[tor-talk] torproject forum hosted by 3rd party?

bo0od bo0od at riseup.net
Fri Oct 29 14:24:22 UTC 2021


 > - no IP logging
 > - no external resources

You shouldn't trust TPO on not doing that either (not because they do 
that but because there is no control on that from the user side, so you 
should assume the worst when it comes to security/privacy/anonymity).

And allowing JS in order to participate in the forum, that's also an 
issue. (Good thing you can read the forum topics while JS is disabled, but 
you can't log in, type, etc.)

In the end the user needs to trust an entity to make Discourse functional; 
TPO or not doesn't matter. (I agree on seeing Google or Amazon, etc. 
from shitty corporations: that's the worst thing a user wants to see when 
using Tor or any other anonymity tools, and it should be prohibited.)

nusenu:
> Hi,
> 
> the Torproject is about to launch the new Discourse based forum next 
> week [1]
> https://forum.torproject.net
> 
> With this email I'd like to initiate a discussion on whether it is a 
> good idea to externalize
> hosting of what might become an important platform for the tor community.
> 
> I believe discourse is a great platform, but
> I was surprised to learn that the forum is _not_ self-hosted on 
> torproject infrastructure.
> It is hosted by "Civilized Discourse Construction Kit, Inc." the company 
> behind discourse.org.
> That means the torproject does not have full control over the 
> infrastructure and its security and logging practices.
> Discourse's third party hosting also does not support onion services [2].
> 
> The forum privacy policy mentions that IPs get logged and stored over an 
> extensive amount of time
> https://forum.torproject.net/privacy
> As Jérôme pointed out [5] the forum is also subject to discourse's 
> privacy policy, so maybe it would be good to include a link
> to https://www.discourse.org/privacy on 
> https://forum.torproject.net/privacy.
> 
> 
> Especially since this forum will be used for tor browser support it will 
> also include people's IP addresses
> when they are unable to use tor browser to protect themselves.
> 
> 
> When you open https://forum.torproject.net in a browser it will fetch 
> resources from multiple places:
> 
> fonts.googleapis.com (Google)
> fonts.gstatic.com (Google)
> aws1.discourse-cdn.com
> avatars.discourse-cdn.com (proinity LLC, AS44239)
> forum.torproject.net/torproject1.hosted-by-discourse.com (CNAME) Hurricane Electric LLC
> 
> 
> To quote Gaba from the gitlab ticket [3]:
>> If there is a risk on running this forum outside TPA infrastructure 
>> then we need to change this and host Discourse in TPA.
> 
> (TPA is the torproject admin team 
> https://gitlab.torproject.org/tpo/tpa/team)
> 
> I agree with Gaba and I'm glad anarcat (torproject admin team) is not 
> totally against self-hosting [4] even though
> discourse is docker based.
> 
> 
> Self-hosting would also allow for:
> 
> - better domain: forum.torproject.org (the torproject.net domain is 
> basically unknown and I guess many people
> will be confused. I agree with anarcat to use the .net domain when it is 
> not run on TPA infrastructure)
> - no IP logging
> - no external resources
> - no troubles for tor browser users should discourse decide to enable 
> CAPTCHA or use a CDN that enforces CAPTCHAs in the future
> 
> 
> What is the main reasoning for using a 3rd party hosted Discourse 
> instance instead of a self-hosted instance?
> (besides the obvious 'so we don't have to patch and maintain it ourselves')
> 
> 
> related gitlab ticket:
> https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183
> https://gitlab.torproject.org/tpo/web/team/-/wikis/Plan-To-Launch-Tor's-Forum 
> 
> 
> 
> 
> kind regards,
> nusenu
> 
> 
> 
> [1] https://lists.torproject.org/pipermail/tor-community-team/2021-October/000423.html
> [2] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2740700
> [3] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2749919
> [4] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2750060
> [5] https://gitlab.torproject.org/tpo/tpa/team/-/issues/40183#note_2751283
> 
