Chris Palmer([EMAIL PROTECTED])@Sun, Mar 02, 2008 at 01:15:57PM -0800:
> defcon writes:
>
> > I have been using tor for a while now, and I absolutely love it, although
> > the only thing keeping me from using it, is the insecurities of the exit
> > nodes. I know to truly stay anonymous you should stay away from personal
> > accounts "but" how can I connect through tor to gmail or other ssl enabled
> > services without risking my password being sniffed or my dns request being
> > hijacked. Any advice would be greatly appreciated!
>
> The answer is to use SSL. I'm not sure but I think you meant to say "... or
> other *non*-ssl enabled services...".
>
> In the particular case of Gmail: Gmail normally uses HTTPS for the login
> phase but not thereafter. That is of course totally silly, because while the
> attacker won't see your password they will still see your Gmail session
> cookies. That's all they need to hijack your Gmail session -- they don't
> need your password. BUT! the good news is that if you go to Gmail via
> https://mail.google.com/, Gmail will use HTTPS for the entire session, not
> just the login phase, and then you are as safe as anyone ever can be from
> network eavesdroppers (including traffic-sniffing Tor operators).

"Better Gmail 2" [1] claims to force SSL on all gmail connections. I
haven't tested it to verify that it is correct.

Sorry, no general-case solution, just some help for the Gmail users :)

[1] http://lifehacker.com/software/exclusive-lifehacker-download/better-gmail-2-firefox-extension-for-new-gmail-320618.php

-- 
Bill Weiss

A system composed of 100,000 lines of C++ is not to be sneezed at, but we
don't have that much trouble developing 100,000 lines of COBOL today. The
real test of OOP will come when systems of 1 to 10 million lines of code
are developed.
    -- Ed Yourdon


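The point made in the quoted reply above (the session cookies, not the password, are what ends up on the wire once the session leaves HTTPS), as an added example that is not part of the original thread. The cookie names and values are constructed, and the sketch assumes the Domain and Path of every cookie already match the request, so only the Secure attribute decides what is sent.

```python
# Added example: which cookies a browser attaches to a plain-HTTP request
# after a login performed over HTTPS. All cookie data below is constructed.

def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def cookies_sent(set_cookie_headers, scheme):
    """Names of cookies the browser would send on a request using `scheme`."""
    sent = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        # A cookie marked Secure is attached to https requests only; one
        # without it also goes out over http, readable by any on-path node.
        if scheme == "https" or "secure" not in attrs:
            sent.append(name)
    return sent

def exposed_to_eavesdropper(set_cookie_headers):
    """Cookies visible in cleartext once the session drops to http."""
    return cookies_sent(set_cookie_headers, "http")

# Constructed Set-Cookie values from a login response received over HTTPS.
LOGIN_RESPONSE = [
    "session_id=3f9a1c; Path=/mail; HttpOnly",      # no Secure attribute
    "auth_token=b71e02; Path=/; Secure; HttpOnly",  # https only
    "ui_lang=en; Path=/",                           # preference, no Secure
]

if __name__ == "__main__":
    for name in exposed_to_eavesdropper(LOGIN_RESPONSE):
        print("sent in cleartext over http:", name)
```

HttpOnly does not help here: it hides the cookie from page scripts, not from the network.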