[tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?

Mirimir mirimir at riseup.net
Thu Jul 24 21:54:58 UTC 2014

On 07/24/2014 03:29 PM, mal wrote:
> Food for thought: How much do you think it would cost per email to have
> the same thing (collecting a heap of bridges) done via Mechanical Turk,
> etc.?

I suspect that Google and Yahoo require cellphone text confirmation for
multiple account attempts from a single IP address. There are
workarounds, but there's more required than cheap labor.

> On 07/24/2014 05:16 PM, Mirimir wrote:
>> On 07/24/2014 02:36 PM, Roger Dingledine wrote:
>>> On Thu, Jul 24, 2014 at 03:24:26PM -0500, Cypher wrote:
>>>> In light of the last year of disclosures by Edward Snowden, why is Tor
>>>> requiring that I establish an account with an email provider that is
>>>> completely out of my control and has a general history of complying with
>>>> law enforcement data requests? Why those two providers specically?
>>> Because we need an adequately popular provider that makes it hard to
>>> generate lots of addresses. Otherwise an attacker could make millions
>>> of addresses and "be" millions of different people asking for bridges.
>>> https://svn.torproject.org/svn/projects/design-paper/blocking.html#tth_sEc7.4
>> That totally makes sense.
>>> (Also, it recently became clear that it would be useful for people to
>>> access this provider via https, rather than http, so a network adversary
>>> can't just sniff the bridge addresses off the Internet when the user
>>> reads her mail. And it would also be nice to not use providers that turn
>>> their entire email databases over to the adversary, even unwittingly.
>>> Lots of adversaries and lots of goals to manage at once here.)
>>> --Roger
>> Right, and with HTTPS, users' ISPs (and their friends) can't even see
>> that bridges are being provided. Does the bridge database talk directly
>> with Google and Yahoo mail servers, to prevent possible XKeyScore snooping?

More information about the tor-talk mailing list