[tor-talk] Tor and Google error / CAPTCHAs.

Wed Sep 28 01:19:41 UTC 2016

On 9/27/2016 9:57 AM, blobby at openmailbox.org wrote:
>
>
> This is exactly my issue. If I login to my Gmail or FB account then
> invariably Gmail or FB thinks I am a suspicious person hence "Something
> seems a bit different about the way you're trying to sign in. Complete
> the step below to let us know it's you and not someone pretending to be
> you" or worse "Google couldn't verify it's you, so you can't sign in to
> this account right now." In the FB case, I am asked to identify my
> "friends" half of whom have baby photos or the image is unclear..
> Sometimes I get them wrong and am locked out for a few hours. And this
> is when connecting via the FB .onion address.
>
> IMO, and I am curious to know what Alec thinks, Google, FB, etc are
> creating far too many false positives. Googling "Something seems a bit
> different about the way you're trying to sign in" results in numerous
> cases where innocent users have been locked out.
>
> Two questions:
>
> Is there a way that using an exit node for Gmail, FB, etc will not be
> considered suspicious? Is that even possible?
I can't say about Gmail today (I hope you're not trying to use it w/ 
Tor, hoping for anonymity).
But w/ other login sites that balked at Tor, forcing a exit relay in 
same country that you signed up from, sometimes fixed the messages like, 
"We've detected unusual behavior...  Give us your home phone & address & 
we'll call you." :D   Sometimes even Startpage, DDG, etc. will pop a 
captcha.  I wonder why, until I look at the exit country & it's China or 
Uzbekistan or such.  After I change that to a country less known for 
cybercrime, no more capthcas on those sites.
>
> Is it possible to use a different proxy way to access Gmail, FB, etc
> without being seen as suspicious? For example, one could use proxychains
> with Tor followed by a SOCKS proxy to login.
Probably depends on the proxy.  You could try, but I'm guessing that's 
what a lot of spammers & scammers try.  Gmail has pretty strict rules to 
try & prevent fraud (keep a good reputation). They don't want to lose 
many users, or they don't get to scan the email & scrape the private 
data.  Would be financial loss, so they don't want other ISPs or sites 
blocking gmail.

It's hard to sign up for gmail w/ Tor.  They want SMS authentication, 
which is usually going to blow most users' anonymity.
By contrast, if you create an acct w/ non-Tor browser, then access it w/ 
TBB, that accomplishes nothing - as for anonymity.

Only creating an acct w/ TBB & then *never* accessing it w/ anything 
else (& not having addons or plugins that might leak IPa) will 
accomplish anonymity.  For Tor Browser email, it just seems a better 
idea to start w/ a provider that's both Tor friendly AND privacy / 
security conscious.  That's not google.

Even then, I'm not sure.  What if you get an email - via TBB, that 
mentions your real name, or is from someone in your town - using their 
real IPa - saying, "come on over tonight, to 123 Oak St.," or gives 
their phone #, etc.?  Then the mail provider effectively knows which 
town you live in, at minimum.  The right agencies can then cross 
reference that person's contacts - if they want.  And then probably the 
national security agency know all that.
>
> In both cases above (exit node and exit node plus SOCKS) we assume that
> the IP address more or less matches the "normal" non-proxy login. I am
> in Paris and use a Paris exit node and a Paris SOCKS proxy for example.
>
> Finally, thanks for participating in this discussion. It is rare to have
> people who work or used to work at the major webmail and social media
> companies from a) getting involved and b) providing a nuanced (not
> anti-Tor) perspective.