[tor-talk] IBM says Block Tor

cyb3rwr3ck tor at cyb3rwr3ck.net
Thu Aug 27 09:43:40 UTC 2015


On 27.08.2015 10:50, spriver wrote:
> After downloading Tor I just had to set up the proxy
> in the network settings of Tor. It worked right out of the box. I was a
> bit surprised because we have a bit strict access list for websites and
> a really high security standard. (and I do not understand the blocking
> of the Torproject website). (maybe I should try to get an OONI-Test in
> there?)
Obviously they don’t detect tor as an application. Bluecoat and all
major application aware firewall platforms are able to detect tor via
its handshake. The only thing you can do in such a scenario is to use
pluggable transports but even then they could block skype or whatever
your client is trying to look like. So, at the end of the day all this
is the result of a misconfiguration security policy.
> Of course it's every employers own decision to allow or deny certain
> websites since it's their corporate network. But claiming Tor as "bad"
> and malicious (IBM) is not the reality. 
I totally aggree with that, you get payed for working in there and using
tor on a company pc is defiantly not related to a "normal" job. In fact
it must be considered as a security breach - some kind of data leakage
or malware using tor - which exists. The german law is pretty clear
about "spying" on you at your work place and your employer is
responsible to inform you regarding the fact that he is gathering
statistics about surfing behaviour or that he is intercepting ssl.

And - don’t burn me - I understand the fact that a standard website like
a standard webshop or something is facing more problems with tor than it
sees a benefit for its customers. So blocking all exits seems to be
reasonable in the end. Saying that the insecure web-application is the
problem, not tor which is used to attack it is also absolutely true but
its the same discussion as in the field of web application firewalls.
I am tired of hearing stuff like "the developers should do their
homework and fix their shit" in fact web programmers ARE a bit lazy and
they ARE under high work load and they often AREN’T high graded security
experts - so they WONT fix it. So why don’t give them a waf and block
tor in case you have nothing to do with lets say, news, social content
or whatever?

Best regards!
F


More information about the tor-talk mailing list