Author

Topic: Rant on Tor (Read 861 times)

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 19, 2023, 02:31:35 AM
#37
Of course, and I'm sure theymos is more than capable of generating a suitable .onion address. Just pointing out it is easily done.
Reading into this, I realize there will be more complications. For instance, I often link to a topic by using an absolute URL instead of a relative URL (update: and even relative links get stored as absolute links after posting). All those links need to be replaced to avoid sending users from the .onion forum to the clearnet forum. The image proxy should also get a .onion entry.
Unfortunately, it's not as straight forward as I initially expected.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
July 19, 2023, 02:25:15 AM
#36
A couple months back the PoW requirement was merged into the next, forthcoming Tor update. This should work a lot of wonders as far as mitigating DDOS attacks is concerned. I think a Bitcointalk onion would be pretty useful for those who are using BTC in jurisdictions where it is frowned upon or heavily monitored... probably a safer approach than using a regular 'ol VPN, who probably keeps logs and may or may not turn them over to certain governments when requested.
Yep, but it might be quite a while before it gets released, officially. I was following the progress of it and the documentation is still in the progress I think. Bitcointalk over Tor is still somewhat usable, not really totally inaccessible.

Anyhow, CloudFlare actually allows for Onion routing as well. Allowing the site to be served over onion while still allowing for the site to piggyback on CloudFlare's CDN. I assume that there is a very good reason why this isn't used currently.
legendary
Activity: 3010
Merit: 8114
July 19, 2023, 02:06:02 AM
#35
The core of the issue is how susceptible onion addresses are to DDOS, which is arguably harder to block due to the nature of anonymity. There's some progress with trying to resolve this issues (PoW requirement, etc) , presumably due to the massive DDOS a while back.

A couple months back the PoW requirement was merged into the next, forthcoming Tor update. This should work a lot of wonders as far as mitigating DDOS attacks is concerned. I think a Bitcointalk onion would be pretty useful for those who are using BTC in jurisdictions where it is frowned upon or heavily monitored... probably a safer approach than using a regular 'ol VPN, who probably keeps logs and may or may not turn them over to certain governments when requested.
legendary
Activity: 2268
Merit: 18748
July 19, 2023, 01:40:41 AM
#34
Of course, and I'm sure theymos is more than capable of generating a suitable .onion address. Just pointing out it is easily done.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 19, 2023, 01:30:20 AM
#33
I think 16 random strings is the minimum (up to 56)
The shorter v2 addresses can't be used anymore, now 56 characters (v3) is the default.

I've just generated the following, which theymos can have for free. Smiley

btctalkhfmnva2746gkwhsxpirz3w7bu3ocut7uzjlszsxlou4naruyd.onion
As always: "not your keys, not your coins address" applies here too.
legendary
Activity: 2268
Merit: 18748
July 19, 2023, 01:07:43 AM
#32
I've just generated the following, which theymos can have for free. Smiley

btctalkhfmnva2746gkwhsxpirz3w7bu3ocut7uzjlszsxlou4naruyd.onion
legendary
Activity: 3472
Merit: 3507
Crypto Swap Exchange
July 18, 2023, 05:34:02 PM
#31
I am reading more about it now and I see there is a way of generating vanity address similar like for Bitcoin, so maybe we could create btctalk... btctlk, or something similar that doesn't have a lot of characters.

As far as I know, the .onion domain cannot be that short, and certainly not easy to remember. I think 16 random strings is the minimum (up to 56), plus if you want to add something at least a little recognizable. (like btctalk ...)

Check Sinbad for example: sinbadiovkigdbafpqvwfwjh2tfrisahtxmrskiovt62nirragcnkcad.onion 56 characters.
legendary
Activity: 2212
Merit: 7064
July 18, 2023, 02:43:08 PM
#30
Nothing. Onion domains are more or less like Bitcoin addresses, created from a private key.
Interesting.
I am reading more about it now and I see there is a way of generating vanity address similar like for Bitcoin, so maybe we could create btctalk... btctlk, or something similar that doesn't have a lot of characters.
Maybe what I saw before with people selling onion addresses was for this vanity addresses.
hero member
Activity: 1659
Merit: 687
LoyceV on the road. Or couch.
July 18, 2023, 12:29:26 PM
#29
Does anyone know how much needs to be paid for long term .onion domain address?
Nothing. Onion domains are more or less like Bitcoin addresses, created from a private key.
legendary
Activity: 2212
Merit: 7064
July 18, 2023, 12:14:56 PM
#28
I'll quote myself here: Can the forum get a .onion domain for Tor users? That doesn't stop DDOS entirely, but at least it leaves an option without Cloudflare.
You mean that using Bitcointalk with onion address would remove all cloudflare and any similar boxes that needs to be checked?
That would certainly speed things up, and in theory it should improve privacy, but I think it would increase cost of purchasing and maintaining another domain.
Does anyone know how much needs to be paid for long term .onion domain address?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 18, 2023, 06:21:15 AM
#27
I'll quote myself here: Can the forum get a .onion domain for Tor users? That doesn't stop DDOS entirely, but at least it leaves an option without Cloudflare.

