[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Are webmail providers biased against Tor?



On 2015-03-16 11:33, Sukhbir Singh wrote:
I have noticed that when I try to login to my Gmail or Hotmail accounts with Tor, I invariably get asked to validate myself (e.g. receive an SMS). This is understandably due my IP being in a different country from the "usual"
IPs that I use to sign in.

However, I have experimented with StrictExitNodes. I am in New York and have
used a number of New York exit nodes. I still get asked to verify.

I am wondering if Tor developers or experienced users know (for a fact) whether or not this is "normal" or whether using an exit node automatically makes Gmail and Hotmail think that a "hacker" is attempting to access the
accounts.

This is not a case of a website e.g. Craigslist blocking Tor. It is whether the use of an exit node IP automatically engenders scrutiny from whatever
security algorithms certain webmail providers use.

Mike Hearn from Google addressed this issue on the tor-talk mailing list
in October 2012, where he said this:

"Access to Google accounts via Tor (or any anonymizing proxy service) is
not allowed unless you have established a track record of using those
services beforehand."

(https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html)

This was in response to several TorBirdy users complaining that they
couldn't access their Gmail accounts over Tor. As someone who used to
have a Gmail account and used TorBirdy over it, there were occasional
periods where I couldn't access my account over IMAP and had to log in
through the web interface and unlock it by entering a CAPTCHA.

This was still better than what some other users who used Tor over Gmail
reported -- in some cases, Gmail would force them to provide a phone
number where Google would call or send a SMS before you could use your
account. The surprising part here was that Gmail wanted _any_ phone
number in _any_ country and not a number previously associated with your account. I am unsure how this helps them and what is the purpose behind
asking users to register with a phone. If one were to assume that they
wanted to know the location of the user, then why would they allow the
user to enter the number of any country?  (A friend confirmed this
recently and had to enter a phone number to unlock the account. Gmail
refused to allow access until a phone number was entered, where they
could call or send a text.)

So yes, it seems like Gmail doesn't favour users using Tor.

--


I see. Thanks for that helpful link.

Of course, if you are in NY and you go on holiday to Nepal and login, then Gmail will ask for validation since you have a totally different IP.

The question I was wondering about was whether a Tor exit node is considered suspicious even if in the same city as the user (in other words the user hasn't gone on holiday as in the example above).

The impression seems to be that Tor is ipso facto suspicious to Gmail irrespective of the exit node's location, whereas "abnormal" IPs (e.g. those from Nepal) are only suspicious if they originate from outside the usual geographical location of the user.


--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk