[tor-talk] CloudFlare

Jacob Appelbaum jacob at appelbaum.net
Thu Apr 18 21:57:06 UTC 2013


Matthew Finkel:
> On Thu, Apr 18, 2013 at 09:01:21AM +0000, Matt Pagan wrote:
>>> They're based in San Francisco, along with Craigslist (which
>>> is another misguided arbitrary blocker of Tor exits).
>>> Any other SF based companies that could benefit from
>>> a visit or hackerspace talk about why they should not
>>> be blocking Tor?
>>
>> Yelp is based in San Francisco. So is Pinterest. Getting the Wikimedia
>> Foundation (also based in San Francisco) to come over would be a huge
>> victory, IMO.
>>
> 
> Wikimedia is actually willing to discuss an alternative setup if a
> usable one is found. Their current implementation is not really
> acceptable, but there also isn't really a working/implemented alternative
> solution, at this point (and it's not exactly at the top of their list
> to implement their own).

I was involved in writing the DNSBulkExitList program specifically for
Wikipedia at the request of Tim S. At the time, I believe that it was
better than simply blocking every Tor node - it only blocks exit nodes
that allow exiting to Wikipedia.

It is possible to request a special flag on a Wikipedia account that is
granted by way of some special handshake. It is possible to take an
already created account and use it for edits as the flag overrides the
Tor block.

A workable solution would be to continue to use such a list to detect
Tor usage and then to ensure that we now allow new accounts to be
created over Tor. The MediaWiki should ensure that HSTS is sent to the
user and that the user only ever uses HTTPS to connect to Wikipedia.

I think we should ensure that Wikipedia understands that the account was
created with Tor and that the user may be using this to circumvent
censorship, to protect what they are reading or editing from their local
network censors or surveillance regime as well as to protect IP address
information that the US currently doesn't really protect (see USA vs.
Appelbaum; re: my Twitter case). Since the US can see a lot of the
traffic to Wikipedia, I'd guess that this is important worldwide.

If the user is abusive and an IP block would normally apply, Wikipedia
would not block by IP but would rather use the normal Wikipedia process
to resolve disputes (in edits, discussions, etc) and if the account is
just being used for automated jerk behavior, I think it would be
reasonable to lock the account, perhaps even forcing the user to solve a
captcha, or whatever other process is used when accounts are abused in
an automated fashion.

Most of that isn't technical - it is a matter of accepting that some of
us are not free. Some of us who are not free require systems like Tor to
participate in the Free Culture community curated by the Wikipedia
community on Wikipedia. Some of us will then be free to be part of that
community and perhaps, if we work smartly, other freedoms will follow
from the knowledge of the community.

All the best,
Jacob


More information about the tor-talk mailing list