
Comment by shadowgovt

5 years ago

Unfortunately, enabling Tor basically makes your traffic "malicious-shaped" these days. One of the largest users of privacy services are users (bot or human) who don't want their traffic easily traced because they're doing something malicious.

It's definitely not the only use case for such services, but if a service provider sees that 90% of traffic shaped a certain way is malicious traffic, it's understandable they will take steps to mitigate that traffic.

ETA: I'm not happy about it because I believe in the value of anonymity, but it is what it is. Here's a Cloudflare blog post talking about the challenges handling Tor traffic, which to their estimate is (a) 94% malicious "per se," so any tooling you do that tries to estimate intent based on origin IP address is gummed up by the malicious signal emanating from the same Tor exit node as your legit traffic and (b) anonymized by design, therefore any attempts you might make to build a reputation signal for a given client are intended to be thwarted. The result is that a Tor user's traffic looks reputationless to a service like Cloudflare, and you can't just assume reputationless signal is benign (so, CAPTCHAs and "bot-like behavior suspected" walls).

https://blog.cloudflare.com/the-trouble-with-tor/

Interesting article, thanks, and especially at the end of the article:

> (Some Cloudflare people) have proposed a solution to the Tor Project that moves part of the process of distinguishing between automated and human traffic to the Tor browser itself. The Tor browser could allow users to do a sort of proof-of-work problem and then send a cryptographically secure but anonymous token to services like CloudFlare in order to verify that the request is not coming from an automated system.

> By moving the proof-of-work test to the client side, the Tor browser could send confirmation to every site visited so that users wouldn’t be asked to prove they are human repeatedly

(+ Link to the suggestion)

The onion site HTTPS cert idea is also interesting