Interception Modernisation Programme

Richard Clayton ukcrypto at chiark.greenend.org.uk
Thu, 9 Oct 2008 15:06:04 +0100



In article <Pine.SOC.4.64.0810091334550.509@bowling.cent.gla.ac.uk>,
Chris Edwards <chris@eng.gla.ac.uk> writes

>On Wed, 8 Oct 2008, Richard Clayton wrote:
>
>| if your webmail system allowed a snooper to determine which account was
>| logged in to, then the pattern would show up in the traffic analysis...
>
>Virtually all webmail traffic is HTTPS

You'd think so, wouldn't you ....

>- hence a snooper (presumably!) 
>cannot determine which account is being accessed, nor who is being emailed.

... but in practice a great deal is not!

It's quite common that password setting is https (albeit not the
downloading of the web form that will be used to ask for the password,
which of course makes some types of active attack possible)

>So if a nest of mice all get hotmail/yahoo/google email accounts, they 
>would seem to be in a strong position.
>
>The only way to get the info above is to ask hotmail etc.

Hotmail is an example of a webmail service that runs in HTTP once the
sign-on is completed....

[FX: types a most unlikely string as my mother's birthplace]

... just resurrected my account to check, and it remains the case

-- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin
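As an added example (not part of the thread above), the check a defender could run against a login page to catch the pattern discussed: the form served over plain HTTP, the password posted to HTTPS, and the session cookie then sent on plain-HTTP requests. The host, URLs and cookie values are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, html, set_cookie_headers=()):
    """Return findings for a login page fetched from page_url.

    form-over-http     the page carrying the password form was not HTTPS, so
                       an on-path party could alter it before submission
    post-over-http     a form submits its fields to a non-HTTPS URL
    cookie-not-secure  a cookie lacks the Secure flag, so the browser will also
                       send it on later plain-HTTP requests (identifying the account)
    """
    findings = []
    parser = _FormCollector()
    parser.feed(html)
    if urlsplit(page_url).scheme != "https":
        findings.append("form-over-http")
    for action in parser.actions:
        target = urljoin(page_url, action)  # relative actions resolve against the page
        if urlsplit(target).scheme != "https":
            findings.append("post-over-http:" + target)
    for header in set_cookie_headers:
        attrs = [a.strip().lower() for a in header.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "secure" not in attrs[1:]:
            findings.append("cookie-not-secure:" + name)
    return findings


# Constructed sample (not a capture of any real service): login page over HTTP,
# password posted to HTTPS, session cookie without the Secure flag.
SAMPLE_PAGE_URL = "http://mail.example.test/login"
SAMPLE_HTML = ('<html><body><form method="post" action="https://mail.example.test/auth">'
               '<input name="user"><input type="password" name="pw"></form></body></html>')
SAMPLE_COOKIES = ["sid=abc123; Path=/; HttpOnly"]

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_COOKIES):
        print(finding)
```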
