Rant on Tor

[theymos]

I don't like CloudFlare. I consider it quite likely to be some sort of government-run honeypot; or if it isn't already, then it could be easily transformed into one. Far too much of the Internet goes through CloudFlare.

However, I was just reading a couple of things from the Tor project ([1], [2]) which really annoyed me. The blame for Tor getting blocked everywhere belongs squarely at the feet of the Tor project for their failure to come up with any anti-DDoS solution whatsoever. Large sites cannot function by accepting connections from everyone without any possibility of rate-limiting. Probably this is a core flaw in the design of the Internet itself, but for now we have to live with it. If you say "well, the sites should just accept every Tor connection and treat them all as perfectly-good traffic", then you're actually saying "the sites should spend hundreds of thousands of dollars on handling every attacker as if it was legitimate". It's insane, and it's not going to happen.

There are very obvious ways of handling this while also preserving privacy. One idea is CloudFlare's Privacy Pass, which Tor categorically rejected for no good reason. (Note: I am not so confident in Privacy Pass's exact blind signature scheme, though the Tor people didn't actually use that as their reason for rejecting it. And it is a good idea at its heart.) You could extend the Tor protocol to give hidden services a way of requiring a proof-of-work from the client before handing the connection off to the application, and then sites could at least safely offer a hidden service option to Tor users. You could even think about extending TCP to require a client proof-of-work, which would address the DDoS issue beyond Tor. But instead Tor has done nothing.

TBH, Tor's unwillingness to handle this, as well as the overall weakness of Tor's anonymity when compared to the cutting edge in academic research, makes me think that Tor may be infiltrated by anti-privacy interests.

[1713999599]

1713999599

[1713999599]

1713999599

[1713999599]

1713999599

[1713999599]

1713999599

[HiDevin]

Just use google chrome or firefox, Who even needs to use Tor? pedophiles? criminals?

why is this even an issue? People using Tor have something to hide, we don't want their kind on this forum.

What do you mean? Everyone, people use Tor because they don't want their privacy to be leaked.

It's because right now, you can literally grab information about a person through any information your computer beams to the internet. Maybe they don't want to be tracked by advertisers too, etc. etc.

I don't personally use Tor but I see the reasoning behind it even though its perceived as what you said they are "pedophiles? criminals?"

edit; back to OP, is there any services except Cloudflare which will block ddosers and other people trying to destroy the forum, or no? I think there is better Tor alternatives like Freenet that people can use.

Though like you said, Tor could a proof-of-work, but I see them as pretty lazy people who work on the Tor project to be honest, which is why I don't use it.

TBH, Tor's unwillingness to handle this, as well as the overall weakness of Tor's anonymity when compared to the cutting edge in academic research, makes me think that Tor may be infiltrated by anti-privacy interests.

edit2: I like how you say this and it could be like 80% true, also why can't the government just run a shit ton of Tor nodes?

[theymos]

People using Tor have something to hide, we don't want their kind on this forum.

I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".

Privacy is good. Tor's approach to it is bad, or at least very incomplete.

[turtletime]

People using Tor have something to hide, we don't want their kind on this forum.

I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".

Privacy is good. Tor's approach to it is bad, or at least very incomplete.

I know I deleted that post because I over reacted.  It just makes people look really suspect if they use Tor.

Sorry.

[LeGaulois]

Tor is used as a honeypot since a long time https://www.wired.com/2014/12/fbi-metasploit-tor/ by the institution that likes to know everything about you. Your underwear color included...

https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html
https://www.schneier.com/blog/archives/2017/03/fbis_exploit_ag.html
https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95
*
]turtletime

Following your logic, you have something to hide so since you use cryptocurrency supposed to give to people a (financial) privacy
Some people use TOR, they do nothing bad, they just want privacy which is a basic right that people stopped to fight for

[Quickseller]

One possible solution to accepting certain TOR traffic that you know is "perfectly-good traffic" would be to setup a hidden service as a reverse proxy for a specific person, possibly for a cost, and possibly that will only support a pre-determined amount of traffic.

