[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor and Google error / CAPTCHAs.

On 3 October 2016 at 19:06, meejah <meejah@xxxxxxxxx> wrote:

> Alec Muffett <alec.muffett@xxxxxxxxx> writes:
> > 2) In my experience the "blocking" that companies do to Tor (and similar)
> > is 100% grounded in the threats from spam, scraping, testing phished
> > credentials, and other forms of bad behaviour.
> A lot of it is just by accident, too, I think: many Cloudflare customers
> seem not to know that they have to "do something" (change an option) to
> not by default "block" Tor users (i.e. give them a CAPTCHA).

My perspective is that blocking in the context of Cloudflare is not an
"accident", nor is it exactly "intentional".

CF are acting in what they rationally believe - and I can follow and
understand their logic - that lots of scraping (etc) badness emanates from
Tor, and so they have taken to offering, "by default", some manner of
protection from that badness.

CF have many smaller customers, few amongst whom will be *aware* of Tor,
and few of whom will be substantially impacted by CF impeding access to the
tiny numbers of legit user(s) who might want to access them over Tor.

So that's why I argue that even CF blocking is borne out of the world of
spamming and scraping.

What will lead folk to switch that _off_ is awareness.

> ...and e.g. at shared hosting or similar companies, individual web sites
> likely have no idea that they are blocking Tor users (i.e. if the hoster
> decided to block Tor, for whatever reason).

Absolutely.  Exactly that.

CF (and any other company) as a hosting-provider is somewhat divorced from
the signals that would allow them to separate "bad" scraper/spammy Tor
connections from "good" Tor connections.

This all is an unfortunate side-effect of sites choosing outsourced layer-3
network frontends and/or site hosting without bundled-in site management &
related layer-7 logic; traditionally hosting providers have added basic
blocking of "bad" connections by equating "badness" to "IP address" - but
since that's the one thing which Tor eliminated, the hosting providers are
lack a grip on the badness and so are blocking Tor wholesale.

> So often a friendly note saying "did you know you're disallowing Tor
> users?" goes a long way...

Totally.  :-)

> > People who are responsible for compliance are really good to get "on your
> > side" if you are trying to make better affordance for Tor within a
> company:
> > if you can build a system for them that says:
> >
> >     "This connection is coming from a Tor exit node, That connection is
> > not."
> There is a DNS-based system for this already, from Tor Project. But I
> guess you mean making this work for "internal" systems at whatever
> company?

Correct.  One can enumerate the exit nodes from Onionoo quite easily, but
making that information dynamically available to your web fleet, and
integrating it into your business logic, is trickier.  :-)


tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to