Changes regarding IETF website CDN settings and TOR networks

IETF Chair <> Mon, 28 March 2016 19:41 UTC

Return-Path: <>
Received: from [] (unknown []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 7100612DA92; Mon, 28 Mar 2016 12:41:02 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Subject: Changes regarding IETF website CDN settings and TOR networks
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: IETF Chair <>
Date: Mon, 28 Mar 2016 20:40:59 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
To: IETF Announcement List <>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <>
Cc: IETF discussion list <>
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To:, IETF discussion list <>
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Mar 2016 19:41:03 -0000

Based on earlier feedback on IETF discussion list, the IAOC has decided to ask the IETF network admins to make a change with regards to how our CDN serves clients coming from TOR networks.

For background, our website uses a number of techniques to help combat denial-of-service attacks.  One of these mechanisms was based on CAPTCHAs that were triggered, in particular, for some users when accessing the IETF web site for the first time and heuristically identified as coming from a TOR exit node.  Once the CAPTCHA is passed, the user was able to browse normally.  However, in the process of performing the CAPTCHA and accessing the IETF website, cookies and scripts are used, which was a concern for some users.

Information on the IETF website is meant to be public, and should be openly accessible for as broad consumption as technically and practically possible. When there are groups of people whose access to the website is for some reason problematic, we try to accommodate better access, no matter who makes such request, within the bounds of what is practical, of course, and considering the potential effects of denial-of-service attacks and other issues.

The change in our settings is to no longer perform CAPTCHAs or other extra mechanisms for clients coming from TOR networks.  Behaviour for other users should not be affected, though it is an open question whether any significant denial-of-service attacks could be launched from these networks.

Please note that the our admins are monitoring the situation, and have the ability to change this configuration at any time. So if the TOR exit nodes are the source of an attack, for instance, the configuration could be adjusted again. And of course, further actions regarding how the IETF website is run are based on our experiences from current and past setups, and your feedback.

Jari Arkko, IETF Chair