Open source
  • Bandwidth benchmark
  • TouchWidgets UI lib
  • Diviner big number math
  • Documentation
  • x86 instructions ref
  • GIT quick ref
  • GPG quick ref
  • Avoid Ubuntu
  • Android malware risks
  • iOS malware risks
  • OS/X security tips
  • Who blocks Tor
  • Software engineering
  • BASH aliases
  • I.B. pro/con
  • Nutrition
  • Other apps
  • Blog
  • Contact
    1 at zsmith dot co

    Sites that block Tor

    Revision 18
    © by
    All rights reserved.

    Analysis of possible rationales for blocking Tor users

    The justifications websites have for block Tor users are sometimes obvious and sometimes mysterious, but interesting to ruminate on.

    Argument 0

    Because some companies make money by selling information about you to advertisers and governments, they want to block or impede Tor users because they can't figure out who you are.

    Known to be blocking:

    Google search requires entering a Captcha (sometimes many times).
    Pinterest prevents any use of the site.
    CloudFlare requires Captcha: could it be they are selling out visitors to CloudFlare-hosted sites?

    The CloudFlare impediment affects many websites that might not normally choose to block anonymous users, including:

    • Voat
    • AKA floor64
    • ;;

    It appears the website owner can require an arbitrary number of captchas.

    CloudFlare hosts Hacking Team, which is an Italian company that provides tools for dictators allowing them to oppress dissidents and minorities.

    Argument 1

    Because scammers will be inclined to use Tor to access free email services in order to perpetrate phishing attacks, or to lure their marks toward drive-by hacking attack sites, or other nefarious purposes, it is not unreasonable to block Tor users from accessing free online email accounts.

    Known to be blocking:

    AOL mail prevents login
    Gmail prevents sign-up without mobile phone number-- not just for two-factor, it is to identify you
    GMX mail prevents sign-up altogether
    Yahoo mail prevents sign-up without mobile phone number
    Yandex mail does not respond to click on Create Account button can create account but prevented from viewing the inbox. the Captcha no longer works.
    Note that does not always enforce HTTPS, so your email contents may be visible to others in a public Wifi situation.

    Argument 2

    Because it is proven that people are being paid to post fake reviews of businesses and products (ads for such gigs are visible online), it is not unreasonable for online services that depend on accurate reviews to block Tor users.

    Known to be blocking:

    Yelp no access whatsoever a message says it is blocking robots...
    but not paid reviewers?

    Note that businesses have many ways to manipulate Yelp and Amazon reviews, regardless of Tor access, the chief among them being to pay large numbers of individuals to write phony reviews. Ads for such gigs are visible online.

    Tangential comment:
    The fact that Amazon does not use SSL for web users is a bit suspicious and disturbing and means Amazon is ensuring its users are at risk of government surveillance of shopping habits e.g. what books they read, as well as profitable surveillance by ISPs and public-Wifi services.

    Argument 3

    Because online dating users are the target of scammers who induce gullible victims to, for instance, send money abroad, it is not unreasonable to block Tor users from online dating sites because dating sites may want to block scammers by region (Nigeria) or ISP (e.g. Kyivstar).

    Known to be blocking:

    OKCupid they also do not provide
    non-Tor users with HTTPS connections
    for non-login browsing they also do not provide
    non-Tor users with HTTPS connections
    at all AKA Meetic they pretend to be down for maintenance to Tor users

    The fact that these two companies traffic in users' information and do not use SSL for web users is a bit suspicious and disturbing and could mean they are willingly complicit with government profiling of citizens. If that is the case, it would certainly explain the personality profiling questions that companies claim are meant to help users meet just the right bots love interests.

    Argument 4

    Because grassroots-commerce like Craigslist and freelancer websites like Elance are sometimes used by scammers to induce people into sending money abroad and performing free labor, respectively, it's reasonable to block Tor users.

    The commonest housing scam is perhaps one that fools Craigslist users into sending money to a landlord who has recently moved overseas. In reality, the scammer is not a landlord and has nothing to do with the property in question.

    One example of a free-labor labor scam involves translation companies that request prospective translators to prove that they are capable translators by translating a paragraph or two of sample text. In reality the scammer took a document, broke it into several pieces and sent each one to a wannabe translator, none of whom will ever be paid.

    Craigslist prevents viewing ads
    TaskRabbit cannot sign up
    Elance perhaps to block scammers looking for
    free labor from desperate people

    Argument 5

    Because website scrapers are using retail websites to obtain pricing data that consumers could use to compare prices at different retailers to find the best deals e.g. using apps that scan barcodes, retailers are inclined to block Tor users lest it be used by scrapers. This is bad for consumers and good for retailers. perhaps to prevent scraping via Tor perhaps to prevent scraping via Tor complete blockage perhaps to prevent scraping via Tor presumably due to online reviews
    or to prevent scraping

    Argument 6

    Because a website is providing paid-for data that competitors would like to scrape and thereby use without paying for it, websites will be inclined on principle to block Tor users. Real estate data is the prime example.

    Or perhaps the company that provided the data is requiring that Tor users be blocked.

    This justification for blocking Tor users would not prevent people from scraping at an Internet café, or via a borrowed Wifi connection, or at a university, or from overseas. Therefore blocking Tor users is somewhat futile. complete blockage complete blockage i.e. Move complete blockage

    Argument 7

    Because governments want to know which citizens are concerned about corrupt politics and government wrongdoing, they want to block or undermine Tor users, who unlike non-Tor users can't be identified.

    Known to be blocking: says Access Denied to

    Argument 8

    Because some people might try to attempt attacks such as SQL injection via Tor, and website owners are much too lazy or ignorant to secure our systems, or we are newbies. Therefore let us simply block Tor, and force all such attacks to be done without Tor.

    Related: IBM Tells Companies To Block Tor On Security Grounds.

    Unrelated: IBM's Role in the Holocaust -- What the New Documents Reveal

    Argument 9

    Because package shipment information can in theory be intercepted which can then be used to track and steal delivered packages, it may be reasonable to block Tor users from obtaining package delivery status, so that information about thieves accessing delivery info can be recorded.

    How do they get access to delivery info?

    • reading (increasingly rare) unencrypted mail traffic on public Wifi
    • or after hacking into mail servers to read emails
    • or providing bogus Wifi hotspots that decrypt traffic e.g. mail or Fedex/UPS/DHL site visits intermittent blocking

    Somewhat murkier

    Some websites have instituted blockage of Tor users for less clear reasons.

    Wikimedia downloads page Perhaps to limit Tor traffic. This could mean they wish to help spooks track what you read. They dislike or do not want anonymous commenters in their chat for some reason. This could mean they wish to help spooks track what you scan. who knows?

    Useful Tor-friendly services

    • TorBirdy: The Thunderbird plugin that sends all email through Tor. But what about the Tor<-->server connection?
    • A place to receive emails that is bizarrely not available as HTTPS.


    © Zack Smith