[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Wikimedia and Tor



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> You can't reliably block by IP address. It's unfair, because numerous
> users behind a NAT router will have the same public IP address. And it's
> also trivial to evade using proxies, with or without Tor. Blocking Tor
> (or even all known proxies) only stops the clueless. Anyone serious
> about evading a block could just use a private proxy on AWS (via Tor).

We do not usually permanently block IP addresses, and blocking them
only prevents editing not reading.  The purpose of a block is not
punitive, but to prevent abuse long enough that the attacker gives
up and moves on with life.

Blocking an IP address for a week to a couple of months and working
to identify IP addresses that permanently belong to organisations
such as schools or libraries stops the vast majority of abuse.  We
also work with Sysadmins at schools and libraries to get them to
pass XFF headers through their proxies so that we can block
individuals on their networks rather than the entire network.

I agree that blocking Tor or proxies is a pointless exercise, but I
can't argue with the folks that say that most of what comes from Tor
is abuse.  This is why I want to try to find a better way to solve
the problem than just blocking Tor (or for that matter proxies in
general as any solution to this should work pretty well for them).

> Even imposing a nontrivial cost for creating accounts (say 10 BTC) would
> not help. Determined adversaries would pay it. And of course, that would
> exclude numerous innocents who wouldn't or couldn't pay.

Yeah, I was just listing off some items that we came up with brainstorming
over the past few years.  Clearly that item was cut fairly quickly.  Some
type of proof of work might work, so long as it was expensive enough to
deter attackers after the first few times while still cheap enough to
generate just once for well behaved actors.

> That would exclude numerous users living under repressive regimes. But
> then, Wikimedia is already doing that by blocking edits by Tor users.

Indeed.  In some parts of China and Iran Tor is one of the only ways to
even read Wikipedia.

> The bottom line is that blocking Tor harms numerous innocent users, and
> by no means excludes seriously malicious users.

I agree that it harms numerous innocent users, but it does stop those
wish to hurt Wikipedia's content or community who are savvy enough to
know how to evade a simple IP block, but not savvy enough to know
how to set up their own proxy server.  This is apparently a surprisingly
large set of people.

Just a note.  I've never had to stop abuse from Tor and the only evidence
I have for the abuse is ancedotal stories from those who have.  It is
those people though that I have to convince to allow Tor because without
their support I stand no chance of getting it unblocked.  I am working on
trying to get together an idea for a limited trial with Tor unblocked
to see what happens, but I will be able to convince folks to unblock
Tor for a few days to gather data.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFULEORRHoDdZBwKDgRAgGFAKCOrrCiNfs32ilAbjKgCJv1e2Q0xACeN5KS
BSnOaHjpbuXU0R/zw2ypH1o=
=81Ch
-----END PGP SIGNATURE-----

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk