Hello Mike, On Wed, 10 Oct 2012 13:47:14 +0200 Mike Hearn <hearn@xxxxxxxxxx> wrote: > I work for Google as TL of the account security system that is > blocking your access. Thank you for contributing to this discussion! > Access to Google accounts via Tor (or any anonymizing proxy service) > is not allowed unless you have established a track record of using > those services beforehand. You have several ways to do that: > > 1) With Tor active, log in via the web and answer a security quiz, if > any is presented. You may need to receive a code on your phone. If > you don't have a phone number on the account the access may be denied. As many Tor users are up against one or more government level adversaries (a situation that Google is familiar with) I don't know how realistic this option is. Your phone messages presumably have a fixed format and can be logged by the network; drawing attention to Tor usage is not the goal and I can see that being a serious problem. > 2) Log in via the web without Tor, then activate Tor and log in again > WITHOUT clearing cookies. The GAPS cookie on your browser is a large > random number that acts as a second factor and will whitelist your > access. This assumes that the user is able to reach Google without Tor at all. But that aside, I'm sure you will appreciate that not clearing cookies at all between non-Tor and Tor sessions is unacceptable to many Tor users who intentionally use separate browser sessions for their anonymised and non-anonymised access. The majority of users are not computer scientists and will have difficulty identifying which cookie(s) it is they are supposed to be preserving, let alone doing so safely. I see a cookie called GAPS under accounts.google.com - is this the only one which needs to persist for authentication to work? > Once we see that your account has a track record of being successfully > accessed via Tor the security checks are relaxed and you should be > able to use TorBirdy. I believe it would be very much appreciated if your team could provide a support page with a walk-through for Tor users explaining how to gain access by the second method, which would serve as the canonical guide and can be updated if you change your requirements. I understand this would take some effort, but as some users are undoubtedly paying customers (e.g. NGOs with Google Apps accounts) I'm sure there is a business case for it. As the official Tor Browser is based on Firefox then most users would be covered if only this was documented. NB. I'm not part of the Tor project, just a concerned user. Regards, Julian -- 3072D/F3A66B3A Julian Yon (2012 General Use) <pgp.2012@xxxxxx>
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk