
Ask HN: Why block Tor? - ffggvv
Didn't we like privacy?
======
dang
We changed the title from "Why HN Blocks Tor?" because HN doesn't block Tor.
Plenty of users read HN and post to HN using Tor every day, including some in
this thread.

There have been issues in the past with Cloudflare and Tor, but I don't know
what the current status of that is. Certainly they aren't blocking everybody,
or we wouldn't see them.

The one thing HN itself does is moderate comments from brand new accounts that
are posted using Tor. We do this because of past abuses by trolls. However,
when such comments are good they routinely get restored by users using the
'vouch' feature, or, failing that, we often restore them ourselves. So even
this isn't much of a restriction. The main problem is that it makes for a time
delay between when a (good) comment gets posted and when other users get to
see it.

~~~
guilhas
How can HN identify they are behind Tor?

~~~
Godel_unicode
You might be interested in this listing from the Tor project:

[https://check.torproject.org/exit-addresses](https://check.torproject.org/exit-addresses)

------
tiernano
Is it not a Cloudflare issue? HN is behind Cloudflare, and Cloudflare thinks
it's a problem... last time I tried, it requests verification each time, as
do other Cloudflare-backed sites (my own included)

~~~
anexprogrammer
Cloudflare is horrifically hostile to users, triggering blocks and Captchas
all the damn time, but I've never once had an issue, or Cloudflare
interruption, with HN.

It'd give me an interesting conflict if I ever had, as I take Cloudflare
captchas as a huge negative indicator of trust.

~~~
curiousgal
In fairness, Cloudflare's CTO did engage with the Tor folks for quite some
time.
[https://trac.torproject.org/projects/tor/ticket/18361](https://trac.torproject.org/projects/tor/ticket/18361)

~~~
anexprogrammer
Well there was something on GitHub of a browser addon to mitigate the worst of
the challenges, back in summer. I remember it hitting front page here. Seemed
hopeful a solution was on the horizon. It seems to have been untouched since,
and no sign of an actual solution...

Now the UK is stepping up surveillance silliness I use the VPN rather more,
and expect many others are, or will. Which today just means _endless_
unintelligently implemented CAPTCHAs.

~~~
garrettr_
> It seems to have been untouched since, and no sign of an actual solution...

They're working on it! There will be a talk about this at Real World Crypto
2017 in January, see "Solving the Cloudflare CAPTCHA" on the RWC program:
[http://www.realworldcrypto.com/rwc2017/program](http://www.realworldcrypto.com/rwc2017/program).

~~~
anexprogrammer
Great. I hope we'll see some movement soon - it's sorely needed. CAPTCHAs seem
to trigger more and more often lately.

Shame RWC don't put out videos of past talks - there's a couple of others that
look pretty interesting too.

------
tor_lurker
As a non-logged in lurker, I always get "prove you're legit" when using TBB. I
usually hit the "new tor circuit for this site" button a few times until it
goes away.

It is really annoying how to even _read_ HN you need to jump through hoops. I
can possibly understand commenting and posting being restricted, but there's
no reason to block simple views, it's not like anyone is going to use tor for
ddos.

~~~
LeifCarrotson
> it's not like anyone is going to use tor for ddos.

Perhaps not DDOS, but yes, tor is absolutely used maliciously:

> Based on data across the CloudFlare network, 94% of requests that we see
> across the Tor network are per se malicious. That doesn’t mean they are
> visiting controversial content, but instead that they are automated requests
> designed to harm our customers. A large percentage of the comment spam,
> vulnerability scanning, ad click fraud, content scraping, and login scanning
> comes via the Tor network. To give you some sense, based on data from
> Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion
> unwanted messages per year, begin with an automated bot harvesting email
> addresses via the Tor network.

Source: [https://blog.cloudflare.com/the-trouble-with-tor/](https://blog.cloudflare.com/the-trouble-with-tor/)

Counterpoint: [https://blog.torproject.org/blog/trouble-cloudflare](https://blog.torproject.org/blog/trouble-cloudflare)

------
gus_massa
IIRC HN only blocks Tor for recently created accounts, but perhaps HN has a
more complex criteria.

For more details, you can try contacting the mods hn@ycombinator.com (from a
throwaway email?)

~~~
colejohnson66
I thought it was a shadow ban on new accounts. You need people to vouch for
you to get out, right?

~~~
dang
Not for most new accounts, no. A small minority of new accounts' comments get
autokilled because of past abuse by trolls, and those often get rescued by
vouches.

------
3131s
I've posted on HN via Tor without issue in the recent past.

------
vabmit
I block tor from many of my servers. I started noticing that whenever I had an
issue with someone attacking a server the source traced back to an exit node.
What I found when I looked at the traffic coming from the exit nodes was that
the vast majority of it was malicious. There was a massive amount of automated
password guessing, exploit attempts, and attempts to connect to botnet
controllers/backdoors.

I'm all for anonymity. However, until the tor project puts some effort into
outbound traffic filtering for exit nodes it is too much of a time sink and
headache not to just blackhole it all on servers that either do not serve
public content or where anonymity really isn't needed/justifiable.

I put the code I use to block tor exit nodes in the public domain. You can
download it here:
[https://github.com/vab/torblock](https://github.com/vab/torblock)

~~~
maxt
There's underblocking and overblocking. Underblocking is allowing TOR traffic
through, but also letting TOR traffic flood your servers.

It's obvious that if you have a flood of nefarious traffic like this then you
should throttle the TOR traffic. Overblocking is outright blocking TOR with no
reason other than because you can, and it leaves many legitimate users
frustrated and feeling like the site just self-censored itself.

It would be suitable in these cases to strike a happy medium and allow some
TOR traffic through, but throttle suspicious-looking requests like mini
'swarms' of TOR exit IPs hitting the site all at once, which I think HN does,
because some TOR idens work, whilst others do not.
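
An added example, not part of any comment in this thread and not the torblock code linked above: it parses the `ExitAddress` lines of the exit list Godel_unicode links to and applies the "throttle, don't block" policy maxt describes, using one token bucket shared by all exit IPs so that a swarm spread across many exits is still rate limited. The sample list is constructed with documentation-range addresses, and the class name, rate and burst values are hypothetical.

```python
import ipaddress
import time

# Constructed sample in the exit-list format; documentation-range IPs, not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2016-12-01 10:00:00
LastStatus 2016-12-01 11:00:00
ExitAddress 192.0.2.10 2016-12-01 11:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2016-12-01 10:30:00
LastStatus 2016-12-01 11:00:00
ExitAddress 198.51.100.7 2016-12-01 11:06:00
"""


def parse_exit_addresses(text):
    """Collect the IPs from 'ExitAddress <ip> <date> <time>' lines."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip a malformed entry instead of failing the whole list
    return exits


class TorPoolLimiter:
    """Hypothetical policy: one token bucket for the whole Tor exit pool."""
    def __init__(self, exits, rate_per_sec, burst):
        self.exits, self.rate, self.burst = exits, rate_per_sec, burst
        self.tokens, self.last = float(burst), None

    def decide(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return "reject"  # unparseable client address
        if ip not in self.exits:
            return "allow"  # non-Tor clients are not limited by this policy
        if self.last is not None:  # refill for the time elapsed since the last Tor request
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return "throttle"  # pool budget exhausted: delay or challenge, do not block
        self.tokens -= 1
        return "allow"
```

Because Tor clients can switch circuits, a per-IP limit is easy to sidestep; the shared bucket bounds the pool as a whole while still letting individual Tor readers through.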

------
curiousgal
To avoid vote manipulation and spam I reckon.

~~~
dbg31415
Who really cares that much about internet points?

~~~
edoceo
I use applicants' HN score, and comments as hiring factors.

~~~
dcole2929
That seems like a terrible idea. Unless you're hiring for a user facing role,
one's personal opinions should have very little bearing on their hireability.
It's a number that literally means nothing. Hell you can get down voted for
having perfectly logical contrary opinions (e.g. any thread involving
politics, diversity or Microsoft). This is something you do if you're just
looking for people who think exactly the way you do.

Personally I refuse to provide any company with material that can link back to
my personal social sites. It's simply not worth it. I'm not going to sanitize
my digital life for the purposes of getting hired. I don't even provide links
to my GitHub because people read too much into what is or isn't there trying
to parse out some signal that doesn't actually exist.

~~~
edoceo
I'm not asking anyone to sanitize. I look for folks who can clearly argue
their point.

It's the quality of the debate, not the value of the position

~~~
koolba
It's not though. If you're not arguing a pro-groupthink position you'll get
down voted regardless of the quality of your commentary. See just about any
politics related thread for an example of that.

Note that only applies to subjective topics. If you're commenting about a
purely technical topic then the voting system does seem to work more
effectively.

~~~
edoceo
To be clear. If one candidate has an HN rank of 10 and another has a rank of
100 it doesn't automatically place them ahead. That would be stupid.

Nor does having downvotes cause any automatic placement adjustment.

I review their comments manually to tell me about the person. It's a
qualitative evaluation, not purely quantitative.

~~~
koolba
You previously said:

> I use applicants HN score, and comments as hiring factors.

I get reviewing the comments manually, but what could you use the score for
besides a group think filter? Might be great for a sales position ...

------
flashman
Posting via Tor now. I had to complete a reCAPTCHA before I was allowed to see
the page, but no problems on logging in. Exit relay 89.234.157.254.

I don't usually use Tor but I thought I'd test what OP's saying.

------
frantzmiccoli
It works ok here!

------
swyman
90% of our Tor traffic was script kiddies

