Gmail Security Is a Problem For Tor Users In Repressive Countries

blottsie writes Google is a long-time contributor to the Tor Project. But a security feature in Gmail poses a potential problem for Tor users who live under dangerous regimes or otherwise need to protect their anonymity, reports Joseph Cox at the Daily Dot. The email service kicks users out of their login session if it detects logins from IP addresses originating in other countries, then requires a user to enter a PIN code sent to a cellphone. Unless the user has a burner phone, this could potentially betray his or her identity to authorities.

Mobile generated codes

Ever heard of https://support.google.com/accounts/answer/1066447?hl=en

Re:Mobile generated codes

[stephanruby]

Ever heard of https://support.google.com/acc...

That was my first thought. And before someone gets upset at needing a mobile device or a computing device in order to generate that pin number. Google even allows you to use pre-made pin codes, so if you're ever caught in a foreign land where the authorities are about to knock down your door, you just need to swallow the paper containing those codes.

Re:Mobile generated codes

^^correct. It's not secure to use SMS, and provides a phone number for regimes to hunt down and track if they twist Googles arm to get your data.

But common!! Why are so many so dumb? Just use keepass2 and the keeOTP plugin.

The little known fact (outside of us geek circles) is that "Google Authenticator" is a wide open standard that anyone can write code to implement and many have. It does not call the google mother ship. It's a time based key generation technique based on a shared secret key you enter upon setup, and ayone with the time and interest can write their own implementation.

Big thanks to the keepass2 team and Devin Martin who made the TOTP generator plugin. And gosh. It's pretty old folks, this isn't news.

And to those who say "Stop using google mail" i hear you brother, but many folks don't have the skills, knowledge or means to host their own MX. Gmail with external TOTP generation ala keepass2 is about as good as you can get without rolling your own IMHO. I don't trust Google as far as I can throw them, but they do allow you to have disposable accounts with better security features than the average person will ever be able to self implement.

Re:under dangerous regimes

[grcumb]

Whew! I feel so safe in the good old USA, the shining beacon of freedom. And I fully expect our FBI to hack down the repressive firewalls of censorship, without a warrant, and ram some of our great freedoms down their commie throats.

I know where you're coming from (literally - I'm North American), but some beacons of freedom shine more brightly than others. In Fiji, a country which I visit professionally on a fairly regular basis, this story about a man hospitalised by military intelligence has raised some eyebrows.

Ever since the military take-over some years ago, there have been rumours of wholesale surveillance. Numerous people who for whatever reason objected to the post-coup regime reported being contacted by police or military on the day before a gathering (for example), and asked questions about things that they could only know about by eavesdropping on their communications. Soldiers reputedly beat up a large number of people in order to intimidate them into silence. There has indeed been video released of police torturing their prisoners. [Find it yourself; I'm not going to gratify your prurience.]

But this appears to be the first time a person has explicitly been detained tortured and imprisoned because of text messages sent complaining about the regime's leader (and lo and behold, newly-elected prime minister).

So yes, sending authorisation keys via text message is a Very Bad Idea in some places.