Pale Moon services and anonymity

About this bulletin board and the Pale Moon website

Moderators: satrow, Lootyhoof, FranklinDM

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24195
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Pale Moon services and anonymity

Unread post by Moonchild » 2016-04-08, 12:36

squarefractal wrote:I don't think it's right to block all Tor users just because of the actions of a few.
I don't think it's right to make everyone suffer the abuse just because of the tor usage of a few, either.

And as long as the official TOR site lists us as "blocking" based on the actions of a few with no verification, it's quite fair to treat them the same, IMHO. I'm also more than willing to lift the forum ban given good, objective reasons that properly address the facts outlined in this thread as regards it not being needed for us.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it on cohservers.com

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

User avatar
eskaton023
Lunatic
Lunatic
Posts: 464
Joined: 2013-08-23, 19:54

Re: Pale Moon services and anonymity

Unread post by eskaton023 » 2016-04-08, 13:47

Can you share the link to where it shows you're blocking TOR? The only page or reference I found was one stating that CF presented users with a CAPTCHA.

Here's where I see PM listed:
https://trac.torproject.org/projects/to ... gTechnical

And the 'One More Step' listing refers to this, further up the page:
https://trac.torproject.org/projects/to ... CloudFlare

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24195
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Pale Moon services and anonymity

Unread post by Moonchild » 2016-04-08, 14:58

I looked at that list the first time it was pointed out to me in https://github.com/MoonchildProductions ... issues/413 and it was listed on the blocked page which definitely is disproportionate of a response for using CloudFlare. See also: https://trac.torproject.org/projects/tor/ticket/18697

It's currently not listed as actually blocked, but indeed as "one more step" but I still find it unnecessary to highlight us out of all CloudFlare-backed sites (millions) to be listed there; someone clearly wanted to get all my personal/related domains listed there (fossamail.org, moonchildproductions.info, palemoon.org) for being on CF. Sounds like a vendetta :P With Tor administrators being more than happy to go along with that, it gets this knee-jerk response from me. Not so odd, is it?

In any case, blocking TOR access to the forum has already shown a decrease in spam account creation or attempted creation; even to the point where I could disable the SFS module. That alone is a good indicator of the problem caused by it and once again i don't see a reason yet to reconsider.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it on cohservers.com

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

PhilK

Re: Pale Moon services and anonymity

Unread post by PhilK » 2016-04-08, 18:04

I read the Tor blog post where they reputedly rebut Cloudflare's reason for blocking Tor exit nodes.

Now I'm not necessarily a big flag-waver for Cloudflare because I think they've shown some self-serving and poor judgement in the past themselves, eg selling their service as a freebie secure solution because it offers free SSL transit but forgetting to mention that if your site itself isn't talking SSL that's not worth a heck of a lot. Etc.

But one of the links in Tor's response included a link to an Akamai paper/study, and characterized that paper as proving that Tor traffic wasn't malicious. But it was a specious point because Tor only looks non-problematic if you compare it's total abuse traffic with ALL traffic. Well gee, of course Tor traffic is only a small percentage of total internet traffic.

But if you look at the abuse rate per access, it's obvious that the rate of abuse coming from Tor is many times higher than typical, and Akamai even points that out in their study.

PhilK

Re: Pale Moon services and anonymity

Unread post by PhilK » 2016-04-08, 18:09

Moonchild wrote: ...someone clearly wanted to get all my personal/related domains listed there (fossamail.org, moonchildproductions.info, palemoon.org) for being on CF. Sounds like a vendetta :P With Tor administrators being more than happy to go along with that, it gets this knee-jerk response from me. Not so odd, is it?

One thing that may contribute to that: I would surmise that a typical PaleMoon user is far more likely to be security/privacy conscious than, say, a Safari or IE user. Ergo, they are also (I would surmise) much more likely to be, if not regular Tor users, at least "Tor-aware". So that probably puts you on the Tor radar a bit more than what might otherwise be the case.

squarefractal

Re: Pale Moon services and anonymity

Unread post by squarefractal » 2016-04-09, 20:46

Moonchild wrote:In any case, blocking TOR access to the forum has already shown a decrease in spam account creation or attempted creation; even to the point where I could disable the SFS module. That alone is a good indicator of the problem caused by it and once again i don't see a reason yet to reconsider.
If spam is the problem then you could at least give Tor users read only access and prevent all logins by denying access to ucp.php.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24195
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Pale Moon services and anonymity

Unread post by Moonchild » 2016-04-09, 22:25

squarefractal wrote:If spam is the problem then you could at least give Tor users read only access and prevent all logins by denying access to ucp.php.
I'll see what I can do.

EDIT: I think I have it set up correctly now. TOR users still have read access but can't post or login.
I'll still keep an eye on server traffic, though. And as long as CF doesn't change the very logical captcha safeguard, you'll still need to solve a captcha before getting access.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it on cohservers.com

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

PhilK

Re: Pale Moon services and anonymity

Unread post by PhilK » 2016-04-10, 00:10

Moonchild wrote:EDIT: I think I have it set up correctly now. TOR users still have read access but can't post or login.
While I have already expressed my support for your reasoning behind restricting Tor users, I also much appreciate your efforts to keep an open mind on such matters regardless, as in this case, and not just be a pure ideologue about it. Admirable and mature POV. :thumbup:

squarefractal

Re: Pale Moon services and anonymity

Unread post by squarefractal » 2016-04-10, 04:41

Moonchild wrote:I think I have it set up correctly now. TOR users still have read access but can't post or login.
Thank you.

You may also want to prevent access to memberlist.php since that also apparently comes up with a login page. An user can't still log in because the authentication is still handled by ucp.php, but at least preventing access to memberlist.php won't give the impression that logins are allowed.

In addition, you may want to state the reason why those IP addresses have been blocked, since many users (me included, had not known about this forum's policy) would be left scratching their heads as to suddenly why a perfectly working website would confront me with a 403 Forbidden:
Logins and posts from this IP have been blocked due to the high volume of abuse and spam received.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24195
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Pale Moon services and anonymity

Unread post by Moonchild » 2016-04-10, 09:50

squarefractal wrote:you may want to state the reason why those IP addresses have been blocked
That's all nice and good, but I don't know of a way off-hand to do this.
If anyone has a good method to handle specific denied IP addresses for specific pages with a custom 403 in nginx, while not impacting fastcgi handling for allowed users or overriding the 403 for legitimate users for other URIs, then I'm all ears.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it on cohservers.com

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

member

Re: Pale Moon services and anonymity

Unread post by member » 2016-11-20, 16:44

I understand the blocking of Tor users on the forum, but is there any reason to set the CloudFlare Captcha block for us on the main website at https://www.palemoon.org?

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 24195
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Pale Moon services and anonymity

Unread post by Moonchild » 2016-11-20, 20:11

The main website uses standard cloudflare protection. If you have an issue with that, please take it up with cloudflare.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it on cohservers.com

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
Image

Locked