[tor-bugs] #33450 [Webpages/Website]: Create a guide to help web site owners mitigate abuse from Tor without blocking non-abusive Tor users

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 25 16:31:48 UTC 2020


#33450: Create a guide to help web site owners mitigate abuse from Tor without
blocking non-abusive Tor users
----------------------------------+------------------
     Reporter:  jnewsome          |      Owner:  hiro
         Type:  defect            |     Status:  new
     Priority:  Medium            |  Milestone:
    Component:  Webpages/Website  |    Version:
     Severity:  Normal            |   Keywords:
Actual Points:                    |  Parent ID:
       Points:                    |   Reviewer:
      Sponsor:                    |
----------------------------------+------------------
 Specifically we need something that a blocked Tor user can point a
 site/service owner to. Today the most discoverable version of this on the
 main site is https://support.torproject.org/#censorship-2, which
 essentially boils down to just asking the owner to not block Tor out of
 altruism, without offering any technical detail or support.

 Ideally such a page would help the owner determine how they're blocking
 Tor users in the first place (CDN configuration? Firewall? Website
 plugin?), and help them understand what their alternatives are.

 As a first pass, such alternatives might include:

 1) If the traffic isn't known to actually be causing harm, just don't
 block it. This may be the right solution if the exit node(s) were being
 blocked based on volume of traffic rather than any actual problem that
 traffic was causing. If there's a per-IP-address rate limit, consider
 raising it for known exit nodes.

 2) Slowing down abusive Tor users by blocking Tor circuits, e.g. using
 Cloudflare's onion integration or
 https://github.com/alecmuffett/eotk.

 3) PrivacyPass or other proof-of-work per browser rather than per IP
 address.

 4) Application-level mitigations.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33450>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
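
An added illustration of alternative 1 in the ticket above (not part of the ticket and not Tor Project code): a per-IP token-bucket limiter that keeps a rate limit for every address but raises it for known exit nodes, since one exit address carries many users. The list format (one address per line), the sample addresses, the class name and the multiplier of 20 are assumptions made for the example.

```python
import ipaddress

# Constructed sample: one exit address per line, '#' comments allowed (assumed format).
SAMPLE_EXIT_LIST = """\
# constructed sample, documentation-range addresses only
192.0.2.10
198.51.100.7
2001:db8::1
"""

def load_exit_list(text):
    """Parse a newline-delimited list of exit addresses into a set."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # skip a malformed entry instead of rejecting the whole list
    return exits

class PerIPRateLimiter:
    """Token bucket per client address; known exit nodes get a larger bucket."""
    def __init__(self, exits, rate=1.0, burst=5, exit_multiplier=20):
        self.exits = exits
        self.rate = rate                  # tokens per second, ordinary address
        self.burst = burst                # bucket size, ordinary address
        self.exit_multiplier = exit_multiplier
        self.buckets = {}                 # address -> (tokens, last_seen)

    def limits_for(self, addr):
        m = self.exit_multiplier if addr in self.exits else 1
        return self.rate * m, self.burst * m

    def allow(self, client_ip, now):
        addr = ipaddress.ip_address(client_ip)
        rate, burst = self.limits_for(addr)
        tokens, last = self.buckets.get(addr, (burst, now))
        tokens = min(burst, tokens + (now - last) * rate)  # refill since last request
        if tokens < 1:
            self.buckets[addr] = (tokens, now)
            return False
        self.buckets[addr] = (tokens - 1, now)
        return True

def count_allowed(limiter, client_ip, n, now=0.0):
    """Send n requests at the same instant and count how many pass."""
    return sum(limiter.allow(client_ip, now) for _ in range(n))
```

The exit address is still limited, just at a ceiling that reflects shared use; the multiplier is the value a site owner would tune against observed traffic.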