Quoting myself here too.
legendary
Activity: 3584
Merit: 5248
https://merel.mobi => buy facemasks with BTC/LTC
July 18, 2023, 02:39:20 AM
#26
Tor can't completely mitigate all abuse, but it does make it a lot harder for an attacker tough:

https://support.torproject.org/abuse/what-about-ddos/

I've ran hidden services in the past, it's actually quite easy to setup and maintain... But in the end it's up to Theymos to see if he has the time and resources, since i can only assume that the time investment in setting up a hidden service for bitcointalk is a different magnitude than the time to setup a hidden service for a testnet faucet Smiley
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
July 18, 2023, 02:23:29 AM
#25
I'll quote myself here: Can the forum get a .onion domain for Tor users? That doesn't stop DDOS entirely, but at least it leaves an option without Cloudflare.
The core of the issue is how susceptible onion addresses are to DDOS, which is arguably harder to block due to the nature of anonymity. There's some progress with trying to resolve this issues (PoW requirement, etc) , presumably due to the massive DDOS a while back.

I assume theymos doesn't want to mess with Tor for now, and sacrifice having to deal with tons of DDOS coming in from Tor at the expense of having the user jump through loops using CloudFlare.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 18, 2023, 02:04:49 AM
#24
I'll quote myself here: Can the forum get a .onion domain for Tor users? That doesn't stop DDOS entirely, but at least it leaves an option without Cloudflare.
full member
Activity: 756
Merit: 133
- hello doctor who box
July 17, 2023, 03:17:48 PM
#23
I think a bump is really necessary considering the discussions already on my last topic which you can find on this url https://bitcointalksearch.org/topic/cf-keeps-banning-tor-connection-5460048

I have no use of that topic, hopefully the extended discussions on this topic will bring a new idea against CF.

Thank you.
full member
Activity: 123
Merit: 474
October 02, 2018, 05:51:39 PM
#22
I just managed to log in now, but couldn't use the site at all yesterday.  Even today it took me way too long because of the captcha (wasted so much time training Google AI to improve its spying capability  Undecided).

The initial Cloulflare page with the captcha isn't the problem, it's the log in page with the issues.  I think some sort of creative solution as suggested by some is possible here.  Maybe a whitelist of PGP keys?  Users can put their public key in their account somewhere, and those with enough trust can log in without the captcha by signing some arbitrary text?
full member
Activity: 574
Merit: 152
October 01, 2018, 09:37:05 AM
#21
I don't like CloudFlare. I consider it quite likely to be some sort of government-run honeypot; or if it isn't already, then it could be easily transformed into one. Far too much of the Internet goes through CloudFlare.

Why do we even use it if you think this could possibly be the case? Is it really worth the risk? How effective is CloudFlare at even stopping DDOS attacks or whatever? We've still had a few here whilst we've used it, right?

Is a better Cloudflare-like service something that could be created (I remember you briefly mentioning how you would create one somewhere)? I've suggested in the past that we could use funds that the forum could generate from things like extra ad slots and premium ranks etc for projects that would benefit the community and even the world and this surely could be one, especially with your concerns about it.



Cloudflare is like the defacto standard in anti-ddos services. Also, it's hard to beat free.

Honestly, if the web forum software were designed better, it could be built to be more resistant to DDoS attacks (proper gateways, rate limiting at multiple tiers, etc...).

I don't think the new software is going to solve this issue though. I've been considering trying to build a new forum software myself that allows high horizontal scalability rather than the traditional vertical scaling that we have now.
staff
Activity: 3304
Merit: 4115
October 01, 2018, 09:32:22 AM
#20
Is a better Cloudflare-like service something that could be created (I remember you briefly mentioning how you would create one somewhere)? I've suggested in the past that we could use funds that the forum could generate from things like extra ad slots and premium ranks etc for projects that would benefit the community and even the world and this surely could be one, especially with your concerns about it.


