[tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Apr 6 10:01:08 UTC 2016
#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
Reporter: ioerror | Owner: tbb-team
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: security, privacy, anonymity | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: None
------------------------------------------+--------------------------
Comment (by jgrahamc):
Replying to [comment:218 tne]:
> Replying to [comment:217 jgrahamc]:
> Sure, I think we all understand that; the decision to block using a
CAPTCHA is based on the reputation of the origin IP only. Can you, in
addition, take into account the status of the destination site? (Similar
to what you do in DDoS situations when you classify sites as "Under
attack" in order to, as I understand it, deploy different
countermeasures.)
We will throw CAPTCHAs in other situations not just for IP reputation.
CAPTCHA is one of a number of countermeasures we have and is used in
different ways.
> So: if the site is "actively observing abuse" and the IP has bad
reputation, block using a CAPTCHA as usual. If the site is not "actively
observing abuse" or the IP reputation is good, let the request go through.
>
> My question (hopefully clarified now) is: How hard would it be to
establish (and remove) this "observing abuse" status (if it makes sense at
all)?
I'm not sure that totally makes sense. It's better to think at an
individual request level and ask "Does this request indicate abuse?" and
then decide what to do. Of course, we can take into account other things
as well, but we wouldn't want to wait around and measure abuse and then
say "OK, now we'll start blocking it" because it might be too late (i.e.
the customer may have been hacked/attacked in some way). I think both Tor
users and our customers will be happy with a solution like that.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:219>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list