On 02.05.2013 05:11, Tom Ritter wrote: > I used to be a big proponent of proof-of-work schemes, but I've scaled > back my preference significantly. There's two problems with them: [...]
My thoughts exactly. But, in this case, I have to say from experience that a few websites that use blacklists that block Tor preemptively, mostly without knowing about it. These types of blocks can be overcome often by just a friendly email that explains Tor. The second and most common type of blocking happens after someone has been "attacked" once, or twice, via Tor, or an active "attack" is ongoing. I use quotation marks here because most things that happen would not be considered real attacks. Many IDS, and nowadays even blog software etc, detects "unlikely behaviour" such as port scanning, crawling, trying some script kiddie SQL injections, looking for common exploitable CMS and the like. Most of these "behaviours" are *not* targetted at specific sites, many are just using some bad or worse scanning tool. This second type of blocking would be very much helped with something like torslap. Sites "under ongoing attack" could easily deploy them, maybe even together with a timeout, and thus get rid of the one attacker without having to block all Tor users (even temporarily, a mechanism which they rarely lift again because they have no incentive to do so). Sites that sometimes get hit by random scans and the like, not currently under active attack, could also obviously benefit from torslap. I haven't read the whole thread, but (Re)CAPTCHA could be considered a cheap and powerful "proof of work", too. I would love to see something as simple as an iptables bucket for Tor users where they can be first sent to a different webserver/site, and after they "do something there" the exit IP is temporarily removed from the bucket. A second interesting approach would be something more specific for the software used, like a Wordpress plugin that blocks admin logins via Tor, puts Tor users under more "supervision" (moderated postings/registration, only "guest Tor post" without the ability to log in at all, read-only access, etc) etc. -- Moritz Bartl https://www.torservers.net/ _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
