[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance



#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
 Reporter:  ioerror                       |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Tor Browser                   |        Version:
 Severity:  Critical                      |     Resolution:
 Keywords:  security, privacy, anonymity  |  Actual Points:
Parent ID:                                |         Points:
  Sponsor:                                |
------------------------------------------+--------------------------

Comment (by jgrahamc):

 Hello. I'm CloudFlare's CTO.

 ''There are companies - such as CloudFlare - which are effectively now
 Global Active Adversaries.''

 That's an inflammatory introduction. We are not adversarial to TOR as an
 entity, we are trying to deal with abuse that uses the TOR network. It's
 inevitable that a system providing anonymity gets abused (as well as
 used). I'm old enough to remember the trials and tribulations of the Penet
 remailer and spent a long time working in antispam.

 ''Using CF as an example - they do not appear open to working together in
 open dialog,''

 Really? We've had multiple contacts with people working on TOR through
 events like Real World Crypto and have been trying to come up with a
 solution that will protect web sites from malicious use of TOR while
 protecting the anonymity of TOR users (such as myself). We rolled out
 special handling of the TOR network so that users should not see a CAPTCHA
 on a circuit change. We also changed the CAPTCHA to the new one since the
 old was serving very hard to handle text CAPTCHAs to TOR users. The crypto
 guys who work for me are interested in blinded tokens as a way to solve
 both the abuse problem and preserve anonymity.

 Earlier @ioerror asked if there was open data on abuse from TOR exit
 nodes. In 2014 I wrote a small program called "torhoney" that pulls the
 list of exit nodes and matches it against data from Project Honeypot about
 abuse. That code is here: https://github.com/jgrahamc/torhoney. You can
 run it and see the mapping between an exit node and its Project Honeypot
 score to get a sense for abuse from the exit nodes.

 I ran the program today and have data on 1,057 exit nodes showing that
 Project Honeypot marks 710 of them as a source of comment spam (67%) with
 567 having a score of greater than 25 (in the Project Honeypot terminology
 meaning it delivered at least 100 spam messages) (54%). Over time these
 values have been trending upwards. I've been recording the Project
 Honeypot data for about 13 months that the percentage of exit nodes that
 were listed as a source of comment spam was about 45% a year ago and is
 now around 65%.

 So, I'm interested in hearing about technical ways to resolve these
 problems. Are there ways to reduce the amount of abuse through TOR? Could
 TorBrowser implement a blinded token scheme that would preserve anonymity
 and allow a Turing Test?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs