Re: Changes regarding IETF website CDN settings and TOR networks

Joseph Lorenzo Hall <joe@cdt.org> Fri, 01 April 2016 05:33 UTC

In-Reply-To: <3BD5282D-8E06-4DC5-B64F-D577326E2A5E@ietf.org>
References: <3BD5282D-8E06-4DC5-B64F-D577326E2A5E@ietf.org>
Date: Thu, 31 Mar 2016 22:32:57 -0700
Message-ID: <CABtrr-XHZoO9T5hK1piy4y0zW6pxGMXfRFGcccXAMtFDrFg3fw@mail.gmail.com>
Subject: Re: Changes regarding IETF website CDN settings and TOR networks
From: Joseph Lorenzo Hall <joe@cdt.org>
To: "chair@ietf.org" <chair@ietf.org>, IETF discussion list <ietf@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/zDwwkhiiBO6e-M-rWRfA2izqY_g>

IETF folks may be interested in this recent Cloudflare post that outlines
some potential changes to Tor -- SHA-256 hashes for hidden service certs,
move proof-of-work into TorBrowser -- that could make this a bit more
robust against automated malicious activity (unfortunate title IMO):

http://blog.cloudflare.com/the-trouble-with-tor/

On Monday, March 28, 2016, IETF Chair <chair@ietf.org> wrote:

> Based on earlier feedback on IETF discussion list, the IAOC has decided to
> ask the IETF network admins to make a change with regards to how our CDN
> serves clients coming from TOR networks.
>
> For background, our website uses a number of techniques to help combat
> denial-of-service attacks.  One of these mechanisms was based on CAPTCHAs
> that were triggered, in particular, for some users when accessing the IETF
> web site for the first time and heuristically identified as coming from a
> TOR exit node.  Once the CAPTCHA is passed, the user was able to browse
> normally.  However, in the process of performing the CAPTCHA and accessing
> the IETF website, cookies and scripts are used, which was a concern for
> some users.
>
> Information on the IETF website is meant to be public, and should be
> openly accessible for as broad consumption as technically and practically
> possible. When there are groups of people whose access to the website is
> for some reason problematic, we try to accommodate better access, no matter
> who makes such request, within the bounds of what is practical, of course,
> and considering the potential effects of denial-of-service attacks and
> other issues.
>
> The change in our settings is to no longer perform CAPTCHAs or other extra
> mechanisms for clients coming from TOR networks.  Behaviour for other users
> should not be affected, though it is an open question whether any
> significant denial-of-service attacks could be launched from these networks.
>
> Please note that our admins are monitoring the situation, and have the
> ability to change this configuration at any time. So if the TOR exit nodes
> are the source of an attack, for instance, the configuration could be
> adjusted again. And of course, further actions regarding how the IETF
> website is run are based on our experiences from current and past setups,
> and your feedback.
>
> Jari Arkko, IETF Chair
>


-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

CDT's annual dinner, Tech Prom, is April 6, 2016!
https://cdt.org/annual-dinner
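The edge behaviour the chair describes above (a CAPTCHA challenge on first visit for clients heuristically identified as Tor exit nodes, now switched off for Tor while the admins watch the traffic) is modelled below as an added example. It is not code from this thread, from the IETF network admins, or from the CDN the site uses. The exit-node set, log lines, thresholds and every name in it (EdgePolicy, decide, tor_requests_per_minute, minutes_over_threshold) are constructed assumptions, and "source IP is on a published exit list" stands in for whatever heuristic the real CDN applies.

```python
"""Added example: an edge policy toggle plus the monitoring signal behind it.

Not the IETF site's or its CDN's code. The exit list, log and thresholds are
constructed; membership in the exit list is assumed to be the heuristic.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
import ipaddress

# Constructed exit-node set using documentation addresses (assumption: a real
# deployment would refresh this from the Tor project's published exit list).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}


@dataclass(frozen=True)
class EdgePolicy:
    """Edge settings under discussion (field names are this example's own)."""
    challenge_tor_exits: bool    # old setting: True; new setting: False
    tor_alert_per_minute: int    # exit-node requests/min that should trigger a review


OLD_POLICY = EdgePolicy(challenge_tor_exits=True, tor_alert_per_minute=100)
NEW_POLICY = EdgePolicy(challenge_tor_exits=False, tor_alert_per_minute=100)


def is_tor_exit(ip: str) -> bool:
    """Heuristic used by the edge: the client address is on the exit list."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treated as ordinary traffic
    return str(addr) in TOR_EXIT_NODES


def decide(ip: str, has_clearance_cookie: bool, policy: EdgePolicy) -> str:
    """Return 'serve' or 'challenge' for one request.

    Old policy: a Tor exit without the cookie set by a passed CAPTCHA is
    challenged. New policy: Tor exits are served like every other client.
    """
    if is_tor_exit(ip) and policy.challenge_tor_exits and not has_clearance_cookie:
        return "challenge"
    return "serve"


# Constructed access log, one request per line: "<minute> <client-ip> <path>"
SAMPLE_LOG = """\
1 198.51.100.7 /
1 192.0.2.10 /rfc/rfc7258.txt
1 203.0.113.42 /rfc/rfc7258.txt
2 198.51.100.7 /rfc/rfc7258.txt
2 198.51.100.7 /rfc/rfc7258.txt
2 192.0.2.11 /
"""


def tor_requests_per_minute(log_text: str) -> Dict[int, int]:
    """Requests from exit nodes per minute: the signal the admins keep watching."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        minute, ip, _path = line.split()
        if is_tor_exit(ip):
            counts[int(minute)] += 1
    return dict(counts)


def minutes_over_threshold(log_text: str, policy: EdgePolicy) -> List[int]:
    """Minutes in which exit-node traffic exceeded the policy's alert rate.

    A non-empty result is the cue to consider re-enabling the challenge,
    which is the fallback the chair's message reserves.
    """
    return sorted(m for m, n in tor_requests_per_minute(log_text).items()
                  if n > policy.tor_alert_per_minute)


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.10"):
        print(ip, "old:", decide(ip, False, OLD_POLICY),
              "new:", decide(ip, False, NEW_POLICY))
    print("exit-node requests per minute:", tor_requests_per_minute(SAMPLE_LOG))
    print("minutes over threshold:", minutes_over_threshold(SAMPLE_LOG, NEW_POLICY))
```

Keeping the challenge decision and the rate monitor as two separate functions is the point of the design: the policy flag can be flipped without touching the monitoring, and the monitor keeps producing the evidence needed to justify flipping it back.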