Andy Walker wrote:

> Joan Battaglia wrote:
>
> >the question was if using https-based email (eg
> >https://mail.google.com) provided any protection of the password from the
> >rogue Tor operator.
>
> Not if the Tor proxy provides the encryption for the mail.google.com
> site. In which case the Tor site would establish an encrypted session

If a Tor node could do this then SSL is horrifically broken. If you
have an actual example of anyone doing this, you need to contact the
developers of SSL immediately.

No, Tor doesn't change the fact that SSL has safeguards against MITM
attacks built into it. You're misunderstanding something you've read,
and you're spreading FUD as a result.

> with your browser, decrypt the traffic as it passes through their
> servers, and then re-encrypt the traffic as they establish the
> connection to mail.google.com. Unless you are absolutely certain that
> the certificate your browser is using to encrypt the session with is
> from the intended destination, there a possibility that everything you
> send is being recorded.

Fortunately for users, SSL's primary goal is to assure that the
certificate you're using is genuine. The encryption itself is
essentially a secondary concern. Indeed, it's not part of SSL itself at
all, but an implementation of something developed by other people. SSL
is at its core the protocol that makes establishing secure encrypted
sessions possible.