More than ever, websites are blocking users of the anonymizing Tor network or degrading the services they receive. Data published today by Web security company CloudFlare suggests why that is.
In a company blog post entitled "The Trouble with Tor," CloudFlare CEO Matthew Prince says that 94 percent of the requests the company sees coming across the Tor network are "per se malicious."
He explains: "That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network."
A graph in the blog post shows that nearly 70 percent of Tor exit nodes were listed as "comment spammer" nodes at some point over the last year. It's difficult to monitor individual browsers that are using Tor. "And that's a good thing," Prince writes. "The promise of Tor is anonymity... while we could probably do things using super cookies or other techniques to try to get around Tor's anonymity protections, we think that would be creepy and choose not to because we believe that anonymity online is important."
Starting last month, CloudFlare began treating Tor users as their own "country" and now gives its customers four options of how to handle traffic coming from Tor. They can whitelist them, test Tor users using CAPTCHA or a JavaScript challenge, or blacklist Tor traffic. The blacklist option is only available for enterprise customers.
As more websites react to the massive amount of harmful Web traffic coming through Tor, the challenge of balancing security with the needs of legitimate anonymous users will grow. The same network being used so effectively by those seeking to avoid censorship or repression has become a favorite of fraudsters and spammers.
The study on Tor published last month shows some of the limits already being placed on Tor users. Wikipedia, for instance, allows them to read but not edit articles. Google allows home page access but increasingly presents CAPTCHAs or block pages to Tor searchers. Bank of America won't allow a login from Tor. Websites like yelp.com, macys.com, and bestbuy.com, which use Akamai and Amazon Web Services, are currently blocking between 60 and 70 percent of Tor exit nodes, according to the same study.
