Gmail session is not being encrypted

1 view
Skip to first unread message

Surmandal

unread,
Feb 11, 2008, 11:06:25 PM2/11/08
to NepS...@googlegroups.com
Recently, I saw that gmail session is not encrypted.  First i hit the gmail.com then enter the username and password. during this stage it is https but after login to mailbox page it is http only. that means whole session is not encrypted. what do you think?? but hitting https://mail.google.com remains https. :(

--
HACKER VS CRACKER

nepbabu

unread,
Feb 12, 2008, 3:38:46 AM2/12/08
to NepS...@googlegroups.com

Hi Surmandal,
I do not use Webmail but what does loading up the SSL'ized page show up in your sniffer?

--
Cheers,
Bikal KC (Please use: nepbababucxspamfree_at_yahoo DOT ca)
Journal: http://nepbabu.livejournal.com || pubkey: see header
"Rule 6: There is no Rule 6." - Rob Pike
"Those who can make you believe absurdities, can make you commit atrocities." - François-Marie Arouet

Surmandal

unread,
Feb 12, 2008, 5:50:18 AM2/12/08
to NepS...@googlegroups.com
On Feb 12, 2008 2:23 PM, nepbabu <nepbabuc...@yahoo.ca> wrote:
On Tue, Feb 12, 2008 at 09:51:25AM +0545, Surmandal wrote:
> Recently, I saw that gmail session is not encrypted.  First i hit the
> gmail.com then enter the username and password. during this stage it is
> https but after login to mailbox page it is http only. that means whole
> session is not encrypted. what do you think?? but hitting
> https://mail.google.com remains https. :(

Hi Surmandal,
I do not use Webmail but what does loading up the SSL'ized page show up in your sniffer?
I am using wireshark .(root) but i got only garbage data.  anyway  the whole session should be ssl'zed.




 

--
Cheers,
Bikal KC (Please use: nepbababucxspamfree_at_yahoo DOT ca)
Journal: http://nepbabu.livejournal.com || pubkey: see header
"Rule 6: There is no Rule 6." - Rob Pike
"Those who can make you believe absurdities, can make you commit atrocities." - François-Marie Arouet



--
HACKER VS CRACKER

Probin

unread,
Feb 12, 2008, 7:01:37 AM2/12/08
to NepS...@googlegroups.com
I sniffed the username/pw on ettercap.

prob

bibstha

unread,
Feb 12, 2008, 8:46:39 AM2/12/08
to NepSecure (Nepali computer security and hacking community )
Um,
well if u need security there is always https://mail.google.com which
encrypts whole session, from login to logout as u've mentioned.
But that aside, https isn't always flexible IMO, and its slow as well.
Thats why i think http://mail.google.com is there. Depending upon how
paranoid u are about ur security. :)
> session is not encrypted. what do you think?? but hittinghttps://mail.google.comremains https. :(
>
> --
> HACKER VS CRACKER

nepbabu

unread,
Feb 12, 2008, 10:35:28 AM2/12/08
to NepS...@googlegroups.com
On Tue, Feb 12, 2008 at 05:46:39AM -0800, bibstha wrote:
>
> Um,
> well if u need security there is always https://mail.google.com which
> encrypts whole session, from login to logout as u've mentioned.
> But that aside, https isn't always flexible IMO, and its slow as well.
> Thats why i think http://mail.google.com is there. Depending upon how
> paranoid u are about ur security. :)

I think Bibek bro. :) IMHO, SSL'izing is not about being paranoid or over-paranoid. It's about ensuring that your traffic is encrypted so that no MITM can occur easily. This has serious privacy implications and you do not want some middle person sniffing for plaintext in your network. hoina? It _used_ to be about being paranoid but those days are long gone. Criminals & would-be criminals would forfeit much from this [and don't forget about s[cp]ammers as well].

My mail client [mutt] only encrypts the login credentials with AES. However, I wish it could have encrypted the whole session [I am thinking of starting to use the SSL'ized version of Gmail webmail with my other account since POP protocol doesn't maintain state afaik].

Surmandal

unread,
Feb 12, 2008, 12:14:48 PM2/12/08
to NepS...@googlegroups.com
Now I just capture the contain from gmail. now onwards i am gonna use htps://mail.gmail.com .
--
HACKER VS CRACKER

bibstha

unread,
Feb 13, 2008, 4:57:13 AM2/13/08
to NepSecure (Nepali computer security and hacking community )
Sorry my bad, now that i realize the importance, i should start using
https as well :)

On Feb 12, 8:35 pm, "nepbabu" <nepbabucxspamf...@yahoo.ca> wrote:
> On Tue, Feb 12, 2008 at 05:46:39AM -0800, bibstha wrote:
>
> > Um,
> > well if u need security there is alwayshttps://mail.google.comwhich
> > encrypts whole session, from login to logout as u've mentioned.
> > But that aside, https isn't always flexible IMO, and its slow as well.
> > Thats why i thinkhttp://mail.google.comis there. Depending upon how
> > paranoid u are about ur security. :)
>
> I think Bibek bro. :) IMHO, SSL'izing is not about being paranoid or over-paranoid. It's about ensuring that your traffic is encrypted so that no MITM can occur easily. This has serious privacy implications and you do not want some middle person sniffing for plaintext in your network. hoina? It _used_ to be about being paranoid but those days are long gone. Criminals & would-be criminals would forfeit much from this [and don't forget about s[cp]ammers as well].
>
> My mail client [mutt] only encrypts the login credentials with AES. However, I wish it could have encrypted the whole session [I am thinking of starting to use the SSL'ized version of Gmail webmail with my other account since POP protocol doesn't maintain state afaik].
>
> --
> Cheers,
> Bikal KC (Please use: nepbababucxspamfree_at_yahoo DOT ca)
> Journal:http://nepbabu.livejournal.com|| pubkey: see header
> "Rule 6: There is no Rule 6." - Rob Pike
> "Those who can make you believe absurdities, can make you commit atrocities." - François-Marie Arouet
>
> application_pgp-signature_part
> 1KDownload

nepbabu

unread,
Feb 13, 2008, 11:05:55 AM2/13/08
to NepS...@googlegroups.com
On Wed, Feb 13, 2008 at 01:57:13AM -0800, bibstha wrote:
>
> Sorry my bad, now that i realize the importance, i should start using
> https as well :)

Nah.. no need to be sorry. It's just that regular folks think the same. I believe it's of utmost important that every folk out there using computer should protect their privacy. Btw is that a surcasm bibek? :P

nepbabu

unread,
Feb 13, 2008, 8:14:30 PM2/13/08
to NepS...@googlegroups.com
On Wed, Feb 13, 2008 at 02:05:28AM +1030, nepbabu wrote:
> On Tue, Feb 12, 2008 at 05:46:39AM -0800, bibstha wrote:
> >
> > Um,
> > well if u need security there is always https://mail.google.com which
> > encrypts whole session, from login to logout as u've mentioned.
> > But that aside, https isn't always flexible IMO, and its slow as well.
> > Thats why i think http://mail.google.com is there. Depending upon how
> > paranoid u are about ur security. :)
>
> I think Bibek bro. :) IMHO, SSL'izing is not about being paranoid or over-paranoid. It's about ensuring that your traffic is encrypted so that no MITM can occur easily. This has serious privacy implications and you do not want some middle person sniffing for plaintext in your network. hoina? It _used_ to be about being paranoid but those days are long gone. Criminals & would-be criminals would forfeit much from this [and don't forget about s[cp]ammers as well].
>
> My mail client [mutt] only encrypts the login credentials with AES. However, I wish it could have encrypted the whole session [I am thinking of starting to use the SSL'ized version of Gmail webmail with my other account since POP protocol doesn't maintain state afaik].

Correction: Since, apparently the version of POP3 I am using is over TCP and over a link that supports SSL (from the server<->client), my connection with Yahoo! POP3 server is encrypted. Previously, I said the possibility of encryption only for login credential but it was not so. The whole POP session is crypted. I discussed this with fellow colleagues at #security@freenode as well as with my own findings and little discussion with sh00nya. Also, he reckons that it's the same with Gmail. :)

So folks, either https://mail.google.com OR pop3 over SSL should do for all your privacy need at least for Gmail & Yahoo! :-)

Buahahaha!

Btw, people here read about Hushmail?

Surmandal

unread,
Feb 13, 2008, 11:22:40 PM2/13/08
to NepS...@googlegroups.com
On Thu, Feb 14, 2008 at 6:59 AM, nepbabu <nepbabuc...@yahoo.ca> wrote:
On Wed, Feb 13, 2008 at 02:05:28AM +1030, nepbabu wrote:
> On Tue, Feb 12, 2008 at 05:46:39AM -0800, bibstha wrote:
> >
> > Um,
> > well if u need security there is always https://mail.google.com which
> > encrypts whole session, from login to logout as u've mentioned.
> > But that aside, https isn't always flexible IMO, and its slow as well.
> > Thats why i think http://mail.google.com is there. Depending upon how
> > paranoid u are about ur security. :)
>
> I think Bibek bro. :) IMHO, SSL'izing is not about being paranoid or over-paranoid. It's about ensuring that your traffic is encrypted so that no MITM can occur easily. This has serious privacy implications and you do not want some middle person sniffing for plaintext in your network. hoina? It _used_ to be about being paranoid but those days are long gone. Criminals & would-be criminals would forfeit much from this [and don't forget about s[cp]ammers as well].
>
> My mail client [mutt] only encrypts the login credentials with AES. However, I wish it could have encrypted the whole session [I am thinking of starting to use the SSL'ized version of Gmail webmail with my other account since POP protocol doesn't maintain state afaik].

Correction: Since, apparently the version of POP3 I am using is over TCP and over a link that supports SSL (from the server<->client), my connection with Yahoo! POP3 server is encrypted. Previously, I said the possibility of encryption only for login credential but it was not so. The whole POP session is crypted. I discussed this with fellow colleagues at #security@freenode as well as with my own findings and little discussion with sh00nya. Also, he reckons that it's the same with Gmail. :)

So folks, either https://mail.google.com OR pop3 over SSL should do for all your privacy need at least for Gmail & Yahoo! :-)

Buahahaha!

Btw, people here read about Hushmail?

Hushmail???? no idea :(
 

--
Cheers,
Bikal KC (Please use: nepbababucxspamfree_at_yahoo DOT ca)
Journal: http://nepbabu.livejournal.com || pubkey: see header
"Rule 6: There is no Rule 6." - Rob Pike
"Those who can make you believe absurdities, can make you commit atrocities." - François-Marie Arouet



--
HACKER VS CRACKER

Probin

unread,
Feb 14, 2008, 12:15:53 AM2/14/08
to NepS...@googlegroups.com
well. i do have an account with hush. supposed to be secure. but they have very short inactivity time-out period and 2 MB of max storage (free version). doesn't sound very charming these days.

so.. if anyone wants to talk about something really confidential, mail me at probin at hush dot com. ;-)

prob

nepbabu

unread,
Feb 14, 2008, 10:47:01 AM2/14/08
to NepS...@googlegroups.com

Some criminals were using Hushmail to communicate their daily dealings of steroids. The feds were tracking these groups [i.e, the big daddy from USA] and asked Hushmail to provide the email in cleartext of these people. Hushmail [based in Canada] sent the emails of those criminals in CD [unencrypted] after recieving subpoena from Canadian authorities.

It highlights one important fact that even though Hushmail said that the email are undecipherable by anyone other than the owner of those email account, that really wasn't the case [or so it appears].

It highlights another epicentral topic which is that "you can run, but you can't hide". One can not hide their criminal activity/s with things like encryption. Eventually IF one is doing something criminal, they will be made to give up their keys and will be subdued. However, it is important to note that personal liberty also collides with this sort of stuff sometimes.

Another epicentral topic this case touches is that United States is an entirely different country compared to Canada. How is the laws even apply to Hushmail? The answer to this was the some kind of treaty between Canda and USA. O_o

Very heated discussion going on in the blogosphere at the moment between the limits where privacy and criminal behaviour collide with each other.

I'll leave the real happenings to you to search on your favorite search engine. You'll find plenty. ;)

Byee.

Message has been deleted

nepbabu

unread,
Feb 16, 2008, 7:17:21 PM2/16/08
to NepS...@googlegroups.com, foss-...@googlegroups.com
Thus spoke Bipin Gautam on Saturday, 16 February 2008 at 9:45:14 +0545:

>
> >
> > It highlights another epicentral topic which is that "you can run, but you can't hide". One can not hide their criminal activity/s with things like encryption. Eventually IF one is doing something criminal, they will be made to give up their keys and will be subdued. However, it is important to note that personal liberty also collides with this sort of stuff sometimes.
> >
>
> not really!
> We already have technology to make anonymous and secure communication
> possible, with the right know how you can send email that can NEVER be
> tracked. (of course not for criminal activity ) .... maybe next topic
> :)

Cool Bipin! How does one do secure communication anonymously? Or, is it a myth? O_o

And how can one know that the person using those secure communication "anonymously" is not a criminal?

--
Cheers,
Bikal KC (Please use: nepbababucxspamfree_at_yahoo DOT ca)
Journal: http://nepbabu.livejournal.com || pubkey: see header
"Rule 6: There is no Rule 6." - Rob Pike

"Those who can make you believe absurdities, can make you commit atrocities." - François-Marie Arouet

Message has been deleted

nepbabu

unread,
Feb 18, 2008, 7:51:03 AM2/18/08
to foss-...@googlegroups.com, NepS...@googlegroups.com
Thus spoke Bipin Gautam on Sunday, 17 February 2008 at 20:38:16 +0545:

>
> On Feb 17, 2008 6:02 AM, nepbabu <nepbabuc...@yahoo.ca> wrote:
> > Thus spoke Bipin Gautam on Saturday, 16 February 2008 at 9:45:14 +0545:

.............

> alright,
> secure communication as in.... ?
>
> - voice communication (telecom: say mobile)
> - email communication
> - Chat ? ( a vague topic)
> - ...........or fill in as you prefer

The 2,3 are application layer except for the 1st one. Would you like to tell us about anonymous secure communication used on the whole application layer [ that includes email, chat, www etc..]. Thanks!

> as all of the above topics are epic please choose only one topic as
> you prefer and i will reply it in my free time sometimes soon if have
> the knowhow alright?

Sure as I said above, the application layer.

> > And how can one know that the person using those secure communication "anonymously" is not a criminal?
> >
>

> you got me on this one :P
>
> actually what i mean was maybe talks on those topics maybe in next
> topic but its not to promote something illegal.

Ahh.. cool. I understand what you mean. :)

Message has been deleted
Message has been deleted

Himanshu Chhetri

unread,
Feb 20, 2008, 3:38:19 PM2/20/08
to NepS...@googlegroups.com
Hey Bipin,
               That was a good anonymity guide. However is routing traffic through TOR really secure? You must have heard of the recent incident where someone ran a "rogue" TOR node and captured the email passwords for many govt. embassies worldwide.

-Himanshu
 

On Feb 20, 2008 1:00 PM, Bipin Gautam <bipin....@gmail.com> wrote:

Firstly, please don't expect this reply as a walkthrough on the
topic... just a small push in the right direction to the curious few,
if any. As said earlier, this topic is very vague and beyond the scope
of this text for an in-depth explanation.

Nevertheless anonymous and secure communication in the world today is
still possible, it's just that the bar has been slightly raised… ;)

Rule 1: hide everything you can, best you can all the time and of
create decoys in things you are intentionally revealing…

Let's begin:
Topic: Anonymous Communication (web, mail)

1). Os of choice
a). anonymos-shmoo.iso, live CD. It is a hardened OS and transparently
tunnels all your communication via TOR.
 OS in r/w medium it leaves back track of your activities in details
in the storage.

b).Check and disable self updating components (softwares, plugin etc)
in your OS that might bypass proxy rules, leak confidential
information. It includes disabling self updates from your hardware
firewall. At OS use application level firewall. Use snifters to
monitor your tools of choice over time and ensure they are following
proxy/vpn rules.

