Comment by jjcon
5 years ago
I also got locked out of my google account - not because of a violation (automated flag or otherwise) but because google decided my login location was too different. I know my password and have access to my recovery email but I am put into and endless login loop of ‘unable to verify’. I contacted support which had me fill out a form and that was maybe 6 months ago. I’ve moved on now but I’ll never use a google product seriously ever again.
I'm always afraid this will happen when I use a VPN or TOR. The internet in general is pretty hostile to any sort of privacy protecting measures, which they justify by saying your activity looks "suspicious". I've already been locked out of my Facebook account once because I forgot to turn my VPN off.
The last time I used TOR it was almost impossible to do anything on the internet. Every Google search was met with "We detected you are a bot" and every website interaction was blocked by never-ending CAPTCHAs.
My ISP has literally a single public IP address they use for all subscribers. And, I have third-party cookies disabled in my browsers because they are almost never used for something legitimately good. Because of these two things, I'm constantly being punished with captchas, and sometimes downright bans ("your IP isn't good enough to post on this forum"), in places where I least expect. Yes, looking at you, Google and Cloudflare.
Oh wow, the dreaded carrier-grade NAT. I still can't believe that's a thing.
2 replies →
Unfortunately, enabling TOR basically makes your traffic "malicious-shaped" these days. One of the largest users of privacy services are users (bot or human) who don't want their traffic easily traced because they're doing something malicious.
It's definitely not the only use case for such services, but if a service provider sees that 90% of traffic shaped a certain way is malicious traffic, it's understandable they will take steps to mitigate that traffic.
ETA: I'm not happy about it because I believe in the value of anonymity, but it is what it is. Here's a Cloudflare blog post talking about the challenges handling Tor traffic, which to their estimate is (a) 94% malicious "per se," so any tooling you do that tries to estimate intent based on origin IP address is gummed up by the malicious signal emanating from the same Tor exit node as your legit traffic and (b) anonymized by design, therefore any attempts you might make to build a reptutation signal for a given client are intended to be thwarted. The result is that a Tor user's traffic looks reputationless to a service like Cloudflare, and you can't just assume reputationless signal is benign (so, CAPTACHAs and "bot-like behavior suspected" walls).
https://blog.cloudflare.com/the-trouble-with-tor/
Interesting article, thanks, and especially at the end of the article:
> (Some cloudflare people) have proposed a solution to the Tor Project that moves part of the process of distinguishing between automated and human traffic to the Tor browser itself. The Tor browser could allow users to do a sort of proof-of-work problem and then send a cryptographically secure but anonymous token to services like CloudFlare in order to verify that the request is not coming from an automated system.
> By moving the proof-of-work test to the client side, the Tor browser could send confirmation to every site visited so that users wouldn’t be asked to prove they are human repeatedly
(+ Link to the suggestion)
The onion site Https cert idea is also interesting