[tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?

Matthew Finkel matthew.finkel at gmail.com
Sun Jul 27 16:00:49 UTC 2014 

On Sun, Jul 27, 2014 at 02:09:52AM -0400, The Caped Wonderwoman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> The difficulty of obtaining a Riseup account may be prohibitive for a lot of people, especially if they need a bridge quickly for whatever reason. Anecdotally, I requested one under a different identity over a week ago and have yet to hear back. In some situations, that's an eternity, and while I'm sure it would go more quickly with an invite, that presupposes knowing someone who has one to offer.
> 

An important point, that I don't think was mentioned previously, is that
Riseup cannot be a substitute for gmail and yahoo mail. The latter
are two service providers which place very few restrictions on the
users. Riseup, on the other hand, only accepts people who either
honestly have similar political and social ideals or they lie. Granted,
if an adversary is trying to surveil or track users then they probably
won't have any problem with deception and lying during the application
process. However, this does raise the bar for entry into retrieving
the specific bridges which are only distributed to riseup users.

> As a side note, I'm always slightly surprised by how few mentions Zoho gets. They're nowhere near perfect, but compared to Google, Yahoo, and such, at least they don't mine your email for targeted advertising, they have a business model where the user is the customer, and their privacy policy is readable and honest ("we'll log your IP and fingerprint your browser to see where you go and what you do on our site, but we won't read your mail or follow you around the Internet"). http://www.zoho.com/privacy.html
> 

I hadn't heard of them. The account creation process seems simple,
sadly the captchas are not very difficult, either. I'm not saying
they're not usable, only that this seems like an easy target for
powerful adversaries. They also have offices in the US and China,
which could cause other problems.

Before we start whitelisting many new email providers, we should
define exactly which criterion we are looking for and what
percentage of the bridges we should allocate to the provider based
on which criteria they meet. We need a system that is usable by the
masses but also one that doesn't render the majority of the system
useless because someone/something was able to enumerate most of the
bridges.

> 
> On July 26, 2014 3:16:03 AM EDT, Mirimir <mirimir at riseup.net> wrote:
> >On 07/25/2014 11:31 PM, grarpamp wrote:
> >
> ><SNIP>
> >
> >> Do we underestimate the social net in oppressed that gives
> >> them awareness of tor, and to obtain binary and share bridge
> >> info in the first place?
> >
> >Maybe we do. But what about carelessness, poor judgment and the
> >prevalence of informers? Wouldn't it be better to have a system that
> >protected bridges by design?
> >
> >> Or that oppressor will not burn $cheap govt SIM and IP army
> >> to get and block bridges from gmail to @getbridges?
> >
> >Right. Requiring hard-to-get email addresses does make it harder to get
> >bridge IPs. But who does that impact the most, potential users or
> >adversaries? Is there relevant evidence?
> >
> >> This is difficult.
> >
> >Indeed.
> >
> >Please excuse the repetition, but DNS-based fast flux (Proximax) with
> >selection-based dropping of domain names associated with bridge
> >blocking
> >is the best possibility that I've seen. Rather than trying to prevent
> >adversaries from joining the system, it recursively isolates based on
> >behavior.
> >
> ><SNIP>
> >--
> >tor-talk mailing list - tor-talk at lists.torproject.org
> >To unsubscribe or change other settings go to
> >https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> 
> - --
> Sent from my Android device with K-9 Mail. Please excuse my brevity. And the cape.
> -----BEGIN PGP SIGNATURE-----
> Version: APG v1.1.1
> 
> iQJMBAEBCgA2BQJT1JewLxxDYXBlZCBXb25kZXJ3b21hbiA8Y2FwZWRfd29uZGVy
> d29tYW5Aem9oby5jb20+AAoJEBgm0LqZNaXf6wkP/Ap8j0gJ1drQ/vywryb09lPb
> tFqS1X4yFq6Drf5188DAl588SXUyTHEfYimXeNMEIjmg2Q013BrnOPY6BdLl/wPe
> 0aIiqo+iiLtuqZL+eihivPfTOThO3zjY7ZKC6AhEZf2yO8fbinome38KSZ5ToNoV
> EJcwmrL97HFQVE8Ik6JVmTmsG1San1g8I6DhxdkN/hkWy6aBt2iGdypCWe0vez2O
> YwtKdoCc5PmAKVvnszeOHutcg6FVQ8o+sJLXZU04lq3FLH1RbR5I8+r9EEa+TuZ+
> D8A5vfS4xeUFDmMpF6khOVK6ddjnsJwSc1PxY6Eqvzokg7Q8lyNxy+H8aD9WMpaK
> gG6bx1AH9YqxB1GCx924zimA+XwgYdFCv/fwmF6QdoLmLnqWUEYd8FJmjJlDsgCq
> Z4f3HflzfQTehh2Q6uB/KzcDhreOXQrFSlpvO4keb5iDRjqOh4cbrFdUZFMLN/+j
> Ny2maBjrQFl8P5Boh5vLQiQlYnWPiQH4B+Ycsy942eoTY8sUL8e0psGYBCXx+I+H
> qe4DityZ73pV6pvfX18kWv9aejML1hFri5dZX2v2Z5HVNftdTA6cXEZynrMd8kO8
> WBGnkWyiwYUO65UeK5vycdUKQ2sLd0pCnYhKKfzK6q4W+bdFtXPnnOcHXCtpaWGu
> VM50oYhzhQOO/kZTr2BO
> =A/UT
> -----END PGP SIGNATURE-----
> 
> 
> -- 
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

More information about the tor-talk mailing list