Re: Changes regarding IETF website CDN settings and TOR networks

Linus Nordberg <linus@nordberg.se> Sat, 02 April 2016 14:52 UTC

Return-Path: <goi-ietf@m.gmane.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A691812D111 for <ietf@ietfa.amsl.com>; Sat, 2 Apr 2016 07:52:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fYFZ_zUY4T9P for <ietf@ietfa.amsl.com>; Sat, 2 Apr 2016 07:52:51 -0700 (PDT)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCB4D12D0A0 for <ietf@ietf.org>; Sat, 2 Apr 2016 07:52:51 -0700 (PDT)
Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from <goi-ietf@m.gmane.org>) id 1amMuu-00005G-Bg for ietf@ietf.org; Sat, 02 Apr 2016 16:52:48 +0200
Received: from smtp.adb-centralen.se ([193.10.5.129]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf@ietf.org>; Sat, 02 Apr 2016 16:52:48 +0200
Received: from linus by smtp.adb-centralen.se with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <ietf@ietf.org>; Sat, 02 Apr 2016 16:52:48 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: ietf@ietf.org
From: Linus Nordberg <linus@nordberg.se>
Subject: Re: Changes regarding IETF website CDN settings and TOR networks
Date: Sat, 02 Apr 2016 16:52:27 +0200
Lines: 59
Message-ID: <87a8lc9i6s.fsf@nordberg.se>
References: <3BD5282D-8E06-4DC5-B64F-D577326E2A5E@ietf.org> <CABtrr-XHZoO9T5hK1piy4y0zW6pxGMXfRFGcccXAMtFDrFg3fw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: smtp.adb-centralen.se
User-Agent: Gnus/5.13 (Gnus v5.13)
Cancel-Lock: sha1:RpnR8O5LRJToW2rg+7iIkZxzaHo=
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/LXES7aNZDelaEkYA6ZYdkSwd42Y>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Apr 2016 14:52:55 -0000

Those of you who read the CloudFlare post might also be interested in
Tor Project's recent post questioning the 94% figure:
https://blog.torproject.org/blog/trouble-cloudflare

Joseph Lorenzo Hall <joe@cdt.org>; wrote
Thu, 31 Mar 2016 22:32:57 -0700:

| IETF folks may be interested in this recent cloudflare post that outlines
| some potential changes to Tor -- SHA-256 hashes for hidden service certs,
| move proof-of-work into TorBrowser -- that could make this a bit more
| robust against automated malicious activity (unfortunate title IMO):
| 
| http://blog.cloudflare.com/the-trouble-with-tor/
| 
| On Monday, March 28, 2016, IETF Chair <chair@ietf.org>; wrote:
| 
| > Based on earlier feedback on IETF discussion list, the IAOC has decided to
| > ask the IETF network admins to make a change with regards to how our CDN
| > serves clients coming from TOR networks.
| >
| > For background, our website uses a number of techniques to help combat
| > denial-of-service attacks.  One of these mechanisms was based on CAPTCHAs
| > that were triggered, in particular, for some users when accessing the IETF
| > web site for the first time and heuristically identified as coming from a
| > TOR exit node.  Once the CAPTCHA is passed, the user was able to browse
| > normally.  However, in the process of performing the CAPTCHA and accessing
| > the IETF website, cookies and scripts are used, which was a concern for
| > some users.
| >
| > Information on the IETF website is meant to be public, and should be
| > openly accessible for as broad consumption as technically and practically
| > possible. When there are groups of people whose access to the website is
| > for some reason problematic, we try to accommodate better access, no matter
| > who makes such request, within the bounds of what is practical, of course,
| > and considering the potential effects of denial-of-service attacks and
| > other issues.
| >
| > The change in our settings is to no longer perform CAPTCHAs or other extra
| > mechanisms for clients coming from TOR networks.  Behaviour for other users
| > should not be affected, though it is an open question whether any
| > significant denial-of-service attacks could be launched from these networks.
| >
| > Please note that the our admins are monitoring the situation, and have the
| > ability to change this configuration at any time. So if the TOR exit nodes
| > are the source of an attack, for instance, the configuration could be
| > adjusted again. And of course, further actions regarding how the IETF
| > website is run are based on our experiences from current and past setups,
| > and your feedback.
| >
| > Jari Arkko, IETF Chair
| >
| 
| 
| -- 
| Joseph Lorenzo Hall
| Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-keyFingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
| 
| CDT's annual dinner, Tech Prom, is April 6, 2016!
| https://cdt.org/annual-dinner