Re: [tor-talk] Tor and Google error / CAPTCHAs.

On 10/05/2016 02:15 AM, Alec Muffett wrote:
> On 5 October 2016 at 08:28, Mirimir <mirimir@xxxxxxxxxx> wrote:
>> So maybe there is a benefit of blocking behavior, rather than 
>> IPs?
> I'd be interested to see you continue / expand upon how you
> believe this would be manifest / what this would do and how it
> would be achieved.

Let's say that I'm working on some project, and I'm getting errors
that I don't understand. So I'd like to search using Google. Because
it's the best. But I'm working in Whonix, so Google won't serve me. I
pass a CAPTCHA, and submit my search request. But then I get "403.
That's an error. Your client does not have permission to get URL ...
from this server. That's all we know." Sure, I could get Google
results via StartPage. But then I don't get some useful Google search
tweaking features. So fuck it, I just hit Google through a throwaway VPS.

Now instead, Google could let me complete the search. And browse some
results. And come back to the search window with revised searches.
Given that this is all to help me with a particular problem, I don't
care that all of the searches are linked. It doesn't bother me that
Google sets a session cookie, to let me page through results and back,
and remember that I'm not an asshole. There is the issue that Tor
browser will drop cookies if my exit IP changes, but that's normally
not a serious issue.

Of course, Google is logging all sorts of other stuff about my
session, or at least trying to. And Tor browser is preventing as much
of that as it can. So I suspect that Google demands more from users
than the ability to set session cookies, to track short-term that a
user is not being an asshole. But the question, I think, is whether
any of that other stuff is actually necessary for preventing abuse. I
doubt it.

Let's say that I'm logging into my Wilders account via Tor. That works
just fine. What doesn't work is creating new Wilders accounts via Tor.
They don't allow that, because otherwise there's too much forum spam
to manage. So whatever, you can create new accounts through Tor plus
a proxy. But the key issue is that Wilders aggressively manages
accounts for abuse. Moderators redact and delete offending posts. From
what I hear, repeat abusers may get a warning. But mostly their
accounts just stop working, or become read-only. As a long-time
Wilders user, I get lots of "Wilders nuked my account :(" messages ;)

So if a little site like Wilders can manage that, why not any forum?
And with a little extra effort, they could even allow account creation
via Tor. Just restrict posts initially to a "training subforum", and
allow full posting only after 10 or 20 acceptable posts. I've seen
many onion forums that do that. Establishing even a little reputation
is arguably too much work for forum spammers, no?

Solutions involving cross-session tokens are far more problematic. The
CloudFlare proposal for blind-signed tokens is interesting. But
there's the issue of trusting CloudFlare that some tracking feature
hasn't been embedded into the system.

It's not so much of an issue for me, because I compartmentalize my
online activity among multiple Whonix etc VMs on multiple hosts. So I
don't really care if everything done on a particular VM gets linked.
For serious compartmentalization, I use different hosts on different
LANs, to prevent GPU etc fingerprinting and LAN exploits. But most
people aren't as paranoid ;)

Anyway, that's what comes to mind.

> As it stands it's a suggestion (?) that's widely open to 
> interpretation and thus flaming arguments; I'll restrain myself 
> from dropping a couple of examples until hearing back... :-)

Hey, feel free to share :)

> -a
