[tor-talk] Pissed off about Blacklists, and what to do?

Paul Syverson paul.syverson at nrl.navy.mil
Sat Mar 8 19:39:20 UTC 2014

On Sat, Mar 08, 2014 at 08:06:11PM +0100, Fabio Pietrosanti (naif) wrote:
> On 2/7/14, 4:46 AM, grarpamp wrote:
> > What can we do, as a collective social entity, to put an end to
> > this madness? 
> From a "Security-Wise" point of view, if I was the IT Security Manager
> of a company, I would definitively block Tor's access to my IT
> infrastructure.
> I would also block most of spamhaus, VPNs, etc, unless there is a clear
> and evident "business need" to allow that source of traffic.
> It's very reasonable and effective from an IT Security Practice point of
> view to block IPs that are a common source of IP attacks.
> Doing it from an anti-fraud point of view is even more effective:
> preventing any kind of economic transaction from public proxy services
> increases the cost and complexity for the "poor's fraudster".
> So I think that we cannot do anything.
> I think that the IT Security guys are right in blocking or restricting
> access to most services when coming from public proxy services.

If you naively view Tor as Yet Another Public Proxy, I agree. But this
is the same thinking that leads you to block all encrypted traffic you
aren't MITMing. There may be environments where it makes sense, but
most of the time you are hurting yourself more than you are helping.
And enough places have learned that preventing encrypted traffic hurts
them that many people reading this probably don't remember when it was
commonly argued that the opposite was preferable.  If you have
customers or employees that could benefit from personal defense in
depth or if your corporate operations do, then you are unnecessarily
hurting yourself. As Andrew noted, if you just buy a box and use its
defaults, you probably aren't getting what you want.  Directing
incoming Tor traffic appropriately, possibly requiring extra
authentication steps for anything where you don't need to permit
anonymous-from-you access to your services, makes much more sense.

> You can "push" the big dotcoms in order to manage in a better way the
> traffic coming from dirty IP addresses, and that's happening.
> Probably having "specialized Exit Node" for the most common services
> (facebook, google, etc), in order not-to-mix dirty traffic with
> very-reasonably-good-traffic, could be one of the paths to work on.

Or encouraging corporations to run the same, e.g., allowing exit only
to their servers/ports and only for appropriate classes of
traffic. This is something we suggested early on, I think in the JSAC
1998 paper, or possibly in 2000 "Onion Routing Access Configurations".

