Onion Information
pages tagged gmail
Onion Details
First Seen: 03/11/2024
Last Indexed: 10/21/2024
Onion Content
Feeding the Cloud
https://feeding.cloud.geek.nz/tags/gmail/
Generator: ikiwiki
Updated: 2024-05-31T19:51:58Z

Things that work well with Tor
https://feeding.cloud.geek.nz/posts/things-that-work-well-with-tor/
License: Creative Commons Attribution-ShareAlike 4.0 International License
Updated: 2024-05-31T19:51:58Z
Published: 2013-11-19T05:38:00Z

Tor is a proxy server which allows its users to hide their IP address from the websites they connect to. In order to provide this level of anonymity, however, it introduces latency into these connections, an unfortunate performance-privacy trade-off which means that few users choose to do all of their browsing through Tor.

Here are a few things that I have found work quite well through Tor. If there are any other interesting use cases I've missed (e.g. reviewing academic papers), please leave a comment!

Tor setup

There are already great docs on how to install and configure the Tor server, and the only thing I would add is that I've found that having a Polipo proxy around is quite useful for those applications that support HTTP proxies but not SOCKS proxies.

On Debian, it's just a matter of installing the polipo package and then setting the following in /etc/polipo/config:

    logSyslog = true
    logFile = /var/log/polipo/polipo.log

    # Configure polipo for use with tor
    proxyAddress = "127.0.0.1"
    proxyPort = 8008
    allowedClients = 127.0.0.1
    allowedPorts = 1-65535
    proxyName = "localhost"
    cacheIsShared = false
    socksParentProxy = "localhost:9050"
    socksProxyType = socks5
    chunkHighMark = 67108864
    diskCacheRoot = ""
    localDocumentRoot = ""
    disableLocalInterface = true
    disableConfiguration = true
    dnsQueryIPv6 = no
    dnsUseGethostbyname = yes
    disableVia = true
    censoredHeaders = from,accept-language,x-pad,link
    censorReferer = maybe

    # Suggestions from Incognito configuration
    maxConnectionAge = 5m
    maxConnectionRequests = 120
    serverMaxSlots = 8
    serverSlots = 2
    tunnelAllowedPorts = 1-65535

RSS feeds

The whole idea behind RSS feeds is that articles are downloaded in batch ahead of time. In other words, latency doesn't matter.

I use akregator to read blogs, and the way to make it fetch articles over Tor is to change the KDE-wide proxy server using systemsettings and setting a manual proxy of localhost on port 8008 (i.e. the local instance of Polipo).

If you don't see the proxy settings in the KDE control panel, make sure that the kde-baseapps-bin, libkonq-common and kpart-webkit packages are installed.

Similarly, I use podget to automatically fetch podcasts through this cron job in /etc/cron.d/podget-francois:

    0 12 * * 1-5 francois http_proxy=http://localhost:8008/ https_proxy=http://localhost:8008/ nice ionice -n7 /usr/bin/podget -s

Prior to that, I was using hpodder and had the following in ~/.hpodder/curlrc:

    proxy=socks4a://localhost:9050

GnuPG

For those of us using the GNU Privacy Guard to exchange encrypted emails, keeping our public keyring up to date is important since it's the only way to ensure that revoked keys are taken into account.

The script I use for this runs once a day and has the unfortunate side effect of revealing the contents of my address book to the keyserver I use. Therefore, I figured that I should at least hide my IP address by putting the following in ~/.gnupg/gpg.conf:

    keyserver-options http-proxy=http://127.0.0.1:8008

However, that tends to make key submission fail, so I created a key submission alias in my ~/.bashrc which avoids sending keys through Tor:

    alias gpgsendkeys='gpg --send-keys --keyserver-options http-proxy=""'

Package updates

Since most Debian packages are fairly small, downloading them over Tor doesn't take a whole lot longer. Large updates, on the other hand, are affected unless you do them in the background like I do with this daily cron job:

    apt-get -qq update
    apt-get -qq clean
    apt-get --download-only --assume-yes --force-yes -qq dist-upgrade
    apt-get -qq autoclean

To do updates over Tor, simply install the apt-transport-tor package and then replace http:// with tor+http:// everywhere in your /etc/apt/sources.list so that it looks like:

    deb tor+http://httpredir.debian.org/debian sid main contrib
    deb-src tor+http://httpredir.debian.org/debian sid main contrib

    deb tor+http://httpredir.debian.org/debian experimental main
    deb-src tor+http://httpredir.debian.org/debian experimental main

Instant messaging

Communication via XMPP is another use case that's not affected much by a bit of extra latency.

To get Pidgin to talk to an XMPP server over Tor, simply open "Tools | Preferences" and set a Tor/Privacy (SOCKS5) proxy of 127.0.0.1 on port 9050.

GMail

Finally, I found that since I am running GMail in a separate browser profile, I can take advantage of GMail's excellent caching and preloading and run the whole thing over Tor by setting that entire browser profile to run its traffic through the Tor SOCKS proxy on port 9050.
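
An added check for the "Package updates" step above (not part of the original post): it lists every deb or deb-src entry in a sources.list that would still be fetched without the tor+ prefix. The function name and the sample file are constructed for illustration.

```python
import re

# URI schemes that never touch the network, so they cannot reveal an IP address.
LOCAL_SCHEMES = {"file", "cdrom", "copy"}


def non_tor_sources(sources_text):
    """Return (line_number, uri) for each deb/deb-src entry not using tor+."""
    leaks = []
    for number, raw in enumerate(sources_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # Remove an optional "[arch=amd64 ...]" options block after the type.
        line = re.sub(r"^(deb(?:-src)?)\s+\[[^\]]*\]", r"\1", line)
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            continue
        uri = fields[1]
        scheme = uri.split(":", 1)[0].lower()
        if scheme in LOCAL_SCHEMES or scheme.startswith("tor+"):
            continue
        leaks.append((number, uri))
    return leaks


# Constructed sample: the page's sources.list with two entries left unconverted.
SAMPLE_SOURCES = """\
deb tor+http://httpredir.debian.org/debian sid main contrib
deb-src tor+http://httpredir.debian.org/debian sid main contrib
# deb http://httpredir.debian.org/debian stable main
deb [arch=amd64] http://httpredir.debian.org/debian experimental main
deb-src https://httpredir.debian.org/debian experimental main
deb file:/srv/mirror sid main
"""

if __name__ == "__main__":
    for number, uri in non_tor_sources(SAMPLE_SOURCES):
        print(f"line {number}: {uri} is not fetched over Tor")
```
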

Keeping GMail in a separate browser profile
https://feeding.cloud.geek.nz/posts/keeping-gmail-in-separate-browser/
License: Creative Commons Attribution-ShareAlike 4.0 International License
Updated: 2021-06-11T20:43:57Z
Published: 2012-12-20T06:34:00Z

I wanted to be able to use the GMail web interface on my work machine, but for privacy reasons, I prefer not to be logged into my Google Account on my main browser.

Here's how I make use of a somewhat hidden Firefox feature to move GMail to a separate browser profile.

Creating a separate profile

The idea behind browser profiles is simple: each profile has separate history, settings, bookmarks, cookies, etc.

To create a new one, simply start Firefox with this option:

    firefox -ProfileManager

to display a dialog which allows you to create new profiles.

Once you've created a new "GMail" profile, you can start it up from the profile manager or directly from the command-line:

    firefox -no-remote -P GMail

(The -no-remote option ensures that a new browser process is created for it.)

To make this easier, I put the command above in a tiny gmail shell script that lives in my ~/bin/ directory. I can use it to start my "GMail browser" by simply typing gmail.

Tuning privacy settings for 2-step authentication

While I initially kept that browser profile in private browsing mode, this was forcing me to enter my 2-factor authentication credentials every time I started the browser. So to avoid having to use Google Authenticator (or its Firefox OS cousin) every day, I ended up switching to custom privacy settings and enabling all cookies.

It turns out, however, that there is a Firefox extension which can selectively delete unwanted cookies while keeping useful ones.

Once that add-on is installed and the browser restarted, simply add accounts.google.com to the whitelist and set it to clear cookies when the browser is closed.

Then log into GMail and tick the "Trust this computer" checkbox at the 2-factor prompt.

With these settings, your browsing history will be cleared and you will be logged out of GMail every time you close your browser but will still be able to skip the 2-factor step on that device.

Preventing man-in-the-middle attacks on fetchmail and postfix
https://feeding.cloud.geek.nz/posts/preventing-man-in-middle-attacks-on/
License: Creative Commons Attribution-ShareAlike 4.0 International License
Updated: 2021-06-11T20:43:57Z
Published: 2010-04-30T21:00:00Z

Recent attacks against the DNS infrastructure have exposed the limitations of relying on TLS/SSL certificates for securing connections on the Internet.

Given that typical mail servers don't rotate their keys very often, it's not too cumbersome to hardcode their fingerprints and prevent your mail software from connecting to them should the certificate change. This is similar to how most people use ssh: assume that the certificate is valid on the first connection, but be careful if the certificate changes afterwards.

Fetchmail

Here's how to specify a certificate for a POP/IMAP server (Gmail in this example).

First of all, you need to download the server certificate:

    openssl s_client -connect pop.gmail.com:995 -showcerts
    openssl s_client -connect imap.gmail.com:993 -showcerts

Then copy the output of that command to a file, say gmail.out, and extract its md5 fingerprint:

    openssl x509 -fingerprint -md5 -noout -in gmail.out

Once you have the fingerprint, add it to your ~/.fetchmailrc:

    poll pop.gmail.com protocol pop3 user "remoteusername" is "localusername" password "mypassword" fetchall ssl sslproto ssl3 sslfingerprint "12:34:AB:CD:56:78:EF:12:34:AB:CD:56:78:EF:12:34"

Postfix

Similarly, to detect changes to the certificate on your outgoing mail server (used as a smarthost on your local postfix instance), extract its sha256 fingerprint:

    openssl s_client -connect smtp.gmail.com:587 -starttls smtp -showcerts
    openssl x509 -fingerprint -sha256 -noout -in isp.out

Then add the fingerprint to /etc/postfix/main.cf:

    relayhost = smtp.gmail.com
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    smtp_tls_security_level = fingerprint
    smtp_tls_mandatory_ciphers = high
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_fingerprint_digest = sha256
    smtp_tls_fingerprint_cert_match = 12:34:AB:CD:56:78:EF:90:12:AB:CD:34:56:EF:78:90:AB:CD:12:34:AB:DD:44:66:DA:77:CF:DB:E4:A7:02:E1

Disabling the GMail spam filter and handling it yourself using SpamAssassin
https://feeding.cloud.geek.nz/posts/disabling-gmail-spam-filter-and/
License: Creative Commons Attribution-ShareAlike 4.0 International License
Updated: 2023-12-19T06:28:09Z
Published: 2008-04-27T00:10:00Z

I've been using GMail ever since they decided to allow users to download their mail using POP. I was happy reading my email as usual in mutt. The only problem was that I had to log onto the website once in a while to clear out my spam folder and fish out the false positives.

However, as the amount of spam I receive daily started growing exponentially (in part thanks to my involvement in Debian), I became more and more dissatisfied with this solution. I had to log in several times a day just to keep the levels of spam down to a manageable level. I tried emailing the GMail support team a few times without success.

The solution came just as I was looking at switching to a different email provider: IMAP access.

Using fetchmail, I can now download my received and sent mail using POP and then download (and purge) the contents of my spam folder. Here are the relevant lines of my ~/.fetchmailrc:

    poll pop.gmail.com protocol pop3 user "fmarier@gmail.com" is "francois" password "" fetchall ssl
    poll imap.gmail.com protocol imap user "fmarier@gmail.com" is "francois" password
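
For the fingerprint pinning described under "Preventing man-in-the-middle attacks on fetchmail and postfix" above, this added example (not from the original posts) does the same extraction as openssl x509 -fingerprint on saved openssl s_client -showcerts output and compares the result to a pinned value. The function names and the sample input are assumptions; the sample holds constructed stand-in bytes, not real certificates.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed sample shaped like `openssl s_client -showcerts` output. The two
# PEM bodies are stand-in bytes (b"abc" and b"xyz"), not real certificates.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = mail.example.test
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
eHl6
-----END CERTIFICATE-----
"""

# Pin recorded on first use, written without colons as a config might hold it.
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def leaf_der(s_client_output):
    """DER bytes of the first certificate, the one `openssl x509 -in` reads."""
    match = PEM_BLOCK.search(s_client_output)
    if match is None:
        raise ValueError("no certificate found in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der, digest="sha256"):
    """Colon-separated upper-case hex digest of the DER-encoded certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.new(digest, der).digest())


def matches_pin(s_client_output, pinned, digest="sha256"):
    """True if the server certificate still has the pinned fingerprint."""
    def normalise(fp):
        return re.sub(r"[^0-9a-f]", "", fp.lower())
    actual = fingerprint(leaf_der(s_client_output), digest)
    return hmac.compare_digest(normalise(actual), normalise(pinned))


if __name__ == "__main__":
    print(fingerprint(leaf_der(SAMPLE_OUTPUT)))
    print("pin ok" if matches_pin(SAMPLE_OUTPUT, PINNED_SHA256) else "CERTIFICATE CHANGED")
```

Passing digest="md5" yields the 16-byte form that the sslfingerprint line uses, and a mismatch is the signal to re-verify the server before updating the pinned value.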