These are instructions for setting up an email account for use with the
email rendezvous (fp-registrar-email / flashproxy-reg-email).

You are strongly advised to use an email account dedicated for this
purpose. If your email provider supports it, we advise you to use an
app-specific password rather than your account password.

Once you have an email address and the password for it, you should add
this information to reg-email.pass in your flashproxy config directory.
For your security, this file should be on encrypted storage.

The following section provides some instructions on how to set up a new
Google account whilst revealing as little information to Google as is
feasible.

== Creating a Google account securely

These instructions were current as of May 2013.

You may have trouble if you are using Tor to create the account, for two
reasons. The first is that exit nodes are a source of abuse and Google
is more suspicious of them. The second is that Gmail is suspicious and
can lock you out of the account when your IP address is changing. While
setting up the account, use a single node in your torrc ExitNodes
configuration. Choose a U.S. exit node, one with low bandwidth.

Go to https://mail.google.com/. Allow JavaScript to run (even from
youtube.com; it seems to be necessary). Click the "CREATE AN ACCOUNT"
button.

Enter the account details. You don't need to fill in "Your current email
address". Enter a mobile phone number for later activation of two-factor
authentication. Solve the captcha. Click "Next Step". You may have to do
a phone SMS verification here.

At this point the Gmail account is created. If you are pushed into
joining Google+, close everything out and go back to
https://mail.google.com/.

Log out of the account and then back in again. There will be new text in
the lower right reading "Last account activity". Click "Details" and
turn off the unusual activity alerts. This will keep you from getting
locked out when you come from different IP addresses. At this point you
should remove the temporary ExitNodes configuration from torrc.

Add a filter to prevent registrations from being marked as spam. Click
on the gear icon and select "Settings". Select "Filters" then "Create a
new filter". For "Has the words" type "in:spam", then "Create filter
with this search". There will be a warning that filters using "in:" will
never match incoming mail; this appears to be false and you can just
click OK. Check "Never send it to Spam" and click "Create filter".

Enable IMAP. Click the gear icon, then "Settings", then "Forwarding and
POP/IMAP".
	* Disable POP
	* Enable IMAP
	* Auto-Expunge on
Click "Save Changes".

Enable two-factor authentication. We do this not so much for the
two-factor, but because it allows creating an independent password that
is used only for IMAP and does not have access to the web interface of
Gmail. Two-factor authentication also enables you to set up a Google
Authenticator one-time password token and decouple the account from the
phone number. Click the email address in the upper right, then
"Account". Click "Security". By "2-step verification" click "Setup".
Click through until it lets you set up. The phone number you provided
when the account was created will be automatically filled in. Choose
"Text message (SMS)" then click "Send code". Get your text message, type
it in, and hit "Verify". Uncheck "Trust this computer" on the next
screen. Finally "Confirm".

Now set up a Google Authenticator secret and. Under "Primary way you
receive codes", click "Switch to app". Choose "BlackBerry" and
"Continue". Copy the secret key to a file. Use a program such as
https://github.com/tadeck/onetimepass to generate a verification code
and click "Verify and Save". Now you can remove the phone number if you
wish by clicking "Remove" next to it.

Under "Backup codes", click "Print or download", and save the codes to a
file so you can log in if all else fails.

Still on the 2-step verification page, click the "App-specific
passwords" tab and the "Manage application-specific passwords" button.
Under "Select app", select "Custom" and enter "IMAP" for the name. Click
"Generate". Store the password in reg-email.pass, as mentioned in the
introduction.
