Re: ietf.org unaccessible for Tor users

Michael StJohns <mstjohns@comcast.net> Thu, 17 March 2016 01:40 UTC

Subject: Re: ietf.org unaccessible for Tor users
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Adam Roach <adam@nostrum.com>, ietf@ietf.org
References: <20160313143521.GC26841@Hirasawa> <m2a8m0y72q.wl%randy@psg.com> <F04B3B85-6B14-43BA-9A21-FC0A31E79065@piuha.net> <56E7E09D.7040100@cisco.com> <4349AFDD-350C-4217-9BEE-3DBD2F608F95@nohats.ca> <27177.1458050662@obiwan.sandelman.ca> <m2k2l3qud5.wl%randy@psg.com> <56E90304.3050407@cisco.com> <m2bn6eq59r.wl%randy@psg.com> <56E904A7.80200@cisco.com> <m2a8lyq4ud.wl%randy@psg.com> <56E90BF9.4090306@cisco.com> <56E9AC23.8060109@nostrum.com> <56E9B436.2090203@cisco.com> <56E9B543.9080000@nostrum.com> <56E9B5FF.1080301@cisco.com> <56E9B836.9080601@nostrum.com> <56E9C0CA.7040006@comcast.net> <56E9C258.7000108@nostrum.com> <56E9C6DE.6010807@comcast.net> <56E9D4EB.6030601@cs.tcd.ie>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <56EA0B4C.3060606@comcast.net>
Date: Wed, 16 Mar 2016 21:41:32 -0400
In-Reply-To: <56E9D4EB.6030601@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/T8P5U2wn_0eY8DhqXoMi-iUlRFc>

On 3/16/2016 5:49 PM, Stephen Farrell wrote:
> Mike,
>
> On 16/03/16 20:49, Michael StJohns wrote:
>> Fair enough - so you're asking me to take it on faith that there is a
>> real problem and that it affects sufficient numbers of folks that the
>> IETF should spend *its* money and effort to fix?
> Did you miss the mail upthread where it was pointed out that
> removing the restriction is a simple checkbox which I assume
> costs no more money than we're giving CF already?

I didn't miss that.  Did you miss that turning it off may allow 
malicious traffic?  That malicious traffic may have a cost?  Or that 
this isn't targeted specifically against TOR, but against any site with 
a sufficiently bad reputation? Or that many TOR sites have a bad 
reputation?  My guess is that you didn't miss any of this, but I 
repeated it just in case.

That said, I think your next paragraph is a reasonable way forward. But 
I do think there will be a cost to turn it off because someone will 
have to monitor and evaluate (and possibly remediate) if there is a 
problem.

To be clear, are you arguing for turning off Captcha in all 
circumstances?  Or just giving TOR a pass?  Can we leave it on for 
anything that requires an IETF login?


>
> If we allow Tor access and that turns out to be a source of
> problems, then I do think we ought re-evaluate, but I don't
> think there's any cost here to the IETF to turn off the
> restriction.
>
> And to clarify another thing: this is not only about the captcha,
> in testing today using TBB sometimes one gets access, sometimes
> one gets a captcha and sometimes access is denied with no captcha.
> It seems to depend on the exit node IP.

As I understand it, CF scores IP addresses based on reported "badness".  
If you're on TOR and you pick (or have picked for you) an exit router 
that's got a high badness score, then you get a Captcha at the IETF (and 
other CF sites).  My understanding is that if you come from non-Tor 
sites with high badness scores you will also get a Captcha.  The 
specific problem (for us)/benefit (for the TOR users) is that you can't 
differentiate the good TOR connections (if any) from the bad TOR 
connections coming from the same tor exit router.  Captcha is there to 
try and establish there is some sort of human behind the connection and 
to provide some protection against automated attacks.

What's interesting about your comment is that there is enough 
differentiation in TOR output that different nodes score differently at 
CF.  It suggests to me that TOR may not be cleaning up its fingerprints 
as well as it would like.

Later, Mike


>
> Cheers,
> S.
>
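Added illustration, not part of this thread and not CloudFlare's or the IETF's code: a toy per-IP reputation policy that shows why the thread's three observed outcomes (access, captcha, denial) fall out of one score, and why a benign client sharing a Tor exit with an abusive one is challenged anyway. The request log, the thresholds, and the `/accounts/login` path prefix are all constructed assumptions; the addresses are RFC 5737 documentation ranges.

```python
from collections import defaultdict

# Constructed sample request log: (client_ip, path, flagged_abusive).
# 198.51.100.7 stands in for a Tor exit shared by one benign reader and
# one abusive client; 203.0.113.5 is a benign non-Tor client; 192.0.2.9
# is a source whose every request was flagged. Documentation addresses only.
REQUEST_LOG = [
    ("198.51.100.7", "/html/rfc7258", False),          # benign user behind the exit
    ("198.51.100.7", "/mailman/listinfo/ietf", True),  # abusive client, same exit
    ("198.51.100.7", "/mailman/listinfo/ietf", True),
    ("203.0.113.5", "/html/rfc7258", False),
    ("203.0.113.5", "/accounts/login", False),         # benign, but a login path
    ("192.0.2.9", "/accounts/login", True),
    ("192.0.2.9", "/accounts/login", True),
    ("192.0.2.9", "/accounts/login", True),
]

# Assumed thresholds on the fraction of flagged requests per address.
CHALLENGE_AT = 0.5   # at or above this, serve a captcha
BLOCK_AT = 0.9       # at or above this, refuse outright
# Hypothetical login path prefix: always challenged, regardless of score
# (the "leave it on for anything that requires a login" option).
LOGIN_PREFIXES = ("/accounts/login",)


def ip_scores(log):
    """Per-address badness = flagged requests / all requests from that address.

    The score is keyed on the IP alone, so everyone behind one address
    (all users of one Tor exit, one NAT, one proxy) shares it.
    """
    total = defaultdict(int)
    flagged = defaultdict(int)
    for ip, _path, abusive in log:
        total[ip] += 1
        if abusive:
            flagged[ip] += 1
    return {ip: flagged[ip] / total[ip] for ip in total}


def decide(ip, path, scores):
    """Map an address score and request path to allow / challenge / block."""
    score = scores.get(ip, 0.0)
    if score >= BLOCK_AT:
        return "block"
    if score >= CHALLENGE_AT or path.startswith(LOGIN_PREFIXES):
        return "challenge"
    return "allow"


def decisions(log):
    """Decision for every request in the log, using scores built from that log."""
    scores = ip_scores(log)
    return [(ip, path, decide(ip, path, scores)) for ip, path, _ in log]


def shared_address_penalty(log):
    """Benign requests to non-login paths that were still challenged or blocked.

    This is the collateral cost the thread describes: good connections
    that cannot be told apart from bad ones leaving the same exit router.
    """
    hits = []
    for (ip, path, abusive), (_, _, verdict) in zip(log, decisions(log)):
        if not abusive and not path.startswith(LOGIN_PREFIXES) and verdict != "allow":
            hits.append((ip, path, verdict))
    return hits


if __name__ == "__main__":
    for ip, path, verdict in decisions(REQUEST_LOG):
        print(f"{ip:14} {path:25} -> {verdict}")
    print("penalised benign traffic:", shared_address_penalty(REQUEST_LOG))
```

Running it prints one line per request and then the single benign request that was challenged only because it shared an address with abusive traffic. Lowering `CHALLENGE_AT` shrinks the abuse that gets through and widens that collateral set; raising it does the reverse, which is the monitoring trade-off the message above points at.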