[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Google disable web-access to gmail for Tor-users?

Thus spake Joe Btfsplk (joebtfsplk@xxxxxxx):

> On 4/2/2011 2:33 PM, katmagic wrote:
> >Google requires you to be able to receive a text message or phone call to
> >use a GMail account over Tor. This is unrelated to Torbutton's cookie 
> >handling
> >(which was broken but has since been fixed). Personally, I got a friend on 
> >IRC
> >to let me use his phone for it.
> 1st I've heard they REQUIRE a phone # to use Gmail over Tor.  Anyone 
> else aware this is the only way?
> I'd bet, from the Google message about "unusual activity," it was 
> because the exit node wasn't in the  same country I used when created acct.

This is possible. The "unusual activity" message is unrelated to
cookie issues, and appears to have something to do with the exit node
chosen to connect to gmail. You can be asked for an SMS confirmation
from one exit, and then hit "New Identity" and then not be asked on
the next. It must have something to do with either geolocation, or the
types of activity their systems see from particular exits that make
them think bots are involved.

In once case, it happened while I was using a pseudonym to contibute
to another open source project and ask questions on a mailinglist. I
was unable to get the message to go away with "New Identity" (possibly
because sending mail to a milinglist smells extra-spammy?), so I
clicked through the help links and filled out some form explaining my
desire for strong pseudonymity, and they lifted the block without a
cell #.

> Can you expand a little of Torbutton's cookie handling being fixed?  
> Again, I'm using TB 1.3.2a.
> What are the criteria for TB to allow a site to set cookies?

TB is not actually blocking any cookies here. At least not on purpose.
The TB feature that is causing this issue is one that is designed to
minimize the number of Google captchas Tor users must solve to use
Google Search. We attempt to transfer the captcha-relaed cookies from
all international domains, but we ended up mangling some login cookies
after a change to how Google auth works. The issue is fixed in the
1.3.x series, but not in 1.2. The plan is to release 1.4.0 as the new
stable ASAP, rather than backport these fixes to 1.2.x.

Otherwise, Torbutton's default cookie policy is to allow cookies to
persist in memory until either the Torbutton is toggled, or the
browser exits. We plan to eventually extend this functionality to
provide a "New Identity" button in the browser, to synchronize the
clearing of all Firefox identifiers with the "New Identity"
functionality of Vidalia/Tor, but this requires some additional
integration work...

Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpc3vBWwc2QG.pgp
Description: PGP signature

tor-talk mailing list