zsmith.co

Good reasons to block TOR users

Revision 25
© 2015-2018 by Zack Smith. All rights reserved.

The justifications that website owners might have for blocking TOR users can often be deduced. There are actually many good reasons for blocking TOR users. Some instances of TOR blockage however remain mysterious but are interesting to ruminate on.

Argument 0: To protect you from yourself.

The TOR infrastructure and related applications like the Firefox-based TOR Browser were originally intended by their creators in the US government for use by spies to protect their identities and activities in the field and by dissidents to protect them from oppressive regimes.

If users of TOR are assumed to be doing espionage or activism, it follows that governments and others will be recording their activities in the hope of determining what they were doing. That is very difficult. But equally importantly, they will want to know who and where TOR users are. If you're using TOR from a fixed IP address at home, mapping that IP to whoever pays the Internet access bill is trivial for a government. In addition, other non-TOR web traffic from that IP will reveal much about the residents. Ergo, you should not use TOR from home.

You may have heard the TOR developers encouraging average people to use the TOR service for commonplace, innocuous activities such as watching Youtube videos, shopping, reading Wikipedia or what have you. Their stated goal is to add harmless noise to the existing TOR traffic to make detecting actual spying and dissident activities harder. Your traffic would be extra hay to make finding the needle in the haystack harder.

Well, because of what TOR is intended for and given the origin of TOR, I might point out that this remains a hazard for you.

  1. If the TOR project is paid for by the government, it may be hard for TOR programmers to resist putting spyware in the TOR Browser executable.
  2. Even if they resist doing that for ethical reasons, a key person within the TOR project may be compromised, and he/she could be required to add spyware to the TOR Browser.
  3. Even if no one in the TOR project does anything wrong, if government agents obtain undetected access to the TOR development computers on which the TOR Browser is compiled, they could embed spyware into the TOR Browser.
  4. If the TOR Browser incorporates externally compiled software into the browser, they could embed spyware in those, and therefore into the TOR Browser.
    • If Pod files or other precompiled frameworks are used, these can have embedded spyware.
    • If the developer installed MacPorts or Brew, many binaries will have been downloaded, any of which could have included exploits.
  5. While reproducible builds are a stated goal of the project, so few people succeed in building the browser that discrepancies between the distributed browser and an independently built one may exist but never be detected.
  6. People commonly believe they can trust Microsoft, Apple, Canonical etc. but there is no reason to think this, especially given the revelations about the PRISM program and so on, and in fact their compilers may be reproducibly adding backdoors and spyware to the TOR code, similar to the famous Ken Thompson hack.

Read more about the Ken Thompson hack

Conclusion: You should at a minimum only ever use the TOR software after building it yourself from source code. Don't use it from home. Ideally you would use the simplest possible independent compiler, not the ones from Microsoft, Apple, Canonical, or whoever supplied your OS.
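Item 5 above turns on whether anyone actually compares the distributed build with an independently built one. The following is an added illustration, not code from the original page or from the TOR project: it compares two archives member by member, so a discrepancy is pinned to specific files rather than reported only as "the hashes differ". The archive contents, file names and function names are constructed for the example.

```python
import hashlib
import io
import tarfile

def make_tar(files, mtime):
    """Pack {name: bytes} into an in-memory tar (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def member_digests(blob):
    """SHA-256 of every regular file in the archive, keyed by member name."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar if m.isfile()}

def compare_builds(distributed, rebuilt):
    """Report where two builds differ, not merely that they differ."""
    d, r = member_digests(distributed), member_digests(rebuilt)
    return {
        "archives_identical": distributed == rebuilt,
        "only_in_distributed": sorted(set(d) - set(r)),
        "only_in_rebuilt": sorted(set(r) - set(d)),
        "content_differs": sorted(n for n in set(d) & set(r) if d[n] != r[n]),
    }

def demo():
    # Constructed stand-ins for a rebuilt archive and two "distributed" ones.
    base = {"bin/tor": b"daemon-v1", "lib/libx.so": b"lib-v1"}
    rebuilt = make_tar(base, mtime=0)
    stamped = make_tar(base, mtime=1500000000)           # timestamps differ only
    altered = make_tar({**base, "lib/libx.so": b"lib-v1+extra"}, mtime=0)
    return compare_builds(stamped, rebuilt), compare_builds(altered, rebuilt)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

The first report shows archives that are not byte-identical yet have no differing file contents (only build timestamps vary); the second names the one file whose contents changed.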

I suggest never running the prebuilt TOR Browser except:

  • In a virtual machine.
  • Running virtualization or emulation software that you built from source.
  • Running all of it in a separate account.

Additionally, there's a catch: Compiling the TOR Browser is an elaborate process and not the sort of task that a hobbyist would undertake. The build process is brittle, likely to fail, and sufficiently grueling that only a paid software engineer would attempt it.

Therefore it's better to focus on the TOR daemon, which is quite easy to compile.

 git clone https://git.torproject.org/tor.git
 git clone https://git.torproject.org/torsocks.git

Argument 1: You are the product.

Because many companies make money by selling information about you to advertisers and governments, they want to block or at least frustrate both TOR and VPN users because they can't figure out who you are.

Known to be blocking:

  • Google search: requires entering a Captcha (sometimes many times)
  • Pinterest: prevents any use of the site
  • CloudFlare sites: require Captcha; could it be they are selling out visitors to CloudFlare-hosted sites?

The CloudFlare impediment affects many websites that might not normally choose to block anonymous users, including:

  • TechDirt.com AKA floor64
  • www.GlobalResearch.ca
  • Voat
  • Wireshark.org
  • SuperUser.com, ServerFault.com, StackExchange.com

It appears the website owner can require an arbitrary number of captchas.

CloudFlare hosts or protects Hacking Team, which is an Italian company that provides tools for dictators allowing them to oppress dissidents and minorities.

Argument 2: Protection against email scammers.

Because scammers will be inclined to use TOR to access free email services in order to perpetrate phishing attacks, or to lure their victims toward drive-by hacking attack sites, or other nefarious purposes, it is not unreasonable to block TOR users from accessing free online email accounts.

Known to be blocking:

  • AOL mail: prevents login
  • Gmail: prevents sign-up without mobile phone number; not just for two-factor, it is to identify you
  • GMX mail: prevents sign-up altogether
  • Yahoo mail: prevents sign-up without mobile phone number
  • Yandex mail: does not respond to click on Create Account button
  • Inbox.com: can create account but prevented from viewing the inbox

Note that inbox.com does not always enforce HTTPS, so your email contents may be visible to others in a public Wifi situation.

Argument 3: Protection against bogus reviews.

Because it is proven that people are being paid to post fake reviews of businesses and products (job ads for such gigs are conspicuous online), it is not unreasonable for online services that depend on accurate reviews to block TOR users.

Known to be blocking:

  • Yelp: no access whatsoever
  • Amazon.com: a message says it is blocking robots... but not paid reviewers?

Note that businesses have many ways to manipulate Yelp and Amazon reviews, regardless of TOR access, the chief among them being to pay large numbers of contractors to write phony reviews in click farms.

Related

Two websites that perform analysis of reviews to spot the fake ones are:

Argument 4: Protection against dating site scammers.

Because online dating users are the target of scammers who induce gullible victims to, for instance, send money abroad, it is not unreasonable for such sites to block TOR users because dating sites may want to block scammers by region (Africa), country (Romania) or ISP (e.g. Kyivstar).

Known to be blocking:

  • OKCupid: They also do not provide non-TOR users with HTTPS connections for non-login browsing
  • POF.com: They also do not provide non-TOR users with HTTPS connections at all
  • Match.com (AKA Meetic): They pretend to be down for maintenance to TOR users

Warning: The fact that dating websites collect users' information and do not always use SSL to protect their users' privacy is very suspicious and could mean they are willingly complicit with government profiling of citizens and the creation of dossiers on every citizen. You should also be suspicious of personality profiling questions.

Argument 5: Protection against freelance site scammers.

Because grassroots-commerce sites like Craigslist and freelancer websites like Elance are sometimes used by scammers to induce people to perform free labor (Elance) and/or to send money abroad (Craigslist), it is reasonable to block TOR because scammers will use it for these purposes.

However, Craigslist does not block foreign scammers who don't use TOR. They just block TOR users.

The commonest housing scam is perhaps one that fools Craigslist users into sending money to a landlord who claims to have recently moved overseas. In reality, the scammer is not a landlord and has nothing to do with the property in question.

A common example of a free-labor scam involves translation companies that ask prospective translators to prove that they are skilled at translating by doing a translation of just one or two paragraphs of sample text. In reality the scammer took a client's document, broke it into several pieces and sent each one to a wannabe translator. No translator will ever be paid.

  • Craigslist: prevents viewing ads
  • TaskRabbit: cannot sign up
  • Elance: perhaps to block scammers looking for free labor from desperate people

Argument 6: Protection against product pricing scrapers.

Because scrapers use retail websites, e.g. Walmart.com, to obtain pricing data that consumers can then use to compare prices across retailers and find the best deals, retailers are inclined to block TOR users lest TOR be used by such scrapers. This is bad for consumers and good for retailers.

  • Sears.com: perhaps to prevent scraping via TOR
  • Frys.com: perhaps to prevent scraping via TOR
  • Walmart.com: complete blockage, perhaps to prevent scraping via TOR
  • Bestbuy.com: presumably also due to fake reviews

Argument 7: Protection against data theft.

Because a website is providing paid-for data that competitors would like to scrape (e.g. with stolen credentials), thereby grabbing said data without paying for it, websites are inclined on principle to block TOR users.

Perhaps another company that provided the data to the website is contractually requiring that TOR users be blocked.

This blocking of TOR users would not prevent people from scraping without TOR, which is a separate problem.

  • Trulia.com: complete blockage
  • Redfin.com: complete blockage
  • Realtor.com (i.e. Move): complete blockage

Argument 8: Protection against package thieves.

Given that package shipment information can in theory be intercepted, which can then be used to track and steal delivered packages, it is reasonable to block TOR users from obtaining package delivery status, so that:

  1. Would-be thieves cannot automate the process of finding out where packages will be and when, using just randomly generated tracking numbers.
  2. Would-be thieves who attempt to automate access of delivery info can at least be recorded.

USPS.com seems to be blocking

Bad Reasons to Block TOR Users

Argument A: To avoid securing systems.

Because some attackers might attempt attacks such as SQL injection via TOR, and some website owners are much too lazy or ignorant to secure their systems, the website owners may simply block TOR, and force all such attacks to be done without TOR. This is a terrible defense strategy.
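Argument A in code, as an added example that is not part of the original page: a request handler whose only defense is a TOR blocklist still leaks every row when the same input arrives from any other address, while a parameterized query is safe no matter where the request comes from. The addresses are from documentation ranges, and the table, function names and blocklist are constructed for the illustration.

```python
import sqlite3

# Constructed stand-in for an exit-node list (documentation-range address).
TOR_EXITS = {"198.51.100.7"}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concat(db, name):
    # Vulnerable: user input is spliced into the SQL text.
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    # Hardened: input is bound as a value and never parsed as SQL.
    return db.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchall()

def handle(db, client_ip, name, lookup, block_tor):
    if block_tor and client_ip in TOR_EXITS:
        return "blocked"
    return lookup(db, name)

def demo():
    db = make_db()
    hostile = "x' OR '1'='1"   # classic tautology input, used here as test data
    return {
        # Blocklist stops the request only when it arrives via a listed exit.
        "tor_blocked": handle(db, "198.51.100.7", hostile, lookup_concat, True),
        # Same input from any other address: every row is returned.
        "non_tor_vulnerable": handle(db, "203.0.113.9", hostile, lookup_concat, True),
        # Fixed query, TOR allowed: hostile input matches nothing.
        "tor_hardened": handle(db, "198.51.100.7", hostile, lookup_param, False),
        # Fixed query, TOR allowed: a legitimate lookup still works.
        "tor_legit": handle(db, "198.51.100.7", "alice", lookup_param, False),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```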

Argument B: Taxpayers are the adversary?

Because some corrupt governments want to know which specific citizens are concerned about corrupt politics and government wrongdoing so that they can add that information to said citizens' dossiers, they may seek to block or frustrate TOR users, who unlike non-TOR users can't be identified.

Known to be blocking:

Senate.gov says Access Denied

Somewhat murkier, rather suspicious

Some websites have instituted blockage of TOR users for less clear reasons.

  • Hacker News (Y Combinator): Paranoia about Reddit scraping them?
  • Wikimedia downloads page: Unclear because Wikipedia is in large part censored and fake content.
  • Gutenberg.org: Could this mean they wish to help spooks track what you read?
  • Webchat.Twit.tv: They dislike or do not want anonymous commenters in their chat for some reason.
  • Sitecheck.Sucuri.net: This could mean they wish to help spooks track what you scan.