2). Place/means

a).behind NAT. better someone else/different MAC address, auth, IP
b). Free hotspot : hotel, office, …..?
c). Cyber, public computer
If it's not the place you own, better.
Check for cctv or other logging / monitoring device around. Appear
common. Too many unfamiliar screens on your computer screen draw
attention of side by. Get the idea…

Technology:
Consider chaining anonymous technologies listed below (google about it
in details). Always insure 1 or few layers of encryption on content
you are trying to hide using different tools that follow different
protocols and use different encryption algorithm to secure your data
as you may not want to relie the confidentiality of your entire
procedure on the strength/weakness of just one tool, one protocol and
one algorithm. Is performance and work overhead of using these
multiple layers worthwhile?

If you are selecting multiple encryptions and hashing algorithm make
sure your choice is redundant… i.e. don't just use algo approved by
American standard, consider using European standard as well (eg:
Whirlpool hashing algorithm adopted by NESSIE, SHA512 American
Standard, NIST.
Rijndael (latter to be chosen as AES) was chosen over Serpent (despite
added security in serpent) for performance reasons. Though both
algorithm are similar and has no known attack that has broken them
till date. You may want to use other algorithms as well. In properly
designed software encrypted output doesn't leak the name of algorithm
used to produce the content which means attacker can just assume
tools, protocols and algorithms used to produce the content to start
brut forcing. Considering 'just this fact' as stated above Truecrypt
is better over PGP disk encryption suit.

Make sure to hide trivia things like file extensions, meta-data,
timestamp (?) even with encrypted output.

-For some ssh tunnel to the private mail server listening on loopback
to access gpg encrypted mail is enough security... but it might not
guarantee enough anonymity. Route your traffic through f2f and TOR and
proxy chaining. Use port knocking to temporarily redirect port 80 to
22 locally(example) so that you can access port 22 via proxy chaining
will add a layer of anonymity. Think creative.

Research on these terms:

-F2F network (example: Freenet, anoNet)

-TOR (run in server mode if you use it too often, some plausible
deniability feature as it is difficult for the attacker to insure if
the traffic being transmitted is generated locally or being relayed
from another node)
       TOR servers don't relay standard SMTP traffic by default. But many
mail providers/ servers listen to different except the standard.

-Proxy Chaining

-Open SMTP relay, have email account on servers in third world

-Open Proxy Servers

Though above technologies are vulnerable to traffic analysis from
observers who can watch both ends of a user's connection and it has no
defend against timing analysis.

If you can enforce a particular routing of your data across
predetermined servers, better. Though routing table can change often.
Its better if you can insure your anonymous data is routed across
several countries with different legal and political jurisdictions
(rivals!.... better ;)

Establish strict protocol between sender and receiver in a way... what
to use to communicate, how to use, in what order and change it every
few month including secret key, private/public key, passwords etc and
medium and pattern of communication including changing of email
address etc. Destroy everything you send/receive unless NECESSARY to
store.

-Data destruction would mean shredding the storage medium to not
larger than 1mm and smelting (NIST standard for secure data disposal)

-Software disk Wiping:
 Wipe KEY, header of your encrypted storage volume (first few mb, ref
specific manual) Ref using Peter Gutmann standard of data wipeing (35
wipes)
And wipe entire storage using U.S. DoD 5200.28-STD (7 wipes)

OS keep multiple copies of partition header and store it in different
places of hdd to insure recovery incase of data corruption, virus
infection etc. This fact depends on the file-system use. (ref FS and
OS specific manual)

Avoid solid state memory for data storage when possible, prefer
magnetic storage.
Note: Though, pen drives (solid state memory) can be quickly hammered
to pieces and flushed. They are economically very cheap too. Your
choice of cost vs level of security for data disposal depends on what
is the value of information you are trying to hide and how far would
you go to assure what are you trying to accomplish?


Don't choose passwords that matches with your interests, backgrounds,
music, bike, sports, quotes etc This information can be used to create
specific password dictionary for brutforce.
 Using password (something you know) + key (something you have)
better. i.e. two ways token for authentication.
Some ideas generating/using a secure key:
•       Generate SHA hash and MD5 hash of two-three secure passwords that is
easy to remember and XOR it simultaneously, then append or delete some
characters on the output. Use this final output as your password.
•       Or how about using hash of Google's logo as password starting from
byte x to byte y… (avoid file headers, footers) If the logo of the
search engine changes ref search engine cache, archive.com etc ;) This
way you have a secure key but you don't have to store it locally.Just
remember few things.
Get creative about choosing your password. See, you can easily create
passwords easy to remember but difficult to predict/ brutforce. Be
cautious while choosing a key/password. If a attacker cant attack a
design flaw he second thing they will try to attack is the key.

