Google is locking Tor users out of Bitcointalk.org! On my current login, I was forced to try seventeen (17) different circuits before Google deigned to grant me a CAPTCHA; see below. I didn’t precisely time the whole process, because I didn’t expect this from the beginning; but it took me well over ten minutes. In practical substance, that’s a lockout. How many people would (or should!) spend over ten minutes trying to log into a web forum?
I’m obstinate. I also have sufficient knowledge that I would never give up in desperation and log in without Tor, thus committing a privacy cardinal sin.
How many inexpert users are deanonymizing themselves because of this?
Satoshi was a Tor user. Satoshi would be effectually locked out right now; do you think he would spend over ten minutes trying to log in, with no guarantee of when or if he would succeed?
I post this to bring the issue to administrative attention. I know that theymos is caught between the proverbial rock and hard place, with damaging abuse on one side and a principled respect for privacy on the other. I appreciate this forum’s general friendliness toward Tor users; and I may have a constructive suggestion to make, suitable for a different thread. Meanwhile, I urge admins to keep a close eye on this situation—and realize that Tor users may be disappearing, or worse, shooting themselves in the foot.
An unavoidable question rises: Is Google doing this specifically to Tor users on Bitcointalk? That would make a most excellent means of discouraging Bitcoin+Tor use, and also of deanonymizing many people who will give up and log in with their “real” IPs. That last threat is now worse, since Cloudflare can trivially link IPs to usernames. An anti-Tor deterrent on Bitcointalk.org is bound to compromise many people.
By comparison, is Google also refusing to serve CAPTCHAs to Tor users on other sites generally? I wouldn’t know. I always use Tor, but I usually boycott sites which try to CAPTCHA me.
For the record, this is what happened on my current login.
On circuit { 0 /* initial load */, 1, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15 }, Google made the familiar allegation of “automated queries”:
On circuit 2, Google spat at me a bizarre message I had not theretofore seen:
On circuit 14, I probably hit a BadExit:
On circuit 16—the seventeenth circuit, as C programmers will understand—Google finally granted me the high privilege of driving a self-driving car via multiple long “challenges”, one after another. Is Google psyching Tor users to be grateful to get CAPTCHAed?
N.b. that this could in no way be targeted at me, even if Google could somehow XSS out the login form info. I habitually complete the CAPTCHA first, before filling in my username and password.