[tor-talk] Google disable web-access to gmail for Tor-users?

Matthew pumpkin at cotse.net
Sat Apr 2 17:16:47 UTC 2011 

  Google / Gmail requires cookies to login. I use a cookie manager addon in 
Firefox 4. I allowed Google to set temporary cookies, & didn't get "cookies 
are disabled" message. But, when open the Gmail page in Tor mode, try to 
login - it gives me the following message (which seems like an idiotic 
privacy invasion & bad security idea - from user's stand point):
>> Verify your account
>> We've detected unusual activity on your account. To immediately restore 
>> access to your account, type your phone number below.
>> *Verification Options *
>> *Text Message*
>>
>> Google will send a text message containing a verification code to your 
>> mobile phone.
>> *Voice Call*
>>
>> Google will make an automated voice call to your phone with a 
>> verification code.
>>
>> *Country *
>> *Mobile phone number *
> If click on link "learn more about your support options," get this screen:
>>
>> Accounts <https://www.google.com/accounts/> › Help articles 
>> <http://www.google.com/support/accounts/> › Suspicious activity detected 
>> on your account
>>
>> Google Accounts: Suspicious activity detected on your account
>> Share Print
>>
>> Because we detected unusual activity on your account, we've disabled all 
>> access for your protection. We do this to protect your privacy and make 
>> sure that only you have access to your account.
>>
>> *For immediate access, follow these steps:*
>>
>> 1. Sign in to your account at http://www.google.com/accounts
>> 2. You’ll be prompted to enter your phone number to verify your
>> account. Enter your phone number and choose how you want to
>> receive a verification code (SMS or voice call)
>> 3. Click *Send verification code to my phone*
>> 4. You may need to wait up to 10 minutes to receive our SMS or
>> voice call. Please do not request another code if the first one
>> has not arrived. Only the most recent code requested will be
>> accepted.
>>
>> If the above process does not work, you can 
>> <https://www.google.com/support/accounts/bin/request.py?ara=1&hl=en&contact_type=ara&ctx=ara>fill 
>> out this form, (gives a link) which asks you to provide details about 
>> your account. Make sure to take your time and answer as many questions 
>> as possible. If we are able to verify that you own the account, you’ll 
>> be able to reset your password.
>>
>> Read this article 
>> <https://www.google.com/support/accounts/bin/answer.py?hl=en&answer=46526> 
>> for more information on keeping your account secure.
>>
>
> This problem has been discussed before, but I don't know the real 
> solution, if there is one. Because the Tor exit node (in my case) appears 
> to be in a diff country than one given to Gmail when opened the acct (or 
> the assumed country from my orig IP address), Google thinks it may be 
> someone trying to hack the acct. There may be settings users can change 
> in their acct to have Google (or other providers) to contact in a case 
> like this, other than sending your phone #, to verify your identity. 
> Don't think I'll be sending them my phone #. I've never seen this or 
> heard of them (or any site) asking users to send their phone #. Yes, I'm 
> sure I was on the real Gmail login page - 
> https://www.google.com/accounts/ServiceLoginAuth
>
> When I set up my acct, I chose "security questions" for verification (or 
> at least if forget my password), but in this case, seems Google isn't 
> using that to verify I'm the real acct owner.
>
> It might be possible to limit relays Tor uses to your country, but never 
> dealt w/ that. Others will know more than me.
> _______________________________________________
>

Using StrictExitNodes 1 limits the nodes to whatever you have set for 
ExitNodes. For example:

StrictExitNodes 1

#ExitNodes blutmagie
#ExitNodes blutmagie2
#ExitNodes cassiope
ExitNodes DynoTor

Would set the exitnode to DynoTor (in the UK). You can have multiple 
uncommented ExitNodes. You can also select by country, for example:

ExitNodes {au} # Australia

Question: when you got this error were you playing around with temporary 
cookies? Why not let TorButton handle your cookies or allow cookies then 
securely delete cookies.sqlite afterwards? Then see if you have the same 
problem.

More information about the tor-talk mailing list