Gmail Security Is a Problem For Tor Users In Repressive Countries
blottsie writes Google is a long-time contributor to the Tor Project. But a security feature in Gmail poses a potential problem for Tor users who live under dangerous regimes or otherwise need to protect their anonymity, reports Joseph Cox at the Daily Dot. The email service kicks users out of their login session if it detects logins from IP addresses originating in other countries, then requires a user to enter a PIN code sent to a cellphone. Unless the user has a burner phone, this could potentially betray his or her identity to authorities.
Ever heard of https://support.google.com/accounts/answer/1066447?hl=en
Just disable this feature in your account settings, or better yet: don't enable it in the first place.
Google keeps trying to get me to enter a phone number. I will never comply.
that there are no alternate email providers on this green planet of our Lord and Savior Baby Jesus. Amen.
This is an obviously beneficial security feature. Just use two-factor authentication and it will almost never come up.
Or did you want random hackers in other countries to guess their way into your account data?
Good for Google for protecting my logins.
- Michael T. Babcock (Yes, I blog)
I really hate these "security" features that are based on the assumption that you've always got phone service available.
I've run into this recently with my credit card company. It used to be that I could use their service to generate a one-time use credit card number for use in online transactions. But now they've implemented a policy that every time you use it, you have to first receive a code via text message and type that into their website -- so if (like me) you spend a lot of time in places with no cell phone service, but with internet access, it becomes unusable.
The end result: I'm now stuck giving everyone my real credit card information again if I purchase something online. Genius "security" move, guys.
I don't have anything against the idea of having the option of receiving a code via a cell phone for added security -- but it needs to be an option, not something that's required across the board.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
A PIN code sent to a cellphone is *NOT* the only way to do this (and it's not even that difficult to change); a pregenerated list would probably be the easiest way of doing it (assuming they don't want to install Google Authenticator on their phone).
They're even more fascist about using IMAP over Tor. Then they toss you a URL through IMAP (which my IMAP client doesn't understand, and why would it? stupid Google) and drop a "helpful" message in the inbox that you now can only access through the webclient.
Google does not play well with Tor. They're just not worth the hassle. Find another IMAP provider. Almost any other IMAP provider.
That's what you get from living in a backward country.
We here in Kazakhstan enjoy both a repressive regime and Gmail anonymity, while you people in the US have to jump through all these hurdles just to access Gmail.
A friend of mine was going to a foreign country, and he was worried that he would not be able to access his gmail. So I gave him a mini-pc with an openvpn server on it that he DMZ'd on his home network. It works great, but it was a pain in the ass.
I wasn't talking about YOU. I was talking about TOR users (hint: see summary or better yet, just look at the freaking headline).
The last part was my personal anecdote. I don't care if it "works." I don't need or want the feature.
Instead of using third-party email, somebody should build (if it doesn't exist already) a blockchain-based messaging system. People would create "accounts" that consist of a UUID, and (short) messages would be distributed publicly via the chain (but signed via PGP or some such).
If you stick to a basic login only with no secondary authentication options, this doesn't happen, you just get logged in and you'll get a security notification the next time you log in from your usual location - I have a very old gmail account though, I don't know if it's still possible to set up a gmail account to work this way.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Per the AC there is an app for that, which doesn't require phone service, and there are backup codes you can print for when you don't have your phone. So although your CC company might cause problems, gmail doesn't have to.
are dangerous.
Whew! I feel so safe in the good old USA, the shining beacon of freedom. And I fully expect our FBI to hack down the repressive firewalls of censorship, without a warrant, and ram some of our great freedoms down their commie throats.
I'm guessing most repressive countries don't have burner phones. In Saudi Arabia, we have to take government photo-ID with us to register any new SIM card. I have to enter my ID number every time I top up credit on my phone. Burners don't exist here. Anything I do on my phone or online, I do attached to my (or someone else's) identity.
I would never give Google or anyone else my cell phone number for "COUGH" security reasons. So I used Tor to sign into Gmail; it asked me to fill in my predetermined email address. I didn't go on from there, so what's this about cellphones? Why would anyone trust a corporation that's been fined zillions of dollars for breaking laws and the customers' trust? And the security works: if you're a bad guy or someone who needs to hide from the government, why in God's name are you using GMAIL?? lol They already told you they collect/store all your emails.. DUH.
Jack of all trades, master of none
You can't sign up without giving them your number anymore.
And you're not even joking!
I'd just add that the NSA (according to Snowden) has a way of finding burner phones, something about the pattern of calls being easy to pick up. The intelligence community themselves allegedly use SIP programs similar to SAIC "netEraser" with obfuscated SSL handshake; quite a few lawsuits are on public record from when other US companies have tried to incorporate the SAIC technologies. This is open/public news from around the year 2000 when SAIC was thinking of selling netEraser to us normal net users.
WTF. If you care enough about privacy that you need to use tor, then what the fuck are you doing using gmail at all?