For example, I could ask you to setup a hidden service that I can use to connect to the forum. I would pay you $xx for you to do this. You would then spin up a VPS that runs a hidden service that connects to the "real" IP address of the forum (it bypasses cloud flare) that is intended for only me to access. Our agreement could be that once the hidden service receives xx GB worth of traffic, then it will be shut down -- this will more or less prevent me from using the hidden service to DDoS the forum, or otherwise making the hidden service address public.

I am not sure if you can run multiple hidden services via one VPS/IP address, although I suspect there is a good chance you can.

This would reduce privacy incrementally, as it would expose sockpuppets that are all used to access this hidden service. However the location of the person accessing the hidden service would remain hidden from you, along with other sensitive information, such as their IP address, and ISP.  

There would still be the problem of how someone would access the forum in the first place, which is more complicated. One option would be to run a separate website with a separate server, whose only purpose is to sell access to these hidden services. This would be easier to maintain then a major forum, and when that website goes down, it would not affect the forum.

edit: you may not like this, however for added privacy, you may accept payment via certain privacy focused altcoins.

edit2:

People using Tor have something to hide, we don't want their kind on this forum.

[...]
Privacy is good. Tor's approach to it is bad, or at least very incomplete.

One reason for this may be that the TOR devs don't want too much privacy when using tor in order to avoid the government regulate, or otherwise entirely break tor because too many serious criminals are hiding behind tor.

[The Cryptovator]

2. Do you have plan feature which allow copper membership/registered user to bypass CloudFlare by present signed message with linked their Bitcoin address, show their linked certificate or confirm with their PGP signature?

I think bypass isn't possible if CloudFlare is active. Because if you use CloudFlare than you have to change original DNS ( Domain Name Server) to CloudFlare DNS. So you must enter domain in order to visit website. If you want to skip than you have to deactive ClouFlare from Name Server.

Both Tor and CloudFlare are being lazy, but i can accept with current condition since my main goal is to jump through censorship

Yes it's little bit lazy but CloudFlare high security in low cost, especially for DDOS attack.

I forget to mention there should be another domain (preferable .onion), but normally user only can see login page with input field signed message/PGP signature/certificate and register page which force copper membership.
To prevent spam, there should reCAPTCHA, but configured to allow JS-disabled browser to solve it.

Adding new subdomain will redirect you on main doamin. Once you click loging page than same thing will happen. But I think for reCAPTCHA problem could solve by CAPTCHA.
For Example 9+2=?
If use this kind of CAPTCHA I think Tor browser will not face problem.

[escrow.ms]

Personally I think TOR is not the perfect solution for privacy, However you should consider implementing proof of work captchas for tor traffic.

[RocketSingh]

I forget to mention there should be another domain (preferable .onion), but normally user only can see login page with input field signed message/PGP signature/certificate and register page which force copper membership.
To prevent spam, there should reCAPTCHA, but configured to allow JS-disabled browser to solve it.

Adding new subdomain will redirect you on main doamin. Once you click loging page than same thing will happen. But I think for reCAPTCHA problem could solve by CAPTCHA.
For Example 9+2=?
If use this kind of CAPTCHA I think Tor browser will not face problem.

AFAIK, smart bots can solve 9+2=?. This is the reason big websites are increasingly placing trust on Google's Re-CAPTCHA. Unfortunately, Google's Re-CAPTCHA does not provide word challenge anymore. All are just images and they dont get solved even if you are correctly pointing them. The reason behind this is Google's machine learning AI is far from perfect as of yet. They assume, good IP will always correctly solve the captcha. But, they dont. Hence, the irritating problem we face with Tor.

[Welsh]

AFAIK, smart bots can solve 9+2=?. This is the reason big websites are increasingly placing trust on Google's Re-CAPTCHA. Unfortunately, Google's Re-CAPTCHA does not provide word challenge anymore. All are just images and they dont get solved even if you are correctly pointing them. The reason behind this is Google's machine learning AI is far from perfect as of yet. They assume, good IP will always correctly solve the captcha. But, they dont. Hence, the irritating problem we face with Tor.

There's a sneaky little way of bypassing (automating) Google's captcha, but requires coding a script, and using that. It's likely how all of these newbie accounts are being created automatically, and being used for malicious purposes. I'm not sure how we would combat this either as removing Google's image verification would result in a lot more spam than we already have. Unfortunately, the way to bypass the google image captcha is fairly well known, and seems like Google don't have any plans on changing it.

