Evidently, I can travel at the speed of light!
https://bitcointalk.org/myips.php tells me that within a quite short time span, that I have connected from:
Tallinn, Estonia
(Unspecified city), Germany
Lipova, Romania
Amsterdam, Netherlands
(Unspecified city), Austria
(Unspecified city), United States
(Unspecified city), France
(Unspecified city), Switzerland
Nafplion, Greece
Roost, Luxembourg
Sofia, Bulgaria
Brooklyn, United States
Aleksandriya, Ukraine
(Unspecified city), Germany
(Unspecified city), Austria
(Unspecified city), Ukraine
Amsterdam, Netherlands
Bergshamra, Sweden
Seriously, I suggest that by default (and without an option), the forum should automatically discard Tor IPs before the information even hits the “User IP logs”—or if needed, log access as “Tor Exit” without an IP address and city:
- The logging of exit IPs does not serve the intended purpose of assisting disposition of account recovery requests. Indeed, to the contrary: When handling account recovery, I think you must filter Tor exits anyway. Otherwise, if a user had ever connected through Tor, an account thief may get lucky and connect through an IP geolocated in a city which the user had apparently connected from. The probability is not negligible: There are over a thousand Tor exits located all over the world, mostly in densely-populated urban areas; and a Tor user can easily jump around through dozens of them in a matter of hours.
- Although the logging of Tor exits seems to be not a big privacy concern, why keep around useless data that may be useful for unlikely attacks? Is the risk to Tor users small? Large? Who cares? The principle of “need-to-know” data minimization seems implicit throughout the forum’s “about privacy” page. Keeping those IPs around just burdens to the forum and its administration with useless data that they don’t need, and probably therefore don’t want.
- For Tor users, the forum is mostly served through Cloudflare’s onions* via Alt-Svc, with no client IP address. I have instrumented my Tor daemon with connection-logging functionality that would probably scandalize Tor Project developers; thus, it has been easy for me to confirm that most of my hits on bitcointalk.org actually go to a group of v3 onions with names starting with “cflare”. I only hit bitcointalk.org via an exit when Tor Browser’s knowledge of Alt-Svc is nonexistent or stale for whatever reason. (Due to the way Alt-Svc works, a Tor user will always hit bitcointalk.org with an exit IP at least once at the start of a new browser session.)
It’s probably a relatively low priority for forum improvement; but if you anyway must exclude Tor exits when performing account recovery, the functionality is needed. I suggest it’s better to do that at the source of data, and discard Tor IPs, rather than later, at the time of use.
(* Of course, Cloudflare can still see all traffic sent through its own onions. At least their auto-onion feature takes a big load off Tor exit capacity, a perennial bottleneck due to the difficulty and risks of running an exit; and the metadata (time and IP) for connections via an onion cannot be seen by network spies who may watch traffic from Tor exits. In fairness, I will give them significant credit for doing a bit to help user privacy against adversaries who are not Cloudflare. In my book, is an offset against their terrifically larger debit for MITMing TLS for what seems like half the web nowadays. — I have observed, entities have an interest in protecting people from everybody but themselves. The NSA wans to pwn your crypto, but doesn’t want the Chinese to pwn your crypto. Google wants your connections to Google to be secure, so that only they will be able to buttfork your privacy. Facebook wants you to securely connect to Facebook (even through an onion!), so that you can privately destroy your privacy on Facebook. I think that Cloudflare is absolutely sincere in their desire to protect users against everybody except Cloudflare. Well, generally, intelligence data loses its value if others have it...)
