Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Website blacklists Tor exits #1

Open
JeremyRand opened this issue Sep 8, 2015 · 2 comments
Open

Website blacklists Tor exits #1

JeremyRand opened this issue Sep 8, 2015 · 2 comments

Comments

@JeremyRand
Copy link

Hi,

I'm not sure if this is the right place to post this, but it seems that http://www.openbitcoinprivacyproject.org/ is blacklisting Tor exits. When visiting in TorBrowser I get the following message:

Access denied. Your IP address [149.202.42.188] is blacklisted. If you feel this is in error please contact your hosting providers abuse department.

Switching circuits doesn't help. I assume this is not an intentional policy of OBPP and rather some kind of misconfiguration... any chance someone could look into this?

Thanks.
@kristovatlas
Copy link
Member

This is an excellent place to report the issue, thanks for letting us know.

Our simple-minded hosting service responds to excessive failed login attempts to web panels by blocking the IP address, so now a variety of Tor exit nodes are blocked. They can also only add whitelisted IP addresses one at a time. sigh I'll work on a resolution this.

@JeremyRand
Copy link
Author

Currently Tor users are not outright blacklisted, but they are required to pass CloudFlare CAPTCHAs, which are bothersome (the CAPTCHAs often take many tries; I've had to solve 6-7 in a row before), unnecessary (I highly doubt that much abusive traffic is coming from GET requests, so whitelisting GET requests would be much less disruptive to Tor users while not resulting in much extra abuse), and a security issue (the CAPTCHAs usually fail when Javascript is disabled, and many people in your target audience disable Javascript in TorBrowser to protect against deanonymization Firefox zero-days). There are also issues with CloudFlare being what in anonymity research is called a "global active adversary", i.e. they can fiddle with traffic in a very large number of connections, which makes a lot of deanonymization attacks easier if CloudFlare is either evil or simply compromised (maybe by an NSL or court order, or maybe by technical attacks).

This is still definitely better than simply blocking all the Tor exits, but improving this situation would be most welcome. I had to read the wallet privacy report by grabbing the PDF from GitHub (which doesn't discriminate against Tor), which I doubt many people will think to do.

Cheers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JeremyRand @kristovatlas