Michael Eriksson's Blog

A Swede in Germany

How to handle Tor


I am a frequent user of the anonymization tool Tor. Regrettably, some websites are in the bad habit of blocking requests from Tor without a valid reason, and those that do have a valid reason (e.g. related to spam or malicious attacks) rarely handle the situation appropriately.

Bearing in mind that most Tor users are perfectly legitimate, these are the main errors:

  1. Never telling the user that or why the request was blocked.

  2. Blocking only parts of a page, which creates the impression that something unrelated to Tor is broken, that something unrelated to the website is broken (e.g. a proxy), or that things are working when they are not.

  3. Excluding the user from functionality that is unrelated to the problem. For instance, many forums block Tor, claiming that they are afraid of spam. If so, they may have a legitimate reason to block posting, but not reading! Further, if spam is the problem, then a blanket block is probably the wrong solution to begin with: some combination of registration and verification (e.g. a CAPTCHA, or a manual reply to an email) would be more effective.

As a natural counterpart, the following advice:

  1. Do not block Tor (and similar services) unless you absolutely have to, and never without first finding out what Tor is.

  2. Explicitly tell users that they were blocked and why. Use a message that takes into account that this is a blanket ban of a user group, not a response to an individual misbehaving user.

  3. Exclude pages in their entirety or not at all. (Some special cases may exist, but none occurs to me at the moment.)

  4. Never block users from functionality that does not further the purpose of the ban (e.g. reading posts, when the purpose of the ban is to prevent writing posts).
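To make the four points concrete, here is an added example of a request filter that follows them; it is not code from this post. It is a small WSGI middleware, written on the assumption that the site only needs to stop posting from Tor (the spam case above) and that the exit-node addresses come from a list fetched separately (the Tor Project publishes one at https://check.torproject.org/torbulkexitlist). The addresses in the embedded list are constructed samples from the RFC 5737 documentation ranges, not real exit nodes, and the forum application is a stand-in.

```python
"""Added example (not the post author's code): a WSGI middleware that bans
Tor the way the advice above recommends.  Assumes the ban exists only to
stop writes (spam) and that exit-node addresses are loaded from a list
obtained elsewhere.  All addresses below are constructed samples."""
import ipaddress
from http import HTTPStatus

# Constructed sample data shaped like a bulk exit list: one address per line,
# comments and blank lines allowed, one deliberately malformed line.
SAMPLE_EXIT_LIST = """\
# sample exit list (constructed, RFC 5737 addresses)
192.0.2.10
192.0.2.11

198.51.100.7
not an address
"""

# Methods that only read.  The ban is meant to stop posting, so these pass.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Advice 2: say that it is a blanket policy for a user group, not a verdict
# on this visitor, and say what still works.
BLOCK_MESSAGE = (
    "Posting from Tor exit nodes is disabled on this site because of spam.\n"
    "This is a blanket policy for all Tor users, not a reaction to anything\n"
    "you did.  Reading the site over Tor still works; to post, please use a\n"
    "registered account over a direct connection.\n"
)


def parse_exit_list(text):
    """Parse a text exit list into a frozenset of ip_address objects.
    Malformed lines are skipped: a broken list line must not become an outage."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return frozenset(nodes)


def decide(method, peer_ip, exit_nodes):
    """Return (allowed, HTTPStatus, message) for one request.
    Advice 3 and 4: decided once, before any output, so a page is served
    whole or refused whole, and only write methods are ever refused."""
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return (False, HTTPStatus.BAD_REQUEST, "Malformed client address\n")
    if ip not in exit_nodes or method.upper() in SAFE_METHODS:
        return (True, HTTPStatus.OK, None)
    return (False, HTTPStatus.FORBIDDEN, BLOCK_MESSAGE)


def tor_policy_middleware(app, exit_nodes):
    """Wrap a WSGI app.  Uses REMOTE_ADDR (the TCP peer), never a forwarded
    header: X-Forwarded-For is client-controlled unless a trusted proxy sets it."""
    def wrapped(environ, start_response):
        allowed, status, message = decide(environ.get("REQUEST_METHOD", "GET"),
                                          environ.get("REMOTE_ADDR", ""),
                                          exit_nodes)
        if allowed:
            return app(environ, start_response)
        body = message.encode("utf-8")
        start_response(f"{status.value} {status.phrase}",
                       [("Content-Type", "text/plain; charset=utf-8"),
                        ("Content-Length", str(len(body)))])
        return [body]
    return wrapped


def forum_app(environ, start_response):
    """Stand-in for the real site: a thread on GET, accepts a post on POST."""
    body = (b"post accepted\n" if environ["REQUEST_METHOD"] == "POST"
            else b"thread contents\n")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


EXIT_NODES = parse_exit_list(SAMPLE_EXIT_LIST)
application = tor_policy_middleware(forum_app, EXIT_NODES)


def call(app, method, peer_ip):
    """Drive a WSGI app in-process; returns (status_line, body_text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    chunks = app({"REQUEST_METHOD": method, "REMOTE_ADDR": peer_ip,
                  "PATH_INFO": "/thread/1"}, start_response)
    return captured["status"], b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    for method, ip in [("GET", "192.0.2.10"), ("POST", "192.0.2.10"),
                       ("POST", "203.0.113.9")]:
        status, body = call(application, method, ip)
        print(f"{method} from {ip}: {status}\n{body}")
```

Two design choices matter here. The decision is taken once per request and before any output, so a Tor visitor either gets the whole page or a whole, explicit 403 with a plain-language body, never a half-rendered page (error 2 above). And the check is keyed on the request method, not on the URL, so every reading path stays open automatically and only the functionality the ban actually targets is refused (error 3).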


Written by michaeleriksson

May 15, 2011 at 8:21 pm
