On Wed, Apr 6, 2011 at 11:25 AM, Aaron <aag...@extc.org> wrote: > On Tue, Apr 5, 2011 at 8:38 PM, grarpamp <grarp...@gmail.com> wrote: >>> If you must have GMail, I've noticed that accounts created on android >>> devices are not subject to these checks. And yes, even when using Tor >>> via Orbot. >> >> Since using your android is, afaik, the same as giving them your >> phone (SMS), or alternate identity, it would seem obvious that this >> would work. And thus a non-solution in general. >> > Actually, Android is an open source project: > http://source.android.com/ > > And also other derivatives: > http://www.cyanogenmod.com/ > > You can run Android on a phone without google proprietary code, though > most phones sold are google branded and bundled with proprietary apps. > >>> You don't have an android phone? >> >> Many good folks that would make good use of a gmail account >> do not have such things. Similarly, many good folks that do >> have such things would surely not wish to associate the identity >> of such a thing (IMEI/SIM/account/location/life/etc) with any >> gmail account just in order to get gmail. So for many, this is out >> based on access and/or principle alone. > > I do think it's ridiculous to need a cellphone to get a webmail > account. That said, there are a lot of competing providers. What I > don't understand is hating on Google but still wanting to use their > webmail service. >> >>> 1. Install the android sdk/emulator and create an avd. I tested with >>> API 8 (android 2.2) + google apis >>> 2. launch the emulator: emulator -http-proxy http://127.0.0.1:8118 >>> @your_adb_name_here (the proxy settings in the gui did *not* work for >>> me) >>> 4. navigate through settings->accounts&sync->add account->google->create >> >> Interesting... >> - Are you suggesting that this simulator runs on a PC using unix or windows? >> - What is an "adb_name"? > > The android emulator can be found here: > http://developer.android.com/sdk/index.html > It does run on the 3 major platforms. > > adb_name is a typo, I meant to say avd_name -- for 'android virtual device'. > >> - And it seems like a heavyweight solution in general. Do you have any >> insight into why it works? Such as its use of a certain browser string, >> preloaded cookie strings, or other http parameters? It would certainly >> be easier for many people to simply mimic those in say firefox than >> to setup an entire development and emulation environment. > > I don't have any idea how this works. If anyone is interested in > poking into this I suggest adding a self-signed root CA on a device or > emulator and use sslsniff + wireshark to see what is going on.
Just thought I'd update this here in case anyone else is trying this. I found a nice tutorial explaining how to install a root CA here: http://wiki.cacert.org/ImportRootCert Unfortunately this did not work and the certificate is still untrusted. I also tried installing the certificate from the SD card (through settings->location&security->install from sd card), but that doesn't affect the global certificate store. Attempts to create an account failed and sslsniff did not log anything. --Aaron >> _______________________________________________ >> tor-talk mailing list >> tor-talk@lists.torproject.org >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk >> > _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk