How do I log into or use Gmail without having to go through the HTTPS or SSL version?
Since the 443 ports for HTTPS is filtered in Iran, is there any alternative method of logging into Gmail which does not require the use of this port?
gmailssl
How do I log into or use Gmail without having to go through the HTTPS or SSL version?
Since the 443 ports for HTTPS is filtered in Iran, is there any alternative method of logging into Gmail which does not require the use of this port?
Best Answer
First of all:
If the filtering is really only based on port numbers, then things are quite easily, and securely solved by using the official HTTPS URL via Tor, or via a proxy server (in another country) that supports "
CONNECT
" for SSL requests. For such proxies the SSL data is transferred over the port the proxy operates on (like often 81, 3128, 8080, 8181, 9090), not on the default HTTPS port 443.(For whoever wants to set up a proxy to help fight censorship: see for example Create anonymous Squid proxy for Iranian election protestors. The good thing about that article is that apparently, in June, communications through proxies were indeed not blocked? Or is nobody using HTTPS through those proxies?)
Unfortunately, filtering is probably based on protocol, not on port numbers. Tools like Wireshark show how easily SSL traffic is detected, even when running through non-default ports. (Use display filter "
ssl
", and see what port is used in the TCP data. Or, when using a proxy, use display filter "tcp.port eq 443
" and see nothing is found.)Some web based anonymising proxies support HTTPS over HTTP. For example: Hide My Ass Gmail proxy uses only HTTP. Of course, both a censor and the folks operating the proxy can peek into the communications.
Some project called Haystack was introduced (and withdrawn) in 2010:
Which compared itself to Tor:
Bad security holes though:
When all does get filtered or is otherwise unavailable, then maybe your only hopes are someone outside the country who can run a HTTP-to-HTTPS gateway, using for example DeleGate. Again, the censoring government (and whoever is running that DeleGate server) can then monitor all your traffic. (Google might be smart enough to hash your password, even when Google thinks you're using HTTPS. Still, even if the password is secure, then all other text can still be read, and cookies can probably be stolen.)
NOTE: the following does not work (yet?). I can show the Gmail login page, but after logging in, the many redirects (from gmail.com to www.google.com/accounts, to mail.google.com) confuse DeleGate. Maybe some smart
MOUNT
or some entries inhosts
are required after all. Maybe it can put someone on the right track tough (if no easier solutions are found, like: ensure that does not work!).See Force web address to go through https for a full explanation on mapping
http://twitter.com
tohttps://twitter.com
. For a generic HTTP to HTTPS gateway, the command would not include the Twitter-specific MOUNT parameter, so:No need for adjustments in
hosts
either; instead you can then use URLs like:(Where 127.0.0.1 needs to be replaced with the IP address of the DeleGate server.)
(Hmmm, if no easier solutions are posted then I might see if I can set up something like the above.)