[tor-relays] Vodafone Italia blocking traffic from IPs that belong to Tor relays

Julien ROBIN julien.robin28 at free.fr
Sun Nov 27 14:41:27 UTC 2016


Hi,

Apart from the problem of non-exit relays, I also think there is a 
problem with blocking users from exit nodes.

Anyway, whatever the point of view is about exit node blocking, it's 
sure that blocking entry and middle nodes is not useful; it's the 
signature of either something that is misunderstood, or something 
(bad?) that is done in a very lazy way (!) ... in both cases that's 
exasperating! Additionally it's making normal Internet navigation 
painful and censored for those who operate relays at home. Getting 
censored while fighting against censorship is really depressing.

Even if some webmasters don't care anymore about Tor and online privacy, 
because in the past they got pissed off by misuses and don't want to talk 
anymore about "what should be done ideally", I think that others aren't 
really aware of possible solutions, and what is at stake about online 
rights and the Internet of tomorrow, because it's not always obvious in 
their position.

By blocking fair usages of Tor they are going to make Tor censored and 
unable for fair navigation and that's the absolute opposite of what 
should be done! For everybody. I think that a lot of big websites are 
aware of this (and it's a chance, otherwise nothing would be available 
from Tor, and Tor usage would be prohibited everywhere), but 
unfortunately not all website owners are aware of this.

I see 2 things:

  * For website owners who have a big amount of problems with Tor misuses,
    the good approach could be Captcha; for forums / message boards it
    can be a moderator approval of the first message, in order to make only
    "fair" usage possible. Finding that kind of idea may be the only
    possible way to make sysadmins and freedom volunteers agree on
    something technically working for everybody. Maybe we should list
    everything that makes a sysadmin ban Tor IP addresses and see
    what technical solution could be suggested.

  * Also, for raising awareness about this subject at large scale, maybe
    some big organisations like Mozilla could do something significant
    enough, but individually it's complicated to convince somebody who
    has pretty strong and fixed ideas, and bad experiences in the past.
    Maybe some other discussions already discussed this subject in the
    past and got good conclusions about the ideal approach for this problem,
    and how to ideally handle this kind of situation?


Julien ROBIN



On 27/11/2016 11:31, fnordomat wrote:
> Ah, the unfathomable depths of human stupidity never cease to amaze.
>
> fr33d0m4all, you did the right thing. In the absence of negative
> reinforcement, the persons responsible will continue thinking they are
> doing the right and sensible thing. Of course, the pessimistic
> standpoint is that words never convinced anyone, but I for one believe
> in trying.
>
> We are still documenting sites whose wannabe admins discriminate against
> Tor btw:
>
> https://pad.systemli.org/p/noncloudflare-torblocks
> http://j7652k4sod2azfu6.onion/p/noncloudflare-torblocks
>
> I added ricarica.vodafone.it to it.
>
> As a Tor-only user, I'm accustomed to seeing this kind of stupidity -
> fed up with it - but I know for sure that it's hardly going to stop
> anytime soon. Many trends point in the opposite direction - the
> apperception that it's OK to discriminate against people who value their
> privacy and security, the idea that it's OK to paint us as criminals,
> and tools like Tor as impractical for daily use.
>
> The kindest thing I'm prepared to say about Tor blockers is that they're
> mediocre individuals who never bothered to look behind the FUD. The best
> thing about Tor blockers is that they're not out there burning actual
> witches, but sitting somewhere burning virtual ones and jerking off to
> their own friggin' feeling of comforting normalcy in unnormal times.
>
> It's discrimination, pure and simple.
>
> But the inconvenience of having to find ways around a block - sometimes
> after some important transaction fails - is a minor thing: not everyone
> knows how to do that, or manages quickly to find a proxy that is
> unblocked. Novice users could very well give up at this point. No one
> should be comfortable thinking that sabotaging public perception of the
> practicality of casual anonymity, in times of mass surveillance, is
> acceptable.
>
> And yet here we are - a whole industry offers the snake-oil "security"
> of Tor blocking lists, or blocking and MitM as an infrastructure. And
> there's plenty of wannabe webadmins out there who implement such things,
> mistakenly thinking three things:
>
> a) they need that for "security"
>
> b) it buys them anything in terms of real security, rather than being a
> quick fix to temporarily reduce the volume of "suspicious" or fraudulent
> events
>
> c) their classification of traffic into "mostly legit" from outside Tor,
> and "mostly crooked" from Tor is correct.
>
> Reality is more complex and panopticon-style surveillance of course
> drives any activity that is crooked or merely "suspicious" - and there
> it starts to get muddy - faster "underground" than any docile activity.
>
> I could rant on and on (at the peril of turning into an armchair
> sociologist), because this simplification of reality ties in with the
> complaints about "hacking" coming from Tor exits, even culminating in
> massive attempts to intimidate exit operators and attack the very
> infrastructure in a futile attempt to deflect responsibility - one could
> call it scapegoating.
>
> (I would like to add the following - sadly non-operational - comment to
> all the abuse complaint discussions:
>
> One who runs a server should accept the responsibility for securing
> one's own service - the responsibility for securing one's service rests
> with the endpoint, not the carrier. It can't really be fully delegated.
> At least that's the philosophical standpoint I stand firmly convinced of
> - espousing the opposite one, I believe, lands one in a make-believe
> world where problems are solved by looking up to "authority" and no one
> has any agency and competence left.)
>
> Those who venture into Tor blocking on their own, believing in points
> (a, b, c) above, are likewise deluding themselves.
>
> The only thing that really can be done is try and convince people who do
> it wrong, one by one, and let them see the light. I do this too (under
> my "real" name), but so far never got a reply that betrayed any inkling
> of understanding.
>
> We're up against just too much FUD.
>
>
> Tristan:
>> They obviously don't know what they're doing since they "aren't checking
>> the reject policy" on your non-exit relay. Hopefully they'll sort it out.
>> Netflix had the same thing for a while.
>>
>> On Nov 26, 2016 2:55 PM, "fr33d0m4all" <fr33d0m4all at riseup.net> wrote:
>>
>>> Hi,
>>> I just want to share my recent experience with Vodafone Italia
>>> (mobile carrier). Some days ago, for the first time, I was surfing
>>> Vodafone.it site from my home network where I run a Tor non-exit relay,
>>> and when I surfed "https://ricarica.vodafone.it/" I've got the following
>>> error page:
>>>
>>> Access denied (403)
>>>
>>> Active policy for this site prohibits access from TOR Network.
>>>
>>> For further information, do not hesitate to contact us.
>>>
>>> Contact us: support+vodafone at reblaze.com
>>>
>>> For a reference, please provide the following paragraph:
>>>
>>> [MyIPAddress]://vodafone-rbzr2313438303139323634335aee0f47488438e0
>>> [1480192643]
>>>
>>> I wrote to reblaze.com, I've explained that I'm running a non-exit relay
>>> and that even if Vodafone is saying that traffic from Tor (they say TOR
>>> -__- ) Network, no traffic from Tor network can reach the public network
>>> (and so their site) from my own relay. This was my email:
>>>
>>>      Hi,
>>>      today I've received the attached error when trying to pay on
>>>      Vodafone Italia site and I want to point out that it is a false
>>>      positive.
>>>
>>>      The error is "Active policy for this site prohibits access from Tor
>>>      Network." and I was surfing the web directly from my public IP
>>>      address X.X.X.X. As you can see on ExoneraTor this IP address
>>>      also hosts a Tor <<middle>> relay:
>>>      https://exonerator.torproject.org/?ip=X.X.X.X&timestamp=2016-11-24
>>>
>>>      If you gave a close look to that Tor Relay, you can see that it is
>>>      DEFINITELY NOT A TOR EXIT RELAY, so you/Vodafone can't receive any
>>>      traffic from Tor Network from my relay, since it is only a transit
>>>      Tor relay:
>>>
>>>      https://atlas.torproject.org/#details/xxxxxxx
>>>
>>>      (Exit policy is reject, so it is not an Exit relay).
>>>
>>>      So, I understand that you want to block sessions coming from Tor
>>>      network, but you should definitely get a list of Tor exit relays
>>>      only, not the full list of Tor relays that includes Tor relays that
>>>      will NEVER send traffic from Tor network to public network.
>>>
>>>      I'd like to understand why you're blocking sessions coming from an
>>>      IP address that hosts a non-exit relay.
>>>
>>> And this is their reply:
>>>
>>>      Hi
>>>      currently this web site policy is to block any IP that is
>>>      identified as TOR Relay:
>>>
>>>      "Looking up IP address X.X.X.X on or within one day of 2016-11-24.
>>>      Tor clients could have selected this or these Tor relays to build
>>>      circuits." we are not checking the "Reject Policy"
>>>
>>>      we will check the issue with the web site administrators
>>>
>>>      Thanks
>>>
>>>         Reblaze Support .
>>>
>>> I think I won't receive any further info from Vodafone, BTW if they
>>> reply, I'll share their answer with you.
>>>
>>> Have a nice weekend,
>>>     Fr33d0m4all
>>>
>>> --
>>>
>>> _____________________________________________________________
>>>
>>>   PGP Key: 0DA8 7293 D561 3AEE A3C0  7F63 101F 316A F30E ECB4
>>>   IRC Nick: fr33d0m4all (OFTC & Freenode)
>>> _____________________________________________________________
>>> _______________________________________________
>>> tor-relays mailing list
>>> tor-relays at lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20161127/bc8513b1/attachment.html>
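The distinction this thread turns on, blocking every relay address versus only addresses whose exit policy lets traffic reach the site, is shown below as an added example; it is not part of any message in the thread and is not Reblaze's or the Tor Project's code. It assumes entries laid out like a Tor consensus (`r` line with the relay address, `p` line with the exit-policy summary); the sample entries and the function names are constructed for illustration.

```python
# Added example. The consensus-style entries are constructed: the IPs are
# documentation addresses and the identity/digest fields are placeholders.
SAMPLE_CONSENSUS = """\
r MiddleAtHome AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-11-24 10:00:00 192.0.2.10 9001 0
s Fast Running Stable Valid
p reject 1-65535
r WebExit CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-11-24 10:05:00 198.51.100.20 443 80
s Exit Fast Running Valid
p accept 80,443,8080-8088
r MailOnlyExit EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2016-11-24 10:07:00 203.0.113.30 9001 0
s Running Valid
p accept 25,465,587
"""

def port_allowed(policy, port):
    """Evaluate a 'accept|reject PortList' policy summary for one port."""
    action, _, portlist = policy.partition(" ")
    listed = False
    for item in portlist.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            listed = True
            break
    return listed if action == "accept" else not listed

def parse_relays(text):
    """Return one dict per relay: nickname, address, policy summary."""
    relays, current = [], None
    for line in text.splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "r":
            fields = rest.split()
            if len(fields) < 8:          # malformed entry: skip it
                current = None
                continue
            # No 'p' line seen yet: treat the relay as rejecting everything.
            current = {"nick": fields[0], "ip": fields[5],
                       "policy": "reject 1-65535"}
            relays.append(current)
        elif kind == "p" and current is not None:
            current["policy"] = rest
    return relays

def classify(relays, port=443):
    """Split relay addresses into 'any relay' and 'can exit to this port'."""
    all_ips = {r["ip"] for r in relays}
    exit_ips = {r["ip"] for r in relays if port_allowed(r["policy"], port)}
    return all_ips, exit_ips

if __name__ == "__main__":
    everyone, exits = classify(parse_relays(SAMPLE_CONSENSUS), 443)
    print("blocked by an all-relay list but not an exit:", sorted(everyone - exits))
```

An exit can send traffic from an address other than the one on its `r` line, so a list built this way is a lower bound and a production list also needs observed exit addresses.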

