[tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?

isis isis at torproject.org
Sun Jul 27 19:38:06 UTC 2014


grarpamp transcribed 1.2K bytes:
> This thread talk of only gmail and yahoo, but i also believe
> outlook (hotmail) will no longer create usable accounts [1]
> (ie not via tor, but perhaps via clearnet?) without requiring
> phone. [Truly you mean to say 'phone' tech when you say
> prevent multiple or hard to create/abuse. But it is cheap enemical
> solution against people.] And yahoo now require phone
> to create. I wish there was not bridges mail service to anyone
> then, so we do not endorse preference to these phone collecting
> people. Or open to all instead.
> 
> Embed a bridge in the webpage sometimes, in twitter, in
> blog, in git, in tpo.org/bridge/blah, make all kind of captcha
> and delay, telnet, slideshow, hidden service. All different
> and more rings.
> 
> Do we underestimate the social net in oppressed
> that gives them awareness of tor, and to obtain binary
> and share bridge info in the first place? Or that oppressor
> will not burn $cheap govt SIM and IP army to get and block
> bridges from gmail to @getbridges?
> 
> This is difficult.
> 
> [1] that you can actually send mail from instead of
> just play in.

Thanks, I'm aware of the difficulties.

I don't think a SIM card is the epitome of Sybil-proof
authentication. Purchasing Yahoo emails accounts (phone verified!), as noted
on ticket #11340, costs $0.005 a piece. A SIM card doesn't prove you're a
unique human any more than 0.001 Satoshi proves you're human or solving N
CAPTCHAs proves you're human. I am increasingly convinced that the only way to
determine if a human is a unique human is to ask said human's friends. As you
can imagine, doing this without retaining a social graph of users is quite a
non-trivial task. And FWIW, the system most of us want to see implemented for
bridge distribution doesn't exactly have the most implementable
cryptography. [0] :/

Though perhaps you missed what I mentioned earlier: You can use Riseup
now. They don't require a phone, and I consider their form of social
verification to be the most secure way to authenticate strangers in any
currently-deployed system. It's got what activist groups have required for
years to combat snitches and feds AFK: convince a few real people that you're
a trustworthy friend, or convince a live human that you're useful and not a
parasite of some sort. There's no other proof-of-work system which is
effective against the state-level adversaries we aim to fight. They've got
more money, more guns, more CPU, more RAM, more Bitcoin, and more everything
than us, except friends.

[0]: https://people.torproject.org/~isis/papers/rBridge:%20User%20Reputation%20based%20Tor%20Bridge%20Distribution%20with%20Privacy%20Preservation.copy%20with%20notes.pdf

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1154 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20140727/ffa6693e/attachment-0001.sig>


More information about the tor-talk mailing list