2010-03-11
2013-07-29
I'm running a Tor exit node (torproject.org). It's an open network that fights against traffic analysis which threatens personal freedom and privacy.
I almost never have an issue with that: no cops knocking on my door, no complaint from my ISP, no issues with online payments -- so no issue to report so far, except for a couple particular cases below.
Conclusion: I encourage you to install a Tor exit node and spread the network :)
FreeNode provides free IRC chatrooms, which is used a lot by free software development teams and user communities.
The FreeNode maintainers decided that Tor users were mostly people who made troubles using their anonymous status, so they forced Tor users (and hence Tor providers) to use a non-anonymous, complex and slow setup to log-in. (I was told they were historically targetted through Tor by evil people).
* Beuc_!yo@gnu/savannah/team/Beuc Beuc :You are now logged in as Beuc. * SASL authentication successful * You are banned from this server- Due to abuse we currently accept tor connections via our tor-sasl service only. See freenode.net/irc_servers.shtml - questions can be directed to klines@freenode.net
I cannot access irc.freenode.net from my IP address, except by using a complex setup that has poor performance. Even then, this access suddently broke and has stayed that way since April 20th 2010. I repeatedly tried to discuss the issue with Freenode but no success so far: nobody is able to fix the access and maintainers are difficult to reach (only through IRC).
Technically Tor exit node providers (and users of Tor) are blocked from normal access to irc.gnu.org, and have to register and SASL-authenticate via a (slow) Tor hidden service, which suddently started to rejects me as well.
* Recherche de p4fsi4ockecnea7l.onion * Recherche de 127.0.0.1 * Connexion à 127.0.0.1 (127.0.0.1) port 9050... Commande inconnue. Essayez /help * Connecté. Identification en cours... * *** Looking up your hostname... * *** Checking Ident * *** Got Ident response * *** Couldn't look up your hostname * SASL authentication failed * SASL authentication failed * *** Notice -- You need to identify via SASL to use this server * Closing Link: gateway/tor-sasl/account (SASL access only) * Déconnecté (L'hôte distant a fermé la socket).
This access is poorly documented: in addition to enabling SASL authentication, it also requires Tor nodes to connect through Tor (hidden service) rather than directly, which is quite slow, and inefficient because, as a Tor exit node, I'm supposed to connect directly to services. From what I could gather on #freenode, they want to configure anti-Tor policies on only one box, and require every Tor users and nodes to connect through it. #freenode people recommended that I just stop relaying to FreeNode - this is not supportive at all.
XChat SASL configuration:
~/.xchat2/
./sasl -set freenode your_nick your_password
in the text line.irssi SASL configuration:
socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:p4fsi4ockecnea7l.onion:6667,socksport=9050
mkdir -p ~/.irssi/scripts/autorun wget http://www.freenode.net/sasl/cap_sasl.pl -P ~/.irssi/scripts/autorun/
/server add -auto -ssl -network freenode localhost 4242 /sasl set freenode your_nick your_password DH-BLOWFISH /sasl save /save
~/.irssi/config
:
{ address = "localhost"; chatnet = "freenode"; port = "4242"; use_ssl = "no"; ssl_verify = "no"; autoconnect = "yes"; }
As you can see it's pretty tedious.
Links:
FreeNode is the official service for the GNU project and consequently this is bugging me off.
irc.gnu.org points to the FreeNode IRC servers (i.e. it's an alias).
It's worth noting that GNUnet uses a similar anonymity design, which means this kind of issues will prevent the deployment of GNUnet-based software if this reaches other areas than IRC. And it's already in progress: professionnal hosting companing who rent dedicated servers often forbid running services that may relay network traffic, including Tor and FreeNet (see below).
In case you're interested in the raw log for debugging:
<< CAP LS << CAP LS << NICK Beuc USER a a p4fsi4ockecnea7l.onion :b >> :anthony.freenode.net NOTICE * :*** Looking up your hostname... >> :anthony.freenode.net NOTICE * :*** Checking Ident >> :anthony.freenode.net NOTICE * :*** Couldn't look up your hostname >> :anthony.freenode.net NOTICE * :*** Got Ident response >> :anthony.freenode.net CAP * LS :identify-msg multi-prefix sasl << CAP REQ :multi-prefix sasl >> :anthony.freenode.net CAP * LS :identify-msg multi-prefix sasl << CAP REQ :multi-prefix sasl >> :anthony.freenode.net CAP Beuc ACK :multi-prefix sasl << AUTHENTICATE PLAIN >> :anthony.freenode.net CAP Beuc ACK :multi-prefix sasl << AUTHENTICATE PLAIN >> AUTHENTICATE + << AUTHENTICATE XXXXXXX= >> :anthony.freenode.net 904 Beuc :SASL authentication failed << CAP END >> :anthony.freenode.net 904 Beuc :SASL authentication failed << CAP END >> :anthony.freenode.net NOTICE Beuc :*** Notice -- You need to identify via SASL to use this server >> ERROR :Closing Link: gateway/tor-sasl/account (SASL access only)
OFTC don't impose this limitation, recognizes me as a Tor node and possibly implements some anti-Tor policies, but don't prevent me from connecting directly.
Imposes an additional login, similar to FreeNode's "NickServ":
/QUOTE PASS /youruser/yourpass
I got blocked only once by a website that was ironicaly saying something against Tor.
Sadly I didn't keep the URL.
It never happened ever since. In particular I didn't have any problem
when ordering things online with a credit card.
The TOS changed recently, but no improvement:
De plus, dans le cas où le Serveur ou l'espace web mis à disposition de l'Usager : [...] − Permet relayer des requêtes Internet par un serveur mandataire «Proxy» installé sur le Serveur de l'Usager sans authentification ni identification de l'internaute, en particulier les réseaux «TOR», «FreeNet», «Hacktisvismo» et «A4Proxy», [...] ONLINE se réserve la possibilité d'interrompre sans préavis les Services mis à disposition de l'Usager. En outre, l'Usager ne pourra prétendre obtenir d'indemnisation pour les éventuelles pertes de données et/ou interruptions de service qui en résulterait.
This contradicts their offer (/serveur-dedie/offre-dedibox-v3.xhtml) that says "Tout usages autorisés (IRC, MAIL ...)" (all uses permitted).
With Dedibox in 2010-03:
Detection within 12h, server rebooted to rescue mode after roughly 24h. Apparently I didn't receive a notification, but since my mail server was hosted on that box, there might have been a conflict. Dedibox spreads fear of lawsuits:
L'expéditeur de l'alerte n'a pas souhaité communiquer son adresse. Serveur concerné: sd-XXXXX (XXX.XXX.XXX.XXX) Date d'emission: mercredi 10 mars 2010 à 10:37 Description: Bonjour, l'utilisation de reseau TOR n'est pas autorisée sur le reseau dedibox. Veuillez desactiver le service dans les plus brefs delais. Il est fort propable que des informations illegales aient transite par votre serveur, nous vous recommandons de conserver les logs de connexion a ce service en cas de requisition judiciaire. Cordialement, -- Le service abuse Dedibox
Cf. CVG:
De plus, dans le cas où le Serveur mis à disposition de l'Usager : [...] - Permet relayer des requetes Internet par un serveur mandataire «Proxy» installé sur le Serveur de l'Usager sans authentification ni identification de l'internaute, en particulier les réseaux «TOR», «FreeNet», «Hacktisvismo» et «A4Proxy» [...] DEDIBOX se réserve la possibilité d'interrompre sans préavis l'Accès à Internet du Serveur jusqu'à réinstallation complète du Serveurs mis à disposition de l'Usager. En outre, l'Usager ne pourra prétendre obtenir indemnisation pour les éventuelles pertes de données et/ou interruptions de service qui en résulterait.
However a friend told me he runs a Tor relay (not an exit node, just a relay) without issues for months.
In the 2010 TOS:
7.6 Pour des raisons de sécurité, l'ensemble des services IRC (à titre non-exhaustif : bots, proxy, bouncer, etc.), services de navigation anonyme (généralement appelés proxy), logiciels de visiochat tels que notamment le logiciel Camfrog doivent faire l'objet d'une inscription préalable. OVH se réservant le droit de refuser certaines inscriptions et de suspendre tout serveur sur lequel ces éléments seraient utilisés sans autorisation préalable de OVH.
A few people were blocked in the past? [1], [2].
The 2013 TOS is even more explicit:
7.4 Pour des raisons de sécurité, l’ensemble des services IRC (à titre non-exhaustif : bots, proxy, bouncer, etc.), services de navigation anonyme (généralement appelés proxy), nœuds TOR, ne sont pas autorisés sur le réseau OVH sauf autorisation écrite d’OVH. OVH se réserve le droit de suspendre tout serveur sur lequel ces éléments seraient utilisés sans autorisation préalable d’OVH.
http://sorry.google.com/sorry/?continue=http://www.google.com/search%3Fq%3Dtor
Google Vérification nécessaire... Merci de votre coopération... ... Il semble que votre ordinateur ou votre réseau envoie des requêtes automatiques. La protection des utilisateurs est notre priorité. Par conséquent, nous ne pouvons pas traiter votre requête immédiatement. Pour continuer à effectuer des recherches, veuillez saisir les caractères que vous voyez affichés ci-dessous : (CAPTCHA) [Je ne suis pas un robot !] Consultez l'aide Google pour plus d'informations. © 2009 Google - Accueil Google
Sorry, Unable to process request at this time -- error 999. Yahoo! Unfortunately we are unable to process your request at this time. This error is usually temporary. Please try again later. If you continue to experience this error, it may be caused by one of the following: * You may want to scan your system for spyware and viruses, as they may interfere with your ability to connect to Yahoo!. For detailed information on spyware and virus protection, please visit the Yahoo! Security Center. * This problem may be due to unusual network activity coming from your Internet Service Provider. We recommend that you report this problem to them. While this error is usually temporary, if it continues and the above solutions don't resolve your problem, please let us know. Return to Yahoo! Please try Yahoo! Help Central if you need more assistance.
I got blocked for editing once as a 'open proxy / zombie'. However I just reloaded the page after a few minutes and my new IP wasn't blocked, so it's not a blink anti-Tor block.
I ran the Tor node mostly from my DSL line, but the Tor legal FAQ recommends not to run Tor from your home, because your hardware might be seized.
If you want to however, there's a list of feedback from people about their ISPs.