
Tor use is now forbidden on Kimsufi's OVH - gallypette
http://forum.ovh.com/showthread.php?t=89685
======
jeremysmyth
Tor can be used for good and for bad. It's the very same problem that Cory
Doctorow talks about in his lectures about the War on General Purpose
Computing, and it's not an easy problem to solve.

I'm an admin on a social/gaming site (a MUD with appendant forum, blogs, and
other community elements), and we have had to make a few decisions about Tor
in the last couple of years.

Some background: the site is quite old, and we have historically encouraged
users to sign up without needing to provide a unique ID such as email address.
They _can_ provide one, but don't have to. In the last few years we have had
the problem of occasional griefers who log on and cause whatever social havoc they
can.

Now, my personal feelings about Tor are generally quite positive, and I like
the freedoms it provides people who are otherwise restricted by their ISPs or
governments from accessing legitimate resources. Like many others have said,
Tor is a tool that, while it can be used to do illegal things, is also used to
provide a very useful service to people who need it to get on with things you
and I take for granted.

Now, back to our griefers: We have a number of banning mechanisms based on IP
or domain, and they tend to be successful because griefers usually get bored
when they can't access the site for a couple of hours. However, because a tiny
minority of griefers are more persistent, more technically adept, and figured
they could use Tor to damage our community, we did a little bit of analysis
and found that few if any legitimate users of our site came from Tor exit
points, and we chose to block them. The alternative was to require a unique
identity during the sign-up process, and frankly we wanted as few hurdles as
possible to new users (anyone who knows the MUD community knows that it's in
decline, and low-friction signups are pretty desirable). So we blacklist Tor
exit points from our signup process. The unfortunate fact is that some Tor
users do bad things with the fantastic tool at their disposal, and end up
spoiling it for the legitimate (and extremely valuable) use cases that make it
such an amazing tool. Yet its very anonymity means that there is no easy way
to allow one set of uses while disallowing others. This is a hard problem, and
one I'm not smart enough to solve.

~~~
mst
Assuming you have the technical capability, requiring an email address and
confirmation for only tor users could work.

Freenode does something similar - tor and other problematic traffic sources
can connect but must use connect time SASL to authenticate to a previously
created account, which is sufficient to exclude the vast majority of the
griefers.

~~~
Tuna-Fish
What good would email address confirmation do? You do know about mailinator,
right?

~~~
JohnTHaller
Most sites that have issues with trolls and find IP blocks insufficient can
also block on mailinator and similar domains.

~~~
Tuna-Fish
No, they _attempt_ to block similar domains. And completely fail at it.

I never use my main email for anything I don't feel requires it, and while
mailinator.com is often blocked, I've never in my life had to refresh the
mailinator page more than twice for an alternate domain that works. Since
mailinator accepts email from any domain that has its MX record set to it, if
you own a domain you can set it to be an alternate name to mailinator in
seconds. Enough people have done this.

~~~
devicenull
No, it's actually super easy to block it if you're clever enough ;)

~~~
Tuna-Fish
Could you point me to a site that does successfully block it?

------
pktgen
I have a hard time blaming them for this. They're a budget provider, so any
extra cost handling subpoenas and legal documents (which, let's not kid
ourselves, is going to happen 100x more on a Tor node than on the majority of
their other customers) quite possibly means a loss for them on a server.

------
rst
The relevant French: "depuis quelques mois, nous avons eu plusieurs affaires
juridiques lié à l'utilisation de plusieurs réseaux TOR dans le cas de la pedo
et on va désormais l'interdire au même titre que tous les systèmes
d'anonymisation."

My (amateur) translation, cleaning up Google translate (which doesn't
recognize Tor as a proper name): "For several months, we've had many legal
matters related to the use of TOR networks in pedo cases, and from now on, it
is forbidden along with all systems of anonymization."

Doesn't sound like they want any part of it.

~~~
devcpp
Weird, the French part looks like the output of a translator. There are a few
faults of vocabulary, grammar and sentence structure.

Your translation is correct though.

~~~
norswap
French is my mother tongue, and I think it sounds alright. It's everyday
speech though, not something you'd write in a press statement.

~~~
GuiA
Fellow Frenchie here- it does look like it was written by a high schooler
rather than a CEO- awkward phrasing ("dans le cas de la pedo", wtf?!?),
conjugation mistake ("liées"), use of "on va" instead of "nous allons" in a
formal written statement...

~~~
norswap
Seems commonplace in the French IT sphere. On the new "42" school forums, the
mods are downright trolling.

------
gallypette
"For security reasons, all IRC services (including but not limited to: bots,
proxies, bouncers, etc.), anonymous browsing services (generally called
proxies), and TOR nodes are not permitted on the OVH network without written
authorization from OVH. OVH reserves the right to suspend any server on which
these items are used without OVH's prior authorization."

It looks like anything looking like a proxy is forbidden now. Including tor
nodes :/

~~~
valinor4
Proxies were already forbidden since 2010 (I think).

~~~
anonymous
I hope you mean open proxies, because even ssh allows you to establish a (for
you only) socks 5 proxy.

------
lechevalierd3on
OVH used to be one of the top host providers. Last year they removed the
unmetered bandwidth and now TOR, VPN too? (It's unclear to me.) What's next?
No HTTPS, European traffic only? Seriously, this saddens me; lucky for us
Online.net is a good challenger.

~~~
PaperclipTaken
OVH is still the cheapest host I've ever seen. 1 TB disk space, 100mbps
connection speed, 5TB bandwidth, all for $20/mo?

I'm not complaining, nor have I seen better.

~~~
kristofferR
Their support is totally abhorrent though, be prepared to wait days/weeks
instead of minutes/hours for any support at all, they abruptly change your TOS
and server specs without telling you, cancel your order for no reason without
telling you or even refunding you etc.

They're totally horrible to deal with, unless you make minimum wage you're
probably going to spend more on packets of Tylenol due to all the headaches
they cause than what you're going to save.

~~~
UVB-76
Indeed. I ordered a Kimsufi server five days ago with a guideline setup time
of 24 hours. Placed the order, made payment, no doubt I'm already paying for
the service, but five days later, I'm still awaiting setup.

Their ordering process is painful. Their online management interface is
atrocious. Communication is poor.

It's true what they say about paying peanuts...

~~~
jul3s
"no doubt I'm already paying for the service, but five days later, I'm still
awaiting setup."

I'm a long time OVH customer and I can assure you that your contract term will
start only when you get your server.

As far as I know the first 1000 "3euros" servers got sold faster than they
thought. Now they are building new ones. Be patient, your server is coming.
;-)

------
lambada
They've not been Tor friendly for a while - and indeed have forbidden Tor for
some time, at least according to Tor's Good Bad ISPs wiki page -
[https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISP...](https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs#France1)

------
computer
My French is not good enough to see if this is only for exit nodes, or also
for internal relays?

Running Tor relays is one of the reasons I use their servers...

~~~
yannickmahe
"depuis quelques mois, nous avons eu plusieurs affaires juridiques lié à
l'utilisation de plusieurs réseaux TOR dans le cas de la pedo et on va
désormais l'interdire au même titre que tous les systèmes d'anonymisation.
Cela augmente l'utilisation frauduleuse de notre réseau et le nombre de
réquisition juridique chaque mois"

"starting a few months back, we've had a number of legal cases regarding the
use of multiple TOR networks for pedo, and we will forbid its use from now on,
the same way we forbid all anonymisation systems. It raises the number of
fraudulent uses of our network and the number of subpoenas each month"

I guess it means both.

~~~
computer
Internal relays would never result in complaints though, since it only
connects to other Tor nodes?

~~~
wmf
The policy is probably just a justification for canceling accounts after they
get the first complaint; if you never generate a complaint they'll probably
never notice.

------
lelf
Google-translated part from
[http://www.ovh.com/fr/support/documents_legaux/Conditions_pa...](http://www.ovh.com/fr/support/documents_legaux/Conditions_particulieres_location_serveur_dedie_2013.pdf):

7.4 For security reasons, all IRC services (for non-exhaustive: bots, proxy,
bouncer, etc..), anonymous browsing services (usually called proxies), TOR
nodes, are not allowed on the OVH network unless written consent of OVH. OVH
reserves the right to suspend any server which these elements are used without
prior permission of OVH.

------
ScottWhigham
How do they detect the use of a proxy though? That's what I don't understand.
Tor's exit nodes are not broadcast, or are they?

~~~
mike-cardwell
The list of Exit nodes is publicly accessible. All you have to do is check if
any of your IPs are in that list.
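
An added example, not part of any comment in this thread or of any site's actual code: a sign-up gate that checks the client address against a locally cached copy of the public exit list, as described just above, and applies the earlier suggestion of asking only Tor clients for a confirmed email. The list format (one address per line), the function names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample list: one address per line, '#' starts a comment.
# All addresses come from documentation ranges; none is a real Tor exit.
SAMPLE_EXIT_LIST = """\
# constructed sample
192.0.2.10
198.51.100.77

2001:db8::dead:beef
not-an-ip
"""

def _normalise(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def load_exit_set(text):
    """Return a frozenset of exit addresses; skip blanks, comments and junk."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(_normalise(line))
        except ValueError:
            continue  # malformed entry: ignore it rather than fail the load
    return frozenset(exits)

def signup_decision(client_ip, exits, has_verified_email):
    """Ordinary clients sign up freely; Tor exits need a confirmed email."""
    try:
        ip = _normalise(client_ip)
    except ValueError:
        return "reject"  # the server could not parse the client address
    if ip not in exits:
        return "allow"
    return "allow" if has_verified_email else "require_email_confirmation"

EXITS = load_exit_set(SAMPLE_EXIT_LIST)
```

The IPv4-mapped unwrapping matters on dual-stack listeners, where an IPv4 client can be reported as `::ffff:192.0.2.10` and would otherwise miss a list that stores plain IPv4 entries.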

~~~
dylz
The list of ALL nodes, including ENTRY and MIDDLE are also public.

~~~
mike-cardwell
Excluding bridge nodes

------
aw3c2
Aww, I was running a relay for more than two years on mine. Hopefully it only
means exit nodes.

------
gesman
But I think people can still operate Tor Hidden services from there.

~~~
Sprint
Running a hidden service requires running a relay (exit or no-exit), right? I
was planning to provide a hidden service for a site of mine for fun mostly but
would not want to risk losing my server for satisfying my hacker enthusiasm.

~~~
mike-cardwell
You don't need to be any sort of relay in order to host a hidden service. You
can do it when just running as a client.

------
teawithcarl
Here's a related link just 5 days ago.

Server host OVH warns of 'multi-stage' hacking attack.
[http://www.theregister.co.uk/2013/07/23/top_server_host_ovh_...](http://www.theregister.co.uk/2013/07/23/top_server_host_ovh_warns_of_multistage_hacking_attack/)

~~~
aroch
Well...no. This is OVH's own systems being compromised. It has nothing to do
with 'hackers' using OVH servers to attack other people.

------
Nux
Makes sense. Tor's nature (and its many dodgy uses) will eventually lead to
its demise, alas.

~~~
pestaa
I did not downvote but instead invite you to elaborate. Why will Tor cause its
own demise?

~~~
Karunamon
Operating as an exit node exposes you to a great deal of legal issues, if not
liability.

Not to mention annoyance for the user... there will be sites you can't access
since many sites block exit node IPs outright because of abuse.

If some random does something illegal and they happen to be using your node,
guess who gets the knock on the door?

With that in mind, what user would want to operate an exit node?

~~~
Homunculiheaded
What about hidden services? In my opinion that's the real heart of Tor. I
think the value of exit nodes will start to wane as Tor gains a larger and
larger user base and becomes its own truly viable darknet. As it stands the
majority of security related discussions I've come across regarding Tor
strongly discourage spending any large amount of time on clearnet services
anyway as this creates many potential security/privacy risks.

~~~
welterde
If you are more interested in the hidden services aspect, did you also have a
look at I2P [1]? It is more geared toward this aspect (exit nodes = outproxies
in i2p-speak for example are just standard hidden services)

[1] [https://geti2p.net/](https://geti2p.net/)

~~~
Homunculiheaded
Thanks! i2p is on my list of 'privacy stuff to learn' but your comment may
have bumped it up a bit in priority.

