Tor Project accuses Cloudflare of blocking users

anvilfour

Tensions are rising between Tor Project administrators and CloudFlare, a CDN and DDoS mitigation service that's apparently making the life of Tor users a living hell. Tor administrators are saying that CloudFlare is making Tor users enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies. Additionally, a study by some UK and US researchers found that are 1.3 million websites blocking access to Tor users, 3.67% being Alexa Top 1000 sites.

See full article :http://m.slashdot.org/story/307789

liamo

We see recons and attacks coming out of Tor all of the time. While I'm all for privacy, the problem is that Tor is being abused and this would appear to be a reaction to that abuse.

drcortex1124

liamo wrote: »

We see recons and attacks coming out of Tor all of the time. While I'm all for privacy, the problem is that Tor is being abused and this would appear to be a reaction to that abuse.

What solution do we have?

liamo

I wasn't proposing a solution but, seeing as you ask, I would have to ask right back : "solution to what and for whom?"

The companies that are blocking Tor are probably taking the position that

1. most of their connections come from non-Tor addresses
2. a lot of Tor-originating traffic is malicious

Solution: Block Tor.

Users who may be encountering difficulties with certain sites when using Tor could consider using a VPN service instead.

drcortex1124 wrote: »

What solution do we have?

liamo wrote: »

We see recons and attacks coming out of Tor all of the time. While I'm all for privacy, the problem is that Tor is being abused and this would appear to be a reaction to that abuse.

drcortex1124

liamo wrote: »

I wasn't proposing a solution but, seeing as you ask, I would have to ask right back : "solution to what and for whom?"

The companies that are blocking Tor are probably taking the position that

1. most of their connections come from non-Tor addresses
2. a lot of Tor-originating traffic is malicious

Solution: Block Tor.

Users who may be encountering difficulties with certain sites when using Tor could consider using a VPN service instead.

Or perhaps provide a specific .onion address of their site?

liamo

I don't really understand what you think that would accomplish.

drcortex1124 wrote: »

Or perhaps provide a specific .onion address of their site?

drcortex1124

liamo wrote: »

I don't really understand what you think that would accomplish.

Well in fairness it wouldn't be a way to protect against a Ddos but having an .onion domain would at least mean they wouldn't have to have Cloudflare asking us to point out roadsigns every time we log on.. or would it? :-D

liamo

Trying to think about it from the website owner's point of view, I can't think of a good reason to go to any trouble to accommodate Tor traffic.

• Most traffic does not originate from Tor.
• Most websites do not host content such that the privacy of users needs to be protected to the extent that Tor should be considered necessary.
• A lot of malicious traffic comes out of Tor (malicious traffic is by no means exclusive to Tor).

Blocking Tor is not an unreasonable step to take.

If they do that, then I can't see why they would take any steps to accommodate Tor.

drcortex1124 wrote: »

Well in fairness it wouldn't be a way to protect against a Ddos but having an .onion domain would at least mean they wouldn't have to have Cloudflare asking us to point out roadsigns every time we log on.. or would it? :-D

syklops

It honestly depends on the site in question. For many sites, no longer having your custom is an acceptable outcome over having to set up a .onion domain and the perceived security implications that would entail. If its a site you pay for email them and tell them why you are unhappy. If its a site whose content you get for free, you can still email, but I wouldn't expect much.

liamo

I think that's what I was trying to say in my clumsy way.

In short, the cost to a site in accomodating Tor may outweigh the benefits.

Conversely, the benefits to a site in blocking Tor (fewer attacks) may outweigh the costs, eg loss of revenue from ad-clicks or loss of paying customers.

It can come down to simple business decision about profits and costs.

syklops wrote: »

It honestly depends on the site in question. For many sites, no longer having your custom is an acceptable outcome over having to set up a .onion domain and the perceived security implications that would entail. If its a site you pay for email them and tell them why you are unhappy. If its a site whose content you get for free, you can still email, but I wouldn't expect much.

jgorres

liamo wrote: »

We see recons and attacks coming out of Tor all of the time. While I'm all for privacy, the problem is that Tor is being abused and this would appear to be a reaction to that abuse.

The abuse of something is not an argument against that something.

Although cars are abused for bank robberies they are still allowed on the roads.

liamo

jgorres wrote: »

The abuse of something is not an argument against that something.

Of course it is. It's a perfectly good argument.

It might be reasonable to say that the scope and scale of the remedy should be proportionate to the abuse. But the extension of your point is that abuse should be allowed to continue unchecked. I don't think that's realistic. In this case, I think that the blocking of Tor by a site that is experiencing abuse coming out of Tor is a perfectly reasonable response.

Although cars are abused for bank robberies they are still allowed on the roads.

Poor analogy.

Tor has not been kicked off the Internet. A property owner can decide not to permit cars on his property for reasons of security. Similarly, sites are perfectly within their rights to block sources of abuse.

Don't like it? <shrug> Go to another site.

breakoutareas

liamo wrote: »

Of course it is. It's a perfectly good argument.

It might be reasonable to say that the scope and scale of the remedy should be proportionate to the abuse. But the extension of your point is that abuse should be allowed to continue unchecked. I don't think that's realistic. In this case, I think that the blocking of Tor by a site that is experiencing abuse coming out of Tor is a perfectly reasonable response.


Poor analogy.

Tor has not been kicked off the Internet. A property owner can decide not to permit cars on his property for reasons of security. Similarly, sites are perfectly within their rights to block sources of abuse.

Don't like it? <shrug> Go to another site.

I suppose the problem is that very kind of sites working with cloudflare the very sites that most people want to access over Tor...

timmywex

This isn't anything new and has been the way Cloudflare operates for a long time.

Cloudflare catagorises all traffic and gives it a threat level, stuff coming from Tor gets a higher threat level, based on the fact that there is a higher probability of something malicious in Tor traffic. Website owners/admins can set the FW rules with a number of profiles, the default is medium. There are three actions for traffic - allow, challenge, block. The Tor traffic on the medium profile will require a challenge, so a captcha to be entered.

Following this challenge the website admin can then allow traffic for a specified length until another captcha is required - this is configurable.

In many instances the issue isn't with cloudflare, but with the configuration on cloudflare. At the end of the day it all comes down to risk appetite for the website, and sometimes allowing Tor is too risky...