Ask HN: Why block Tor?
84 points by ffggvv on Dec 18, 2016 | 49 comments
Didn't we like privacy?



We changed the title from "Why HN Blocks Tor?" because HN doesn't block Tor. Plenty of users read HN and post to HN using Tor every day, including some in this thread.

There have been issues in the past with Cloudflare and Tor, but I don't know what the current status of that is. Certainly they aren't blocking everybody, or we wouldn't see them.

The one thing HN itself does is moderate comments from brand new accounts that are posted using Tor. We do this because of past abuses by trolls. However, when such comments are good they routinely get restored by users using the 'vouch' feature, or, failing that, we often restore them ourselves. So even this isn't much of a restriction. The main problem is that it makes for a time delay between when a (good) comment gets posted and when other users get to see it.


What is the Tor .onion address for hacker news?

That's what I'm interested in, I'll add it to my bookmarks and use it by default. I don't see why we want to involve exit nodes at all.


Sometimes I get roadblocked from viewing Hackernews when using TOR. I say sometimes, because I normally have to change my identity/location to view HN's frontpage (whilst logged out). It can become a hit or miss type scenario where the HN servers are not as strict upon my third, or usually fourth identity and allow TOR traffic through.


How can HN identify they are behind Tor?


You might be interested in this listing from the Tor project:

https://check.torproject.org/exit-addresses


The IP addresses of Tor exit nodes are publicly available.


Is it not a Cloudflare issue? HN is behind Cloudflare, and Cloudflare thinks it's a problem... last time I tried, it requests verification each time, as do other Cloudflare-backed sites (my own included).


I don't get the usual cloudflare captcha when I visit HN via Tor. Maybe the problem is something else?

You can disable CloudFlare's tor-blocking [1] - I do on my static blog, as I don't see much value in putting a captcha in front of static content.

[1] https://support.cloudflare.com/hc/en-us/articles/203306930-D...


Cloudflare is horrifically hostile to users, triggering blocks and Captchas all the damn time, but I've never once had an issue, or cloudflare interruption, with HN.

It'd give me an interesting conflict if I ever had, as I take Cloudflare captchas as a huge negative indicator of trust.


In fairness, Cloudflare's CTO did engage with the Tor folks for quite some time. https://trac.torproject.org/projects/tor/ticket/18361


Well there was something on Github of a browser addon to mitigate the worst of the challenges, back in summer. I remember it hitting front page here. Seemed hopeful a solution was on the horizon. It seems to have been untouched since, and no sign of an actual solution...

Now the UK is stepping up surveillance silliness I use the VPN rather more, and expect many others are, or will. Which today just means endless unintelligently implemented CAPTCHAs.


> It seems to have been untouched since, and no sign of an actual solution...

They're working on it! There will be a talk about this at Real World Crypto 2017 in January, see "Solving the Cloudflare CAPTCHA" on the RWC program: http://www.realworldcrypto.com/rwc2017/program.


Great. I hope we'll see some movement soon - it's sorely needed. CAPTCHAs seem to trigger more and more often lately.

Shame RWC don't put out videos of past talks - there's a couple of others look pretty interesting too.


Gotta admit, I've never seen a cloudflare captcha anywhere. Not since the SEO guy who had a desk in our office left 2 years ago.

(Funnily enough, Google stopped giving us captchas at the same time ;))


As a non-logged in lurker, I always get "prove you're legit" when using TBB. I usually hit the "new tor circuit for this site" button a few times until it goes away.

It is really annoying how to even read HN you need to jump through hoops. I can possibly understand commenting and posting being restricted, but there's no reason to block simple views, it's not like anyone is going to use tor for ddos.


> it's not like anyone is going to use tor for ddos.

Perhaps not DDOS, but yes, tor is absolutely used maliciously:

> Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.

Source: https://blog.cloudflare.com/the-trouble-with-tor/

Counterpoint: https://blog.torproject.org/blog/trouble-cloudflare


IIRC HN only blocks Tor for recently created accounts, but perhaps HN has more complex criteria.

For more details, you can try contacting the mods hn@ycombinator.com (from a throwaway email?)


I thought it was a shadow ban on new accounts. You need people to vouch for you to get out, right?


Not for most new accounts, no. A small minority of new accounts' comments get autokilled because of past abuse by trolls, and those often get rescued by vouches.


I've posted on HN via Tor without issue in the recent past.


I block tor from many of my servers. I started noticing that whenever I had an issue with someone attacking a server the source traced back to an exit node. What I found when I looked at the traffic coming from the exit nodes was that the vast majority of it was malicious. There was a massive amount of automated password guessing, exploit attempts, and attempts to connect to botnet controllers/backdoors.

I'm all for anonymity. However, until the tor project puts some effort into outbound traffic filtering for exit nodes it is too much of a time sink and headache not to just blackhole it all on servers that either do not serve public content or where anonymity really isn't needed/justifiable.

I put the code I use to block tor exit nodes in the public domain. You can download it here: https://github.com/vab/torblock


There's underblocking and overblocking. Underblocking is allowing TOR traffic through, but also letting TOR traffic flood your servers.

It's obvious that if you have a flood of nefarious traffic like this then you should throttle the TOR traffic. Overblocking is outright blocking TOR with no reason other than because you can, and it leaves many legitimate users frustrated and feeling like the site just self-censored itself.

It would be suitable in these cases to strike a happy medium and allow some TOR traffic through, but throttle suspicious-looking requests like mini 'swarms' of TOR exit IPs hitting the site all at once, which I think HN does, because some TOR idens work, whilst others do not.
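
An added example (not from any commenter, and not HN's, Cloudflare's or torblock's code): parsing the exit list layout served at check.torproject.org/exit-addresses and applying a graduated policy instead of a blanket block. The sample list, `TorPolicy`, its thresholds and the action names are assumptions made for illustration.

```python
import ipaddress
from collections import deque

# Constructed sample in the exit-addresses layout; fingerprints and addresses
# are placeholders (RFC 5737 documentation ranges), not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2016-12-18 09:12:44
LastStatus 2016-12-18 10:02:51
ExitAddress 192.0.2.10 2016-12-18 10:05:30
ExitNode 0000000000000000000000000000000000000002
Published 2016-12-18 08:40:02
LastStatus 2016-12-18 10:02:51
ExitAddress 198.51.100.7 2016-12-18 09:47:11
ExitAddress 198.51.100.8 2016-12-18 09:47:15
ExitAddress not-an-ip 2016-12-18 09:47:15
"""

def parse_exit_addresses(text):
    """Return the set of exit IPs; malformed ExitAddress lines are skipped."""
    exits = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # never let one bad line poison the whole list
    return exits

class TorPolicy:
    """Hypothetical policy: reads pass, new-account posts are held, bursts are throttled."""
    def __init__(self, exits, burst_limit=3, window_s=10):
        self.exits, self.burst_limit, self.window_s = exits, burst_limit, window_s
        self.recent = deque()  # timestamps of recent requests from any exit IP

    def decide(self, ip, action, account_is_new, now):
        if ipaddress.ip_address(ip) not in self.exits:
            return "allow"
        # One sliding window over all exit traffic catches a swarm spread across exits.
        self.recent.append(now)
        while self.recent and now - self.recent[0] > self.window_s:
            self.recent.popleft()
        if len(self.recent) > self.burst_limit:
            return "throttle"
        if action == "post" and account_is_new:
            return "hold_for_review"
        return "allow"
```
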


To avoid vote manipulation and spam I reckon.


Aren't new accounts limited?


Who really cares that much about internet points?


Anyone who cares about what's on the front page, which includes many people who aren't even logged in.


Startups that get visitors if they're on the front page? Like there is a clear connection between "internet points", as you call them, and revenue.


Spammers and similar people who want to abuse HN to artificially promote something.


I use applicants' HN score, and comments as hiring factors.


That seems like a terrible idea. Unless you're hiring for a user facing role, one's personal opinions should have very little bearing on their hireability. It's a number that literally means nothing. Hell you can get down voted for having perfectly logical contrary opinions (e.g. any thread involving politics, diversity or Microsoft). This is something you do if you're just looking for people who think exactly the way you do.

Personally I refuse to provide any company with material that can link back to my personal social sites. It's simply not worth it. I'm not going to sanitize my digital life for the purposes of getting hired. I don't even provide links to my github because people read too much into what is or isn't there trying to parse out some signal that doesn't actually exist.


My posting voice on HN is very different than my professional voice, and I don't want the two spheres connected at all.

(Similarly I don't want my reddit or tumblr accounts connected with my professional space, but I do want my github and linkedin accounts connected with my professional space, and I try to keep my facebook account generally respectable; these days it's mostly shares of 'Old Friends Senior Dog Sanctuary' pictures and if any employer doesn't like that then I don't want to work for them).


I'm not asking anyone to sanitize. I look for folks who can clearly argue their point.

It's the quality of the debate, not the value of the position


It's not though. If you're not arguing a pro-groupthink position you'll get down voted regardless of the quality of your commentary. See just about any politics related thread for an example of that.

Note that only applies to subjective topics. If you're commenting about a purely technical topic then the voting system does seem to work more effectively.


To be clear. If one candidate has an HN rank of 10 and another has a rank of 100 it doesn't automatically place them ahead. That would be stupid.

Nor does having downvotes cause any automatic placement adjustment.

I review their comments manually to tell me about the person. It's a qualitative evaluation, not purely quantitative.


You previously said:

> I use applicants' HN score, and comments as hiring factors.

I get reviewing the comments manually, but what could you use the score for besides a group think filter? Might be great for a sales position ...


I'm curious how you go about this. I can't imagine handing out my screenname to an employer. What kind of criteria do you look for in comments?


The application process asks for links to profiles, one of which is HN (also github, Twitter, StackOverflow, others).

Criteria varies. Red flags (such as loads of flagged comments here), name calling, threats, "bad" things.

Once an applicant was dismissed from my process because their comments on social (not just HN) showed a severe distaste for "n00b JS". The position clearly identified use of these tools. The demonstrated attitude would be caustic to my team and my junior devs would suffer.

Since companies always have more applicants than jobs we can be choosy. I filter for social fit first.

I can teach you to code. I don't know how to teach you to be respectful.

Again, HN profile is one of 100s of factors we compare on applicants


What happens if an applicant doesn't supply them? How do you deal with people who don't have accounts or don't use those services? Are you worried that you may be missing out on candidates who don't participate in these communities? I totally understand wanting to find strong fits for a company culture, but non-work related social profiles seems like a minefield of a way to screen for how respectful a person will be in an office environment.


It's not an issue if not supplied. Many don't. We've had candidates with no HN or GitHub profiles make it through the process.

HN is a work-related profile for some jobs.

Hiring is already a minefield. HN or social profiles are just one way for either candidates or employers to blow themselves up.


I assume if their score is too high you conclude that they waste time on HN instead of working


It's more than that.

Example: claiming they are active in tech community and having low score.

Claiming they've been around a while and having young profile.

It's about matching claims to reality.

No applicant is obligated to share. The whole tell me details about yourself is the candidate's choice.


What insight could you possibly hope to gain by this?

Social media has no relevance to work performance.


It's not a performance measure. It's a social-fit indicator.

There is more to the hiring process than just raw skill.

I mean, I don't even waste time with coding questions. It doesn't matter that you can code circles around someone else if you are a jerk.


... Says the guy with only 162!


I think down votes are toxic, just utterly useless as a signal. Why enable people to be petty?

I think HN has a serious case of "we take ourselves too seriously" -- there shouldn't be a penalty for making a joke on a website.


I never said they're toxic. Heck I love them and probably use them as much as upvotes.


Posting via Tor now. I had to complete a reCAPTCHA before I was allowed to see the page, but no problems on logging in. Exit relay 89.234.157.254.

I don't usually use Tor but I thought I'd test what OP's saying.


It works ok here!


90% of our Tor traffic was script kiddies