-       WASTE (ref unofficial release) it is a chat and file sharing f2f
network and support some degree of anonymity even on standalone use.
It has the some capability of evading Traffic Analysis by masking the
channel by sending dummy encrypted traffic keeping the channel 100%
busy.


Using different browsers per unique work is good. Say, using safari to
access web mail and online transaction, internet explorer for trusted
site, firefox for regular searching, and opera for browsing etc.
Maintaining separation of duties per browser ensures cookie
information even when leaked can be confined to particular
work/interest.

Embedded contents like audio, video, flash, pdf, docs, java, js,
exploits :P may-or may not follow proxy rules. Some applications cant
be forced to follow proxy rules. They leak vital and unique
information about your system, browser activity and internal network.
So know what you'd installed, know what is running. Tracking plug-in
and their activity can be difficult so be it for your browser, or your
media player or your word processor or your IM.

Example how anonymity breaks:
Suppose you are searching something anonymously in google and
meanwhile you logon to your GMAIL that has your actual identity. Now
your web search, this gmail account, and the webpage you visited from
Google add sense can all be tied to point a single person, you! The
anonymity of your activity is blown right away.

Further your web browsing patterns, your topic of interests,
bookmarks, time you come online, internet speed, browser and OS
fingerprint, plugins and features your browser support, your
language/interest pattern etc can all serve as a intelligent
fingerprint REGARDLESS OF YOUR IP address and you can be tracked
uniquely in the internet regardless of the IP.

Clear cookie, cache as you close your browser window, clearing all
cache is necessary, not just cookie as they can have capabilities as
that of cookie. Disable auto reloading content, advertisement etc
Things as such, messenger (away in 5 minutes of interactivity)
behavior etc can leak your uptime, bandwith utilization etc!

(ask.com (ask eraser), customize google plugin, noscript)

Another example:
There are browser plugins, tools… that can be use to change your user
agent but BAD thing about using such tools are instead of hiding your
identity they make you stand like an ostrich in swarm of crow.
Let me explain, suppose opera released critical update to all versions
of its browser today so most of the computer user that are online with
opera browser is sure to auto update their browser within few weeks...
but as you are just changing your user agent appearing as some version
of opera you will stand infront of intelligence analyst like a
gentleman appears to be using opera but your user agent dates back to
opera released 3 year ago, unique features of browsers indicate you
are forging user-agent using patterns of tool x that has opera user
agent with version y hard coded which you are using. Further, an
attacker can know what plug-in your browser supports and what browser
specific features you have disabled combination of all intelligence
analysis data can create a unique fingerprint making tools you used to
be more anonymous, more secure backfire and these information can be
used by the attacker (Big Brother?) to instead create a unique pattern
of your identity makes you less anonymous even if you are able to use
different IPs all the time.

Real IP is something that can be associated to you if discovered. But
if you use anonymous technology haphazardly you give away unique
identity/behavior pattern that can be as good as obtaining real IP
information. Know to strike the right balance… or am I being too
paranoid?

See, Intelligence analysis is very hard to fool.



Anonymous email:

1). Encrypt and base64 encode the content securely to guarantee
point-to-point (p2p) confidentiality.

2). While sending and receiving email, force the final output to be
read as ASCII as text format can be OS specific: DOS (CRLF), UNIX (LF)
and Macintosh (CR) which can leak your OS. Grammar and spelling
correction in text can be analyzed to know which version of word
processor is used to create it; it can leak OS specific information
even with normal plain text!

3). Re-mailers
Google: Mixminion /mixmaster /Cyberpunk remailers
Basically, they route you email through several mail relay servers of
your choose striping headers that can leak the source of the email as
they pass by from one server to another. They provide feature of
redundancy that can assure delivery of email to higher degree and
employ random delays and random message padding before forwarding
message.

Notes:
- Don't trust the server blindly assuming they will guarantee your
anonymity needs. Operators have to comply with local law all the time.
Assume, they can be monitored, logged, hacked and bugged. Use other
intermediate means of anonymity before you choose to these services.
- Keep message size normal.
-consult re-mailer statistics sites to know about history of the
operator, security track record of the OS they use, country in which
these servers are situated etc

4). User should take great care stripping meta data while emailing
images, audio, video files, documents etc as they may embed and store
information within them about the user or system that created/modified
the file. This information can be retrieved when transmitted and can
be uniquely associated to you.
 Like, they might store and leak registered Unique IDs of a product
that created the content, embed your hardware serial number (like
Ethernet MAC address CPU info etc) this information can be used to
track you down to a country or region where the particular sales
happened. Microsoft Windows Activation, Microsoft Office… infamous
example.

5). Technologies as f2f network, open proxies that cross different
geographical boundaries etc can be chained together so that you can
relay your communication through open smtp relays from china :P ,free
mail servers from third world where logging, monitoring and technical
capabilities are primitive or you could use your own SMTP server to
route your (encrypted) mail directly to the destination. There are
online sites that claim to provide disposable email address for email
delivery or retrieval.

Anonymous-Sender.com, Pookmail.com (Research…)
Example: te...@pookmail.com is common emails add. How about you write
an article about features pookmail in dig with a test example,
te...@pookmail.com While test@pookmail gets thousand of hits you send
your private encrypted content in that crowd for delivery to your
receiving party, or how about using steganography and posting a secret
content to a website/forum embedding it as pornography. This can act
as a drop zone. The content can be retrived by the receiving party.
Think creative… its not necessary text communication should happen
through @email_address! You could use free file upload server to
accomplish the same. Upload 10 files of similar size using
steganography. Embed one video with encrypted content and rest 9
videos just random data (decoy). The receiver who knows the key can
easily extract the encrypted content while an attacker will have to
try and brut force all the obtained files. Similar can be used for
encrypted volume.

6). While sending anonymous email make sure trivia things like
X-Mailer string, your time zone (GMT) doesn't gets leaked or best
forged if intentionally leaked. Version info of encryption technology
you use can sometime serve as a advantage to the attacker. Example,
GPG software version you are using can leak from your Public Key.

Conclusion:
Anonymous and secure communication is not about just using the right
tools and its not just about focusing on application layer, link laye
bla… bla….:P
It's about truly knowing what you are doing in fine details.
Flexibility and security is always like opposite poles of a sea-saw.

There are many of things I skipped which are beyond the scope of this
email but this should be a good push to the curious starters. All I
recommend you if to prioritize on is right intelligence and in-depth
understanding of the subject matter over any tools or technologies
because no matter what technologies you use it only stands a slim
chance over intelligence analysis in right direction.

Thanks,
-bipin


On Mon, Feb 18, 2008 at 8:41 PM, Bipin Gautam <bipin....@gmail.com> wrote:

> On Feb 18, 2008 6:36 PM, nepbabu <nepbabuc...@yahoo.ca> wrote:
> > Thus spoke Bipin Gautam on Sunday, 17 February 2008 at 20:38:16 +0545:
> > >
> > > On Feb 17, 2008 6:02 AM, nepbabu <nepbabuc...@yahoo.ca> wrote:
> > > > Thus spoke Bipin Gautam on Saturday, 16 February 2008 at  9:45:14 +0545:
> >
> > .............
> >
> > > alright,
> > > secure communication as in.... ?
> > >
> > > - voice communication (telecom: say mobile)
> > > - email communication
> > > - Chat ? ( a vague topic)
> > > - ...........or fill in as you prefer
> >
> > The 2,3 are application layer except for the 1st one. Would you like to tell us about anonymous secure communication used on the whole application layer [ that includes email, chat, www etc..]. Thanks!
> >
>
> you don't understand
>
> The protocol you will use to communicate will largely governs what
> means and technology you will use to "securely" communicate.
>
> Enough of the GIRLY talks on an mailing list largely governed to technology.....
>
> i am choosing the topic "email communication" and will be explaining it shortly
>
> thanks,
> -bipin
>

___________________________________________________________________________________

Message has been deleted
Message has been deleted

Navin

unread,
Feb 14, 2008, 12:49:51 AM2/14/08
to NepSecure (Nepali computer security and hacking community )
hey, guys, am a tech blogger from nepal, and I just featured this
article on my blog , okie?? I want you guys to have a look at here:
http://technewsnepal.com/tnnmain/2008/02/14/gmail-is-not-secure-how-to-be-secured.html

if you think there is any copyright issue. Just let me know, I shall
delete the content if you don't agree.

