Slashdot Mirror


Gmail Security Is a Problem For Tor Users In Repressive Countries

blottsie writes: Google is a long-time contributor to the Tor Project. But a security feature in Gmail poses a potential problem for Tor users who live under dangerous regimes or otherwise need to protect their anonymity, reports Joseph Cox at the Daily Dot. The email service kicks users out of their login session if it detects logins from IP addresses originating in other countries, then requires a user to enter a PIN code sent to a cellphone. Unless the user has a burner phone, this could potentially betray his or her identity to authorities.

13 of 74 comments

  1. Mobile generated codes by Anonymous Coward · · Score: 5, Informative

    Ever heard of https://support.google.com/accounts/answer/1066447?hl=en

    1. Re:Mobile generated codes by stephanruby · · Score: 4, Informative

      Ever heard of https://support.google.com/acc...

      That was my first thought. And before someone gets upset at needing a mobile device or a computing device in order to generate that PIN number: Google even allows you to use pre-made PIN codes, so if you're ever caught in a foreign land where the authorities are about to knock down your door, you just need to swallow the paper containing those codes.

    2. Re:Mobile generated codes by Anonymous Coward · · Score: 3, Insightful

      ^^correct. It's not secure to use SMS, and it provides a phone number for regimes to hunt down and track if they twist Google's arm to get your data.

      But come on!! Why are so many so dumb? Just use keepass2 and the keeOTP plugin.

      The little-known fact (outside of us geek circles) is that "Google Authenticator" is a wide-open standard that anyone can write code to implement, and many have. It does not call the Google mother ship. It's a time-based key generation technique based on a shared secret key you enter upon setup, and anyone with the time and interest can write their own implementation.

      Big thanks to the keepass2 team and Devin Martin who made the TOTP generator plugin. And gosh. It's pretty old, folks; this isn't news.

      And to those who say "Stop using Google mail": I hear you, brother, but many folks don't have the skills, knowledge or means to host their own MX. Gmail with external TOTP generation à la keepass2 is about as good as you can get without rolling your own, IMHO. I don't trust Google as far as I can throw them, but they do allow you to have disposable accounts with better security features than the average person will ever be able to self-implement.

  2. Stupid by Anonymous Coward · · Score: 2, Insightful

    Just disable this feature in your account settings, or better yet: don't enable it in the first place.

    Google keeps trying to get me to enter a phone number. I will never comply.

    1. Re:Stupid by Primate+Pete · · Score: 2

      You don't need a cell signal for the authenticator to work. You do, however, need an internet connection for email. So "off grid" use is very limited.

  3. It's a shame by Anonymous Coward · · Score: 2, Insightful

    that there are no alternate email providers on this green planet of our Lord and Savior Baby Jesus. Amen.

  4. Security requiring cell phones by aardvarkjoe · · Score: 2, Insightful

    I really hate these "security" features that are based on the assumption that you've always got phone service available.

    I've run into this recently with my credit card company. It used to be that I could use their service to generate a one-time use credit card number for use in online transactions. But now they've implemented a policy that every time you use it, you have to first receive a code via text message and type that into their website -- so if (like me) you spend a lot of time in places with no cell phone service, but with internet access, it becomes unusable.

    The end result: I'm now stuck giving everyone my real credit card information again if I purchase something online. Genius "security" move, guys.

    I don't have anything against the idea of having the option of receiving a code via a cell phone for added security -- but it needs to be an option, not something that's required across the board.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?

    1. Re:Security requiring cell phones by thegarbz · · Score: 2

      I really hate these "security" features that are based on the assumption that you've always got phone service available.

      Except in the case of most online services they do NOT make the assumption that you ALWAYS have a phone service.

      What they do provide is a free sort of two-factor authentication for a scenario where they have flagged a likely attack in progress. The only time I have ever been asked to use the system was a day where Gmail, Yahoo, and my web host all asked for it at the same time after flagging login attempts from Russia using my *correct* credentials. Naturally a bit of password management ensued.

      The only time the two factor authentication scheme has ever had a problem with me personally was when I was airport hopping, and back then Facebook's scheme was to show you pictures of friends and ask you to name them. No phone required. Personally I like the idea.

  5. Doesn't happen with basic password login by GameboyRMH · · Score: 2

    If you stick to a basic login only with no secondary authentication options, this doesn't happen, you just get logged in and you'll get a security notification the next time you log in from your usual location - I have a very old gmail account though, I don't know if it's still possible to set up a gmail account to work this way.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  6. Re:And that's a good thing by mjtaylor24601 · · Score: 2

    This is obviously a harmful security feature. It locks people out of their accounts by assuming that they always have access to a cell phone.

    Yeah if they'd been thinking at all they would have made this an optional feature that you're under no obligation to use....oh wait they totally did that. *eye roll*

    Or did you never want to be able to travel abroad?

    You can also print out a list of codes ahead of time to take with you when travelling abroad if you so desire. But...you know...don't let the facts get in the way of your rant.

    --
    I wish I were as sure of anything as some people are of everything

  7. Re:And that's a good thing by Threni · · Score: 2

    I want a per-country blacklist/whitelist, so I never have to worry about foreigners attacking my account. Two factor on top of that. Too much to ask?

  8. Re:under dangerous regimes by grcumb · · Score: 3, Interesting

    Whew! I feel so safe in the good old USA, the shining beacon of freedom. And I fully expect our FBI to hack down the repressive firewalls of censorship, without a warrant, and ram some of our great freedoms down their commie throats.

    I know where you're coming from (literally - I'm North American), but some beacons of freedom shine more brightly than others. In Fiji, a country which I visit professionally on a fairly regular basis, this story about a man hospitalised by military intelligence has raised some eyebrows.

    Ever since the military take-over some years ago, there have been rumours of wholesale surveillance. Numerous people who for whatever reason objected to the post-coup regime reported being contacted by police or military on the day before a gathering (for example), and asked questions about things that they could only know about by eavesdropping on their communications. Soldiers reputedly beat up a large number of people in order to intimidate them into silence. There has indeed been video released of police torturing their prisoners. [Find it yourself; I'm not going to gratify your prurience.]

    But this appears to be the first time a person has explicitly been detained, tortured and imprisoned because of text messages sent complaining about the regime's leader (and, lo and behold, newly-elected prime minister).

    So yes, sending authorisation keys via text message is a Very Bad Idea in some places.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.

  9. Re:Or howabout IMAP? by IamTheRealMike · · Score: 2

    More generally, 2-step authentication disables the risk-analysis-based login security. If you set up 2SV then you can use your account via Tor.

    However, note that - as observed in a comment below - you cannot create a Gmail account via Tor without passing phone verification. Thus if you're logging in to a Gmail account via Tor successfully that probably means it was created outside of Tor and so has some non-Tor IPs associated with it at some point.

    The key point is that email and Tor don't mix, for obvious spam reasons. It's not a Google specific thing. People may wish to look into Pond, a secure messaging service designed to be used via Tor from beginning to end.