To make Tor work better on the web, we need to be honest about it

Posted by   Martijn Grooten on   May 6, 2016

If you regularly browse the web through the Tor network, you will have noticed that many websites are either inaccessible, or have strong barriers (in the form of difficult CAPTCHAs) put in front of them.

In a blog post, 'The Trouble with Tor', CloudFlare CEO Matthew Prince, whose company is responsible for many of these CAPTCHAs, explains that this isn't a deliberate measure against Tor, but that his company is in the business of protecting websites from abuse, and CAPTCHAs are automatically put in place if a lot of abuse is seen from a particular IP address. Apparently, 94% of the requests CloudFlare sees through the Tor network are malicious.

Although it is not clear what exactly is measured to derive this figure, last year Akamai came to a similar conclusion in its State of the Internet report (pdf), in which it said that HTTP requests made through Tor were 30 times as likely to be malicious as those not made through the Tor network. Anecdotal evidence from people whose job it is to protect websites confirms this: blocking Tor is often a simple and effective way to stop certain attacks.


The problem for Tor here is that the Internet is still largely built on IPv4, whose size of roughly four billion addresses is small enough to be stored in a blacklist, yet large enough to ensure that different people almost always use different IP addresses. And thus, whether it is for blocking spam or malicious web traffic, keeping a list of IP addresses that have engaged in abuse and putting barriers in front of subsequent requests from those addresses is an effective way to mitigate a lot of abuse.

Tor routes traffic through a small number of exit nodes, which means that websites can't track users by their IP address, while the Tor Browser (the recommended way to use Tor on the web) removes most other ways of tracking users. A consequence of this is that Tor users share each other's reputation. Unfortunately, many people use Tor to do bad things, so this reputation often isn't particularly good.

Tor, understandably, doesn't concern itself with the content of the traffic; it would be impossible for it do so without compromising its security. From Tor's point of view, therefore, no traffic is 'bad'. However, in the case of website security, it is fair to say that bad traffic is that which the site owner doesn't want to receive.

It is often suggested that websites that put barriers in front of Tor traffic don't care about privacy or anonymity. With perhaps a few exceptions, this misses the point. For a website owner, putting such barriers in place is often a sensible security decision that stops a lot of abuse while hurting relatively few people.

If we want to make the web more accessible through Tor — and I think this is something worth striving for — we should at least acknowledge this.

We could make the argument that anonymity and privacy are so vital that they make it worth trying to deal with the bad Tor traffic in other ways; I have seen this argument work in individual cases. There may also be technical ways to mitigate some of the abuse, for instance by building some kind of proof-of-work into the Tor Browser, which might make it less attractive to use in automated attacks.

But we could also try to solve the problem in another way: by making more people use Tor.

Tor is often said to be very useful for journalists wanting to protect their sources and for opposition activists under repressive regimes. This is certainly true, but it is fair to say that most people fall into neither category. At worst, they suffer from government censorship — a problem which is just as well solved by VPNs.

But Tor can be useful for average Internet users too, even those that aren't particularly concerned about privacy. It is, for instance, a great way to check prices in online shops, to ensure you aren't quoted a higher price based on your past browsing activity. It can also be useful to login to social media when on a trip you don't want everyone to know about; this prevents you from accidentally leaking your location. Indeed, the fact that a million people used Facebook's .onion site last month suggests that there is certainly an interest in doing so.

Of course, while increasing the 'good' Tor traffic will make it less attractive for websites to put barriers in place, it won't stop the bad traffic. But it will force website owners and those tasked with protecting their websites to look for other solutions to deal with this problem.




Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.