Opened 10 years ago

Closed 6 years ago

Last modified 6 years ago

#1562 closed defect (wontfix)

Expand the list of email providers for bridge requests

Reported by: phobos
Owned by: isis
Priority: Medium
Milestone:
Component: Circumvention/BridgeDB
Version:
Severity:
Keywords: bridgedb-email
Cc: isis@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


gmail is frequently starting to require sms verification for new account creation. We should figure out other providers that offer both ssl and dkim headers.

Change History (11)

comment:1 Changed 10 years ago by phobos

perhaps (now Opera) or are options.

comment:2 Changed 10 years ago by arma

Needs to be more than just ssl and dkim -- it needs to also rate limit
account creation about as well as gmail does.

If we do want to add a variety of further mail providers, we might consider
breaking the "email" bridgedb bucket into multiple buckets -- so bridges you
can learn via gmail aren't the same as the ones you can learn via lavabit.
That approach may not make much sense until we have more bridges, though.

comment:3 Changed 10 years ago by phobos

Define "rate limit account creation". Gmail doesn't seem to do any such rate limiting. Lavabit allows 1 account per IP address per 24 hours according to my testing.

comment:4 Changed 10 years ago by arma

I mean exactly things like sms verification. The more work they force users
to do for accounts, the stronger gmail is for rate-limiting for our purposes.

I was under the impression they require at least a captcha solution. It does
seem like their requirements vary quite a bit over time though, which actually
isn't really what we want.

comment:5 Changed 10 years ago by nickm

Component: Tor - Tor client → Tor - BridgeDB

comment:6 Changed 9 years ago by phobos

Milestone: Tor: unspecified

I think we've seen that gmail's and yahoo's new account creation rate limiting is fairly useless. What would be the result of accepting any valid dkim signature, but limiting the IPs provided by dkim-verified provider? Such that always gets the same 3 bridge addresses, while gets a random different set of 3 bridge addresses, but always the same 3? This is modulo bridge reachability being successful.
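
A sketch of the per-provider assignment proposed in comment:6, added here as an example; it is not BridgeDB's code and not part of any commenter's post. The bridge pool, key, function names and the example.org / example.net addresses are constructed assumptions, and DKIM verification is assumed to have already succeeded before `bridges_for` is called.

```python
import hashlib
import hmac

# Constructed sample pool (documentation-range addresses), not real bridges.
BRIDGES = ["192.0.2.%d:443" % i for i in range(1, 21)]
SECRET = b"constructed-demo-key"  # hypothetical distributor secret


def sender_domain(address):
    """Return the normalised domain of an already DKIM-verified sender."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % (address,))
    return domain


def bridges_for(address, pool=BRIDGES, reachable=None, count=3, key=SECRET):
    """Pick a stable set of `count` bridges for the sender's domain.

    Every bridge is ranked by HMAC(key, domain || 0x00 || bridge), which is
    rendezvous hashing: all accounts at one provider see the same bridges,
    different providers see different ones, and the answer only changes
    when one of that provider's own bridges drops out of the pool.
    Without the key, a requester cannot predict another provider's set.
    """
    domain = sender_domain(address).encode()
    # "Modulo bridge reachability": skip bridges known to be unreachable.
    candidates = [b for b in pool if reachable is None or b in reachable]

    def rank(bridge):
        msg = domain + b"\0" + bridge.encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    return sorted(candidates, key=rank)[:count]


if __name__ == "__main__":
    for sender in ("alice@example.org", "bob@example.org", "carol@example.net"):
        print(sender, bridges_for(sender))
```

Creating more accounts at the same provider yields no additional bridges under this scheme, so the limiting factor becomes the number of distinct DKIM-signing domains a requester controls.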

comment:7 Changed 7 years ago by isis

Cc: isis@… added
Status: new → needs_information

Marking #5655 as a duplicate of this ticket: Sam from GA Tech requested that we add '' to the whitelist. This is done in this branch in this commit if it is ever decided what to do about this.

If/when social bridge distribution (#7520) is implemented, the email whitelist will be removed, so I'll leave it up to others if domains should be added.

comment:8 Changed 7 years ago by isis

Keywords: email added


from SamWhited on #5655, in comment:5:

Each student has a single address that can't be changed, and they can create unlimited aliases (but only one every 30 days I think). The answer would be to just accept mail from the domain (the one each student only gets one of). The aliases ( don't matter.

comment:9 Changed 6 years ago by isis

If we're still adding email addresses, we should probably whitelist Riseup. IIRC, Riseup accounts sell for more than Google accounts because they are more difficult to create (essentially boiling down to multiple humans approving your account creation).

comment:10 Changed 6 years ago by isis

Keywords: bridgedb-email added; email removed
Owner: set to isis
Status: needs_information → assigned

comment:11 Changed 6 years ago by isis

Resolution: wontfix
Status: assigned → closed

This was discussed at the "BridgeDB and Gmail" breakout session at the 2014 Winter developer meeting. There was full consensus among those present that adding leads to a rabbit hole of whitelisting university addresses, and that we don't really want to go down it. If someone disagrees, please feel free to reopen this ticket.

Last edited 6 years ago by isis