[tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?

Patrick Schleizer adrelanos at riseup.net
Thu Jul 24 23:05:53 UTC 2014

> With the recent discussion about what your ISP can see when you use Tor,
> I ended up on the Tor Bridges page. On that page is the following statement:
> "I need an alternative way of getting bridges!
> Another way to get bridges is to send an email to
> bridges at torproject.org. Please note that you must send the email using
> an address from one of the following email providers: Gmail or Yahoo."
> In light of the last year of disclosures by Edward Snowden, why is Tor
> requiring that I establish an account with an email provider that is
> completely out of my control and has a general history of complying with
> law enforcement data requests? Why those two providers specifically?
> Note to conspiracy theorists: I am NOT intimating that Tor is in cahoots
> with the government in any way and that's why they're requiring Yahoo
> and Gmail so don't bother going there.
> Can anyone shed some light on this?
> Thanks,
> Cypher

Because it's about different threat models and use cases.

Usually bridges are used by countries that are "unfriendly" with US -
for example China. US services gmail / yahoo won't cooperate with China.
That may or may not be true, but for the use case at hand, that is,
simple censorship circumvention, it works.

On the other hand, your use case is interpreted by me as "I live in some
western country (ex: US), recently read the news, that using the public
Tor network will mark you as extremist in NSA database. Bad. Bridges
hide Tor, no? So isn't it an oxymoron to ask for gmail / yahoo accounts
then?" - Oxymoron on first sight, but there is none.

Using private and obfuscated bridges alone doesn't provide strong
guarantees of hiding the fact you are using Tor from your ISP. Quote [1]
[2] Jacob Appelbaum:

> Some pluggable transports may seek to obfuscate traffic or to morph
> it. However, they do not claim to hide that you are using Tor in all
> cases but rather in very specific cases. An example threat model
> includes a DPI device with limited time to make a classification choice
> - so the hiding is very specific to functionality and generally does not
> take into account endless data retention with retroactive policing.


[1] https://mailman.boum.org/pipermail/tails-dev/2013-April/002950.html
[2] http://www.webcitation.org/6G67ltL45
