The problem is that Google puts the auth tokens in an http:// GET request -- you can see for yourself. And then it switches to https://. The exit node could grab your auth tokens, I guess. Since you're effectively at the same IP as the Tor exit node, gmail wouldn't know the difference.
- Tim

Claude LaFrenière wrote:
> Hi *Fabian Keil* :
>
>> Just in case you wondered whether Tor and Gmail are a good
>> combination: They are not.
>
> [...]
>
>> About 0.3% of my Tor exit nodes' users seem to consider using
>> Gmail with Tor a good idea. I suggest they reconsider.
>
> I'm using Gmail with Tor and Thunderbird not Firefox or another browser.
>
> pop.gmail.com on port 995 -> SSL ...
> smtp.gmail.com port 587 -> TLS ...
>
> So the connections between my computer and the Google servers
> are encrypted. (With or without Tor...)
>
> With this the only privacy problem remaining is what Google is doing
> with the mail data in their servers... and this can be easily solved by
> using PGP/GnuPG.
>
> I'm not convinced that Tor failed to encrypt correctly the communications
> with the combination of Tor + Firefox + Gmail ...
>
> If your demonstration is correct there is a problem with Tor itself:
> how a Man-in-the-middle may have an access to the authentication cookies ?
>
> I'm interested to have some advice on this.
>
> :)
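
A defender-side check for the behaviour discussed in this message, as an added example that is not part of the original thread: it audits a recorded login redirect chain for credentials that cross a cleartext hop, either as URL parameters on an `http://` request or as cookies set without the `Secure` attribute. The host names, parameter names, cookie names and the `TOKEN_HINTS` list are constructed assumptions, not values captured from Gmail.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Assumption: substrings that suggest a query parameter carries a credential.
TOKEN_HINTS = ("auth", "token", "sid", "session")

# Constructed redirect chain: (request URL, Set-Cookie values in the response).
SAMPLE_HOPS = [
    ("https://accounts.example/login",
     ["LOGIN_C=constructed1; Path=/; Secure; HttpOnly"]),
    ("http://mail.example/mail/?auth=CONSTRUCTED_TOKEN&continue=inbox",
     ["SESSION_C=constructed2; Path=/mail"]),
    ("https://mail.example/mail/", []),
]


def audit_hops(hops):
    """Return (finding, host, name) tuples for credentials exposed in cleartext."""
    findings = []
    for url, set_cookie_headers in hops:
        parts = urlsplit(url)
        # A token in the query string of an http:// request is readable by
        # every relay between the client and the server, exit nodes included.
        if parts.scheme == "http":
            for name, _value in parse_qsl(parts.query, keep_blank_values=True):
                if any(hint in name.lower() for hint in TOKEN_HINTS):
                    findings.append(
                        ("token-in-cleartext-url", parts.hostname, name))
        # A cookie without Secure is also sent on later http:// requests to
        # the same site, even if the rest of the session runs over https://.
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                if not morsel["secure"]:
                    findings.append(
                        ("cookie-without-secure", parts.hostname, name))
    return findings


if __name__ == "__main__":
    for finding in audit_hops(SAMPLE_HOPS):
        print(*finding, sep="\t")
```
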

