[tor-talk] Tor and Google error / CAPTCHAs.

blobby at openmailbox.org blobby at openmailbox.org
Tue Sep 27 14:57:32 UTC 2016


On 2016-09-27 09:45, Alec Muffett wrote:
> On 27 September 2016 at 09:42, Mirimir <mirimir at riseup.net> wrote:
> 
> Exactly.  This manifests where folk on Twitter complain that "zomg i'm
> using the onion site and it's blocked me!" - when in fact some perhaps code
> is running - code that someone took the time to write - to learn/remember
> that you are a person who logs-in over Tor, that you really are who you
> claim to be, and that this is all "okay".
> 
> Otherwise the first time that someone logs-in from a Tor exit node might be
> someone using Tor to experiment with your credentials, which they phished
> off you via an e-mail, or something. (This is another popular misuse of Tor
> from the perspective of the big platforms.)
> 
> It is definitely a _tough_ problem.
> 
>     -a


This is exactly my issue. If I log in to my Gmail or FB account then 
invariably Gmail or FB thinks I am a suspicious person hence "Something 
seems a bit different about the way you're trying to sign in. Complete 
the step below to let us know it's you and not someone pretending to be 
you" or worse "Google couldn't verify it's you, so you can't sign in to 
this account right now." In the FB case, I am asked to identify my 
"friends" half of whom have baby photos or the image is unclear. 
Sometimes I get them wrong and am locked out for a few hours. And this 
is when connecting via the FB .onion address.

IMO, and I am curious to know what Alec thinks, Google, FB, etc are 
creating far too many false positives. Googling "Something seems a bit 
different about the way you're trying to sign in" results in numerous 
cases where innocent users have been locked out.

Two questions:

Is there a way that using an exit node for Gmail, FB, etc will not be 
considered suspicious? Is that even possible?

Is it possible to use a different proxy way to access Gmail, FB, etc 
without being seen as suspicious? For example, one could use proxychains 
with Tor followed by a SOCKS proxy to log in.

In both cases above (exit node and exit node plus SOCKS) we assume that 
the IP address more or less matches the "normal" non-proxy login. I am 
in Paris and use a Paris exit node and a Paris SOCKS proxy for example.

Finally, thanks for participating in this discussion. It is rare to have 
people who work or used to work at the major webmail and social media 
companies a) getting involved and b) providing a nuanced (not 
anti-Tor) perspective.

