On 2014-05-15 05:06, grarpamp wrote: [..big snip skipping over the complete nonsense..]
TLDwtR: the proposed setup breaks all anonymity (OpenVPN sends Raw IP packets) + few users will ever use this, few random exits will support it, thus 1:1 mapping for the few people who will use it.
Only reason why this is being asked: circumvent site policies where the operator has already had enough problems with random Tor users and other proxies defying their access policy.
[.. moved from the reply up here as it is useful ..]
I run services, they are account based, and I refuse to block access to me via tor exits.
If you want to make a positive contribution, please detail how exactly you handle abusive users, make a good post about this somewhere (and link it from the blocking services page) and when you encounter a site operator that for you "wrongly blocks Tor" ask them to reconsider based on your proposal.
Greets, Jeroen
--- further blurb...
[..]
This service is there so that operators of sites can decide if they want to serve anonymous users or not.
As said and echoed in other threads, I warrant that a significant portion of them are not making such careful, balanced and thoughtful decisions as you suggest.
Even though you are guessing that other people, who operate a site, don't make a "balanced and thoughtful decision", it is not for you to attempt to circumvent that decision.
That is like saying "they should not have connected it to the network at all if they did not want me to access it" or "hey look the space shuttle designs, they should not have allowed me to exploit that hole to get access to it".
If an operator does not want you on their site, do not circumvent it. It will only cause more problems for other people who are allowed access to it.
Note that that is there to reduce the amount of abuse, and thus the global and full blocking of Tor.
As in other threads, prove that the incidence of abuse via tor is greater than the incidence via clearnet.
You mean because people are trying to circumvent the policies of a site?
Typically an operator will only block registration through Tor, while allowing logins through Tor.
Doesn't matter which one is blocked, result is the same, a service unusable by legit users who care about their good privacy interests as noted on the tor front page.
And still, as the operator does not want anonymous users, you will have to abide by that.
As an example: a service like Netflix. They can provide content because the "owners" of that content allow them to do so in certain jurisdictions. Bypassing those rules might cause the "owner" of the content to drop Netflix as a service.
Hence, if you are bypassing the regulations that Netflix has put in place, you might damage the content availability for all those users.
Did it help you to be anonymous? Not really. Did it damage lots of people who played ball, definitely.
Who is "We"? Which users complain, and about what exactly?
Ever try to access a site via tor and be rejected for doing nothing wrong? That's who.
Obviously you are accessing sites who had problems with Tor users abusing the functionality of the site.
Not illogical that they thus classify that access as bad.
What would you do if it was your site, let them run rampant on your site or make it easy: filter those users out?
As they are anonymous there is little way to differentiate between user A and user B and if the majority coming through whatever-open-proxy is being malicious, then it is a good thing to block them.
[..]
Tor's encrypted circuits give source anonymity.
And that is the primary intent of Tor.
Tor's exits (or this OpenVPN/binding) give the ways around things.
That is NOT an intent of Tor.
Absolutely right, I wish to give users ways to avoid gratuitous unthoughtful (in respect and consideration to the individual legit user wishing access to such services) ways around such blocking.
You are thus stating: I want to circumvent a site's decision to block me.
That is not a target of Tor.
Please, don't abuse it as such. Please, go abuse some Open Proxy somewhere like most people do.
By trying to avoid blocks that way, you will only give a bad name to Tor and other similar projects.
Only if you assume tor users are 'bad' actors. That is a shame people think that.
Tor users are typically not bad actors. But there are always the people who do so and thus cause damage for the normal people who really do just want to be anonymous.
[..]
You are trying to defy policy of a site...
Tor ITSELF is trying to defy all manner of policies, this fits that just fine.
It might "defy" a policy to get access to the Tor network (ingress) to give you anonymity, but Tor itself does not give you the ability to defy the policy of the site one is connecting to (exit).
Yes, you can likely pick a US exit to see 'some' US content or otherwise get geolocated differently, but that is not defying policy of the remote (exit) site directly.
not bypassing a bad operator.
This makes no sense. I never said relay ops were bad.
'operator' in that sentence context is that of "ISP operator", eg that big old lovely Chinese firewall.
You don't have to run described openvpn extension if you don't want.
I don't think anybody will. There are too many ways to abuse that setup and more importantly, too easy to detect.
I'm putting the idea out there. Some relays will, some won't. You don't like it, you don't have to. Some blocklists and site ops will scan and detect these new IP's, some won't.
I am actually wondering all of a sudden why you think there can be scanning on the outbound IP address. Thus say that the 'exit' IP from OpenVPN is 192.0.2.1, thus all traffic coming out of your setup comes out of there. There does not have to be anything listening on that IP address. Hence scanning is not possible.
Note that both client side and server side the OpenVPN can be listening on 127.0.0.1, which just means that:
browser-> ovpn -> tor -> {tornet} -> tor -> ovpn(lo:1194) -> [exit] -> {world}
Hence, no listening addresses needed at all on the [exit] IP.
Hence, no scanning or discovery that way either. Indeed TorDNSEL won't get that special exit IP either, as it does not know about you tunneling OpenVPN over Tor.
But, as you are sending Raw IP packets, all anonymity properties that Tor normally gives you are gone.
Also, as the amount of users of this setup will be in the low 10s, let's say 5, and likely even less, this special exit IP address will only have those 5 users, hence it is VERY easy to see which user it is. At least you can map it to 5 users.
Remember, with real normal exits, nobody knows how many users there are as it is a mixnet. Thus 10 mbit of traffic might be 1 or 100 or 1000 users.
Hence, why are you using Tor again? It does not seem to be the anonymity property you care about that much.
Any that don't is a win for us.
Abuse it? Laugh, no more than users abuse current Tor exits. Actually, it would likely be less incidence of mundane flood of abuse since the moronic masses of the internet won't bother figuring out how to scan and set up OpenVPN over tor or using controller to map non OR_IP exits.
Thank you for calling most Tor users "moronic masses".
See above, you lost all your anonymity properties.
Please simply do not use Tor. You give the rest of the users a bad name.
Tor and other "open proxies" have a lot to do with abusive users. Typically they come hand in hand.
Seriously? A thousand Tor exits compared to hundreds of millions of clearnet internet IPs cause more incidence of abuse reports that need to be handled by abuse desks and LEA? Please, GET REAL!!!
Please indeed abuse those resources instead, they better fit your purpose.
There are good users, and there are bad ones. Depending on how your user base works and how much time one wants to spend, you might not want to keep on banning the people who are obviously trying to hide.
I'm sorry you feel that the majority of tor users are bad.
I've never stated anything in that direction, quite the contrary.
Have you visited your local coffeeshop or home lately, how many of those teenage freeloaders are bad. No difference, maybe even worse incidence.
Everybody is aware that one is semi-anonymous[1] in a Starbucks.
But that is not a problem to do with Tor is it?
[1] your computer will show all traces of you though, thus too late.
There is a list of these kind of services here: https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlocking... Attempting to bypass those restrictions will only cause them to block that method too, and IMHO with good reason.
They are free to do that, we are free to continue to deploy countermeasures against indiscriminate non user-account-based blocking.
Haha, yeah China and legalities.... so yes, obviously you are NOT trying to circumvent entity like the GFW. Thus what are you trying to circumvent?
Duh. Already said this many times. Tor users complain about being blocked indiscriminately when doing nothing wrong themselves. Posts from these users are frequent on tor-talk. And indeed as you listed, on that wiki page as well. We should try to help them. This is one way to do that. And to continue to put pressure on clearnet services to deploy their own account based, NOT archaic ip based, abuse management solutions.
You obviously have never run a service of any size that had to deal with that kind of abuse. IP based blocking is the easiest and best method as it takes care of most of the abusers.
Please look at Wikipedia, they are pretty open about how they block things.
[..]
Of course. Unless of course, as suggested before, some operators choose the method of binding/routing their exit over an ip different from their OR_IP, then it would just be native tor and native TCP.
If they do so, TorDNSEL will properly list that IP address as it should be doing.
[..]
No it can't. The user is running ovpn and tor on their node, and the exit operator is running ovpn and tor on their node. The only thing that hits clearnet is tor, not ovpn. So there is zero difference to any observer between 'user' and 'ovpn_ip' there at all, all they see is tor. Same as before.
Of course it can. For the traffic out of OpenVPN to go anywhere it is either using a real IP address or doing NAT. Voila, Raw IP.
Or are you connecting through another TCP based proxy inside the OpenVPN VPN?
[..]
Then why don't you suggest users sign up and pay anonymously for three separate vpn/shell services and onionchain them all together and roam them around new vpn/shells once in a while. It's the same thing. You see.
Far from.
Please watch "The Net" and other such funny movies where they "hack into each IP" and "trace the user around the world".
Please read up on Mix Networks, eg https://en.wikipedia.org/wiki/Mix_network
That explains the background concept of Tor and that if you have a 1000 users you will not know which source belongs to which.
As I noted, 'getting out', or better 'who allows Tor nodes to connect to their sites' is a decision to be made by those operators.
Yes, and they can still make those decisions. We're just making them think more about it.
Indeed, you will make sure that they will never want to have any Tor users at all, as clearly their intent is to circumvent their blocks.
On clearnet you as a service op when you block an ip are usually taking out just one user.
Ever heard of NAT? Especially with 3G exit IPs or the fun with DS-Lite, there will be a lot more than one single person behind it.
You should have just deleted their account, but whatever.
So that they can sign up again and start the abusive behavior from the start?
When you block a tor ip you are stupidly taking out many many users who have nothing to do with the account that caused you grief.
Because for most operators there is no difference.
In your proposal those "extra" IPs will just be blocked next.
That, in my opinion, is WRONG.
While you might think that, it is THEIR site, thus for them to decide.
[.. moved up..]
You clearly do not understand why the DNSEL is published. Please read up on it.
I know exactly why DNSEL is published. On one hand it is great, on the other it is abused by clearnet service operators who, in my and others' opinions, are not giving enough thought and effort into other ways they can address 'abuse'. I also know Tor Project has a budget for outreach, part of which is meant to educate about some of these other local abuse management ways besides blocking access to services via tor. Maybe it's time that budget proportion and time allocation was increased.
Please read: https://www.torproject.org/about/sponsors.html.en
and contribute. If you make a large enough donation you can ask for your own milestones:
https://trac.torproject.org/projects/tor/wiki/org/sponsors
OpenVPN, especially in encrypted mode, requires quite a lot more CPU power on the nodes running OpenVPN.
Obviously. AES-NI helps. However it does not necessarily need to be encrypted (or even heavily) since the user still has a full tor-cli to tor-exit path established. See the diagram. It is the exit that is their security, the ovpn is just adding a new ip/protocol service.
Instead of OpenVPN, which is Raw-IP, just specify the exit IP or use a TCP-proxy if you don't want them to show up in the TORBL. Saves on the overhead and avoids losing anonymity features.
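An operator-side check of the kind the thread keeps coming back to, as an added example rather than code from the thread or from the Tor Project: it takes client IPs from web-server log lines and looks each one up in TorDNSEL, assuming the current query format (reversed IPv4 octets under dnsel.torproject.org, answered with 127.0.0.2 for a listed exit and NXDOMAIN otherwise). The log lines, the fake answer table and the injectable resolver are constructed so it runs offline; 192.0.2.1 stands in for the thread's hypothetical OpenVPN exit IP, which the list never learns.

```python
# Added example: flag log-line client IPs that TorDNSEL lists as Tor exits.
# Assumed query format: reversed IPv4 octets + ".dnsel.torproject.org",
# A record 127.0.0.2 means "listed exit", NXDOMAIN means "not listed".
import ipaddress
import re
import socket

DNSEL_ZONE = "dnsel.torproject.org"
EXIT_ANSWER = "127.0.0.2"
_LOG_IP = re.compile(r"^(\S+) ")  # common log format: client IP is field 1

def dnsel_query_name(ip):
    """Reverse the dotted quad and append the zone; rejects non-IPv4 input."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + DNSEL_ZONE

def resolve_live(name):
    try:  # real DNS lookup: the A record as a string, or None on NXDOMAIN
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_tor_exit(ip, resolve=resolve_live):
    return resolve(dnsel_query_name(ip)) == EXIT_ANSWER

def flag_exit_requests(log_lines, resolve=resolve_live):
    """Map each distinct client IP in the log to whether DNSEL lists it."""
    verdicts = {}
    for line in log_lines:
        m = _LOG_IP.match(line)
        if not m or m.group(1) in verdicts:
            continue
        try:
            verdicts[m.group(1)] = is_tor_exit(m.group(1), resolve)
        except ipaddress.AddressValueError:
            pass  # IPv6 or hostname: outside this IPv4-only list
    return verdicts

# Constructed data (RFC 5737 ranges): two listed exits, plus 192.0.2.1, the
# thread's hypothetical OpenVPN-over-Tor exit IP, which DNSEL never learns.
FAKE_DNSEL = {dnsel_query_name("198.51.100.7"): EXIT_ANSWER,
              dnsel_query_name("203.0.113.9"): EXIT_ANSWER}
SAMPLE_LOG = [
    '198.51.100.7 - - [15/May/2014:05:06:00 +0000] "POST /register HTTP/1.1" 200 512',
    '192.0.2.1 - - [15/May/2014:05:06:01 +0000] "POST /register HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/May/2014:05:06:02 +0000] "GET /login HTTP/1.1" 200 1024',
]

def offline_demo():
    return flag_exit_requests(SAMPLE_LOG, FAKE_DNSEL.get)
```

Swapping `FAKE_DNSEL.get` for the default `resolve_live` runs the same check against the real list.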