On Fri, Jul 25, 2014 at 03:44:21PM +0000, obx wrote: > > Because we need an adequately popular provider that makes it hard to > > generate lots of addresses. Otherwise an attacker could make millions > > of addresses and "be" millions of different people asking for bridges. > > I know this is the reason, but there are still captchas, right? >
Yes, they do rely on captchas and phone numbers. But luckily, in the case for gmail, the capture-difficulty is variable. This in no way solves the problem, but it's certainly better than most alternatives. > Also, I think this list needs to be expanded. > > > (Also, it recently became clear that it would be useful for people to > > access this provider via https, rather than http, so a network adversary > > can't just sniff the bridge addresses off the Internet when the user > > reads her mail. > > I'm not sure if gmail is safe against this recent adversary, regardless > of the protocol. > Excluding the NSA/US Gov, I think gmail is the best corporate-controlled service available, right now. This opinion may change if contradictory information is released, but at this time, for our purposes, I am happy requiring gmail. Services like riseup are excellent, but we are abusing their systems (a little), as well as potentially putting more work/stress/pressure on the staff. I wish there was a way to necessitate the requirements and rigor of riseup with the scalability of gmail. Alas, this isn't available, as far as I know. Riseup is also special due to existing person relationships, it's possible we can expand the whitelist to other provides such as autistici, but it will be a more involved process. Suggestions and help always appreciated -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
