[tbb-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Feb 28 11:50:14 UTC 2016

#18361: Issues with corporate censorship and mass surveillance
 Reporter:  ioerror                       |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Tor Browser                   |        Version:
 Severity:  Critical                      |     Resolution:
 Keywords:  security, privacy, anonymity  |  Actual Points:
Parent ID:                                |         Points:
  Sponsor:                                |

Comment (by aperture):

 As a website owner, I had to take the somewhat difficult decision to block
 Tor on some services in order to minimize disruption. Creating a special
 read-only or restricted mode for Tor users were not feasible as I have
 engineering time constraints. I suspect this is fairly common.

 Fundamentally, site owners typically rely on identifiers like IP, email,
 CAPTCHA, etc to weakly identify users. Each of these resources have a
 small cost, and hence blocking abuse is a possibility as there is a cost
 to abuse. Tor removes these identification vectors, making individual
 blocking unfeasible.

 This is not a question of humanness or the turning test. It's about
 introducing a progressive cost to privileged actions (whether that's
 creating an account, posting on a forum, etc) that has zero monetary cost
 for the user.

 To resolve this problem, there needs to be an easy way (both from a site
 owner, and a user's perspective) of applying a cost to privileged actions,
 when conventional identification methods do not work. One option is
 bitcoin micropayments, which is already being done on many bitcoin-related
 sites with good success. Bitcoin isn't accessible to the vast majority of
 people though.

 Another more promising option is proof of work. Unfortunately PoW heavily
 tilts in the favor of botnets, spammers running a Xeon, etc. Decentralized
 and possibly zero knowledge identity '''is''' what appears to the most
 promising solution.

 In the interim, I think resolving CAPTCHA loop issues on Tor is a good
 fix. 1 CAPTCHA per site is too much, but it's better than nothing.

 As for the read only concept, I just don't think it'd work. Many modern
 web sites submit data with AJAX post requests or websockets; you can't
 intercept that and return a CAPTCHA. `<form>` for POST is getting rarer
 and rarer, and whatever cloudflare does needs to work for almost every
 site; not just "some sites" or even "a majority of sites".

 @jgrahamc: I'm glad to see the whitelist tor option. This has certainly
 made me consider re-subscribing to Cloudflare Business for one of my

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:171>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list