Dear Mike, Mike Hearn: > Hello, > > I work for Google as TL of the account security system that is blocking > your access.
Thanks for joining the discussion; I've talked with a number of people from Google about this and you might be the person we've been looking to contact. > > Access to Google accounts via Tor (or any anonymizing proxy service) is not > allowed unless you have established a track record of using those services > beforehand. You have several ways to do that: > > 1) With Tor active, log in via the web and answer a security quiz, if any > is presented. You may need to receive a code on your phone. If you don't > have a phone number on the account the access may be denied. > The phone portion of this is extremely problematic - to tie a username to a phone may create a direct link with a government issued ID card. That in turn will create liability for the user and also likely for Google, who now holds the key to the user's anonymity. Is there a possible way to pro-actively indicate that a user will want to use Tor? For example - if you notice they're regularly in Iran, China, Syria and so on - won't current events of filtering be enough to tip Google off to the political changes that impact how users connect? > 2) Log in via the web without Tor, then activate Tor and log in again > WITHOUT clearing cookies. The GAPS cookie on your browser is a large random > number that acts as a second factor and will whitelist your access. > Is there a way to add that token to the email authentication happening with Thunderbird and TorBirdy? > Once we see that your account has a track record of being successfully > accessed via Tor the security checks are relaxed and you should be able to > use TorBirdy. It would be quite helpful if we could add a setup wizard to TorBirdy that could walk a user through doing these things safely. I fear that any setup is a usability nightmare but no clear path to such a setup at all is perhaps even worse. > > Hope that helps, It does indeed - thank you for writing on the list! As a slight aside - I have noticed that the Gmail login list does not seem to know about Tor nor about XMPP logins. It also sometimes has extremely inaccurate GeoIP data. I have on many occasions been warned that my account was hacked from China (!) only to find that the access was of type "Unknown" (rather than say, HTTP) and rather than China, it was a Tor exit node that I was using at the time. It would be quite nice if Google's audit log was Tor aware - so as to reduce panic - and if it didn't say unknown, when it was clearly via XMPP. Unless this was a bug in some kind of wiretapping interface, of course. In which case... forget that I mentioned it! :) All the best, Jacob _______________________________________________ tor-talk mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
