On Sat, Mar 08, 2014 at 08:06:11PM +0100, Fabio Pietrosanti (naif) wrote:
> On 2/7/14, 4:46 AM, grarpamp wrote:
> > What can we do, as a collective social entity, to put an end to
> > this madness?
> From a "Security-Wise" point of view, if I was the IT Security Manager
> of a company, I would definitively block Tor's access to my IT
> infrastructure.
> I would also block most of spamhaus, VPN's, etc, unless there is a clear
> and evident "business need" to allow that source of traffic.
> It's very reasonable and effective from an IT Security Practice point of
> view to block IPs that are a common source of IP attacks.
> Doing it from an anti-fraud point of view it's even more effective,
> preventing any kind of economic transaction from public proxy service,
> increase the cost and complexity for the "poor's fraudster".
>
> So I think that we cannot do anything.
>
> I think that the IT Security guys are right in blocking or restricting
> access to most services when coming from public proxy services.

If you naively view Tor as Yet Another Public Proxy, I agree. But this
is the same thinking that leads you to block all encrypted traffic you
aren't MITMing. There may be environments where it makes sense, but
most of the time you are hurting yourself more than you are helping.
And enough places have learned that preventing encrypted traffic hurts
them that many people reading this probably don't remember when it was
commonly argued that the opposite was preferable. If you have
customers or employees that could benefit from personal defense in
depth or if your corporate operations do, then you are unnecessarily
hurting yourself. As Andrew noted, if you just buy a box and use its
defaults, you probably aren't getting what you want. Directing
incoming Tor traffic appropriately, possibly requiring extra
authentication steps for anything where you don't need to permit
anonymous-from-you access to your services, makes much more sense.

>
> You can "push" the big dotcoms in order to manage in a better way the
> traffic coming from dirty IP addresses, and that's happening.
>
> Probably having "specialized Exit Node" for the most common services
> (facebook, google, etc), in order not-to-mix dirty traffic with
> very-reasonably-good-traffic, could be one of the paths to work on.

Or encouraging corporations to run the same, e.g., allowing exit only
to their servers/ports and only for appropriate classes of traffic.
This is something we suggested early on, I think in the JSAC 1998 paper,
or possibly in 2000 "Onion Routing Access Configurations".

aloha,
Paul
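
An added illustration of the approach described in the reply above (not code from the thread or from the Tor Project): requests from Tor exit addresses are sent to a step-up authentication path on identity-sensitive routes instead of being blocked. The exit list, route prefixes and function names are constructed assumptions.

```python
import ipaddress

# Constructed exit-address list, one address per line (documentation
# ranges, not real Tor exits). A deployment would refresh this regularly.
SAMPLE_EXIT_LIST = """\
# constructed sample
192.0.2.10
198.51.100.7
2001:db8::1
not-an-address
"""

# Hypothetical route prefixes where the service needs to know who is calling.
# Everything else is treated as fine for anonymous-from-you access.
IDENTITY_ROUTES = ("/account", "/payment", "/admin")


def load_exits(text):
    """Parse the list, skipping blanks, comments and malformed entries."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # one bad line must not empty the whole list
    return exits


def normalise(client_ip):
    """Return the address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(client_ip)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def needs_identity(path):
    """Match whole path segments, so /accounting does not match /account."""
    return any(path == p or path.startswith(p + "/") for p in IDENTITY_ROUTES)


def decide(client_ip, path, exits, strong_auth=False):
    """Return 'allow' or 'step_up'; Tor origin alone never yields a block."""
    if normalise(client_ip) not in exits:
        return "allow"
    if needs_identity(path) and not strong_auth:
        return "step_up"
    return "allow"
```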