Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] when you are using Tor, Twitter will blocked your acc

Tom Ritter tom at ritter.vg
Mon Jun 9 09:20:48 PDT 2014


On 9 June 2014 12:06, Seth David Schoen <schoen at eff.org> wrote:

> Griffin Boyce writes:
>
> >   I'd recommend reaching out formally (perhaps to privacy@ ?) and
> > proposing a whitelist or other special consideration for Tor users.
>
> It seems obviously crazy to me for Twitter to prevent people from
> accessing it over Tor, both in light of widespread censorship of Twitter
> on different networks and in light of governments' attempts to find out
> where users of services are connecting from.
>
> On the other hand, if a service is viewing anomalous originating IP
> address as an indicator of compromise, then using Tor destroys that
> information source.  For example, if Twitter whitelists Tor exit nodes
> and says that connecting from them is never viewed as suspicious, then
> anybody who knows this and compromises a Twitter user's account can
> just use the stolen account over Tor and never get detected or blocked.
>
> I guess there are some people who try to compromise Twitter accounts
> who wouldn't learn about this policy and take advantage of it, but
> that seems like a significant assumption.  So, should Twitter just
> stop enforcing the compromise detection entirely when users connect
> via anonymity services?  It seems like that would significantly
> undermine the compromise detection.
>
> One alternative idea is to have a flag on people's accounts that says
> "OK to connect via anonymity services"; then a question is how people
> can get that flag (ideally, without getting the account blocked even
> once) and how someone who hijacks an account can be prevented from
> setting the flag maliciously.
>
>
Excellent email talking about the tradeoffs and problems with just treating
Tor as always-legitimate all-the-time.

FWIW, Mike Hearn has talked a little bit about Google's process (as of a
few years ago) with generic anonymizing networks (like Tor, which I will
use interchangably), and it was roughly, login with Tor, do an extra
verification step, and your account is flagged as 'Tor friendly' and you
don't need to do that again.

Twitter requires an email.  My thought would be that logins via Tor and
other anonymity networks need to use 2FA.  Either the Code Generator, SMS,
or email-click-a-link.  Either that, or require it on first Tor-login, and
flag the account as not needing it going forward.

-tom
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20140609/a2092ff8/attachment.html>


More information about the liberationtech mailing list