Slashdot Mirror


Gmail Security Is a Problem For Tor Users In Repressive Countries

blottsie writes: Google is a long-time contributor to the Tor Project. But a security feature in Gmail poses a potential problem for Tor users who live under dangerous regimes or otherwise need to protect their anonymity, reports Joseph Cox at the Daily Dot. The email service kicks users out of their login session if it detects logins from IP addresses originating in other countries, then requires a user to enter a PIN code sent to a cellphone. Unless the user has a burner phone, this could potentially betray his or her identity to authorities.


  1. Stupid by Anonymous Coward · Score: 2, Insightful

    Just disable this feature in your account settings, or better yet: don't enable it in the first place.

    Google keeps trying to get me to enter a phone number. I will never comply.

  2. It's a shame by Anonymous Coward · Score: 2, Insightful

    that there are no alternate email providers on this green planet of our Lord and Savior Baby Jesus. Amen.

  3. Security requiring cell phones by aardvarkjoe · Score: 2, Insightful

    I really hate these "security" features that are based on the assumption that you've always got phone service available.

    I've run into this recently with my credit card company. It used to be that I could use their service to generate a one-time use credit card number for use in online transactions. But now they've implemented a policy that every time you use it, you have to first receive a code via text message and type that into their website -- so if (like me) you spend a lot of time in places with no cell phone service, but with internet access, it becomes unusable.

    The end result: I'm now stuck giving everyone my real credit card information again if I purchase something online. Genius "security" move, guys.

    I don't have anything against the idea of having the option of receiving a code via a cell phone for added security -- but it needs to be an option, not something that's required across the board.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?

  4. Re:Mobile generated codes by Anonymous Coward · Score: 3, Insightful

    ^^correct. It's not secure to use SMS, and provides a phone number for regimes to hunt down and track if they twist Google's arm to get your data.

    But come on!! Why are so many so dumb? Just use keepass2 and the keeOTP plugin.

    The little known fact (outside of us geek circles) is that "Google Authenticator" is a wide open standard that anyone can write code to implement and many have. It does not call the Google mother ship. It's a time-based key generation technique based on a shared secret key you enter upon setup, and anyone with the time and interest can write their own implementation.

    Big thanks to the keepass2 team and Devin Martin who made the TOTP generator plugin. And gosh. It's pretty old folks, this isn't news.

    And to those who say "Stop using google mail" I hear you brother, but many folks don't have the skills, knowledge or means to host their own MX. Gmail with external TOTP generation à la keepass2 is about as good as you can get without rolling your own IMHO. I don't trust Google as far as I can throw them, but they do allow you to have disposable accounts with better security features than the average person will ever be able to self implement.