Delivery-Date: Sun, 27 Jul 2014 19:12:06 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 4C7D01E02C2
	for <archiver@seul.org>; Sun, 27 Jul 2014 19:12:04 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 9B9B32FF35;
	Sun, 27 Jul 2014 23:12:00 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 8F7C62FE85
 for <tor-talk@lists.torproject.org>; Sun, 27 Jul 2014 23:08:10 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id yDXcCWSaSiSs for <tor-talk@lists.torproject.org>;
 Sun, 27 Jul 2014 23:08:10 +0000 (UTC)
Received: from patternsinthevoid.net (greyarea.patternsinthevoid.net
 [106.187.37.158])
 by eugeni.torproject.org (Postfix) with ESMTP id 0FAC62FD7F
 for <tor-talk@lists.torproject.org>; Sun, 27 Jul 2014 23:08:09 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by patternsinthevoid.net (Postfix) with ESMTP id 2DDD23A1414
 for <tor-talk@lists.torproject.org>; Sun, 27 Jul 2014 23:08:07 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at patternsinthevoid.net
Received: from patternsinthevoid.net ([127.0.0.1])
 by localhost (greyarea.patternsinthevoid.net [127.0.0.1]) (amavisd-new,
 port 10024)
 with ESMTP id YGkV-HOqQMFE for <tor-talk@lists.torproject.org>;
 Sun, 27 Jul 2014 23:08:02 +0000 (UTC)
Date: Sun, 27 Jul 2014 23:07:43 +0000
From: isis <isis@torproject.org>
To: tor-talk@lists.torproject.org
Message-ID: <20140727230643.GC6056@patternsinthevoid.net>
References: <53D16B7A.6000100@cpunk.us> <20140724203626.GS7408@moria.seul.org>
 <53D177B8.4010306@riseup.net>
 <20140725231953.GR7899@patternsinthevoid.net>
 <CAD2Ti28Ed0jtRmTWxd3FNiA52xMfJbwdFTy+JBVJ=MqDkr8HiA@mail.gmail.com>
 <53D355B3.2060800@riseup.net>
 <0f0bde22-6ca2-4cb2-9219-937e754ee3c1@email.android.com>
 <20140727160046.GA29192@localhost>
MIME-Version: 1.0
In-Reply-To: <20140727160046.GA29192@localhost>
X-GPG-Public-Key-URL: https://blog.patternsinthevoid.net/isis.txt
X-Louis-Lingg: In this hope do I say to you I despise you. I despise your
 order, your laws, your force-propped authority. Hang me for it!
Subject: Re: [tor-talk] Why does requesting for bridges by email require a
 Yahoo or Gmail address?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============7103068771396115219=="
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>


--===============7103068771396115219==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="NtwzykIc2mflq5ck"
Content-Disposition: inline


--NtwzykIc2mflq5ck
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Matthew Finkel transcribed 5.0K bytes:
> On Sun, Jul 27, 2014 at 02:09:52AM -0400, The Caped Wonderwoman wrote:
> > The difficulty of obtaining a Riseup account may be prohibitive for a l=
ot
> > of people, especially if they need a bridge quickly for whatever
> > reason. Anecdotally, I requested one under a different identity over a
> > week ago and have yet to hear back. In some situations, that's an
> > eternity, and while I'm sure it would go more quickly with an invite, t=
hat
> > presupposes knowing someone who has one to offer.
>=20
> An important point, that I don't think was mentioned previously, is that
> Riseup cannot be a substitute for gmail and yahoo mail. The latter
> are two service providers which place very few restrictions on the
> users. Riseup, on the other hand, only accepts people who either
> honestly have similar political and social ideals or they lie. Granted,
> if an adversary is trying to surveil or track users then they probably
> won't have any problem with deception and lying during the application
> process. However, this does raise the bar for entry into retrieving
> the specific bridges which are only distributed to riseup users.
>=20
> > As a side note, I'm always slightly surprised by how few mentions Zoho
> > gets. They're nowhere near perfect, but compared to Google, Yahoo, and
> > such, at least they don't mine your email for targeted advertising, they
> > have a business model where the user is the customer, and their privacy
> > policy is readable and honest ("we'll log your IP and fingerprint your
> > browser to see where you go and what you do on our site, but we won't r=
ead
> > your mail or follow you around the
> > Internet"). http://www.zoho.com/privacy.html
>=20
> I hadn't heard of them. The account creation process seems simple,
> sadly the captchas are not very difficult, either. I'm not saying
> they're not usable, only that this seems like an easy target for
> powerful adversaries. They also have offices in the US and China,
> which could cause other problems.