AFAIK there just isn't a better solution than the current implementation. I've seen people suggest implementing a captcha per post, but honestly they don't care, because they can automate it with a script. I'm sure theymos is well aware of this issue too, and requiring a captcha per post would affect legitimate users more than that of the spammers. Implementing a simpler approach wouldn't really benefit the forum. In regards to the Tor issue, and how long it can take sometimes. Then, we need to weigh up the pros, and cons, and see if we want usability over forum readability. If it were removed then it would certainly lead to mass amounts of spamming, but the current implementation isn't foolproof either. At least, I don't think so. I haven't had to log on in months, but I'm sure its exploitable like all the other captchas on other sites.

[DIKUL]

With captcha the last days a very big problem. Directly go as before did not work even once. Login directly through the Tor in 10 cases out of 10 all ends with the inscription:

reCAPTCHA has apparently marked your IP address as suspicious, and refuses to tell me whether you actually solved the CAPTCHA. If you go back and retry it several times, it will eventually work. If you are using Tor, going to Onion->New Identity might immediately fix it.

Entry is possible only through the passage of 2 step captcha:

One more step
Please complete the security check to access bitcointalk.org

[bluefirecorp_]

I don't think there's any great solution for allowing perfect anonymity that's resistant to prevent a distributed denial of service.

There's no solution to the problem without artificially limiting the ability to create anonymous profiles.

The only solution I can come up to fix the underlying problem is requiring some level of work to be done to generate a private profile. Seems like a silly solution though.

TBH, Tor's unwillingness to handle this, as well as the overall weakness of Tor's anonymity when compared to the cutting edge in academic research, makes me think that Tor may be infiltrated by anti-privacy interests.

If you think about who built the TOR network, and think about the purpose behind it, it really just gives the exit-nodes plausible deniability within our legal framework. Overall, I'm not sure it actually gives anonymity at a nation-state level.

[mprep]

In regards to Tor's unwillingness to compromise, I'd say it's more so stubbornness than malice. Having read through the discussion on the 2nd ticket (since the link to the first one seems to be broken), quite a few users seem to be opposed to the idea due to their sheer distrust for Cloudflare. Considering the fact that we're talking about a pretty hardcore segment of an already rather niche (at least compared to the widespread usage of the Internet) privacy crowd (of whom probably very few actually had to manage a website with large and resource intensive traffic), them putting their foot down and raising their battle flags against Cloudflare, a service that they perceive as ideologically incompatible, instead of trying to find a compromise is anything but an unexpected reaction.

There's a sneaky little way of bypassing Googles captcha, but requires coding a script, and using that. It's likely how all of these newbie accounts are being created automatically, and being used for malicious purposes. I'm not sure how we would combat this either as removing Google's image verification would result in a lot more spam than we already have. Unfortunately, the way to bypass the google image captcha is fairly well known, and seems like Google don't have any plans on changing it.

AFAIK there just isn't a better solution than the current implementation. I've seen people suggest implementing a captcha per post, but honestly they don't care, because they can automate it with a script. I'm sure theymos is well aware of this issue too, and requiring a captcha per post would affect legitimate users more than that of the spammers. Implementing a simpler approach wouldn't really benefit the forum. In regards to the Tor issue, and how long it can take sometimes. Then, we need to weigh up the pros, and cons, and see if we want usability over forum readability. If it were removed then it would certainly lead to mass amounts of spamming, but the current implementation isn't foolproof either. At least, I don't think so. I haven't had to log on in months, but I'm sure its exploitable like all the other captchas on other sites.

I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCatpcha Recaptcha a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).

[The Sceptical Chymist]

I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".

Even if you have nothing to hide, would you walk around nude in public?  Would you live in a house with no window shades?  Would you let everyone listen in on your conversations?

Really, even if you're the most righteous person in the world, would you want everyone to know every fucking detail of your life?  Nobody in their right mind would.  I don't use Tor, but I don't condemn those who do.  Given how much less privacy we have these days because of the internet, using browsers like Tor (and eschewing social media sites like FB, Twitter, and the like) sounds like the smart thing to do.

[Welsh]

I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCatpcha Recaptcha a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).

