[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] CloudFlare

>Date: Sun, 26 May 2013 23:23:58 -0400
>From: grarpamp <grarpamp@xxxxxxxxx
>To: tor-talk@xxxxxxxxxxxxxxxxxxxx
>Subject: Re: [tor-talk] CloudFlare


>This is twice now.. I never said anything of the sort.

You brought up the issue of wishing to keep things concealed from ones
employer in
grarpamp grarpamp at gmail.com

"For example, a year or so ago I tested an English language based
predominantly North American, slightly Euro, dating site against Tor.
Though they had no stated policy to be sure of it, from my tests it appeared
that from English speaking exit countries, Tor worked fine. If I let Tor
or come in via say Brazil, the account would be silently deleted. This
lead to belief that they utilized the 'unfathomable' policy. Again, their
actual policy is unknown, I could have just been using unlucky IP's.
Either way, I'd very much hesitate to recommend them to Tor users who
would fear for their legitimate account, and thus any developing relations,
against that unknown. Further, people find dating hard enough without having
their employer or landlord snooping on how many kids they want, and whoever
else generally reading/storing/selling their personal bits. These sites need
to respect that. Part of which is to fully and properly enable HTTPS on
their servers and to permit their users to come from Tor.
Please note the reference to wishing to conceal details from one's employer.

>Nor did I
>say people are not free to block whatever they want. And, I know
>what sort of bad traffic traverse the net since before Tor and how
>many gigs of it I block a month. Sorry your blog got hit somedays,
>but don't take it out on those expressing ideas counter to yours
>or turn that into bogus interpretations as to what they do in their
>online/professional/personal lives.

If you don't think instructing me with, "don't take it out on those
expressing ideas counter to yours" is not at least seeming to tell people
they ought not to block IPs they chose to block, I think you are mistaken.
 In anycase, I don't consider blocking IPs associated with scraping,
fingerprinting, attempting XSS attacks and so forth to be taking anything
out on " those expressing ideas counter to [mine]".

>My advocacy is clear and easygoing: Services should not block users
>merely for using Tor, should find other ways to manage things, and
>should do so for a variety of very good reasons.

I didn't tell you you can't advocate what you wish to advocate. You can
advocate whatever  you like.  I think my response is just as clear and
easy going as yours. I think others can decide whether they wish to take
your advice. With respect to TOR: To the extent that it causes problems
for 3rd parties, they will block it. The reason is: They will often value
protecting their servers more than whatever it is you believe they ought
to value.

I don't consider my telling you this either unclear or not easy going. My
view: You do what you like. Those providing services do what they like.
Everyone gets their freedom on this matter.

In anycase, I don't think my blog is "a service". It is my hobby blog.

>>...And in: https://twitter.com/lucialiljegren/status/316243078161776641
>>[Cludflare User]: Is there anyway to setup blocking of tor exit nodes?
>>[Lucia]: Get the IPs here: http://exitlist.torproject.org/exit-addresses
>>Extract them, then submit with Cloudflares API. I do it weekly.

Someone on Twitter asked how to block Tor at Cloudflare. I told them how
to do it.  I have no idea why our exercising our right to speak on Twitter
bothers you.

I do block TOR by reading the Tor exist lists and submitting those to
Cloudflare's API. For what it's worth: People can also use Cloudflare's
API to unblock TOR IP's if they wish to do so. If someone asked how to do
that and I read the question, I'd tell them how to do that too.  In fact,
I have a system to unblock Tor IPs after the drop of the list of exit
nodes for more than a month.

I've posted here-- and at Twitter-- totally in public.  I happen to
support the freedom of speech-- even to the extent of discussing how one
may block Tor. I happen to also support the right and freedom for people
who run services to put in place access restriction of their own chosing.

As for the reaction of Cloudflare: Based on some of the text I did not
requote, I imagine you are concerned that Tor could end up blocked at
Cloudflare if many, many individual customers blocked Tor IPs while none
unblocked the: Sure.  That's what I told people in previous threads.
Cloudflare is not treating Tor any differently from other IPs.

My view is that those who run or use Tor or who wish to improve it  would
benefit from learning what causes people to block Tor and where possible
find ways to address these issues.   The Tor community will be unable to
do so if they keep themselves unaware of
(a) the actual reasons why individuals who block Tor block it,
(b) how individuals actually block Tor
(c) what impact individuals blocking Tor have on third parties.

With respect to (a) I block because of XSS, vulnerability scanning,
scraping and so on. Not for comment spam nor for any desire to surpress
their viewpoints. With respect to (b) I block using Cloudflare (and I will
share knowledge with others). With respect to (c) the fact that Cloudflare
uses information from many individuals to create reputation scores for IPs
does mean that if *many* Cloudflare customers block, Tor IPs may find
themselves blocked from many sites that use Cloudflare.  I imagine that
many who block Tor do so for similar reasons.

This is information the Tor community might wish to be aware of.

Or, maybe not. Maybe you'd prefer to think they are blocking IPs to
prevent freedom of speech and so believe that lecturing them on the
importance of freedom of speech or privacy will solve the problem. Or
something. But 'educating' people about the importance of privacy or
freedom of speech will not solve your difficulties if people are blocking
for security reasons, or to contain costs required to deal with scraping.
To deal with those issues you need to consider whether there is someway
you guys could do things like block incoming IPs that attempt to hit
"timthumb.php" or other vulnerabilities.

>specifically herein those
>of its exits and users that have never done anything to you... down
>thousands of other subscribers throats, and against tens of thousands
>of Torizens... weekly.

I haven't forced my opinion of Tor on anyone.  My blocking Tor doesn't
force anything down anyone's throats. My blocking Tor doesn't even affect
any *people*. People are not IPs.  My blocking Tor merely prevents them
from visiting my private blog using *Tor IPs* or any IP that is  blocked. 
Since people are manifestly NOT their IPs, these people are free to visit
using a non-Tor IP.

>I shall have nothing more to say to you on these and bid you Good Day.

Happy memorial day,

tor-talk mailing list