Nor had I, but they look and feel like a rebranded Google, and I appear to
have caused them a series of server errors when I attempted to make an acco=
unt
just now, so I'm also not very impressed with their rebrading/coding skills.

> Before we start whitelisting many new email providers, we should
> define exactly which criterion we are looking for and what
> percentage of the bridges we should allocate to the provider based
> on which criteria they meet. We need a system that is usable by the
> masses but also one that doesn't render the majority of the system
> useless because someone/something was able to enumerate most of the
> bridges.

Interesting. I like this idea. The requirements that I listed earlier for an
email provider to be acceptable were just requirements, and obviously don't
take into account features which are better for users.

Do you have a suggestion for some point values to assign to certain desirab=
le
features?

Should we take off points if something is missing? I.e. if ProviderX doesn't
have DKIM, they get penalised -20 HP, and so pretty much no matter what they
have 0 bridges in their hashring until they fix DKIM.

I kind of don't want to do all the research for all this, nor check up on
ProviderX a year down the line when it appears that some feature/requirement
of theirs is borked. What if there was, on https://bridges.torproject.org,
some sort of "Don't see an email provider that you think is appropriate?"
link, which goes to a wiki page where people can say, e.g. "I checked Zoho =
and
they appear to get a score of 17 out of 25 in this arbitrary point system, =
so
they should be supported."

--=20
 =E2=99=A5=E2=92=B6 isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt

--NtwzykIc2mflq5ck
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQMhBAEBCgELBQJT1YY+BYMB4TOAVhSAAAAAACUAKGlzaXMrc2lnbnN1YmtleUBw
YXR0ZXJuc2ludGhldm9pZC5uZXRGQzYzQUE1Q0QxOTM4NjlDMzIzNzE0NUE1QzE3
Nzc2RTI3RjdFODRESxSAAAAAABoAKGlzaXNAcGF0dGVybnNpbnRoZXZvaWQubmV0
MEE2QTU4QTE0QjU5NDZBQkRFMThFMjA3QTNBREI2N0EyQ0RCOEIzNS4aaHR0cHM6
Ly9ibG9nLnBhdHRlcm5zaW50aGV2b2lkLm5ldC9wb2xpY3kudHh0LJhodHRwczov
L2Jsb2cucGF0dGVybnNpbnRoZXZvaWQubmV0L2lzaXMudHh0AAoJEFwXd24n9+hN
BO8P/1ZoPFbq1rIjU7ofGKSmCqY2tOKNTwlEYKcEH30z6xDADsAwQjg9UUls1Yfj
TCMjH6K8dVs3Bb/AqFOAUdVAMLbL1Zlc8h+e8N+J91kbqsuGSgXJuaxWMP+1Q71c
zW4LiePuW6s5glOMl1rYiLc5Px9ntS48NqJ+WHjU9+CcrguXiNh79HQNqxM4q8/t
wmHfFc7huo6i5vIwnYxa+jVa22uik0V8QQIT3GntGX5ioxxVZ8jPa9S+m5/3yyPj
zEn650YwaQScKDxyXrJA7cpHzantxjS7mBNtdNKKHamN+bHOsJTfxDpR3xvQAAH1
Bf3pnHqvVIN+/NquMFC+AIbwYqKy8M1cwfMziC08EuRrNZkr8BkiEzVgubuADC0Z
PXAhhyLxHbX5C3ReGJFELfevfloJia4ugVh4i0/OYCgy8BjigbRZ7qU+BqRRX7+i
PkhbmDHU1SaEcjIkgWhAWHAzdQhm3LV8jbfQlc/1wyQojoSFeVcIf1J9keuT7TdF
OMsoR2Qp71obIHQbaRT/AwHNPTBYVH+FQWribAfYYfEh9By4hrEstqrZG+JFKAZa
bBRkqBmDNRqcV5fQ7ecP5kP9yUrFpVbKt2QcQwYDSNmD4DQPAuBFP7MYL0SSI7rA
H9WRavFGUdG3XcwfcpqBrpdeLvoWD2sL+PY8aEecMdz74gBQ
=WzE7
-----END PGP SIGNATURE-----

--NtwzykIc2mflq5ck--

--===============7103068771396115219==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--===============7103068771396115219==--

