Warnings on the download page
Richard Johnson
rdump at river.com
Sun Mar 11 17:45:25 UTC 2007
At 16:33 -0600 on 2007-03-08, H D Moore wrote:
> 3) Web application hijacking. If a rogue Tor node watches for a specific
> pattern, such as the "welcome!" message from a web application or web
> mail portal, the Tor node could kick the user out and hijack their
> session. This is especially dangerous for sites that SSL-protect the
> authentication process, but leave the rest of the application unencrypted
> (Yahoo, GMail, others?).

Google mail will reportedly stick with https for the entire session if you
start via https://mail.google.com/

Use their other initial URLs, however, and your session will drop back to
http after the authentication is done.

Suggesting gmail users start with https://mail.google.com/ (until the
behavior changes, at least) may be good for a FAQ entry.

Richard
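
An added example, not part of the original message or of any Tor project code: a check over a recorded login flow for the behaviour discussed above, where authentication runs over https and the session then drops back to http. The host name, cookie names and the flow itself are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: (request URL, Set-Cookie header values) per hop of a
# login flow. Host and cookie names are made up, not taken from any real site.
SAMPLE_FLOW = [
    ("https://mail.example.test/login", ["SID=abc123; Path=/; HttpOnly"]),
    ("https://mail.example.test/auth/check",
     ["LSID=def456; Path=/auth; Secure; HttpOnly"]),
    ("http://mail.example.test/inbox", []),
]


def cookie_name_and_flags(header):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, flags


def audit_flow(flow):
    """Report cookies set over https without Secure, and any later http hop.

    A cookie without the Secure attribute is sent by the browser on plain
    http requests too, so a downgrade after login exposes it to anyone on
    the path, including an exit relay.
    """
    findings = []
    seen_https = False
    exposed = []  # names of cookies set over https without Secure
    for url, set_cookies in flow:
        scheme = urlsplit(url).scheme.lower()
        if scheme == "https":
            seen_https = True
            for header in set_cookies:
                name, flags = cookie_name_and_flags(header)
                if "secure" not in flags:
                    exposed.append(name)
                    findings.append(("cookie-without-secure", url, name))
        elif scheme == "http" and seen_https:
            findings.append(("downgrade-to-http", url, ",".join(exposed)))
    return findings


if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_FLOW):
        print(finding)
```
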