Don't Block Me

From the Tor Projects WikiPage - The "Don't Block Me" project is "A gathering of affected user communities, the internet at large, TPO speakers, and the central Tor themes and use cases around the ListOfServicesBlockingTor in order to encourage these sites to stop blocking people merely for using Tor. This project also develops, documents, and promotes Best Practices for services to use instead of indiscriminately blocking Tor as a whole. Another subproject works to remove Relays from RBL and other blocklists."

There is a meta ticket for this project (#10099). There is also a list of services that support Tor known as: WeSupportTor.

Speaking Events / Local Visits

  • Speaking at events these services have within their own communities, such as their "panel discussions" and conventions.
  • Gathering local Tor/Service users to visit services that have headquarters/offices in your area for discussion / presentation / humanity check.

Online Crowd/User Campaigns

  • Deal with the rather fundamental opposition (Example mailing list thread) in the Tor community against enhancing the situation.
  • Submitting feedback to services and their formal contacts/principals, blog writing, letter writing, etc.
  • May include links to articles, howto's, competitors, or simply that you wish to use their service.

Use Cases

  • See the Tor front page, etc...
  • Research and document actual incidence and prevalence ratios of Tor vs. Clearnet for abuse, spam, cracking, DMCA, etc. Dispel the "Tor is all just bad things" rumor and innuendo, provide the truth to fact, even if facts are not always pretty.

Best Practices

  • If you use Cloudflare, use their Tor support to avoid blocking Tor exit nodes.
  • Don't use reCaptcha because it often gives you many unsolveable captchas in a row. Or no captcha to solve at all, message: "We're sorry, but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.". Google collect device information.
  • Don't use any other centralised service like CoinHive.
  • Implement standalone self-hosted CAPTCHAs, perhaps one from our list of captcha engines
  • Time-based temporary IP blocks, perhaps from our firewall / Apache module examples
  • Grant users merit-based capabilities (allow them to perform certain actions based on their seniority, participation, or feedback)
  • For problems with sockpuppets, consider charging users a small registration fee (maybe in the form of cryptocurrencies deposits) to be given back to them when they close their account: this method will make it very costly for spammers or potential abusers from registering many sockpuppet accounts en masse
  • As an alternative to fee (it's deanonymizing) use proof-of-work. Don't use CoinHive, implement a standalone solution. PoW script mustn't be obfuscated.
  • Combat trolling: make realistic conduct policies, and enforce them with warnings and penalties
  • Allow users to report other users who demonstrate bad behavior
  • Remind people that (though efforts are made) things do happen. Perfection cannot be achieved.
  • Consider OTP's, keyfobs, two-factor for areas such as banking where authentication matters yet the user has a personal right to location anonymity. Related: implement HTTPS and PFS everywhere by default.
  • Rather than acting on the assumption that people will do bad things, react to the situtation at hand. Act to preserve your own independence, and that of your peers, as well.
  • No solution is foolproof: blocking Tor will not eliminate your problems. Consider deeper, more reliable defenses.

RBL removal

  • Refer to the list of RBL / DNS / Spam blocklists and work to remove Tor Relays from them.
  • Relays / IP's may be able to be claimed as... part of / administered / funded / run / owned by... TPO / other meta orgs (zweibel) / the end operator.
  • Automated RBL search and notification of operator to perform the removal.

Project Needs

  • Submission and Testing Server - It's difficult to distinguish explicit blocking of Tor from manual IP / RBL based "abuse" blocking that does not have specific knowledge of Tor. Users need to submit URI's to a database that will then regularly determine and publish the percent of exits blocked per URI. Higher percent over say 80%, more likely Tor. Under 50%, depublish but continue to monitor for future changes. Perhaps use BadExit scan framework for this.
Last modified 3 months ago Last modified on May 19, 2020, 2:30:56 PM