Tuesday, December 16, 2014

Why Do Security Sites Penalize Tor Users?

If you are a regular user of Tor, you are already on an NSA watch list. That came out back in July. OTOH, being on an NSA watch list is not a very exclusive club: all you have to do to qualify is read Linux Journal. That came out in July as well.

Tor development, IIRC, was originally funded by the US Navy, and received additional funding from the State Department. It was useful for dissidents living under repressive governments. You can probably fact-check me on About Tor, with no additional penalty, because NSA are likely to be targeting most likely readers of this blog. Systems or network admin? Check. Encrypted mail user? Check. Ad nauseam.

Is startpage.com on the side of light?

Startpage.com bills themselves as "the world's most private search engine", and are the default search engine of Tor. But if you use Tor, you will be periodically presented with a CAPTCHA. On the page, you will see the following text.
As part of StartPage's ongoing mission to provide the best experience for our users, we occasionally need to confirm that you are a legitimate user. Completing the CAPTCHA below helps us reduce abuse and improve the quality of our services.
Thank you,
The StartPage Team
But I have never seen this using Firefox, upon which Tor is based.

What about that symbol of rebellion and hackerdom, BlackHat?

I am not a fan, for reasons that seem good to me. But no security worker can ignore the storied history of this conference. For those with short memories, BlackHat 2009 was when Moxie Marlinspike, Dan Kaminsky and Mike Zusman, in separate presentations, managed to collectively beat SSL/TLS to death.

Yet Tor users will see something that is probably a bit familiar.
One more step
Please complete the security check to access www.blackhat.com
aaaaand... Another CAPTCHA.

The Worst Thing is Teh Stoopid.

CAPTCHA is far past any sort of relevance. Mechanical Turk CAPTCHA-solving was available years ago. Neither faster timeouts nor more obfuscated puzzles have fixed the problem. At this point, I can only characterize them as both increasingly annoying, and increasingly useless.

Google, whatever you may think of them from a privacy standpoint, recognizes this, and has introduced reCAPTCHA. Though this entire approach is fundamentally flawed, this is at least a temporary and partial fix. Now, if only sites that choose to market themselves as either secure Internet tools, or security-focused, would just suck a bit less, I am sure we would all appreciate it very much.
