Suggestion: Advise Tor users to use https://

Posted: Wed Jun 30, 2010 3:12 pm
by Paranoid2000
Scroogle (who offer a search scraping service off Google) have recently started redirecting accesses from known Tor nodes to their SSL pages in order to prevent rogue exit node operators from eavesdropping on search terms.

This did strike me as being somewhat overzealous (without some way of linking page access to a real person, such eavesdropping would serve no purpose) but it would seem more fitting for Spamgourmet to provide a similar warning.

Otherwise, a fraudster running a Tor exit node and examining traffic could obtain an SG user's password and then use it to redirect their email to an account under the fraudster's control (which could then be used to access private info including password details for other sites). Using Spamgourmet's https: login page should avoid this (with the possible exception of SSL certificate spoofing which should trigger a browser warning).
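
The redirect described in the post, sketched as an added example (not part of the original post, and not Scroogle's or Spamgourmet's code): it parses a Tor exit list and decides whether a plain-HTTP request should be sent to the https: page. The function names, the host name and the sample list are assumptions; the list follows the `ExitAddress` line layout of the Tor Project's published exit-addresses file, with constructed fingerprints and documentation-range addresses.

```python
import ipaddress

# Constructed sample in the exit-addresses layout; all values are made up.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2010-06-29 10:00:00
LastStatus 2010-06-30 09:00:00
ExitAddress 192.0.2.10 2010-06-30 09:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2010-06-29 11:00:00
LastStatus 2010-06-30 09:00:00
ExitAddress 198.51.100.7 2010-06-30 09:06:00
ExitAddress 203.0.113.44 2010-06-30 09:07:00
"""


def parse_exit_addresses(text):
    """Return the set of IP addresses named on ExitAddress lines."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip a malformed entry, keep the rest of the list
    return exits


def redirect_target(client_ip, scheme, host, path, exits):
    """Return the https:// URL to redirect to, or None to serve as-is."""
    if scheme == "https":
        return None  # already encrypted, nothing to do
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None  # unparseable client address: leave the request alone
    if addr in exits:
        return "https://" + host + path
    return None


if __name__ == "__main__":
    exits = parse_exit_addresses(SAMPLE_EXIT_LIST)
    # www.example.org is a placeholder host name.
    print(redirect_target("198.51.100.7", "http", "www.example.org", "/login", exits))
```

The check has to run on the request for the login page itself, before any form carrying the password is submitted over plain HTTP.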