Hacker News new | past | comments | ask | show | jobs | submit login
HTTPS and Tor: Working Together to Protect Your Privacy and Security Online (eff.org)
66 points by Garbage on March 2, 2012 | hide | past | favorite | 11 comments




Every other site now is either directly blocking Tor users or at least make its use problematic.

I know it's mainly because of abusers, but once every bigger site doesn't allow Tor users, it makes the Tor use too complicated.


By blocking a Tor exit you do not block the Tor network, as new exits are created all the time. Also the person doing the abusive behaviour, can continue without restriction, but you then frustrate users in regimes that do not have free speech.

So if you know an abusive user came from a Tor exit node, support freedom and don't block it. Block the user.

You may be running a forum, or some other way users can post to a site. Consider that while you might block an abusive user, you are also blocking people in countries that do not have a first amendment and speech is an issue of life or death.

Support free speech: allow Tor exit nodes. :-)


I have no choice: i block Tor exits by IP. Why? Scammers use Tor to pass country filtering...

One of our customer found out that his ip was in our fraud log because his exit was use by African/Eastern European scammers. He suddenly realised that Tor was not only a free speach vector but also a tool used to scammers. Also that in case of ip identification he would have to deal with the police... He shut his exit down...


I'm curious: how do they block Tor users? I don't know much about Tor, but I thought that the whole point was that one Tor user should be indistinguishable from another and that they all should be indistinguishable from "normal" users.


This is actually something which the infographic gets wrong as well. At the very least the sysadmin at Site.com should have the line "Tor" when you're using Tor, and probably also the Lawyer and the Police (assuming that the sysadmin logs IP addresses for requests, which is not too uncommon).


It is indisguishable in a sense that all Tor users share the same exit nodes, so you don't know who that was.

However, list of exit nodes is available online and a lot of of sites auto-block it, because abusers like to use Tor.


edit: see below

Tor isn't indistinguishable from normal use, that's a big reason why they want as many people using it for everyday browsing as possible.

They are trying as much as possible to minimize the distinctiveness, currently making it very similar to https traffic, and with Obfsproxy recently introduced.

So they can know that you are using Tor if they try hard enough, but not what you are doing with it, which is the important part.

edit:

The previous comment was about what a state can determine about you. Websites can just download the list of exit nodes and block access from those IPs.


Ah, so that's where I was wrong: I thought everyone would be an exit node, too. Thanks for clearing it up!


Everyone could be if they wanted, but obviously it makes it look like someone else's traffic came from your home, so only a good idea if you're prepared for dealing with any complaints that could arise from that.


SSL is essential for any site that requires logins to protect your username/password and session to protect it from being hijacked. Tor only needs to be used if anonymity is necessary.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: