[tor-talk] TorBirdy doesn't work with Gmail?

Mike Hearn hearn at google.com
Wed Oct 10 13:40:53 UTC 2012


> Your phone messages presumably have a
> fixed format and can be logged by the network; drawing attention to Tor
> usage is not the goal and I can see that being a serious problem.

I think you can also opt to receive a phone call that says something
like "Your verification code is 12345". It doesn't mention Google and
certainly doesn't mention Tor. But it's been a while since I went
through this myself so I don't remember exactly.

I should note that this is the worst case scenario. For most users you
do NOT have to receive a verification code. We were considering
requiring that for all anonymizing proxy users in the past, but did
not do so. It's an option we reserve for the future though. For now,
answering a security quiz is good enough. Note that you can add a fake
phone number to your account (we don't presently verify them) and this
acts as a second password, more or less, so as long as it's a number
you can remember you can get through ID verification without receiving
any phone codes.

> I see a cookie called GAPS under accounts.google.com - is this
> the only one which needs to persist for authentication to work?

Yes, we know that saying "don't clear cookies" rather goes against the
advice and design of tools like the browser bundle. Potentially TBB
could have some specific hack for Google.

The GAPS cookie is the only one that's needed for a login to be
recognized as good. It's part of how we propagate goodness around
between second factors.

Simple example: you log in from an IP address that is nearby to one
you previously used (in physical or internet space), and don't have a
GAPS cookie. We issued you a new one when you visited the login page.
The act of logging in from a good IP whitelists that GAPS cookie.

Now you travel and log in from a new country. The IP is unknown but
the GAPS cookie you have was seen before. We let you in without hassle
because we know that device is legit. Your new IP geo is now
whitelisted too.

> I believe it would be very much appreciated if your team could provide a
> support page with a walk-through for Tor users explaining how to gain
> access by the second method

I agree. There was actually some work done on this around the time we
were considering requiring phone verification for all logins, but I
can't find it on our support site now. I think I need to chase that up
again.
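The trust propagation described in the message above, as a simplified model. This is an added example, not part of the original post and not Google's code: the names `Account` and `login` are hypothetical, "nearby IP" is reduced to a matching region string, and the ID verification step (security quiz or phone code) is reduced to a flag.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    # Signals already seen on a successful login (constructed model state).
    good_cookies: set = field(default_factory=set)
    good_regions: set = field(default_factory=set)


def login(account, cookie, region, passed_challenge=False):
    """Return 'allow' or 'challenge' for a login with a correct password.

    One recognized signal (device cookie or region) is enough to skip the
    challenge. Every successful login whitelists both signals it carried,
    which is how trust moves from one factor to the other.
    """
    recognized = (cookie in account.good_cookies
                  or region in account.good_regions)
    if not (recognized or passed_challenge):
        return "challenge"
    account.good_cookies.add(cookie)
    account.good_regions.add(region)
    return "allow"


def demo():
    # Constructed sample data: an account previously used from region "CH".
    acct = Account(good_regions={"CH"})
    return [
        # New cookie, known region: allowed, cookie becomes trusted.
        login(acct, "gaps-A", "CH"),
        # Travel: unknown region, trusted cookie: allowed, region trusted.
        login(acct, "gaps-A", "JP"),
        # Cookies cleared and an unfamiliar exit region: nothing recognized.
        login(acct, "gaps-B", "BR"),
        # After passing ID verification, both new signals become trusted.
        login(acct, "gaps-B", "BR", passed_challenge=True),
        # The kept cookie now carries trust to yet another region.
        login(acct, "gaps-B", "US"),
    ]


if __name__ == "__main__":
    print(demo())
```

The third call is the situation a client that clears cookies between sessions is in on every login: no signal carries over, so each attempt is evaluated as an unknown device.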

