Re: Using Gmail (with Tor) is a bad idea

Mon, 18 Sep 2006 15:18:41 -0700 

I'm not quite sure what you are saying?

Are you saying that some info gets leaked if you use
unencrypted http to transfer mail with gmail?

Why not just switch the connection to https? If you do this
manually, it seems all communication with gmail is encrypted?

I do use gmail with tor. I do enable https before I transfer any
significant data. Though the message list sometimes gets displayed
before I switch over... Sometimes I cannot establish an https connection
until after I have the http session going.

Code is good. Comments and summary mean more to me.
--gene

> Just in case you wondered whether Tor and Gmail are a good
> combination: They are not.
>
> I did some testing with Privoxy's cvs version and this filter:
>
> FILTER: googlemail Hides sponsored links with css and shows why insecure
> mail transfer is a bad idea.
> s@</head>@<style type="text/css">\#fbc, \#fbl, \#ra, .rhh{visibility:
> hidden !important;}</style>[EMAIL PROTECTED]
> [EMAIL PROTECTED]( to switch to Google Mail)@stupid $1 and transfer mail 
> unencrypted
> to make sure everbody is reading [EMAIL PROTECTED]
> [EMAIL PROTECTED] [EMAIL PROTECTED] integrity compromised! Yay for GMail.@
> [EMAIL PROTECTED]@insecure@
>
> together with these action sections:
>
> {-block \
>  -crunch-incoming-cookies \
>  -crunch-outgoing-cookies \
>  -filter{content-cookies} \
>  -filter{img-reorder} \
>  -filter{webbugs} \
>  -filter{frameset-borders} \
>  +filter{googlemail} \
>  -filter-client-headers \
>  -filter-server-headers \
> }
> mail.google.com/
> {+redirect{http://www.fabiankeil.de/bilder/icons/fingerzeig.png} \
> }
> mail.google.com/favicon.ico
> {+limit-connect{443} \
> }
> .google.com/
>
> Results:
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-gmail-inbox-1024x768.png
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/screenshot-modifizierte-mail-1024x768.png
> (My original mail's content is "Foo bar" of course.)
>
> More information (in German):
> http://www.fabiankeil.de/blog-surrogat/2006/09/18/google-mail-fingerzeig.html
>
> About 0.3% of my Tor exit nodes' users seem to consider using
> Gmail with Tor a good idea. I suggest they reconsider.
>
> Fabian

Reply via email to