Regards
Navin
http://www.technewsnepal.com
http://www.meroguff.com

On Feb 13, 9:15 pm, Probin <pingpro...@gmail.com> wrote:
> well. i do have an account with hush. supposed to be secure. but they have
> very short inactivity time-out period and 2 MB of max storage (free
> version). doesn't sound very charming these days.
>
> so.. if anyone wants to talk about something really confidential, mail me at
> probin at hush dot com. ;-)
>
> prob
>
> On Thu, Feb 14, 2008 at 9:52 AM, Surmandal <surman...@gmail.com> wrote:
>
> > On Thu, Feb 14, 2008 at 6:59 AM, nepbabu <nepbabucxspamf...@yahoo.ca>
> > wrote:
>
> > > On Wed, Feb 13, 2008 at 02:05:28AM +1030, nepbabu wrote:
> > > > On Tue, Feb 12, 2008 at 05:46:39AM -0800, bibstha wrote:
>
> > > > > Um,
> > > > > well if u need security there is alwayshttps://mail.google.comwhich
> > > > > encrypts whole session, from login to logout as u've mentioned.
> > > > > But that aside, https isn't always flexible IMO, and its slow as
> > > well.
> > > > > Thats why i thinkhttp://mail.google.comis there. Depending upon
> > > how
> > > > > paranoid u are about ur security. :)
>
> > > > I think Bibek bro. :) IMHO, SSL'izing is not about being paranoid or
> > > over-paranoid. It's about ensuring that your traffic is encrypted so that no
> > > MITM can occur easily. This has serious privacy implications and you do not
> > > want some middle person sniffing for plaintext in your network. hoina? It
> > > _used_ to be about being paranoid but those days are long gone. Criminals &
> > > would-be criminals would forfeit much from this [and don't forget about
> > > s[cp]ammers as well].
>
> > > > My mail client [mutt] only encrypts the login credentials with AES.
> > > However, I wish it could have encrypted the whole session [I am thinking of
> > > starting to use the SSL'ized version of Gmail webmail with my other account
> > > since POP protocol doesn't maintain state afaik].
>
> > > Correction: Since, apparently the version of POP3 I am using is over TCP
> > > and over a link that supports SSL (from the server<->client), my connection
> > > with Yahoo! POP3 server is encrypted. Previously, I said the possibility of
> > > encryption only for login credential but it was not so. The whole POP
> > > session is crypted. I discussed this with fellow colleagues at
> > > #security@freenode as well as with my own findings and little discussion
> > > with sh00nya. Also, he reckons that it's the same with Gmail. :)
>
> > > So folks, eitherhttps://mail.google.comOR pop3 over SSL should do for

Navin Elvis Presley

unread,
Feb 20, 2008, 4:03:02 PM2/20/08
to NepS...@googlegroups.com
people are full enough to use proxy for signing up and checking important accounts online.

check this article I've written long way ago: http://www.meroguff.com/2007/07/protect-your-privacy-be-anonymous.html

and check how to send anonymity mail: http://www.meroguff.com/2007/07/anonym-mailer-v30.html

regards
--
<a href="http://www.meroguff.com" target="_blank">Navin's Blog</a>

nepbabu

unread,
Feb 21, 2008, 6:06:57 PM2/21/08
to NepS...@googlegroups.com
Thus spoke Himanshu Chhetri on Wednesday, 20 February 2008 at 15:38:19 -0500:

> Hey Bipin,
> That was a good anonymity guide. However is routing traffic
> through TOR really secure? You must have heard of the recent incident where
> someone ran a "rogue" TOR node and captured the email passwords for many
> govt. embassies worldwide.

Hey Himanshu, All in the name of privacy o_O huh? An internet darknet. w00t?

Cool stuff Bipin :) Thanks for posting and I hope forward to your PhD report/thesis.

Reply all
Reply to author
Forward
0 new messages