Re: [tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance
#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
Reporter: ioerror | Owner: tbb-team
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: security, privacy, anonymity | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------------------------+--------------------------
Comment (by aperture):
As a website owner, I had to take the somewhat difficult decision to block
Tor on some services in order to minimize disruption. Creating a special
read-only or restricted mode for Tor users was not feasible as I have
engineering time constraints. I suspect this is fairly common.

Fundamentally, site owners typically rely on identifiers like IP, email,
CAPTCHA, etc. to weakly identify users. Each of these resources has a
small cost, and hence blocking abuse is a possibility as there is a cost
to abuse. Tor removes these identification vectors, making individual
blocking unfeasible.

This is not a question of humanness or the Turing test. It's about
introducing a progressive cost to privileged actions (whether that's
creating an account, posting on a forum, etc.) that has zero monetary cost
for the user.

To resolve this problem, there needs to be an easy way (both from a site
owner's and a user's perspective) of applying a cost to privileged actions,
when conventional identification methods do not work. One option is
bitcoin micropayments, which is already being done on many bitcoin-related
sites with good success. Bitcoin isn't accessible to the vast majority of
people though.

Another more promising option is proof of work. Unfortunately PoW heavily
tilts in the favor of botnets, spammers running a Xeon, etc. Decentralized
and possibly zero knowledge identity '''is''' what appears to be the most
promising solution.

In the interim, I think resolving CAPTCHA loop issues on Tor is a good
fix. 1 CAPTCHA per site is too much, but it's better than nothing.

As for the read only concept, I just don't think it'd work. Many modern
web sites submit data with AJAX post requests or websockets; you can't
intercept that and return a CAPTCHA. `<form>` for POST is getting rarer
and rarer, and whatever Cloudflare does needs to work for almost every
site; not just "some sites" or even "a majority of sites".

@jgrahamc: I'm glad to see the whitelist tor option. This has certainly
made me consider re-subscribing to Cloudflare Business for one of my
sites.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:171>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs