Re: [tor-talk] TorBirdy doesn't work with Gmail?



Hello Mike,

On Wed, 10 Oct 2012 13:47:14 +0200
Mike Hearn <hearn@xxxxxxxxxx> wrote:
> I work for Google as TL of the account security system that is
> blocking your access.

Thank you for contributing to this discussion!

> Access to Google accounts via Tor (or any anonymizing proxy service)
> is not allowed unless you have established a track record of using
> those services beforehand. You have several ways to do that:
> 
> 1) With Tor active, log in via the web and answer a security quiz, if
> any is presented. You may need to receive a code on your phone. If
> you don't have a phone number on the account the access may be denied.

As many Tor users are up against one or more government-level
adversaries (a situation that Google is familiar with) I don't know how
realistic this option is. Your phone messages presumably have a
fixed format and can be logged by the network; drawing attention to Tor
usage is not the goal and I can see that being a serious problem.

> 2) Log in via the web without Tor, then activate Tor and log in again
> WITHOUT clearing cookies. The GAPS cookie on your browser is a large
> random number that acts as a second factor and will whitelist your
> access.

This assumes that the user is able to reach Google without Tor at
all. But that aside, I'm sure you will appreciate that not clearing
cookies at all between non-Tor and Tor sessions is unacceptable to many
Tor users who intentionally use separate browser sessions for their
anonymised and non-anonymised access. The majority of users are not
computer scientists and will have difficulty identifying which
cookie(s) it is they are supposed to be preserving, let alone doing so
safely. I see a cookie called GAPS under accounts.google.com - is this
the only one which needs to persist for authentication to work?

> Once we see that your account has a track record of being successfully
> accessed via Tor the security checks are relaxed and you should be
> able to use TorBirdy.

I believe it would be very much appreciated if your team could provide a
support page with a walk-through for Tor users explaining how to gain
access by the second method, which would serve as the canonical guide
and can be updated if you change your requirements. I understand this
would take some effort, but as some users are undoubtedly paying
customers (e.g. NGOs with Google Apps accounts) I'm sure there is a
business case for it. As the official Tor Browser is based on Firefox
then most users would be covered if only this was documented.

NB. I'm not part of the Tor project, just a concerned user.

Regards,
Julian

-- 
3072D/F3A66B3A Julian Yon (2012 General Use) <pgp.2012@xxxxxx>


_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk