Re: unaccessible for Tor users

Randy Bush <> Tue, 15 March 2016 14:23 UTC

Date: Tue, 15 Mar 2016 23:23:19 +0900
From: Randy Bush
To: Alec Muffett
Subject: Re: unaccessible for Tor users
Cc: IETF Disgust List

> The thread so far seems to be regards "People who use Browsers over
> Tor have problems accessing IETF because CAPTCHA from IETF's Hosting
> Provider".

i would add

   cloudflare breaking what should be end to end encryption opens the
   user to a mitm.  no, i am not saying cloudflare are bad folk.  but,
   for example, 
     o they could be served with a fisa order to see my traffic
     o they could be served with a fisa order to serve subtly different
       documents to queries from <name your favorite regime>
     o and all the other problems of having monkeys in the middle

   in these more privacy conscious days, we should be setting an example
   of how our own technology (and those of our friends in other sdos)
   can be used to maximize privacy and integrity.  client blocking,
   discrimination, and breaking e2e encryption are not what i consider
   nice examples.

my threat model for our data and services is much more about integrity
and privacy than availability.  i.e. i will put up with some degree of
ddos (after all i read this list:-) to be more assured that i am getting
an unaltered copy of rfc1925 and no one else knows i am reading it.

as with anything else, this point can be stretched to extremes that are
silly; no i probably will be unhappy with a one week outage.  but what
attacks have we actually experienced?  i know what we, a backbone isp,
get, and they're tens of g/s.  but does anyone throw gigs at

and another of my lives is as a measurement researcher.  so please spare
me "most of tor traffic is malicious" without citation, or the rfc
archive gets a 50g ddos every few weeks without actual measurement.

The plural of anecdote is not data.
-- Roger Brinner, economist
The plural of anecdote is not evidence.
-- Bill Lockyer, California Attorney General