I'd prefer something like this. I would far prefer trusting theymos than that of the NSA. I'm trying to find the previous discussion on this, but can't seem to find it. If anyone can send it over that would be appreciated. I think it was a discussion related to one of the DDOS attacks we had before on the forum.
legendary
Activity: 2968
Merit: 3061
Join the world-leading crypto sportsbook NOW!
October 01, 2018, 05:13:55 AM
#19
I don't like CloudFlare. I consider it quite likely to be some sort of government-run honeypot; or if it isn't already, then it could be easily transformed into one. Far too much of the Internet goes through CloudFlare.

Why do we even use it if you think this could possibly be the case? Is it really worth the risk? How effective is CloudFlare at even stopping DDOS attacks or whatever? We've still had a few here whilst we've used it, right?

Is a better Cloudflare-like service something that could be created (I remember you briefly mentioning how you would create one somewhere)? I've suggested in the past that we could use funds that the forum could generate from things like extra ad slots and premium ranks etc for projects that would benefit the community and even the world and this surely could be one, especially with your concerns about it.

legendary
Activity: 1288
Merit: 1926
฿ear ride on the rainbow slide
October 01, 2018, 04:32:48 AM
#18
I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".
Even if you have nothing to hide, would you walk around nude in public?  Would you live in a house with no window shades?  Would you let everyone listen in on your conversations?

Really, even if you're the most righteous person in the world, would you want everyone to know every fucking detail of your life?  Nobody in their right mind would.  I don't use Tor, but I don't condemn those who do.  Given how much less privacy we have these days because of the internet, using browsers like Tor (and eschewing social media sites like FB, Twitter, and the like) sounds like the smart thing to do.

I have nothing to show either. It isn't show and tell. What I do is none of anyone's business. The presumption that I do something illegal to want privacy is a fallacy.

For a search warrant there has to be reasonable cause. Internet snooping is done by Governments and big business without any plausible reasons.

None of them have any legitimate reason to snoop on me - yet they still do it. I fully empathize with those that want to keep their privacy.
staff
Activity: 3304
Merit: 4115
September 30, 2018, 10:08:16 PM
#17

I think the letter puzzles have an 80% solve rate when ran through several OCR cloud-products. There was a rather interesting paper I read about the bypass.

I've used deathbycaptcha before, and it's a pretty decent service.
Yeah, the old text captcha ones were easily outsourced, and several places had around a 99% solve rate. Never used one myself, but know that it was very easily bypassed for cheap as mprep hinted. The way that this particular "exploit" works is by downloading the audio, and then identifying what the audio is saying automatically. This could probably be outsourced, and I would bet there are services offering this. However, what I imagine a lot of them are doing is running through a automatic speech to text. I don't know how accurate these are though, and they may well be outsourcing them.
full member
Activity: 574
Merit: 152
September 30, 2018, 10:04:06 PM
#16
I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCatpcha Recaptcha a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).
I was being purposely vague. However, there's a method of automatically downloading the sound files when requesting for a audio version rather than the images to help with usually impaired people. Generally, people write a Python script, automatically download it, and then can input it. I haven't tried this myself, but have seen it working on a test site from a friend of mine. He kept on having bots sign up to his website out of nowhere, and he found that this was the method they were using.

Obviously, I haven't checked whether this can be done on Bitcointalk, because I haven't logged out in a few months. But, it shouldn't be any different to what I witnessed a few months ago.

I think the letter puzzles have an 80% solve rate when ran through several OCR cloud-products. There was a rather interesting paper I read about the bypass.

I've used deathbycaptcha before, and it's a pretty decent service. It provides an API, which makes it nearly automated.
staff
Activity: 3304
Merit: 4115
September 30, 2018, 10:00:46 PM
#15
I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCatpcha Recaptcha a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).
I was being purposely vague. However, there's a method of automatically downloading the sound files when requesting for a audio version rather than the images to help with usually impaired people. Generally, people write a Python script, automatically download it, and then can input it. I haven't tried this myself, but have seen it working on a test site from a friend of mine. He kept on having bots sign up to his website out of nowhere, and he found that this was the method they were using. Basically though, you're coding something that will be able to convert the webpage so you can capture the javascript, and then you are automatically downloading the sound file, and then run it through a text to speech program or something along those lines. Its obviously not going to be 100% accurate, but definitely somewhat automated. We've looked into options to prevent this, but it doesn't seem possible as Google doesn't allow disabling the audio option. Unless, we are missing something. 

