me) who want to hide their IP address
> from gmail (not a bad idea), it might be a reasonable workaround.
> 
>> At that point, however, the man in the middle already has your
>> authentication cookies and I would be surprised if he
>> couldn't take over the session. Of course that'll require
>> greater efforts than some regular expressions.
>>
> And considering how many sites, including financial sites, are happy
> to send you a new password by email, getting your gmail session stolen
> could be really horrible.
> 
> Anthony
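
An added example, not part of the original messages: a small audit that walks the redirect chain described in the thread and lists which cookies a browser would send over the cleartext hop because they lack the `Secure` attribute. The cookie names and values are constructed, and the sketch assumes every cookie carries an explicit `Domain` attribute.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data: cookie names and values are hypothetical.
SET_COOKIE = [
    "session_a=constructed-value-1; Domain=.google.com; Path=/",
    "login_b=constructed-value-2; Domain=.google.com; Path=/; Secure",
]
# The hops named in the thread: https entry, then the injected http redirect.
CHAIN = ["https://mail.google.com/", "http://mail.google.com/"]

def parse_cookies(headers):
    """Return [(name, domain, secure)] from Set-Cookie header values."""
    out = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain = morsel["domain"].lstrip(".").lower()
            out.append((name, domain, bool(morsel["secure"])))
    return out

def domain_matches(host, domain):
    """Suffix match on a cookie Domain attribute (assumed to be present)."""
    return host == domain or host.endswith("." + domain)

def audit_chain(chain, headers):
    """Return (downgrades, exposed).

    downgrades: URLs reached over http directly after an https hop.
    exposed: {http_url: [cookie names sent in cleartext to that URL]}.
    """
    cookies = parse_cookies(headers)
    downgrades, exposed, prev = [], {}, None
    for url in chain:
        parts = urlsplit(url)
        if prev == "https" and parts.scheme == "http":
            downgrades.append(url)
        if parts.scheme == "http":
            sent = sorted(name for name, domain, secure in cookies
                          if not secure and domain_matches(parts.hostname, domain))
            if sent:
                exposed[url] = sent
        prev = parts.scheme
    return downgrades, exposed

if __name__ == "__main__":
    print(audit_chain(CHAIN, SET_COOKIE))
```

A cookie marked `Secure` never appears in the exposed list, which is why the attribute matters for any session cookie set after an https login.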