Tor users being actively blocked on some websites

Anonymous users are being treated like second-class citizens: many sites block them altogether, while others feed them a degraded service or force them to clear hurdles such as CAPTCHAs, according to a recently published research paper.

This isn’t about hacktivists associated with Anonymous.

Rather, it’s about the lower-case version of anonymous, as in those who use Tor to help preserve anonymity.

According to the paper, titled "Do You See What I See? Differential Treatment of Anonymous Users", 3.67% of the top 1,000 Alexa sites are blocking visitors who arrive from known Tor exit-node IP addresses.

Anonymity networks – the “king” of which is Tor, to borrow the National Security Agency’s (NSA’s) description – already face a hostile environment that includes deanonymization attacks and government blocks.

This is a different type of threat. It involves giving Tor users crummy service or just blocking them outright.

The researchers, from the Universities of Cambridge and California-Berkeley, University College London, and International Computer Science Institute-Berkeley, said that the problem is amplified if it’s done by particular services:

The problem becomes amplified when ‘bottleneck’ web services (e.g., CloudFlare, Akamai) whose components are used by many other websites block or discriminate against Tor users, or when third-party blacklists used by a large number of websites include Tor infrastructure (in particular, exit node) IP addresses.

BestBuy.com is one example. It’s hosted on Akamai.

Like some other Akamai sites, BestBuy.com blocks over 60% of Tor exit nodes.

The researchers drew on several data sources: comparisons of internet-wide port scans from Tor exit nodes vs. from control hosts; scans of the home pages of top-1,000 Alexa websites through every Tor exit; and analysis of nearly a year of historic HTTP crawls from Tor network and control hosts.

They came up with methodologies to handle a few things: for example, how do you distinguish intentional degradation from incidental failures, such as packet loss or network outages?

For that matter, how do you deal with churn as services blink on and off?

And what about blocks that are aimed at abusive IP addresses – those involved in fraud or other crime – but which sweep up innocent users who just happen to be sharing the same exit node as the bad actors?

The researchers cited CloudFlare, a large content delivery network, as one of the most conspicuous examples of a phenomenon in which automated blocking systems are used.

Such systems don’t target Tor users, per se. They merely react to the consolidated traffic of the many users coming from an exit node.

CloudFlare assigns a reputational score to each client IP address in terms of how much malicious traffic it sends. If the score’s low enough, some clients are banned outright.

CloudFlare explains it this way on a support page:

CloudFlare does not actively block visitors who use the Tor network.

Due to the behaviour of some individuals using the Tor network (spammers, distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes generally earn a bad reputation.

CloudFlare challenges some low-reputational-score visitors to solve a CAPTCHA.

The CAPTCHAs are “awful,” Tor advocates complained in a sometimes heated discussion with CloudFlare that was sparked by the paper:

[CloudFlare doesn’t] appear open to working together in open dialog, they actively make it nearly impossible to browse to certain websites, they collude with larger surveillance companies (like Google), their CAPTCHAs are awful, they block members of our community on social media rather than engaging with them and frankly, they run untrusted code in millions of browsers on the web for questionable security gains.

Akamai-run sites, on the other hand, don’t make Tor users run the awful-CAPTCHA gauntlet. Rather, they often block Tor users outright with a 403 error that can’t be bypassed.

Other sites, such as Yelp and Craigslist, have their own block page.

Some websites, e.g., macys.com, return a redirect error that often leads to an infinite redirect loop.
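The treatments described above (CAPTCHA, 403, custom block page, redirect loop), and the earlier question of telling them apart from incidental failures, can be made concrete with a small classifier that compares fetches through Tor exits against a control fetch. This is an added example, not the researchers' code or methodology; the field names, marker strings and sample data are constructed assumptions.

```python
# Added illustration: field names, markers and sample data are constructed assumptions.
CAPTCHA_MARKERS = ("captcha",)
BLOCK_MARKERS = ("access denied", "request blocked")

def classify(fetch, control):
    """Label one fetch made through a Tor exit, relative to a control fetch."""
    if control["status"] != 200:
        return "inconclusive"      # site failing for everyone, not Tor-specific
    if fetch["status"] is None:
        return "network_failure"   # timeout or packet loss: incidental
    chain = fetch.get("redirects", [])
    if len(chain) != len(set(chain)):
        return "redirect_loop"     # same URL visited twice in one chain
    body = fetch.get("body", "").lower()
    if any(m in body for m in CAPTCHA_MARKERS):
        return "captcha"           # checked first: challenge pages may carry a 403
    if fetch["status"] == 403:
        return "blocked_403"
    if any(m in body for m in BLOCK_MARKERS):
        return "block_page"        # site-specific page served with a non-403 status
    return "ok" if fetch["status"] == 200 else "other_error"

def exit_verdict(attempts, control):
    """Combine repeated attempts from one exit so one lost packet is not a 'block'."""
    labels = [classify(a, control) for a in attempts]
    decided = [l for l in labels if l not in ("network_failure", "inconclusive")]
    if not decided:
        return "unknown"           # excluded from the blocked fraction
    if "ok" in decided:
        return "ok"                # the page was reachable at least once
    return max(sorted(set(decided)), key=decided.count)  # most frequent treatment

def blocked_fraction(per_exit, control):
    """Share of exits with a known verdict that never reached the page."""
    verdicts = {e: exit_verdict(a, control) for e, a in per_exit.items()}
    known = [v for v in verdicts.values() if v != "unknown"]
    blocked = [v for v in known if v != "ok"]
    return verdicts, (len(blocked) / len(known) if known else None)

# Constructed sample: one site fetched twice through each of four exits.
CONTROL = {"status": 200, "body": "<html>Welcome</html>"}
SAMPLE = {
    "exit-A": [{"status": 403, "body": "Access Denied"}] * 2,
    "exit-B": [{"status": None}, {"status": 200, "body": "<html>Welcome</html>"}],
    "exit-C": [{"status": 200, "body": "Please complete the CAPTCHA"}] * 2,
    "exit-D": [{"status": None}, {"status": None}],
}
```

An exit whose attempts all time out stays "unknown" and is left out of the denominator, so churn and outages do not inflate the blocked fraction.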

On average, around 69 of the sites the researchers looked at block over 10-50% of Tor exit nodes. The majority of these websites are hosted on CloudFlare, they said.

To figure out whether those sites are blocking Tor visitors because they associate them with abuse, or are simply blanket-blocking Tor, the team looked at the age and exit probability of exit nodes, working on the assumption that old or high-probability exit nodes have more opportunity to attract abuse.

The results weren’t consistent. Some sites, including CloudFlare sites, didn’t block exit nodes younger than 30 days. Akamai did, though.

There’s not much that can be done with sites that preemptively block all Tor exit traffic, beyond detecting the blockage and publicizing it, the researchers said.

As far as abuse-based blocking goes, harmless Tor users could be helped by more precise filtering, they said.

It’s important to figure out ways to keep innocent users from being lumped in with spammers, malware distributors and cyber attackers, they said, given that users in some countries rely on Tor to get content that hasn’t been scrubbed by the government:

While many websites block Tor to reduce abuse, doing so inadvertently impacts users from censored countries who do not have other ways to access censored internet content.

Anonymous communication on the internet is a critical resource for people whose access to the internet is restricted by governments.

However, the utility of anonymity networks is threatened by services on the internet that block or degrade requests from anonymous users.
