Re: Changes regarding IETF website CDN settings and TOR networks

Joseph Lorenzo Hall <> Fri, 01 April 2016 05:33 UTC

Date: Thu, 31 Mar 2016 22:32:57 -0700
Subject: Re: Changes regarding IETF website CDN settings and TOR networks
From: Joseph Lorenzo Hall <>
To: IETF discussion list <>

IETF folks may be interested in this recent Cloudflare post that outlines
some potential changes to Tor -- SHA-256 hashes for hidden service certs,
moving proof-of-work into Tor Browser -- that could make this a bit more
robust against automated malicious activity (unfortunate title IMO):

On Monday, March 28, 2016, IETF Chair <> wrote:

> Based on earlier feedback on the IETF discussion list, the IAOC has decided to
> ask the IETF network admins to make a change with regard to how our CDN
> serves clients coming from TOR networks.
> For background, our website uses a number of techniques to help combat
> denial-of-service attacks.  One of these mechanisms was based on CAPTCHAs
> that were triggered, in particular, for some users when accessing the IETF
> web site for the first time and heuristically identified as coming from a
> TOR exit node.  Once the CAPTCHA is passed, the user was able to browse
> normally.  However, in the process of performing the CAPTCHA and accessing
> the IETF website, cookies and scripts are used, which was a concern for
> some users.
> Information on the IETF website is meant to be public, and should be
> openly accessible for as broad consumption as technically and practically
> possible. When there are groups of people whose access to the website is
> for some reason problematic, we try to accommodate better access, no matter
> who makes such a request, within the bounds of what is practical, of course,
> and considering the potential effects of denial-of-service attacks and
> other issues.
> The change in our settings is to no longer perform CAPTCHAs or other extra
> mechanisms for clients coming from TOR networks.  Behaviour for other users
> should not be affected, though it is an open question whether any
> significant denial-of-service attacks could be launched from these networks.
> Please note that our admins are monitoring the situation, and have the
> ability to change this configuration at any time. So if the TOR exit nodes
> are the source of an attack, for instance, the configuration could be
> adjusted again. And of course, further actions regarding how the IETF
> website is run are based on our experiences from current and past setups,
> and your feedback.
> Jari Arkko, IETF Chair

Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology
p: 202.407.8825
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

CDT's annual dinner, Tech Prom, is April 6, 2016!
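The change the chair describes has two moving parts: a challenge policy keyed on whether a client looks like it comes from a Tor exit node (dropped after the change), and ongoing monitoring so the configuration can be reverted if those networks become a denial-of-service source. The following is an added illustration written for this archive page, not code from the IETF, its CDN, or anyone in the thread. It models the before and after policies side by side and adds a per-exit-node sliding-window counter standing in for the admins' monitoring. The exit-node list, the log lines, the window length and the threshold are all constructed assumptions; a real deployment would use the CDN's own exit-node data and tuned limits.

```python
"""Added illustration of the CAPTCHA policy change discussed in the thread.
Not IETF or CDN code; all addresses, log lines and limits are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed stand-in for the CDN's "is this a Tor exit node" heuristic.
# Uses RFC 5737 documentation addresses, not real exit nodes.
TOR_EXIT_IPS = {"203.0.113.10", "203.0.113.11"}


@dataclass
class Request:
    src_ip: str
    has_clearance_cookie: bool  # set once a CAPTCHA has been passed
    ts: float                   # seconds, relative


def is_tor_exit(ip: str) -> bool:
    return ip in TOR_EXIT_IPS


def old_policy(req: Request) -> str:
    """Before the change: a Tor client with no clearance cookie is challenged,
    everyone else (including a Tor client that already passed) is served."""
    if is_tor_exit(req.src_ip) and not req.has_clearance_cookie:
        return "captcha"
    return "serve"


def new_policy(req: Request) -> str:
    """After the change: no CAPTCHA or cookie keyed on Tor exit status.
    Other clients were not subject to this rule, so they are unaffected."""
    return "serve"


class ExitNodeMonitor:
    """Sliding-window request counter per exit node, so operators can see
    whether lifting the challenge is being abused (threshold is an assumption)."""

    def __init__(self, window_s: float = 1.0, threshold: int = 5):
        self.window_s = window_s
        self.threshold = threshold
        self._hits = defaultdict(deque)  # ip -> timestamps within the window

    def observe(self, req: Request) -> bool:
        """Record the request; return True once this exit node exceeds
        `threshold` requests inside the last `window_s` seconds."""
        if not is_tor_exit(req.src_ip):
            return False
        q = self._hits[req.src_ip]
        q.append(req.ts)
        while q and req.ts - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.threshold


# Constructed access log: "<ts> <src_ip> <cookie|nocookie>".
SAMPLE_LOG = """\
0.00 198.51.100.7 nocookie
0.10 203.0.113.10 nocookie
0.20 203.0.113.10 cookie
0.30 203.0.113.11 nocookie
0.31 203.0.113.11 nocookie
0.32 203.0.113.11 nocookie
0.33 203.0.113.11 nocookie
0.34 203.0.113.11 nocookie
0.35 203.0.113.11 nocookie
"""


def parse_log(text: str) -> list:
    reqs = []
    for line in text.splitlines():
        ts, ip, cookie = line.split()
        reqs.append(Request(ip, cookie == "cookie", float(ts)))
    return reqs


def run(policy, log_text: str = SAMPLE_LOG, threshold: int = 5):
    """Apply `policy` to every request and report which exit nodes the
    monitor flagged. Returns (decisions, sorted flagged IPs)."""
    monitor = ExitNodeMonitor(window_s=1.0, threshold=threshold)
    decisions, flagged = [], set()
    for req in parse_log(log_text):
        decisions.append(policy(req))
        if monitor.observe(req):
            flagged.add(req.src_ip)
    return decisions, sorted(flagged)


if __name__ == "__main__":
    for name, policy in (("old", old_policy), ("new", new_policy)):
        decisions, flagged = run(policy)
        print(name, decisions, "flagged:", flagged)
```

Running it shows the point of the change: under `old_policy` the single-request Tor visitor is challenged on first contact, under `new_policy` nobody is, and in both cases the monitor still singles out the constructed exit node that burst six requests in fifty milliseconds, which is the signal operators would use to revisit the setting.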