Open Bysmyyr opened 10 years ago
Do you have any trace and/or debugging information on "how the banktrojan" automated his communications?
We never had such a requirement, to prevent automated access through tor2web, but it sounds like it's also needed to prevent this kind of abuse by bots.
I would suggest going with an approach based on JavaScript Proof of Work based on HashCash, as we'll have to implement it too in GlobaLeaks: https://github.com/globaleaks/GlobaLeaks/issues/799
Captchas are probably best when using an external service such as Re-Captcha, which is much harder to bypass and easy to integrate, although it does imply important privacy-related issues.
This will be problematic mostly because captcha is annoying. Is this breaking the web surfing experience when you are clicking a new page?
I don't know what is the right solution to these take downs. Anyway, now we are trying to solve a non-technical problem with coding.
@juhanurmi Well, once we started working on Tor2web, moving from a bunch of Apache scripts to a piece of software, we realized that most of the takedown issues could be solved by technical means (removing Google indexing, disabling image cross-linking, disabling image caching, introducing a disclaimer banner, introducing abuse reporting, introducing a fine-tuned blocklist, etc).
Now this is a new issue (bots communicating with C&C through Tor2web). I feel it's just a new issue that we must manage so that "this specific problem" can be considered fixed.
Together with the additional improvement of this ticket, #15 to be finished, and with additional improvements to blacklist management such as #151 #145 #146, I really feel we're making some major steps forward in the resiliency against takedown?
@fpietrosanti thanks! Good points there! :)
Sometimes I just feel frustrated because people seem to ignore the banner that clearly says "we are not hosting this content".
@juhanurmi let's see if @kaepora could do a very good/valuable styling of the Tor2web access disclaimer page, so that it will be "extremely clear" what Tor2web does and what it does not from the abuse perspective.
I also added idea #153 to further improve the abuse flow.
How about enabling captcha only for specific hosts or regent and enabling in these cases and upon abuse request?
On 19 Aug 2014 12:47, "Fabio (naif) Pietrosanti" notifications@github.com wrote:
@juhanurmi https://github.com/juhanurmi let's see if @kaepora https://github.com/kaepora could do a very good/valuable styling of the Tor2web access disclaimer page, so that it will be "extremely clear" what Tor2web does and what does not from the abuse perspective.
@lastknight The effective problem of this issue is to "prevent automated bots" from communicating with TorHS through Tor2web, because a single abuse request of this type (banking malware) is so powerful that the server is being taken down. So we shall prevent bots from easily using Tor2web in order to "prevent" tor2web.
damn. i was not convinced about adding the disclaimer as it was going to block, for example, torrent uses of tor2web, which is good from my point of view. so i'm not so convinced about going on implementing also proofs of work and whatever else like captcha.
any different ideas?
@evilaliv3 I'm totally fine with preventing anything but humans from accessing Tor2web. When Tor2web will be diffused, resilient and widely accessible, I feel we'll be able to consider an "improvement" enabling torrent software to use Tor2web. Now the priority is IMHO making it resilient against takedown, learning takedown-by-takedown what we shall do to stop them!
We had some problems after some banktrojan used our node (tor2web.fi) to communicate (and we got disconnected from the network). Because we already have this landing page (https://github.com/globaleaks/Tor2web-3.0/issues/15), we can use captcha or JavaScript to prevent automated access.
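The HashCash-style JavaScript proof of work suggested in the thread, sketched as an added example that is not part of the original discussion and is not Tor2web or GlobaLeaks code. The function names, the 12-bit difficulty, the two-minute lifetime and the `timestamp.random.hmac` challenge format are all assumptions made for illustration.

```javascript
// Added example (hypothetical names and parameters, not Tor2web code).
const crypto = require('crypto');

const BITS = 12;            // assumed difficulty: about 4096 hashes on average
const MAX_AGE_MS = 120000;  // assumed challenge lifetime

// Number of leading zero bits in a hash digest (Buffer).
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24;
  }
  return bits;
}

function mac(secret, data) {
  return crypto.createHmac('sha256', secret).update(data).digest('hex');
}

// Proxy side: stateless challenge "timestamp.random.hmac" sent with the landing page.
function issueChallenge(secret, now = Date.now()) {
  const body = `${now}.${crypto.randomBytes(8).toString('hex')}`;
  return `${body}.${mac(secret, body)}`;
}

// Browser side (the work the landing page's script would do): search for a nonce.
function solve(challenge, bits = BITS) {
  for (let nonce = 0; ; nonce++) {
    const h = crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();
    if (leadingZeroBits(h) >= bits) return nonce;
  }
}

// Proxy side: check authenticity and freshness first, then the work itself.
function verify(secret, challenge, nonce, now = Date.now(), bits = BITS) {
  const parts = String(challenge).split('.');
  if (parts.length !== 3) return false;
  const [ts, rnd, tag] = parts;
  const expected = Buffer.from(mac(secret, `${ts}.${rnd}`));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  const age = now - Number(ts);
  if (!(age >= 0 && age <= MAX_AGE_MS)) return false;
  if (!Number.isSafeInteger(nonce) || nonce < 0) return false;
  const h = crypto.createHash('sha256').update(`${challenge}:${nonce}`).digest();
  return leadingZeroBits(h) >= bits;
}
```

A solved challenge stays valid until it expires, so a deployment would also need to record spent challenges to stop replay. Proof of work only raises the per-request cost for a client that can run the script; it does not distinguish a human from a bot that executes JavaScript.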