Why Does Cryptovillage Stop TOR?

  • Why Does Cryptovillage Stop TOR?

    I'm brand new to this forum but I was very surprised when I tried to go to using TOR and I was given the captcha run-around. Isn't crypto and privacy village all about PRIVACY? Isn't that why we use TOR? What gives? Seems contradictory to me. If this is addressed somewhere else, just direct me. No flaming please.

  • #2
    Originally posted by user_33
    I'm brand new to this forum but I was very surprised when I tried to go to using TOR and I was given the captcha run-around. Isn't crypto and privacy village all about PRIVACY? Isn't that why we use TOR? What gives? Seems contradictory to me. If this is addressed somewhere else, just direct me. No flaming please.
    I am not affiliated with the crypto and privacy village, but I do know people that run services available through the "Tor" (TOR) network.

    When responsibility and accountability are decoupled from actions in any space, results often include actions that are not tolerated. In order to create a space where a goal is to protect users from each other, and government persecution or prosecution or elimination, a side-effect is protection of criminals and other criminal activity. This includes finding exploits and security weaknesses, exploiting them, and gaining control of remote servers, and posting of "spam".

    Services that run with resolution and access using .onion TLD have greater risk for being attacked without ever identifying the attacker. Spam published through access to a service also available with an .onion name-to-address is also harder to block, and keep your services loaded with useful content and not spam.

    Services on the public Internet access via Tor exit nodes have similar risks, so service providers now consider using lookups to find present exit nodes, and demand extra work on behalf of the client to verify the client really is a human.

    Next, some providers of content have limited choices for where to collocate their service due to money, or laws, or legal risk, and some collocation providers impose extra checks for traffic coming from Tor exit nodes.

    Next, some service software will consult "blacklists" and then demand users confirm they are human when content requests or posts come from a blacklisted IP. The blacklists may not even be looking for Tor Exit Nodes, but may just be looking at source of spam or what is categorized as malicious traffic, coming from an IP address which also happens to be a Tor Exit Node IP. (Why can't we have nice things?)

    Lastly, though there are probably more reasons, a default behaviour in many services, especially web-services run by large news organizations, is to rely on cookie information to store "captcha" and human validation requests in a shared UUID/token, that is passed to the server with every page request. Yes, cookies can be used for tracking, and marketing, but they can also be used by a web server and client to confirm, "hey, have I verified you are a human? yeah? ok, I won't show you this CAPTCHA thing again." When "Tor" software, with the best intentions on user privacy, chooses to destroy or break or block cookies, all advantages in cookies, and all services that rely on cookies are at risk. (Before cookies, and widely-available cookie-support, such things were handled as arguments within each GET request as variables with values being passed. This dual support for cookies and non-cookie access seemed to vanish in the late 90's from what I remember. Products just don't seem to support that anymore, probably because advertisers want cookies, and advertisers pay for info to help pay for client page-loads, and cookies can help with tracking, commerce and get details on users. Cookies also distribute the storage of client data with persistence across all client machines, taking processing load off of server and decreasing risk of exceeding GET length requests in URI.)

    There are many reasons for having issues when connecting to a website when using Tor, and some are beyond the control of content providers when using their selected software, collocation service or internet provider.

    To help with your report, would you be willing to provide more information?
    1) When you were connecting to their website, were you using a Tor-capable client, if so, which one, and which versions?
    2) When you connected to the service in question, was it to a ".onion" TLD? (In the URL, did the fully qualified name of the host include a ".onion" at the end?)
    3) Was this a connection to a public, on-the-Internet service, where you were using an exit node?
    4) Was this just passive browsing, or were you trying to post content?
    5) What was/were the URL(s) that you were using when you encountered the problems?

    More information may help them to better identify the cause of the trouble and find a solution.

    Last edited by TheCotMan; May 18, 2016, 23:00.
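
Added example, not part of the post above and not the forum's or any hosting provider's code: a sketch of the two mechanisms the reply describes, an exit-node lookup that triggers a challenge and a signed "already verified" cookie that suppresses repeat challenges. The exit list, key, cookie name `human_ok` and all function names are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample data: documentation-range addresses standing in for a
# downloaded exit-relay list. The key is a placeholder, not a real secret.
EXIT_NODES = {"192.0.2.10", "192.0.2.77"}
SECRET_KEY = b"placeholder-key-for-example-only"
TOKEN_LIFETIME = 3600  # seconds a solved CAPTCHA stays valid


def issue_token(now=None):
    """Cookie value issued after a solved CAPTCHA: '<expiry>.<mac>', no user ID."""
    base = now if now is not None else time.time()
    expiry = str(int(base + TOKEN_LIFETIME))
    mac = hmac.new(SECRET_KEY, expiry.encode(), hashlib.sha256).hexdigest()
    return f"{expiry}.{mac}"


def token_valid(token, now=None):
    """Verify the MAC in constant time, then check the expiry."""
    if not token or "." not in token:
        return False
    expiry, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, expiry.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return int(expiry) > (now if now is not None else time.time())


def needs_challenge(client_ip, cookies, now=None):
    """Challenge only listed addresses that lack a valid verification cookie."""
    if client_ip not in EXIT_NODES:
        return False
    return not token_valid(cookies.get("human_ok"), now)


def simulate(client_ip, keeps_cookies, requests=3):
    """Count CAPTCHAs shown across several page loads from one client."""
    cookies, shown = {}, 0
    for _ in range(requests):
        if needs_challenge(client_ip, cookies):
            shown += 1
            cookies["human_ok"] = issue_token()
        if not keeps_cookies:
            cookies = {}  # client discards cookies between requests
    return shown
```

A client on a listed address that keeps the cookie is challenged once; one that discards cookies is challenged on every request.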


    • #3
      Originally posted by user_33
      I'm brand new to this forum but I was very surprised when I tried to go to using TOR and I was given the captcha run-around. Isn't crypto and privacy village all about PRIVACY? Isn't that why we use TOR? What gives? Seems contradictory to me. If this is addressed somewhere else, just direct me. No flaming please.
      Hi user_33. Sorry for the trouble. Our site is accessible through to Tor clients but by default our hosting provider enables CAPTCHA. What TheCotMan said with regard to CAPTCHA and cookies is accurate. We will look into options that our provider offers and consider making a change if possible. I want to assure you that we at CPV do not use cookies for any profiling, marketing, or other unsavory purpose. We have also enabled TLS by default on our site to protect your connection from snooping on the wire.


      • #4
        Thanks to both of you for helpful and thoughtful replies. I understand the value of cookies but as CotMan stated, they are used by advertisers to track our activities in spite of whether we want to be tracked or not. We, as a society, have traded our privacy for free access to information. I also understand the challenges of TOR for service providers. Just as CotMan said, what gives me privacy gives someone else cover for illegal activity. We won't change anything with this discussion but if the government didn't violate the constitution and spy on Americans without due process along with protecting us from those who wish us ill will, I wouldn't feel such a strong desire to protect my privacy. I use TOR to protect my civil liberties and as a matter of principle. I respect the challenges the village faces and appreciate your efforts to help find a solution here. The problem I had wasn't that there was a simple CAPTCHA but that it went on and on, forcing me to identify which pictures from a group showed a storefront. Once selected, more pictures would show up. I gave up and wrote my initial post. I think that was the desired effect by the service provider. I'll be back through a different type of connection to check out the village web site. Looking forward to stopping by during the con. Hopefully, some of the folks from EFF will be around.


        • #5
          You are welcome. Hope it helps.

          On the topic of cookies, I wanted to also point out they can help with privacy. Effectively, cookies are a tool which can be used to help you or hurt you.

          One example of this?

          This forum software supports a concept of keeping track of which posts and threads you have read, and which you have not. Up until recently, I configured the forums to push storage of that information into client cookies; for us to keep such information in the forums could be used as evidence if DB records are taken, to show who read what, and when. If we do not save the data, there is little to nothing for law enforcement to gain if they subpoena our disks. (Related to this, this is why we do not keep much logged data, and publish our policies on log retention: )

          Two features desired by many members are found near the top of this page in the "Nav Bar":
          * Recent Activity
          * Unread Content

          Recent activity requires no user history on what has been read by whom or not, but "Unread content" needs to know what each user has read vs. what they have not. Having this in each user's cookie was great! Each user maintained their own private data as they desired. However, since a major upgrade to the forum software, that stopped working for the purpose of finding unread posts. Demand was great enough for this feature that I chose to change it to have the forums keep track of what is read and what is not read. I do not like this, but it is that age-old problem: feature vs. function.

          [Having this in the forum DB means that what is read vs. unread is available across devices: phone, tablet, laptop, desktop, etc. Granularity is per user. Using cookies means each device has its own saved list of what has been read and not read. Switching devices when cookies are used for read vs. unread means each device has a different record of what was read with it when logged-in.]

          If/when it does work again with cookies, I do plan to switch back, and have users store all that information on their own devices, instead of on the server in the DB. Then, I can scrub the DB of that old data.

          Anyway, the above is just to point out that cookies can help with privacy, even if it is uncommon; any tool can help or harm depending on use.

          If you have other constructive criticism about anything related to DEF CON, please feel free to post; I really try hard to not "flame" people that provide constructive criticism. Every year I ask how DEF CON could be made better to get ideas for attendees. We value constructive criticism!

          Saying what is broken, why it is broken, and what can be done to make it better is a great help!

          Complaining without information on how to fix things? That is whining, and useless.

          Thanks again for sharing your thoughts on what is wrong, why, and how you would like to see things work.

          Thanks to PTzero for the reply and details.

          Good luck!
          Last edited by TheCotMan; May 20, 2016, 11:41.


          • #6
            A tweet from Twitter: @CryptoVillage on this:
            Originally posted by SourceTweet
            TCMBC we are working on whitelisting Tor.


            • #7
              Thanks Cot. Very cool. I like your ideas and they do present another perspective. Unfortunately, cookies aren't used for positive purposes such as yours very often. Very good if TOR can be white listed. If not, I'll keep using my current approach. Not as private as TOR but it works. Keep up the great work and thanks for all the time you spend responding to people like me.


              • #8
                user_33 and TheCotMan We've whitelisted Tor for our site so you should be good now. Let us know if you run into any issues.