Obviously, I haven't checked whether this can be done on Bitcointalk, because I haven't logged out in a few months. But, it shouldn't be any different to what I witnessed a few months ago.
legendary
Activity: 3528
Merit: 7005
Top Crypto Casino
September 30, 2018, 09:46:48 PM
#14
I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".
Even if you have nothing to hide, would you walk around nude in public?  Would you live in a house with no window shades?  Would you let everyone listen in on your conversations?

Really, even if you're the most righteous person in the world, would you want everyone to know every fucking detail of your life?  Nobody in their right mind would.  I don't use Tor, but I don't condemn those who do.  Given how much less privacy we have these days because of the internet, using browsers like Tor (and eschewing social media sites like FB, Twitter, and the like) sounds like the smart thing to do.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
September 30, 2018, 08:44:03 PM
#13
In regards to Tor's unwillingness to compromise, I'd say it's more so stubbornness than malice. Having read through the discussion on the 2nd ticket (since the link to the first one seems to be broken), quite a few users seem to be opposed to the idea due to their sheer distrust for Cloudflare. Considering the fact that we're talking about a pretty hardcore segment of an already rather niche (at least compared to the widespread usage of the Internet) privacy crowd (of whom probably very few actually had to manage a website with large and resource intensive traffic), them putting their foot down and raising their battle flags against Cloudflare, a service that they perceive as ideologically incompatible, instead of trying to find a compromise is anything but an unexpected reaction.


There's a sneaky little way of bypassing Googles captcha, but requires coding a script, and using that. It's likely how all of these newbie accounts are being created automatically, and being used for malicious purposes. I'm not sure how we would combat this either as removing Google's image verification would result in a lot more spam than we already have. Unfortunately, the way to bypass the google image captcha is fairly well known, and seems like Google don't have any plans on changing it.

AFAIK there just isn't a better solution than the current implementation. I've seen people suggest implementing a captcha per post, but honestly they don't care, because they can automate it with a script. I'm sure theymos is well aware of this issue too, and requiring a captcha per post would affect legitimate users more than that of the spammers. Implementing a simpler approach wouldn't really benefit the forum. In regards to the Tor issue, and how long it can take sometimes. Then, we need to weigh up the pros, and cons, and see if we want usability over forum readability. If it were removed then it would certainly lead to mass amounts of spamming, but the current implementation isn't foolproof either. At least, I don't think so. I haven't had to log on in months, but I'm sure its exploitable like all the other captchas on other sites.
I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCatpcha Recaptcha a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).
full member
Activity: 574
Merit: 152
September 30, 2018, 06:41:58 PM
#12
I don't think there's any great solution for allowing perfect anonymity that's resistant to prevent a distributed denial of service.

There's no solution to the problem without artificially limiting the ability to create anonymous profiles.

The only solution I can come up to fix the underlying problem is requiring some level of work to be done to generate a private profile. Seems like a silly solution though.

TBH, Tor's unwillingness to handle this, as well as the overall weakness of Tor's anonymity when compared to the cutting edge in academic research, makes me think that Tor may be infiltrated by anti-privacy interests.

If you think about who built the TOR network, and think about the purpose behind it, it really just gives the exit-nodes plausible deniability within our legal framework. Overall, I'm not sure it actually gives anonymity at a nation-state level.
full member
Activity: 383
Merit: 149
September 30, 2018, 10:18:56 AM
#11
With captcha the last days a very big problem. Directly go as before did not work even once. Login directly through the Tor in 10 cases out of 10 all ends with the inscription:

Quote
reCAPTCHA has apparently marked your IP address as suspicious, and refuses to tell me whether you actually solved the CAPTCHA. If you go back and retry it several times, it will eventually work. If you are using Tor, going to Onion->New Identity might immediately fix it.

Entry is possible only through the passage of 2 step captcha:

Quote
One more step
Please complete the security check to access bitcointalk.org



staff
Activity: 3304
Merit: 4115
September 30, 2018, 09:48:15 AM
#10
AFAIK, smart bots can solve 9+2=?. This is the reason big websites are increasingly placing trust on Google's Re-CAPTCHA. Unfortunately, Google's Re-CAPTCHA does not provide word challenge anymore. All are just images and they dont get solved even if you are correctly pointing them. The reason behind this is Google's machine learning AI is far from perfect as of yet. They assume, good IP will always correctly solve the captcha. But, they dont. Hence, the irritating problem we face with Tor.

There's a sneaky little way of bypassing (automating) Google's captcha, but requires coding a script, and using that. It's likely how all of these newbie accounts are being created automatically, and being used for malicious purposes. I'm not sure how we would combat this either as removing Google's image verification would result in a lot more spam than we already have. Unfortunately, the way to bypass the google image captcha is fairly well known, and seems like Google don't have any plans on changing it.

AFAIK there just isn't a better solution than the current implementation. I've seen people suggest implementing a captcha per post, but honestly they don't care, because they can automate it with a script. I'm sure theymos is well aware of this issue too, and requiring a captcha per post would affect legitimate users more than that of the spammers. Implementing a simpler approach wouldn't really benefit the forum. In regards to the Tor issue, and how long it can take sometimes. Then, we need to weigh up the pros, and cons, and see if we want usability over forum readability. If it were removed then it would certainly lead to mass amounts of spamming, but the current implementation isn't foolproof either. At least, I don't think so. I haven't had to log on in months, but I'm sure its exploitable like all the other captchas on other sites.
legendary
Activity: 1662
Merit: 1050
September 30, 2018, 09:21:02 AM
#9
I forget to mention there should be another domain (preferable .onion), but normally user only can see login page with input field signed message/PGP signature/certificate and register page which force copper membership.
To prevent spam, there should reCAPTCHA, but configured to allow JS-disabled browser to solve it.

Adding new subdomain will redirect you on main doamin. Once you click loging page than same thing will happen. But I think for reCAPTCHA problem could solve by CAPTCHA.
For Example 9+2=?
If use this kind of CAPTCHA I think Tor browser will not face problem.

AFAIK, smart bots can solve 9+2=?. This is the reason big websites are increasingly placing trust on Google's Re-CAPTCHA. Unfortunately, Google's Re-CAPTCHA does not provide word challenge anymore. All are just images and they dont get solved even if you are correctly pointing them. The reason behind this is Google's machine learning AI is far from perfect as of yet. They assume, good IP will always correctly solve the captcha. But, they dont. Hence, the irritating problem we face with Tor.
legendary
Activity: 1274
Merit: 1004
September 30, 2018, 06:42:31 AM
#8
Personally I think TOR is not the perfect solution for privacy, However you should consider implementing proof of work captchas for tor traffic.
legendary
Activity: 2408
Merit: 2226
Signature space for rent
September 30, 2018, 12:05:35 AM
#7
2. Do you have plan feature which allow copper membership/registered user to bypass CloudFlare by present signed message with linked their Bitcoin address, show their linked certificate or confirm with their PGP signature?

I think bypass isn't possible if CloudFlare is active. Because if you use CloudFlare than you have to change original DNS ( Domain Name Server) to CloudFlare DNS. So you must enter domain in order to visit website. If you want to skip than you have to deactive ClouFlare from Name Server.

I forget to mention there should be another domain (preferable .onion), but normally user only can see login page with input field signed message/PGP signature/certificate and register page which force copper membership.
To prevent spam, there should reCAPTCHA, but configured to allow JS-disabled browser to solve it.

Adding new subdomain will redirect you on main doamin. Once you click loging page than same thing will happen. But I think for reCAPTCHA problem could solve by CAPTCHA.
For Example 9+2=?
If use this kind of CAPTCHA I think Tor browser will not face problem.
copper member
Activity: 2996
Merit: 2374
September 29, 2018, 09:29:23 PM
#6
One possible solution to accepting certain TOR traffic that you know is "perfectly-good traffic" would be to setup a hidden service as a reverse proxy for a specific person, possibly for a cost, and possibly that will only support a pre-determined amount of traffic.

For example, I could ask you to setup a hidden service that I can use to connect to the forum. I would pay you $xx for you to do this. You would then spin up a VPS that runs a hidden service that connects to the "real" IP address of the forum (it bypasses cloud flare) that is intended for only me to access. Our agreement could be that once the hidden service receives xx GB worth of traffic, then it will be shut down -- this will more or less prevent me from using the hidden service to DDoS the forum, or otherwise making the hidden service address public.

I am not sure if you can run multiple hidden services via one VPS/IP address, although I suspect there is a good chance you can.

This would reduce privacy incrementally, as it would expose sockpuppets that are all used to access this hidden service. However the location of the person accessing the hidden service would remain hidden from you, along with other sensitive information, such as their IP address, and ISP.  

There would still be the problem of how someone would access the forum in the first place, which is more complicated. One option would be to run a separate website with a separate server, whose only purpose is to sell access to these hidden services. This would be easier to maintain then a major forum, and when that website goes down, it would not affect the forum.

edit: you may not like this, however for added privacy, you may accept payment via certain privacy focused altcoins.

edit2:
People using Tor have something to hide, we don't want their kind on this forum.

[...]
Privacy is good. Tor's approach to it is bad, or at least very incomplete.
One reason for this may be that the TOR devs don't want too much privacy when using tor in order to avoid the government regulate, or otherwise entirely break tor because too many serious criminals are hiding behind tor.
copper member
Activity: 2940
Merit: 4101
Top Crypto Casino
September 29, 2018, 09:27:08 PM
#5
Tor is used as a honeypot since a long time https://www.wired.com/2014/12/fbi-metasploit-tor/ by the institution that likes to know everything about you. Your underwear color included...

https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html
https://www.schneier.com/blog/archives/2017/03/fbis_exploit_ag.html
https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95
*
]turtletime

Following your logic, you have something to hide so since you use cryptocurrency supposed to give to people a (financial) privacy
Some people use TOR, they do nothing bad, they just want privacy which is a basic right that people stopped to fight for
member
Activity: 83
Merit: 10
September 29, 2018, 09:09:14 PM
#4
People using Tor have something to hide, we don't want their kind on this forum.

I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".

Privacy is good. Tor's approach to it is bad, or at least very incomplete.

I know I deleted that post because I over reacted.  It just makes people look really suspect if they use Tor.

Sorry.
administrator
Activity: 5222
Merit: 13032
September 29, 2018, 09:07:44 PM
#3
People using Tor have something to hide, we don't want their kind on this forum.

I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".

Privacy is good. Tor's approach to it is bad, or at least very incomplete.
member
Activity: 226
Merit: 30
so.. hru?
September 29, 2018, 09:07:14 PM
#2
Just use google chrome or firefox, Who even needs to use Tor? pedophiles? criminals?

why is this even an issue? People using Tor have something to hide, we don't want their kind on this forum.

What do you mean? Everyone, people use Tor because they don't want their privacy to be leaked.

It's because right now, you can literally grab information about a person through any information your computer beams to the internet. Maybe they don't want to be tracked by advertisers too, etc. etc.

I don't personally use Tor but I see the reasoning behind it even though its perceived as what you said they are "pedophiles? criminals?"

edit; back to OP, is there any services except Cloudflare which will block ddosers and other people trying to destroy the forum, or no? I think there is better Tor alternatives like Freenet that people can use.

Though like you said, Tor could a proof-of-work, but I see them as pretty lazy people who work on the Tor project to be honest, which is why I don't use it.

TBH, Tor's unwillingness to handle this, as well as the overall weakness of Tor's anonymity when compared to the cutting edge in academic research, makes me think that Tor may be infiltrated by anti-privacy interests.

edit2: I like how you say this and it could be like 80% true, also why can't the government just run a shit ton of Tor nodes?
administrator
Activity: 5222
Merit: 13032
September 29, 2018, 08:48:12 PM
#1
I don't like CloudFlare. I consider it quite likely to be some sort of government-run honeypot; or if it isn't already, then it could be easily transformed into one. Far too much of the Internet goes through CloudFlare.

However, I was just reading a couple of things from the Tor project ([1], [2]) which really annoyed me. The blame for Tor getting blocked everywhere belongs squarely at the feet of the Tor project for their failure to come up with any anti-DDoS solution whatsoever. Large sites cannot function by accepting connections from everyone without any possibility of rate-limiting. Probably this is a core flaw in the design of the Internet itself, but for now we have to live with it. If you say "well, the sites should just accept every Tor connection and treat them all as perfectly-good traffic", then you're actually saying "the sites should spend hundreds of thousands of dollars on handling every attacker as if it was legitimate". It's insane, and it's not going to happen.

There are very obvious ways of handling this while also preserving privacy. One idea is CloudFlare's Privacy Pass, which Tor categorically rejected for no good reason. (Note: I am not so confident in Privacy Pass's exact blind signature scheme, though the Tor people didn't actually use that as their reason for rejecting it. And it is a good idea at its heart.) You could extend the Tor protocol to give hidden services a way of requiring a proof-of-work from the client before handing the connection off to the application, and then sites could at least safely offer a hidden service option to Tor users. You could even think about extending TCP to require a client proof-of-work, which would address the DDoS issue beyond Tor. But instead Tor has done nothing.

TBH, Tor's unwillingness to handle this, as well as the overall weakness of Tor's anonymity when compared to the cutting edge in academic research, makes me think that Tor may be infiltrated by anti-privacy interests.
Jump to: