© 2015-2018 by Zack Smith. All rights reserved.
The justifications that website owners might have for blocking TOR users can often be deduced. There are actually many good reasons for blocking TOR users. Some instances of TOR blockage however remain mysterious but are interesting to ruminate on.
Argument 0: To protect you from yourself.
The TOR infrastructure and related applications like the Firefox-based TOR Browser were originally intended by its creators in the US government for use by spies to protect their identities and activities in the field and by dissidents to protect them from oppressive regimes.
If users of TOR are assumed to be doing espionage or activism, it follows that governments and others will be recording their activities in the hope of determining what they were doing. That is very difficult. But equally importantly, they will want to know who and where TOR users are. If you're using TOR from a fixed IP address at home, mapping that IP to whoever pays the Internet access bill is trivial for a government. In addition, other non-TOR web traffic from that IP will reveal much about the residents. Ergo, you should not use TOR from home.
You may have heard the TOR developers encouraging average people to use the TOR service
for commonplace, innocuous activities such as watching Youtube videos,
shopping, reading Wikipedia or what have you.
Their stated goal is to add harmless noise to the existing TOR traffic
to make detecting actual spying and dissident activities harder.
Your traffic would be extra hay
to make finding the needle
in the haystack harder.
Well, because of what TOR is intended for and given the origin of TOR, I might point out that this remains a hazard for you.
- If the TOR project is paid for by the government, it may be hard for TOR programmers to resist putting spyware in the TOR Browser executable.
- Even if they resist doing that for ethical reasons, a key person within the TOR project may be compromised, and he/she could be required to add spyware to the TOR Browser.
- Even if no one in the TOR project does anything wrong, if government agents obtain undetected access to the TOR development computers on which they TOR Browser is compiled, they could embed spyware into the TOR Browser.
- If the TOR Browser incorporates externally compiled software into the browser, they could embed spyware in those, and therefore into the TOR Browser.
- If Pod files or other precompiled frameworks are used, these can have embedded spyware.
- If the developer installed MacPorts or Brew, many binaries will have been downloaded, any of which could have included exploits.
- While reproducible builds are a stated goal of the project, so few people succeed in building the browser that discrepancies between the distributed browser and an independently built one may exist but never be detected.
- People commonly believe they can trust Microsoft, Apple, Canonical etc. but there is no reason to think this, especially given the revelations about the PRISM program and so on, and in fact their compilers may be reproducibly adding backdoors and spyware to the TOR code, similar to the famous Ken Thompson hack.
Read more about the Ken Thompson hack
Conclusion: You should at a minimum only ever use the TOR software after building it yourself from source code. Don't use it from home. Ideally you would use the simplest possible independent compiler, not the ones from Microsoft, Apple, Canonical, or whoever supplied your OS.
I suggest never running the prebuilt TOR Browser except:
- In a virtual machine.
- Running virtualization or emulation software that you built from source.
- Running all of it in a separate account.
Additionally, there's a catch: Compiling the TOR Browser is an elaborate process and not the sort of undertaking that a hobbyist would undertake. The build process is brittle and likely to fail and sufficiently grueling that only a paid software engineer would attempt it.
Therefore it's better to focus on the TOR daemon, which is quite easy to compile.
git clone https://git.torproject.org/tor.git
git clone https://git.torproject.org/torsocks.git
Argument 1: You are the product.
Because many companies make money by selling information about you to advertisers and governments, they want to block or at least frustrate both TOR and VPN users because they can't figure out who you are.
Known to be blocking:
Google search | requires entering a Captcha (sometimes many times) |
prevents any use of the site | |
CloudFlare sites | requires Captcha: could it be they are selling out visitors to CloudFlare-hosted sites? |
The CloudFlare impediment affects many websites that might not normally choose to block anonymous users, including:
- TechDirt.com AKA floor64
- www.GlobalResearch.ca
- Voat
- Wireshark.org
- SuperUser.com, ServerFault.com, StackExchange.com
It appears the website owner can require an arbitrary number of captchas.
CloudFlare hosts or protects Hacking Team, which is an Italian company that provides tools for dictators allowing them to oppress dissidents and minorities.
Argument 2: Protection against email scammers.
Because scammers will be inclined to use TOR to access free email services in order to perpetrate phishing attacks, or to lure their victims toward drive-by hacking attack sites, or other nefarious purposes, it is not unreasonable to block TOR users from accessing free online email accounts.
Known to be blocking:
AOL mail | prevents login |
Gmail | prevents sign-up without mobile phone number-- not just for two-factor, it is to identify you |
GMX mail | prevents sign-up altogether |
Yahoo mail | prevents sign-up without mobile phone number |
Yandex mail | does not respond to click on Create Account button |
Inbox.com | can create account but prevented from viewing the inbox. |
Note that inbox.com
does not always enforce HTTPS, so your email contents may be visible to
others in a public Wifi situation.
Argument 3: Protection against bogus reviews.
Because it is proven that people are being paid to post fake reviews of businesses and products (job ads for such gigs are conspicuous online), it is not unreasonable for online services that depend on accurate reviews to block TOR users.
Known to be blocking:
Yelp | no access whatsoever |
Amazon.com | a message says it is blocking robots... but not paid reviewers? |
Note that businesses have many ways to manipulate Yelp and Amazon reviews, regardless of TOR access, the chief among them being to pay large numbers of contractors to write phony reviews in click farms.
Related
Two websites that perform analysis of reviews to spot the fake ones are:
Argument 4: Protection against dating site scammers.
Because online dating users are the target of scammers who induce gullible victims to, for instance, send money abroad, it is not unreasonable for such sites to block TOR users because dating sites may want to block scammers by region (Africa), country (Romania) or ISP (e.g. Kyivstar).
Known to be blocking:
OKCupid | They also do not provide non-TOR users with HTTPS connections for non-login browsing |
POF.com | They also do not provide non-TOR users with HTTPS connections at all |
Match.com AKA Meetic | They pretend to be down for maintenance to TOR users |
Warning: The fact that dating websites collect users' information and do not always use SSL to protect their users' privacy is very suspicious and could mean they are willingly complicit with government profiling of citizens and the creation of dossiers on every citizen. You should also be suspicious of personality profiling questions.
Argument 5: Protection against freelance site scammers.
Because grassroots-commerce like Craigslist and freelancer websites like Elance are sometimes used by scammers to induce people to perform free labor (Elance) and/or to send money abroad (Craigslist) it is reasonable to block TOR because scammers will use it for these purposes.
However, Craigslist does not block foreigner scammers who don't use TOR. They just block TOR users.
The commonest housing scam is perhaps one that fools Craigslist users into
sending money to a landlord
who claims to have recently moved overseas.
In reality, the scammer is not a landlord and has nothing to do with
the property in question.
A common example of a free-labor labor scam involves translation companies that request prospective translators to prove that they are skilled at translating by doing a translation of just one or two paragraphs of sample text. In reality the scammer took a client's document, broke it into several pieces and sent each one to a wannabe translator. No translator will ever be paid.
Craigslist | prevents viewing ads |
TaskRabbit | cannot sign up |
Elance | perhaps to block scammers looking for free labor from desperate people |
Argument 6: Protection against product pricing scrapers.
Because website scrapers
are using retail websites e.g. Walmart.com to obtain pricing
data, so that consumers can use it to compare prices with the prices of different retailers, to find
the best deals,
retailers are inclined to block TOR users lest it be used by such scrapers.
This is bad for consumers and good for retailers.
Sears.com | perhaps to prevent scraping via TOR |
Frys.com | perhaps to prevent scraping via TOR |
Walmart.com | complete blockage perhaps to prevent scraping via TOR |
Bestbuy.com | presumably also due to fake reviews |
Argument 7: Protection against data theft.
Because a website is providing paid-for data that competitors would like to scrape the site (e.g. with stolen credentials) and thereby grab said data without paying for it, websites are inclined on principle to block TOR users.
Perhaps another company that provided the data to the website is contractually requiring that TOR users be blocked.
This blocking of TOR users would not prevent people from scraping without TOR, which is a separate problem.
Trulia.com | complete blockage |
Redfin.com | complete blockage |
Realtor.com i.e. Move | complete blockage |
Argument 8: Protection against package thieves.
Given that package shipment information can in theory be intercepted, which can then be used to track and steal delivered packages, it is reasonable to block TOR users from obtaining package delivery status, so that:
- Would-be thieves cannot automate the process of finding out where packages will be and when, using just randomly generated tracking numbers.
- Would-be thieves who attempt to automate access of delivery info can at least be recorded.
USPS.com | seems to be blocking |
Bad Reasons to Block TOR Users
Argument A: To avoid securing systems.
Because some attackers might try to attempt attacks such as SQL injection via TOR, and some website owners are much too lazy or ignorant to secure their systems, the website owners may simply block TOR, and force all such attacks to be done without TOR. This is a terrible defense strategy.
Argument B: Taxpayers are the adversary?
Because some corrupt governments want to know which specific citizens are concerned about corrupt politics and government wrongdoing so that they can add that information to said citizens' dossiers, they may seek to block or frustrate TOR users, who unlike non-TOR users can't be identified.
Known to be blocking:
Senate.gov | says Access Denied |
Somewhat murkier, rather suspicious
Some websites have instituted blockage of TOR users for less clear reasons.
Hacker News (Y Combinator) | Paranoia about Reddit scraping them? |
Wikimedia downloads page | Unclear because Wikipedia is in large part censored and fake content. |
Gutenberg.org | Could this mean they wish to help spooks track what you read? |
Webchat.Twit.tv | They dislike or do not want anonymous commenters in their chat for some reason. |
Sitecheck.Sucuri.net | This could mean they wish to help spooks track what you scan. |