To make Tor work better on the web, we need to be honest about it

Posted by   Martijn Grooten on   May 6, 2016

If you regularly browse the web through the Tor network, you will have noticed that many websites are either inaccessible, or have strong barriers (in the form of difficult CAPTCHAs) put in front of them.

In a blog post, 'The Trouble with Tor', CloudFlare CEO Matthew Prince, whose company is responsible for many of these CAPTCHAs, explains that this isn't a deliberate measure against Tor, but that his company is in the business of protecting websites from abuse, and CAPTCHAs are automatically put in place if a lot of abuse is seen from a particular IP address. Apparently, 94% of the requests CloudFlare sees through the Tor network are malicious.

Although it is not clear what exactly is measured to derive this figure, last year Akamai came to a similar conclusion in its State of the Internet report (pdf), in which it said that HTTP requests made through Tor were 30 times as likely to be malicious as those not made through the Tor network. Anecdotal evidence from people whose job it is to protect websites confirms this: blocking Tor is often a simple and effective way to stop certain attacks.


The problem for Tor here is that the Internet is still largely built on IPv4, whose size of roughly four billion addresses is small enough to be stored in a blacklist, yet large enough to ensure that different people almost always use different IP addresses. And thus, whether it is for blocking spam or malicious web traffic, keeping a list of IP addresses that have engaged in abuse and putting barriers in front of subsequent requests from those addresses is an effective way to mitigate a lot of abuse.

Tor routes traffic through a small number of exit nodes, which means that websites can't track users by their IP address, while the Tor Browser (the recommended way to use Tor on the web) removes most other ways of tracking users. A consequence of this is that Tor users share each other's reputation. Unfortunately, many people use Tor to do bad things, so this reputation often isn't particularly good.

Tor, understandably, doesn't concern itself with the content of the traffic; it would be impossible for it do so without compromising its security. From Tor's point of view, therefore, no traffic is 'bad'. However, in the case of website security, it is fair to say that bad traffic is that which the site owner doesn't want to receive.

It is often suggested that websites that put barriers in front of Tor traffic don't care about privacy or anonymity. With perhaps a few exceptions, this misses the point. For a website owner, putting such barriers in place is often a sensible security decision that stops a lot of abuse while hurting relatively few people.

If we want to make the web more accessible through Tor — and I think this is something worth striving for — we should at least acknowledge this.

We could make the argument that anonymity and privacy are so vital that they make it worth trying to deal with the bad Tor traffic in other ways; I have seen this argument work in individual cases. There may also be technical ways to mitigate some of the abuse, for instance by building some kind of proof-of-work into the Tor Browser, which might make it less attractive to use in automated attacks.

But we could also try to solve the problem in another way: by making more people use Tor.

Tor is often said to be very useful for journalists wanting to protect their sources and for opposition activists under repressive regimes. This is certainly true, but it is fair to say that most people fall into neither category. At worst, they suffer from government censorship — a problem which is just as well solved by VPNs.

But Tor can be useful for average Internet users too, even those that aren't particularly concerned about privacy. It is, for instance, a great way to check prices in online shops, to ensure you aren't quoted a higher price based on your past browsing activity. It can also be useful to login to social media when on a trip you don't want everyone to know about; this prevents you from accidentally leaking your location. Indeed, the fact that a million people used Facebook's .onion site last month suggests that there is certainly an interest in doing so.

Of course, while increasing the 'good' Tor traffic will make it less attractive for websites to put barriers in place, it won't stop the bad traffic. But it will force website owners and those tasked with protecting their websites to look for other solutions to deal with this problem.




Latest posts:

NCSC gives important advice on lateral movement

The UK's National Cyber Security Centre (NCSC) has provided helpful and practical advice on preventing and detecting lateral movement by an attacker within a network.

What kind of people attend Virus Bulletin conferences?

If you are considering submitting a proposal for a talk to VB2018 and you're not familiar with the event, you may find it useful to know what kind of people attend the conference.

Olympic Games target of malware, again

An unattributed malware attack has disrupted some computer systems of the 2018 Winter Olympics. In 1994, a computer virus also targeted the Winter Olympics.

There are lessons to be learned from government websites serving cryptocurrency miners

Thousands of websites, including many sites of government organisations in the UK, the US and Sweden, were recently found to have been serving a cryptocurrency miner. More interesting than the incident itself, though, are the lessons that can be…

We need to continue the debate on the ethics and perils of publishing security research

An article by security researcher Collin Anderson reopens the debate on whether publishing threat analyses is always in the public interest.