
HN is penalizing Tor users - lrvick
I am unable to use mobile apps for HN since I use Tor full time and HN wants me to constantly complete captchas to prove I am human.

I am human. Thanks.
======
jgrahamc
What browser are you using? We fixed our Tor handling long ago. Would like to
understand what you are seeing.

~~~
torthrow123123
(Not the OP.) I'm using Tor Browser on a desktop/laptop. I'm seeing different
problems:

(1) Rate-limiting: My regular account (this is a throwaway) has thousands in
karma, but after around 4 comments I still get the 'you're posting too fast'
rate limiter. Perhaps HN could disable rate-limiting after the Tor user has a
certain amount of karma.

(2) Comments seem penalized, starting in the middle of threads instead of at
the top. This issue has come and gone a couple of times (it's happening now on
my regular account). It seems to stop when I have had an interaction with the
mods; I wonder if they notice and disable it. It seems to restart after I get
several downvotes in a short period; perhaps that triggers some algorithm
which decides that comments over Tor are shady.

(3) Registering accounts requires a captcha and is frustrating, though
something I rarely have to deal with. To register this throwaway account I got
a captcha, completed it, approved. HN said the username was taken, and when I
entered another username the process started over - another captcha. Then the
username was too long, so I started over again.

~~~
ocdtrekkie
I suspect these are not related to your use of Tor. Note that jgrahamc is at
Cloudflare, not HN, and was asking about the Cloudflare interactions people on
Tor are having, as the CAPTCHA the OP is speaking about is implemented by
Cloudflare.

I am currently rate-limited, I have been on rate-limiting before, and I've had
my rate-limiting disappear. This has more to do with how happy (or unhappy, as
the case is) the mods are with your commenting habits than what browser you
are using. I do not know if your rate limit penalty has an expiration date or
if they manually remove you; HN mods rarely if ever discuss rate limiting, but
it is almost surely to curb what HN mods consider poor quality comments and
ensure they don't overwhelm a discussion.

~~~
dang
It's not so uncommon that we discuss rate limiting. We do that all the time
when people email us and I've posted not infrequently about it:
[https://hn.algolia.com/?query=by:dang%20rate%20limit&sort=by...](https://hn.algolia.com/?query=by:dang%20rate%20limit&sort=byDate&dateRange=all&type=comment&storyText=false&prefix=false&page=0).
People are welcome to ask questions, though as the site guidelines ask, it's
better to do that by emailing us.

Being rate limited is annoying, so I appreciate the even-handedness in what
you wrote.

------
ocdtrekkie
HN isn't "penalizing Tor users", but HN does use Cloudflare.

94% of the requests Cloudflare saw over Tor were malicious[1], but rather than
block Tor, they implemented a couple of ways to prove you are part of the 6%,
including a browser extension[2] that can get you out of the CAPTCHAs.

[1] [https://blog.cloudflare.com/the-trouble-with-tor/](https://blog.cloudflare.com/the-trouble-with-tor/)

[2] [https://blog.cloudflare.com/cloudflare-supports-privacy-pass...](https://blog.cloudflare.com/cloudflare-supports-privacy-pass/)

~~~
lrvick
Malicious how? No one is going to stop bots scraping the site so why penalize
humans?

~~~
blakesterz
I wrote a little script to watch Tor traffic to my servers and way more than
94% is either clearly malicious or probably malicious. Malicious is clearly
scans, bruteforcing attempts, and so on. Malicious is obvious most of the time
when I look at the web logs. "Probably Malicious" is something like an odd
single hit to an index page, really not quite sure what they're doing, but
it's clearly not a person looking at the site. Tor traffic is almost never a
person looking at a website based on what I see in my Apache logs.

Most clearly malicious traffic to my servers is not Tor, but most Tor traffic
is malicious. This is what I see to my servers, you may see different traffic
on your servers.
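
Added example, not blakesterz's script and not part of the original thread: one way to sort requests from Tor exits in an access log into the buckets the comment above describes. The exit addresses, log lines, probe paths and the failed-login threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed data (RFC 5737 addresses); a real run loads the Tor exit list.
TOR_EXITS = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}

# Assumed heuristics, for illustration only.
PROBE_PATHS = re.compile(r"^/(wp-login\.php|\.env|phpmyadmin|\.git/)", re.I)
ASSET = re.compile(r"\.(css|js|png|jpg|ico)(\?|$)", re.I)
FAILED_LOGIN_THRESHOLD = 3

# Common Log Format: ip ident user [time] "METHOD path proto" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Constructed sample log.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2019:13:55:36 +0000] "GET /.env HTTP/1.1" 404 196
192.0.2.10 - - [10/Oct/2019:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196
192.0.2.11 - - [10/Oct/2019:14:01:01 +0000] "POST /login HTTP/1.1" 401 12
192.0.2.11 - - [10/Oct/2019:14:01:02 +0000] "POST /login HTTP/1.1" 401 12
192.0.2.11 - - [10/Oct/2019:14:01:03 +0000] "POST /login HTTP/1.1" 401 12
192.0.2.12 - - [10/Oct/2019:14:10:00 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.13 - - [10/Oct/2019:14:20:00 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.13 - - [10/Oct/2019:14:20:01 +0000] "GET /style.css HTTP/1.1" 200 900
203.0.113.5 - - [10/Oct/2019:14:30:00 +0000] "GET /.env HTTP/1.1" 404 196
"""

def classify(log_text, exits=TOR_EXITS):
    """Return {exit_ip: verdict} for requests that came from Tor exits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in exits:  # non-Tor clients are ignored here
            hits[m.group(1)].append((m.group(2), m.group(3), int(m.group(4))))
    verdicts = {}
    for ip, reqs in hits.items():
        failed = sum(meth == "POST" and st in (401, 403) for meth, _, st in reqs)
        if failed >= FAILED_LOGIN_THRESHOLD or any(PROBE_PATHS.match(p) for _, p, _ in reqs):
            verdicts[ip] = "clearly malicious"     # scans, brute forcing
        elif len(reqs) == 1 and reqs[0][1] == "/":
            verdicts[ip] = "probably malicious"    # odd single hit to index
        elif any(ASSET.search(p) for _, p, _ in reqs):
            verdicts[ip] = "looks like a browser"  # page plus its assets
        else:
            verdicts[ip] = "unclassified"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(ip, verdict)
```
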

~~~
lrvick
Sweeping bans of users based on shared IP addresses should never be more than
a very short term stopgap solution.

There are other ways to solve these problems. As just one example you could
support protocols like U2F or FIDO2 that take brute forcing off the table, and
the brute forcers go away.

As another example I offer free unix shell services to the general public.
Lots of people were using Tor to create accounts for cryptocurrency mining.
Instead of banning Tor I blocked all outgoing traffic to all major mining
pools. The mining abuse stopped.

Try to find ways to remove the incentive for bad behaviour, rather than
throwing out the good with the bad.

~~~
ada1981
I appreciate the way you think. I’d love to hear you brainstorm on social
problems using the same approach.

------
imhoguy
Well, I think there may be too many peers using a pretty limited number of exit
nodes to access HN (or any other popular site), currently 1109 hosts, source:
[https://www.dan.me.uk/tornodes](https://www.dan.me.uk/tornodes)

------
gus_massa
Send an email to the mods: hn@ycombinator.com. Perhaps they can solve your
problem.