Gmail, Google, YouTube: they are not your friend, they are a part of the spy agency. They limit your contact with the real Internet. There are many email providers that do not collect IP addresses. There are also email providers that you pay for anonymously. There is so much on the Internet to protect people's privacy; Gmail is definitely not one of those. If the risk is that you are going to get your arms and legs broken and your face kicked until it is unrecognisable, then you definitely need to stay away from Gmail; it owes its loyalty to advertisers and the NSA. Google is not the Internet, it is equivalent to AOL: Internet with walls. Google is monitoring you and not for your well-being. Don't forget the Internet, people; it's why you first began using it, and it is not called Google. Google's Eric Schmidt says "spying is the nature of our society; there's been spying for years, there's been surveillance for years." http://google-spyware.com/
If you get Google's 2-factor and run the authenticator app on iOS or Android you will not get the text messages, keeping you safe.
Google refuses to let you sign up for an account over Tor without providing a phone number. So the entire issue is pointless.
You don't need a phone for two factor. Just write down on offline *paper* and securely store the random authoritative recovery string a provider should be giving you at signup. And use TOTP until you need to recover.
All these sites claiming to want your phone number so they can give you recovery are LYING. They want it so they can share it on the secret backend to track you and destroy your privacy. Account recovery is a secondary feelgood purpose. And you all bought it hook line and sinker.
Boycott Google and win back your right to privacy and to control your own data.
Hell no, Google is not getting my cell phone number.
There are still a few alternative email services that respect your privacy. Google has admitted they will search & index your "private" emails.
Surely just using a non-web client would solve this too, no?
I remember sigs. Oh, a simpler time!
This is extremely dangerous, and for those who heard the whoosh, I'll try to explain why by describing how easy it would be to identify/locate someone with nothing more than a Google authenticator code. Google will ALWAYS cooperate with the authorities in whatever countries they operate in.
OK, so let's assume for a second that the authorities know that an email address exists and that it's used for nefarious purposes like planning a lawful demonstration and/or it's yours. Google sends an authenticator code to your subscriber number which is registered in your name. Now the authorities know where your phone is (and can in fact track it in real time down to three feet - they could pick you out in a moving crowd using a cellular ping) and working on the assumption that it's always in your pocket they can move to apprehend you or send in a blind assassin to kill whoever's attached to the handset. The technology exists to do either.
A burn phone (it's not a burner phone, there isn't a CD-RW drive attached to it) is one which is purchased anonymously, used once, then discarded: phone, battery, SIM, the lot. Separated and discarded. I've found the need to use burn phones; you need disposable cash in some countries, as you might find that you can't buy a phone without $10 (or equivalent) of calling credit. It's very difficult to track a device that isn't powered, hence isn't sending a signal anywhere.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
So you are in a third world country and are trying to plan something, communicate in a way using an existing gmail account (and you aren't concerned about the fact that those communications are hosted by Google in the US, and probably liable to warrant search, etc) -- Still want to keep your current location secret?
* Google Authenticator app works on mathematical principles and doesn't require internet access
* Single use codes can be produced in advance, and used as needed
And what if you are in one of these countries and want a gmail account, but want to do so anonymously?
* Google asks for a cell phone number on account creation, but DOESN'T REQUIRE ONE (unless you want two factor auth)... hit skip
For the truly paranoid grey hat on the go? Pre-arrange a forum online somewhere (like here, or reddit, or even usenet), and post PGP using Tor :) Get the messages out, the messages in, and stay truly anonymous.
- Holy crap, I've got MOD points! Who thought that was a good idea.
You can't sign up without giving them your number anymore.
That's just not true. I just tested this and I was able to create a new Gmail account without specifying either a phone number or an alternate email address. Go try it yourself. There's a phone number field on the form but it's not mandatory.
I wish I were as sure of anything as some people are of everything
That means the U.S.A. and the U.K. at the Top of the list buddy.
Ha ha
I'm curious why I was modded -1? If Snowden had stayed in the United States, they still would have got him even if a "Magic Genie" granted him an 0day-proof copy of TAILS and a new face/DNA/fingerprints.
gmail has never sent anything to my phone number, since I never gave it my phone number in the first place.
Baloney, not over Tor you didn't.
No one has been able to create a google account over Tor without either phone or alt email.
And hasn't for at least the past year.
And anyone who claimed they did was debunked because they were too dumb to lock all traffic to a single exit so their claim could be verified.
Or refused to give out their test username/password so verifiers could see the exit IP first in the Google last access.
Proof or gtfo.
So don't use gmail. There are PLENTY of other options out there. This is a retarded complaint.
There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
Yes you're correct. I didn't over Tor. Perhaps I misunderstood that signing up over Tor was a requirement.
GGP: "I would never give Google or anyone else my cell phone number"
GP: "You can't sign up without giving them your number anymore."
Me: "Yes you can."
I have not tested it but I'm entirely willing to believe that account creation over Tor is more difficult.
I wish I were as sure of anything as some people are of everything
When I travel to other countries and access my GMail account, at log in I am prompted to enter the City that I normally log in from. No cell phone or pin required.