Topic: Rant on Tor (Read 818 times)

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 19, 2023, 03:31:35 AM
#37
Of course, and I'm sure theymos is more than capable of generating a suitable .onion address. Just pointing out it is easily done.
Reading into this, I realize there will be more complications. For instance, I often link to a topic by using an absolute URL instead of a relative URL (update: and even relative links get stored as absolute links after posting). All those links need to be replaced to avoid sending users from the .onion forum to the clearnet forum. The image proxy should also get a .onion entry.
Unfortunately, it's not as straightforward as I initially expected.
legendary
Activity: 2982
Merit: 4193
July 19, 2023, 03:25:15 AM
#36
A couple months back the PoW requirement was merged into the next, forthcoming Tor update. This should work a lot of wonders as far as mitigating DDOS attacks is concerned. I think a Bitcointalk onion would be pretty useful for those who are using BTC in jurisdictions where it is frowned upon or heavily monitored... probably a safer approach than using a regular 'ol VPN, who probably keeps logs and may or may not turn them over to certain governments when requested.
Yep, but it might be quite a while before it gets released, officially. I was following the progress of it and the documentation is still in progress I think. Bitcointalk over Tor is still somewhat usable, not really totally inaccessible.

Anyhow, CloudFlare actually allows for Onion routing as well. Allowing the site to be served over onion while still allowing for the site to piggyback on CloudFlare's CDN. I assume that there is a very good reason why this isn't used currently.
legendary
Activity: 3010
Merit: 8114
July 19, 2023, 03:06:02 AM
#35
The core of the issue is how susceptible onion addresses are to DDOS, which is arguably harder to block due to the nature of anonymity. There's some progress with trying to resolve this issue (PoW requirement, etc.), presumably due to the massive DDOS a while back.

A couple months back the PoW requirement was merged into the next, forthcoming Tor update. This should work a lot of wonders as far as mitigating DDOS attacks is concerned. I think a Bitcointalk onion would be pretty useful for those who are using BTC in jurisdictions where it is frowned upon or heavily monitored... probably a safer approach than using a regular 'ol VPN, who probably keeps logs and may or may not turn them over to certain governments when requested.
legendary
Activity: 2268
Merit: 18588
July 19, 2023, 02:40:41 AM
#34
Of course, and I'm sure theymos is more than capable of generating a suitable .onion address. Just pointing out it is easily done.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 19, 2023, 02:30:20 AM
#33
I think 16 random strings is the minimum (up to 56)
The shorter v2 addresses can't be used anymore, now 56 characters (v3) is the default.

I've just generated the following, which theymos can have for free. :)

btctalkhfmnva2746gkwhsxpirz3w7bu3ocut7uzjlszsxlou4naruyd.onion
As always: "not your keys, not your coins address" applies here too.
legendary
Activity: 2268
Merit: 18588
July 19, 2023, 02:07:43 AM
#32
I've just generated the following, which theymos can have for free. :)

btctalkhfmnva2746gkwhsxpirz3w7bu3ocut7uzjlszsxlou4naruyd.onion
legendary
Activity: 3248
Merit: 3098
July 18, 2023, 06:34:02 PM
#31
I am reading more about it now and I see there is a way of generating vanity address similar like for Bitcoin, so maybe we could create btctalk... btctlk, or something similar that doesn't have a lot of characters.

As far as I know, the .onion domain cannot be that short, and certainly not easy to remember. I think 16 random strings is the minimum (up to 56), plus if you want to add something at least a little recognizable. (like btctalk ...)

Check Sinbad for example: sinbadiovkigdbafpqvwfwjh2tfrisahtxmrskiovt62nirragcnkcad.onion 56 characters.
legendary
Activity: 2212
Merit: 7064
July 18, 2023, 03:43:08 PM
#30
Nothing. Onion domains are more or less like Bitcoin addresses, created from a private key.
Interesting.
I am reading more about it now and I see there is a way of generating vanity address similar like for Bitcoin, so maybe we could create btctalk... btctlk, or something similar that doesn't have a lot of characters.
Maybe what I saw before with people selling onion addresses was for these vanity addresses.
hero member
Activity: 1659
Merit: 687
LoyceV on the road. Or couch.
July 18, 2023, 01:29:26 PM
#29
Does anyone know how much needs to be paid for long term .onion domain address?
Nothing. Onion domains are more or less like Bitcoin addresses, created from a private key.
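Added example (not part of the thread and not any poster's code): how a 56-character v3 .onion name is built from a 32-byte Ed25519 public key, following the Tor v3 onion service address format, with a validator that rejects old 16-character v2 names and corrupted addresses. The public key in the demo is constructed sample data, and `expected_vanity_attempts` is a hypothetical helper showing why a prefix like "btctalk" takes real work to generate.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"                 # v3 onion services
CHECKSUM_PREFIX = b".onion checksum"    # constant string from the v3 address format
BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the address: base32(pubkey || checksum || version) + ".onion".

    Only the length of the key is checked here, not that it is a valid
    Ed25519 point.
    """
    if len(pubkey) != 32:
        raise ValueError("an Ed25519 public key is exactly 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_VERSION   # 35 bytes = 280 bits
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> bytes:
    """Validate a v3 address and return the public key it commits to.

    Raises ValueError for v2-length names, bad base32, wrong version byte
    or a checksum mismatch (for example a mistyped character).
    """
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    label = label.rsplit(".", 1)[-1]        # ignore any subdomain labels
    if len(label) != 56:
        raise ValueError(f"v3 names are 56 characters, got {len(label)}")
    raw = base64.b32decode(label.upper())   # binascii.Error is a ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError("not a version 3 address")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch: address is corrupted or mistyped")
    return pubkey


def expected_vanity_attempts(prefix: str) -> int:
    """Average number of keys to generate before one yields this prefix.

    Each base32 character fixes 5 bits of the public key, so the cost
    grows by a factor of 32 per character.
    """
    if any(c not in BASE32_ALPHABET for c in prefix.lower()):
        raise ValueError("prefix may only use a-z and 2-7")
    return 32 ** len(prefix)


if __name__ == "__main__":
    sample_key = bytes(range(32))           # constructed sample, not a real service key
    addr = encode_onion_v3(sample_key)
    print(addr, len(addr) - len(".onion"))
    print(decode_onion_v3(addr) == sample_key)
    print(expected_vanity_attempts("btctalk"))
```

Because the name is derived from the public key, whoever holds the matching private key controls the service; the last character is always "d" since the final five bits encode the version byte 3.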
legendary
Activity: 2212
Merit: 7064
July 18, 2023, 01:14:56 PM
#28
I'll quote myself here: Can the forum get a .onion domain for Tor users? That doesn't stop DDOS entirely, but at least it leaves an option without Cloudflare.
You mean that using Bitcointalk with onion address would remove all cloudflare and any similar boxes that need to be checked?
That would certainly speed things up, and in theory it should improve privacy, but I think it would increase cost of purchasing and maintaining another domain.
Does anyone know how much needs to be paid for long term .onion domain address?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 18, 2023, 07:21:15 AM
#27
I'll quote myself here: Can the forum get a .onion domain for Tor users? That doesn't stop DDOS entirely, but at least it leaves an option without Cloudflare.

Quoting myself here too.
legendary
Activity: 3402
Merit: 5004
https://merel.mobi => buy facemasks with BTC/LTC
July 18, 2023, 03:39:20 AM
#26
Tor can't completely mitigate all abuse, but it does make it a lot harder for an attacker though:

https://support.torproject.org/abuse/what-about-ddos/

I've run hidden services in the past, it's actually quite easy to set up and maintain... But in the end it's up to Theymos to see if he has the time and resources, since I can only assume that the time investment in setting up a hidden service for bitcointalk is a different magnitude than the time to set up a hidden service for a testnet faucet :)
legendary
Activity: 2982
Merit: 4193
July 18, 2023, 03:23:29 AM
#25
I'll quote myself here: Can the forum get a .onion domain for Tor users? That doesn't stop DDOS entirely, but at least it leaves an option without Cloudflare.
The core of the issue is how susceptible onion addresses are to DDOS, which is arguably harder to block due to the nature of anonymity. There's some progress with trying to resolve this issue (PoW requirement, etc.), presumably due to the massive DDOS a while back.

I assume theymos doesn't want to mess with Tor for now, and sacrifice having to deal with tons of DDOS coming in from Tor at the expense of having the user jump through loops using CloudFlare.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 18, 2023, 03:04:49 AM
#24
I'll quote myself here: Can the forum get a .onion domain for Tor users? That doesn't stop DDOS entirely, but at least it leaves an option without Cloudflare.
full member
Activity: 756
Merit: 133
- hello doctor who box
July 17, 2023, 04:17:48 PM
#23
I think a bump is really necessary considering the discussions already on my last topic which you can find on this url https://bitcointalksearch.org/topic/cf-keeps-banning-tor-connection-5460048

I have no use of that topic, hopefully the extended discussions on this topic will bring a new idea against CF.

Thank you.
full member
Activity: 123
Merit: 470
October 02, 2018, 06:51:39 PM
#22
I just managed to log in now, but couldn't use the site at all yesterday. Even today it took me way too long because of the captcha (wasted so much time training Google AI to improve its spying capability :-\).

The initial Cloudflare page with the captcha isn't the problem, it's the login page with the issues. I think some sort of creative solution as suggested by some is possible here. Maybe a whitelist of PGP keys? Users can put their public key in their account somewhere, and those with enough trust can log in without the captcha by signing some arbitrary text?
full member
Activity: 574
Merit: 152
October 01, 2018, 10:37:05 AM
#21
I don't like CloudFlare. I consider it quite likely to be some sort of government-run honeypot; or if it isn't already, then it could be easily transformed into one. Far too much of the Internet goes through CloudFlare.

Why do we even use it if you think this could possibly be the case? Is it really worth the risk? How effective is CloudFlare at even stopping DDOS attacks or whatever? We've still had a few here whilst we've used it, right?

Is a better Cloudflare-like service something that could be created (I remember you briefly mentioning how you would create one somewhere)? I've suggested in the past that we could use funds that the forum could generate from things like extra ad slots and premium ranks etc for projects that would benefit the community and even the world and this surely could be one, especially with your concerns about it.



Cloudflare is like the de facto standard in anti-ddos services. Also, it's hard to beat free.

Honestly, if the web forum software were designed better, it could be built to be more resistant to DDoS attacks (proper gateways, rate limiting at multiple tiers, etc...).

I don't think the new software is going to solve this issue though. I've been considering trying to build a new forum software myself that allows high horizontal scalability rather than the traditional vertical scaling that we have now.
staff
Activity: 3276
Merit: 4111
October 01, 2018, 10:32:22 AM
#20
Is a better Cloudflare-like service something that could be created (I remember you briefly mentioning how you would create one somewhere)? I've suggested in the past that we could use funds that the forum could generate from things like extra ad slots and premium ranks etc for projects that would benefit the community and even the world and this surely could be one, especially with your concerns about it.


I'd prefer something like this. I would far prefer trusting theymos than that of the NSA. I'm trying to find the previous discussion on this, but can't seem to find it. If anyone can send it over that would be appreciated. I think it was a discussion related to one of the DDOS attacks we had before on the forum.
legendary
Activity: 2828
Merit: 3038
Join the world-leading crypto sportsbook NOW!
October 01, 2018, 06:13:55 AM
#19
I don't like CloudFlare. I consider it quite likely to be some sort of government-run honeypot; or if it isn't already, then it could be easily transformed into one. Far too much of the Internet goes through CloudFlare.

Why do we even use it if you think this could possibly be the case? Is it really worth the risk? How effective is CloudFlare at even stopping DDOS attacks or whatever? We've still had a few here whilst we've used it, right?

Is a better Cloudflare-like service something that could be created (I remember you briefly mentioning how you would create one somewhere)? I've suggested in the past that we could use funds that the forum could generate from things like extra ad slots and premium ranks etc for projects that would benefit the community and even the world and this surely could be one, especially with your concerns about it.

legendary
Activity: 1274
Merit: 1924
฿ear ride on the rainbow slide
October 01, 2018, 05:32:48 AM
#18
I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".
Even if you have nothing to hide, would you walk around nude in public?  Would you live in a house with no window shades?  Would you let everyone listen in on your conversations?

Really, even if you're the most righteous person in the world, would you want everyone to know every fucking detail of your life?  Nobody in their right mind would.  I don't use Tor, but I don't condemn those who do.  Given how much less privacy we have these days because of the internet, using browsers like Tor (and eschewing social media sites like FB, Twitter, and the like) sounds like the smart thing to do.

I have nothing to show either. It isn't show and tell. What I do is none of anyone's business. The presumption that I do something illegal to want privacy is a fallacy.

For a search warrant there has to be reasonable cause. Internet snooping is done by Governments and big business without any plausible reasons.

None of them have any legitimate reason to snoop on me - yet they still do it. I fully empathize with those that want to keep their privacy.
staff
Activity: 3276
Merit: 4111
September 30, 2018, 11:08:16 PM
#17

I think the letter puzzles have an 80% solve rate when run through several OCR cloud-products. There was a rather interesting paper I read about the bypass.

I've used deathbycaptcha before, and it's a pretty decent service.
Yeah, the old text captcha ones were easily outsourced, and several places had around a 99% solve rate. Never used one myself, but know that it was very easily bypassed for cheap as mprep hinted. The way that this particular "exploit" works is by downloading the audio, and then identifying what the audio is saying automatically. This could probably be outsourced, and I would bet there are services offering this. However, what I imagine a lot of them are doing is running through an automatic speech to text. I don't know how accurate these are though, and they may well be outsourcing them.
full member
Activity: 574
Merit: 152
September 30, 2018, 11:04:06 PM
#16
I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCaptcha Recaptcha a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).
I was being purposely vague. However, there's a method of automatically downloading the sound files when requesting for an audio version rather than the images to help with visually impaired people. Generally, people write a Python script, automatically download it, and then can input it. I haven't tried this myself, but have seen it working on a test site from a friend of mine. He kept on having bots sign up to his website out of nowhere, and he found that this was the method they were using.

Obviously, I haven't checked whether this can be done on Bitcointalk, because I haven't logged out in a few months. But, it shouldn't be any different to what I witnessed a few months ago.

I think the letter puzzles have an 80% solve rate when run through several OCR cloud-products. There was a rather interesting paper I read about the bypass.

I've used deathbycaptcha before, and it's a pretty decent service. It provides an API, which makes it nearly automated.
staff
Activity: 3276
Merit: 4111
September 30, 2018, 11:00:46 PM
#15
I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCaptcha Recaptcha a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).
I was being purposely vague. However, there's a method of automatically downloading the sound files when requesting for an audio version rather than the images to help with visually impaired people. Generally, people write a Python script, automatically download it, and then can input it. I haven't tried this myself, but have seen it working on a test site from a friend of mine. He kept on having bots sign up to his website out of nowhere, and he found that this was the method they were using. Basically though, you're coding something that will be able to convert the webpage so you can capture the javascript, and then you are automatically downloading the sound file, and then run it through a text to speech program or something along those lines. It's obviously not going to be 100% accurate, but definitely somewhat automated. We've looked into options to prevent this, but it doesn't seem possible as Google doesn't allow disabling the audio option. Unless, we are missing something.

Obviously, I haven't checked whether this can be done on Bitcointalk, because I haven't logged out in a few months. But, it shouldn't be any different to what I witnessed a few months ago.
legendary
Activity: 3374
Merit: 6880
Top Crypto Casino
September 30, 2018, 10:46:48 PM
#14
I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".
Even if you have nothing to hide, would you walk around nude in public?  Would you live in a house with no window shades?  Would you let everyone listen in on your conversations?

Really, even if you're the most righteous person in the world, would you want everyone to know every fucking detail of your life?  Nobody in their right mind would.  I don't use Tor, but I don't condemn those who do.  Given how much less privacy we have these days because of the internet, using browsers like Tor (and eschewing social media sites like FB, Twitter, and the like) sounds like the smart thing to do.
global moderator
Activity: 3766
Merit: 2610
In a world of peaches, don't ask for apple sauce
September 30, 2018, 09:44:03 PM
#13
In regards to Tor's unwillingness to compromise, I'd say it's more so stubbornness than malice. Having read through the discussion on the 2nd ticket (since the link to the first one seems to be broken), quite a few users seem to be opposed to the idea due to their sheer distrust for Cloudflare. Considering the fact that we're talking about a pretty hardcore segment of an already rather niche (at least compared to the widespread usage of the Internet) privacy crowd (of whom probably very few actually had to manage a website with large and resource intensive traffic), them putting their foot down and raising their battle flags against Cloudflare, a service that they perceive as ideologically incompatible, instead of trying to find a compromise is anything but an unexpected reaction.


There's a sneaky little way of bypassing Google's captcha, but requires coding a script, and using that. It's likely how all of these newbie accounts are being created automatically, and being used for malicious purposes. I'm not sure how we would combat this either as removing Google's image verification would result in a lot more spam than we already have. Unfortunately, the way to bypass the google image captcha is fairly well known, and seems like Google don't have any plans on changing it.

AFAIK there just isn't a better solution than the current implementation. I've seen people suggest implementing a captcha per post, but honestly they don't care, because they can automate it with a script. I'm sure theymos is well aware of this issue too, and requiring a captcha per post would affect legitimate users more than that of the spammers. Implementing a simpler approach wouldn't really benefit the forum. In regards to the Tor issue, and how long it can take sometimes. Then, we need to weigh up the pros, and cons, and see if we want usability over forum readability. If it were removed then it would certainly lead to mass amounts of spamming, but the current implementation isn't foolproof either. At least, I don't think so. I haven't had to log on in months, but I'm sure it's exploitable like all the other captchas on other sites.
I'm curious: what method specifically are you referring to? I've seen talks on getting through Google's new NoCaptcha Recaptcha a small percentage of the time (which is worrying but nowhere near as troubling as the susceptibility to OCR most other captchas suffer from) but I wasn't aware of any reliable and automated way to bypass it (since outsourcing them to human captcha solvers via a paid (~2 bucks per 1k captchas) API isn't exactly automated).
full member
Activity: 574
Merit: 152
September 30, 2018, 07:41:58 PM
#12
I don't think there's any great solution for allowing perfect anonymity that's resistant to prevent a distributed denial of service.

There's no solution to the problem without artificially limiting the ability to create anonymous profiles.

The only solution I can come up to fix the underlying problem is requiring some level of work to be done to generate a private profile. Seems like a silly solution though.

TBH, Tor's unwillingness to handle this, as well as the overall weakness of Tor's anonymity when compared to the cutting edge in academic research, makes me think that Tor may be infiltrated by anti-privacy interests.

If you think about who built the TOR network, and think about the purpose behind it, it really just gives the exit-nodes plausible deniability within our legal framework. Overall, I'm not sure it actually gives anonymity at a nation-state level.
full member
Activity: 383
Merit: 149
September 30, 2018, 11:18:56 AM
#11
With captcha the last days a very big problem. Directly go as before did not work even once. Login directly through the Tor in 10 cases out of 10 all ends with the inscription:

Quote
reCAPTCHA has apparently marked your IP address as suspicious, and refuses to tell me whether you actually solved the CAPTCHA. If you go back and retry it several times, it will eventually work. If you are using Tor, going to Onion->New Identity might immediately fix it.

Entry is possible only through the passage of 2 step captcha:

Quote
One more step
Please complete the security check to access bitcointalk.org



staff
Activity: 3276
Merit: 4111
September 30, 2018, 10:48:15 AM
#10
AFAIK, smart bots can solve 9+2=?. This is the reason big websites are increasingly placing trust on Google's Re-CAPTCHA. Unfortunately, Google's Re-CAPTCHA does not provide word challenge anymore. All are just images and they don't get solved even if you are correctly pointing them. The reason behind this is Google's machine learning AI is far from perfect as of yet. They assume, good IP will always correctly solve the captcha. But, they don't. Hence, the irritating problem we face with Tor.

There's a sneaky little way of bypassing (automating) Google's captcha, but requires coding a script, and using that. It's likely how all of these newbie accounts are being created automatically, and being used for malicious purposes. I'm not sure how we would combat this either as removing Google's image verification would result in a lot more spam than we already have. Unfortunately, the way to bypass the google image captcha is fairly well known, and seems like Google don't have any plans on changing it.

AFAIK there just isn't a better solution than the current implementation. I've seen people suggest implementing a captcha per post, but honestly they don't care, because they can automate it with a script. I'm sure theymos is well aware of this issue too, and requiring a captcha per post would affect legitimate users more than that of the spammers. Implementing a simpler approach wouldn't really benefit the forum. In regards to the Tor issue, and how long it can take sometimes. Then, we need to weigh up the pros, and cons, and see if we want usability over forum readability. If it were removed then it would certainly lead to mass amounts of spamming, but the current implementation isn't foolproof either. At least, I don't think so. I haven't had to log on in months, but I'm sure it's exploitable like all the other captchas on other sites.
legendary
Activity: 1662
Merit: 1050
September 30, 2018, 10:21:02 AM
#9
I forgot to mention there should be another domain (preferably .onion), but normally user only can see login page with input field signed message/PGP signature/certificate and register page which force copper membership.
To prevent spam, there should reCAPTCHA, but configured to allow JS-disabled browser to solve it.

Adding new subdomain will redirect you on main domain. Once you click login page then same thing will happen. But I think for reCAPTCHA problem could solve by CAPTCHA.
For Example 9+2=?
If use this kind of CAPTCHA I think Tor browser will not face problem.

AFAIK, smart bots can solve 9+2=?. This is the reason big websites are increasingly placing trust on Google's Re-CAPTCHA. Unfortunately, Google's Re-CAPTCHA does not provide word challenge anymore. All are just images and they don't get solved even if you are correctly pointing them. The reason behind this is Google's machine learning AI is far from perfect as of yet. They assume, good IP will always correctly solve the captcha. But, they don't. Hence, the irritating problem we face with Tor.
legendary
Activity: 1274
Merit: 1004
September 30, 2018, 07:42:31 AM
#8
Personally I think TOR is not the perfect solution for privacy, However you should consider implementing proof of work captchas for tor traffic.
legendary
Activity: 2282
Merit: 2196
Signature Space For Rent
September 30, 2018, 01:05:35 AM
#7
2. Do you have plan feature which allow copper membership/registered user to bypass CloudFlare by present signed message with linked their Bitcoin address, show their linked certificate or confirm with their PGP signature?

I think bypass isn't possible if CloudFlare is active. Because if you use CloudFlare then you have to change original DNS (Domain Name Server) to CloudFlare DNS. So you must enter domain in order to visit website. If you want to skip then you have to deactivate CloudFlare from Name Server.

I forgot to mention there should be another domain (preferably .onion), but normally user only can see login page with input field signed message/PGP signature/certificate and register page which force copper membership.
To prevent spam, there should reCAPTCHA, but configured to allow JS-disabled browser to solve it.

Adding new subdomain will redirect you on main domain. Once you click login page then same thing will happen. But I think for reCAPTCHA problem could solve by CAPTCHA.
For Example 9+2=?
If use this kind of CAPTCHA I think Tor browser will not face problem.
copper member
Activity: 2870
Merit: 2298
September 29, 2018, 10:29:23 PM
#6
One possible solution to accepting certain TOR traffic that you know is "perfectly-good traffic" would be to set up a hidden service as a reverse proxy for a specific person, possibly for a cost, and possibly that will only support a pre-determined amount of traffic.

For example, I could ask you to set up a hidden service that I can use to connect to the forum. I would pay you $xx for you to do this. You would then spin up a VPS that runs a hidden service that connects to the "real" IP address of the forum (it bypasses cloud flare) that is intended for only me to access. Our agreement could be that once the hidden service receives xx GB worth of traffic, then it will be shut down -- this will more or less prevent me from using the hidden service to DDoS the forum, or otherwise making the hidden service address public.

I am not sure if you can run multiple hidden services via one VPS/IP address, although I suspect there is a good chance you can.

This would reduce privacy incrementally, as it would expose sockpuppets that are all used to access this hidden service. However the location of the person accessing the hidden service would remain hidden from you, along with other sensitive information, such as their IP address, and ISP.  

There would still be the problem of how someone would access the forum in the first place, which is more complicated. One option would be to run a separate website with a separate server, whose only purpose is to sell access to these hidden services. This would be easier to maintain than a major forum, and when that website goes down, it would not affect the forum.

edit: you may not like this, however for added privacy, you may accept payment via certain privacy focused altcoins.

edit2:
People using Tor have something to hide, we don't want their kind on this forum.

[...]
Privacy is good. Tor's approach to it is bad, or at least very incomplete.
One reason for this may be that the TOR devs don't want too much privacy when using tor in order to avoid the government regulate, or otherwise entirely break tor because too many serious criminals are hiding behind tor.
copper member
Activity: 2828
Merit: 4065
Top Crypto Casino
September 29, 2018, 10:27:08 PM
#5
Tor is used as a honeypot since a long time https://www.wired.com/2014/12/fbi-metasploit-tor/ by the institution that likes to know everything about you. Your underwear color included...

https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html
https://www.schneier.com/blog/archives/2017/03/fbis_exploit_ag.html
https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95
turtletime

Following your logic, you have something to hide so since you use cryptocurrency supposed to give to people a (financial) privacy
Some people use TOR, they do nothing bad, they just want privacy which is a basic right that people stopped to fight for
member
Activity: 83
Merit: 10
September 29, 2018, 10:09:14 PM
#4
People using Tor have something to hide, we don't want their kind on this forum.

I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".

Privacy is good. Tor's approach to it is bad, or at least very incomplete.

I know I deleted that post because I over reacted.  It just makes people look really suspect if they use Tor.

Sorry.
administrator
Activity: 5222
Merit: 13032
September 29, 2018, 10:07:44 PM
#3
People using Tor have something to hide, we don't want their kind on this forum.

I guess you'd ban Satoshi, then? Feel free to publish your browser history if you "have nothing to hide".

Privacy is good. Tor's approach to it is bad, or at least very incomplete.
member
Activity: 226
Merit: 30
so.. hru?
September 29, 2018, 10:07:14 PM
#2
Just use google chrome or firefox, Who even needs to use Tor? pedophiles? criminals?

why is this even an issue? People using Tor have something to hide, we don't want their kind on this forum.

What do you mean? Everyone, people use Tor because they don't want their privacy to be leaked.

It's because right now, you can literally grab information about a person through any information your computer beams to the internet. Maybe they don't want to be tracked by advertisers too, etc. etc.

I don't personally use Tor but I see the reasoning behind it even though it's perceived as what you said they are "pedophiles? criminals?"

edit; back to OP, are there any services except Cloudflare which will block ddosers and other people trying to destroy the forum, or no? I think there are better Tor alternatives like Freenet that people can use.

Though like you said, Tor could a proof-of-work, but I see them as pretty lazy people who work on the Tor project to be honest, which is why I don't use it.

TBH, Tor's unwillingness to handle this, as well as the overall weakness of Tor's anonymity when compared to the cutting edge in academic research, makes me think that Tor may be infiltrated by anti-privacy interests.

edit2: I like how you say this and it could be like 80% true, also why can't the government just run a shit ton of Tor nodes?
administrator
Activity: 5222
Merit: 13032
September 29, 2018, 09:48:12 PM
#1
I don't like CloudFlare. I consider it quite likely to be some sort of government-run honeypot; or if it isn't already, then it could be easily transformed into one. Far too much of the Internet goes through CloudFlare.

However, I was just reading a couple of things from the Tor project ([1], [2]) which really annoyed me. The blame for Tor getting blocked everywhere belongs squarely at the feet of the Tor project for their failure to come up with any anti-DDoS solution whatsoever. Large sites cannot function by accepting connections from everyone without any possibility of rate-limiting. Probably this is a core flaw in the design of the Internet itself, but for now we have to live with it. If you say "well, the sites should just accept every Tor connection and treat them all as perfectly-good traffic", then you're actually saying "the sites should spend hundreds of thousands of dollars on handling every attacker as if it was legitimate". It's insane, and it's not going to happen.

There are very obvious ways of handling this while also preserving privacy. One idea is CloudFlare's Privacy Pass, which Tor categorically rejected for no good reason. (Note: I am not so confident in Privacy Pass's exact blind signature scheme, though the Tor people didn't actually use that as their reason for rejecting it. And it is a good idea at its heart.) You could extend the Tor protocol to give hidden services a way of requiring a proof-of-work from the client before handing the connection off to the application, and then sites could at least safely offer a hidden service option to Tor users. You could even think about extending TCP to require a client proof-of-work, which would address the DDoS issue beyond Tor. But instead Tor has done nothing.

TBH, Tor's unwillingness to handle this, as well as the overall weakness of Tor's anonymity when compared to the cutting edge in academic research, makes me think that Tor may be infiltrated by anti-privacy interests.
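Added example (not part of the thread, not theymos's code and not Tor's own PoW design): a generic hashcash-style client puzzle of the kind the post above proposes, where the service hands out a cheap-to-verify challenge and only passes the connection on once the client has spent work on it. The class name `PowGate`, the challenge layout and the 12-bit difficulty are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash output."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class PowGate:
    """Server side: issues MAC-protected challenges and checks solutions.

    The challenge carries its own difficulty and issue time, authenticated
    with an HMAC, so the server keeps no state until a solution is accepted.
    """

    def __init__(self, key: bytes, bits: int = 12, ttl: int = 120):
        self.key, self.bits, self.ttl = key, bits, ttl
        self.spent = {}                      # seed -> expiry, blocks replays

    def _tag(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, now: int) -> str:
        body = f"{self.bits}:{now}:{os.urandom(8).hex()}"
        return f"{body}:{self._tag(body)}"

    def verify(self, challenge: str, nonce: int, now: int) -> bool:
        parts = challenge.split(":")
        if len(parts) != 4:
            return False
        bits_s, issued_s, seed, tag = parts
        body = f"{bits_s}:{issued_s}:{seed}"
        # Reject anything we did not issue (e.g. a lowered difficulty field).
        if not hmac.compare_digest(tag.encode(), self._tag(body).encode()):
            return False
        bits, issued = int(bits_s), int(issued_s)   # safe: fields are MAC-covered
        if not issued <= now <= issued + self.ttl:
            return False                     # expired or from the future
        self.spent = {s: exp for s, exp in self.spent.items() if exp >= now}
        if seed in self.spent:
            return False                     # one solution buys one connection
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) < bits:
            return False
        self.spent[seed] = issued + self.ttl
        return True


def solve(challenge: str) -> int:
    """Client side: brute-force a nonce; costs about 2**bits hashes on average."""
    bits = int(challenge.split(":", 1)[0])
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1


if __name__ == "__main__":
    gate = PowGate(key=os.urandom(32))       # per-process secret
    now = int(time.time())
    challenge = gate.issue(now)
    nonce = solve(challenge)
    print("accepted:", gate.verify(challenge, nonce, now))
    print("replayed:", gate.verify(challenge, nonce, now))
```

Verification costs the server one HMAC and one hash, while each accepted connection costs the client thousands of hashes; raising `bits` under load shifts more of the cost onto whoever is opening connections.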