[tor-talk] Why does requesting for bridges by email require a Yahoo or Gmail address?
isis at torproject.org
Sun Jul 27 23:07:43 UTC 2014
Matthew Finkel transcribed 5.0K bytes:
> On Sun, Jul 27, 2014 at 02:09:52AM -0400, The Caped Wonderwoman wrote:
> > The difficulty of obtaining a Riseup account may be prohibitive for a lot
> > of people, especially if they need a bridge quickly for whatever
> > reason. Anecdotally, I requested one under a different identity over a
> > week ago and have yet to hear back. In some situations, that's an
> > eternity, and while I'm sure it would go more quickly with an invite, that
> > presupposes knowing someone who has one to offer.
> An important point, that I don't think was mentioned previously, is that
> Riseup cannot be a substitute for gmail and yahoo mail. The latter
> are two service providers which place very few restrictions on the
> users. Riseup, on the other hand, only accepts people who either
> honestly have similar political and social ideals or they lie. Granted,
> if an adversary is trying to surveil or track users then they probably
> won't have any problem with deception and lying during the application
> process. However, this does raise the bar for entry into retrieving
> the specific bridges which are only distributed to riseup users.
> > As a side note, I'm always slightly surprised by how few mentions Zoho
> > gets. They're nowhere near perfect, but compared to Google, Yahoo, and
> > such, at least they don't mine your email for targeted advertising, they
> > have a business model where the user is the customer, and their privacy
> > policy is readable and honest ("we'll log your IP and fingerprint your
> > browser to see where you go and what you do on our site, but we won't read
> > your mail or follow you around the
> > Internet"). http://www.zoho.com/privacy.html
> I hadn't heard of them. The account creation process seems simple,
> sadly the captchas are not very difficult, either. I'm not saying
> they're not usable, only that this seems like an easy target for
> powerful adversaries. They also have offices in the US and China,
> which could cause other problems.
Nor had I, but they look and feel like a rebranded Google, and I appear to
have caused them a series of server errors when I attempted to make an account
just now, so I'm also not very impressed with their rebrading/coding skills.
> Before we start whitelisting many new email providers, we should
> define exactly which criterion we are looking for and what
> percentage of the bridges we should allocate to the provider based
> on which criteria they meet. We need a system that is usable by the
> masses but also one that doesn't render the majority of the system
> useless because someone/something was able to enumerate most of the
Interesting. I like this idea. The requirements that I listed earlier for an
email provider to be acceptable were just requirements, and obviously don't
take into account features which are better for users.
Do you have a suggestion for some point values to assign to certain desirable
Should we take off points if something is missing? I.e. if ProviderX doesn't
have DKIM, they get penalised -20 HP, and so pretty much no matter what they
have 0 bridges in their hashring until they fix DKIM.
I kind of don't want to do all the research for all this, nor check up on
ProviderX a year down the line when it appears that some feature/requirement
of theirs is borked. What if there was, on https://bridges.torproject.org,
some sort of "Don't see an email provider that you think is appropriate?"
link, which goes to a wiki page where people can say, e.g. "I checked Zoho and
they appear to get a score of 17 out of 25 in this arbitrary point system, so
they should be supported."
♥Ⓐ isis agora lovecruft
Current Keys: https://blog.patternsinthevoid.net/isis.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1154 bytes
Desc: Digital signature
More information about the tor-talk