I was being purposely vague. However, there's a method of automatically downloading the sound files when requesting for a audio version rather than the images to help with usually impaired people. Generally, people write a Python script, automatically download it, and then can input it. I haven't tried this myself, but have seen it working on a test site from a friend of mine. He kept on having bots sign up to his website out of nowhere, and he found that this was the method they were using. Basically though, you're coding something that will be able to convert the webpage so you can capture the javascript, and then you are automatically downloading the sound file, and then run it through a text to speech program or something along those lines. Its obviously not going to be 100% accurate, but definitely somewhat automated. We've looked into options to prevent this, but it doesn't seem possible as Google doesn't allow disabling the audio option. Unless, we are missing something. 

Obviously, I haven't checked whether this can be done on Bitcointalk, because I haven't logged out in a few months. But, it shouldn't be any different to what I witnessed a few months ago.

[bluefirecorp_]

I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCatpcha Recaptcha a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).

I was being purposely vague. However, there's a method of automatically downloading the sound files when requesting for a audio version rather than the images to help with usually impaired people. Generally, people write a Python script, automatically download it, and then can input it. I haven't tried this myself, but have seen it working on a test site from a friend of mine. He kept on having bots sign up to his website out of nowhere, and he found that this was the method they were using.

Obviously, I haven't checked whether this can be done on Bitcointalk, because I haven't logged out in a few months. But, it shouldn't be any different to what I witnessed a few months ago.

I think the letter puzzles have an 80% solve rate when ran through several OCR cloud-products. There was a rather interesting paper I read about the bypass.

I've used deathbycaptcha before, and it's a pretty decent service. It provides an API, which makes it nearly automated.

[Welsh]

I think the letter puzzles have an 80% solve rate when ran through several OCR cloud-products. There was a rather interesting paper I read about the bypass.

I've used deathbycaptcha before, and it's a pretty decent service.

Yeah, the old text captcha ones were easily outsourced, and several places had around a 99% solve rate. Never used one myself, but know that it was very easily bypassed for cheap as mprep hinted. The way that this particular "exploit" works is by downloading the audio, and then identifying what the audio is saying automatically. This could probably be outsourced, and I would bet there are services offering this. However, what I imagine a lot of them are doing is running through a automatic speech to text. I don't know how accurate these are though, and they may well be outsourcing them.

[xtraelv]

I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".

Even if you have nothing to hide, would you walk around nude in public?  Would you live in a house with no window shades?  Would you let everyone listen in on your conversations?

Really, even if you're the most righteous person in the world, would you want everyone to know every fucking detail of your life?  Nobody in their right mind would.  I don't use Tor, but I don't condemn those who do.  Given how much less privacy we have these days because of the internet, using browsers like Tor (and eschewing social media sites like FB, Twitter, and the like) sounds like the smart thing to do.

I have nothing to show either. It isn't show and tell. What I do is none of anyone's business. The presumption that I do something illegal to want privacy is a fallacy.

For a search warrant there has to be reasonable cause. Internet snooping is done by Governments and big business without any plausible reasons.

None of them have any legitimate reason to snoop on me - yet they still do it. I fully empathize with those that want to keep their privacy.

[hilariousetc]

I don't like CloudFlare. I consider it quite likely to be some sort of government-run honeypot; or if it isn't already, then it could be easily transformed into one. Far too much of the Internet goes through CloudFlare.

Why do we even use it if you think this could possibly be the case? Is it really worth the risk? How effective is CloudFlare at even stopping DDOS attacks or whatever? We've still had a few here whilst we've used it, right?

Is a better Cloudflare-like service something that could be created (I remember you briefly mentioning how you would create one somewhere)? I've suggested in the past that we could use funds that the forum could generate from things like extra ad slots and premium ranks etc for projects that would benefit the community and even the world and this surely could be one, especially with your concerns about it.

[Welsh]

Is a better Cloudflare-like service something that could be created (I remember you briefly mentioning how you would create one somewhere)? I've suggested in the past that we could use funds that the forum could generate from things like extra ad slots and premium ranks etc for projects that would benefit the community and even the world and this surely could be one, especially with your concerns about it.

I'd prefer something like this. I would far prefer trusting theymos than that of the NSA. I'm trying to find the previous discussion on this, but can't seem to find it. If anyone can send it over that would be appreciated. I think it was a discussion related to one of the DDOS attacks we had before on the forum.