Tor use is now forbidden on Kimsufi's OVH

Tor use is now forbidden on Kimsufi's OVH(forum.ovh.com)

102 points by gallypette 12 years ago | 78 comments

jeremysmyth 12 years ago |

Tor can be used for good and for bad. It's the very same problem that Cory Doctorow talks about in his lectures about the War on General Purpose Computing, and it's not an easy problem to solve.

I'm an admin on a social/gaming site (a MUD with appendant forum, blogs, and other community elements), and we have had to make a few decisions about Tor in the last couple of years.

Some background: the site is quite old, and we have historically encouraged users to sign up without needing to provide a unique ID such as email address. They can provide one, but don't have to. In the last few years we have had the problem of occasional griefers log on and cause whatever social havoc they can.

Now, my personal feelings about Tor are generally quite positive, and I like the freedoms it provides people who are otherwise restricted by their ISPs or governments from accessing legitimate resources. Like many others have said, Tor is a tool that, while it can be used to do illegal things, is also used to provide a very useful service to people who need it to get on with things you and I take for granted.

Now, back to our griefers: We have a number of banning mechanisms based on IP or domain, and they tend to be successful because griefers usually get bored when they can't access the site for a couple of hours. However, because a tiny minority of griefers are more persistent, more technically adept, and figured they could use Tor to damage our community, we did a little bit of analysis and found that few if any legitimate users of our site came from Tor exit points, and we chose to block them. The alternative was to require a unique identity during the sign-up process, and frankly we wanted as few hurdles as possible to new users (anyone who knows the MUD community knows that it's in decline, and low-friction signups are pretty desirable). So we blacklist Tor exit points from our signup process. The unfortunate fact is that some Tor users do bad things with the fantastic tool at their disposal, and end up spoiling it for the legitimate (and extremely valuable) use cases that make it such an amazing tool. Yet its very anonymity means that there is no easy way to allow one set of uses while disallowing others. This is a hard problem, and one I'm not smart enough to solve.

mst 12 years ago | |

Assuming you have the technical capability, requiring an email address and confirmation for only tor users could work.

Freenode does something similar - tor and other problematic traffic sources can connect but must use connect time SASL to authenticate to a previously created account, which is sufficient to exclude the vast majority of the griefers.

bigiain 12 years ago | | |

At least right now – I suspect the intersection of "TOR users" and "people happy to provide email address confirmation" is so small as to be insignificant. Any development effort aimed at that cohort could almost certainly be better used elsewhere.

Having said that, I'm currently trying to make a point of using TOR for regular and mundane uses - particularly if using government sites - just to increase the amount of "legitimate" tor traffic. I'm also (carefully) intentionally de-anonymising myself while using tor like this - identifying myself to local government websites while doing "ordinary" things while connected over TOR - I booked an extra trash collection recently for example. I don't suppose my local council website managers even notice, but I like to think my local PRISM equivalent operators see traffic like this and think "WTF?" ;-)

(But like the parent-poster, I've suffered forum-trolls, and given the time and skill poor nature of most forum owners, the obvious "just ban free email accounts/tor/cellular-ip signups" is often the right, if overly broad hammer.)

kbuck 12 years ago | | |

FreeNode's use is a bit more extensive than just requiring an email address - you have to create the account from a non-Tor IP, so if you do something bad and get banned, they ban the account (thus preventing further access from you via Tor) and then also have the option of banning the IP that registered the account (preventing it from registering further accounts that will be abused via Tor). If they really want to, they can also ban the email address, but in practice this really isn't worthwhile as it's so easy to get a different one.

Tuna-Fish 12 years ago | | |

What good would email address confirmation do? You do know about mailinator, right?

rogerbinns 12 years ago | |

> We have a number of banning mechanisms ..

Did you try the other approach taken by many sites of making their posts/activity hidden from others? Initially they can't tell the difference between being ignored and being hidden. It also has the advantage that if they were incorrectly hidden you can turn it off and their activity is still present.

jeremysmyth 12 years ago | | |

We did this for social contact (channels, forums, and other forms of communication) for a while, but because it's a MUD, it's a shared world with persistent effects, so it's impractical to make all activity invisible. Blocking social communication just resulted in other forms of griefing as a result. Griefers gonna grief.

im3w1l 12 years ago | |

I think the problem with Tor is that it makes it very easy to create multiple pseudonyms. Fwiw, the approach used to combat spam successfully on freenet based fora, is to artificially increase the effort. This can be done by not activiting an identity for x hours, or requiring that users solve n captchas on signup.

pyre 12 years ago | |

If you provide access to the website as a Tor hidden service, do you get some sort of unique ID for the computer connecting that can be banned? I don't know much about the Tor protocol, but if you're on the receiving end of packets that need a response, you need a way to address them back.

mike-cardwell 12 years ago | | |

No, you do not get any such thing.

Basically, the client and the machine hosting the hidden service both connect to a rendevouz point and communicate via that. The connections to the rendevouz point are not direct. They are bounced through three nodes, with three layers of encryption, each node being able to peal off one layer before passing it on to the next.

This is why hidden services are pretty slow. Every packet has to be routed through 6 other machines, which each can be anywhere in the World.

supergirl 12 years ago | | |

Doesn't matter if his website is a hidden service or not. The communication between the website and the user is done through Tor relays, which are shared. There cannot be any unique ID tied to the user because that would break anonymity.

pktgen 12 years ago |

I have a hard time blaming them for this. They're a budget provider, so any extra cost handling subpoenas and legal documents (which, let's not kid ourselves, is going to happen 100x more on a Tor node than on the majority of their other customers) quite possibly means a loss for them on a server.

rst 12 years ago |

The relevant French: "depuis quelques mois, nous avons eu plusieurs affaires juridiques lié à l'utilisation de plusieurs réseaux TOR dans le cas de la pedo et on va désormais l'interdire au même titre que tous les systèmes d'anonymisation."

My (amateur) translation, cleaning up Google translate (which doesn't recognize Tor as a proper name): "For several months, we've had many legal matters related to the use of TOR networks in pedo cases, and from now on, it is forbidden along with all systems of anonymization."

Doesn't sound like they want any part of it.

devcpp 12 years ago | |

Weird, the French part looks like the output of a translator. There are a few faults of vocabulary, grammar and sentence structure.

Your translation is correct though.

norswap 12 years ago | | |

French is my mother tongue, and I think it sounds alright. It's everyday speech though, not something you'd write in a press statement.

seszett 12 years ago | | |

Oles (Octave Klaba, the CEO)'s French is always terrible. This is probably one of his best written sentences.

hackerboos 12 years ago | |

Just don't use Tor as an exit node with OVH.

nly 12 years ago | | |

It's not just exit nodes that you are forbidden from running. It seems any participation in the Tor network is banned, whether it be a relay, or a personal bridge in to the network.

gallypette 12 years ago |

"Pour des raisons de sécurité, l’ensemble des services IRC (à titre non-exhaustif : bots, proxy, bouncer, etc.), services de navigation anonyme (généralement appelés proxy), nœuds TOR, ne sont pas autorisés sur le réseau OVH sauf autorisation écrite d’OVH. OVH se réserve le droit de suspendre tout serveur sur lequel ces éléments seraient utilisés sans autorisation préalable d’OVH."

It looks like anything looking like a proxy is forbidden now. Including tor nodes :/

herge 12 years ago | |

For security reasons, all IRC services (including bots, proxies, bouncers, etc.), anonymous navigation services (also known as proxies), TOR nodes, are not allowed on the OVH network without written authorization from OVH. OVH reserves the right to suspend any server on which these services are used without prior authorization from OVH.

valinor4 12 years ago | |

Proxies were already forbidden since 2010 (I think).

anonymous 12 years ago | | |

I hope you mean open proxies, because even ssh allows you to establish a (for you only) socks 5 proxy.

lechevalierd3on 12 years ago |

OVH used to be one of the top host provider. Last year they removed the unmetered bandwidth and now TOR, VPN too ? (it's unclear to me). What's next ? no HTTPS, European traffic only ? seriously this sadden me, lucky for us Online.net is a good challenger.

Amfy 12 years ago | |

Online.net a challenger:

Ran a middle (non entry/exit) Tor node on one of their servers, received an automated "Abuse message"...

Wrote a support ticket regarding some network architecture question, got a one-liner "not possible".

bigiain 12 years ago | |

I wonder if this really does include VPN?

I tried but failed to sign up for one of their 3 euro/month servers a few days back in response to other HN discussion (their .uk site wont accept Australian addresses, and their .com site doesn't have those inexpensive 1G servers).

The main reason I would have got the would have been to use as a non-US based VPN endpoint. (I'm somewhat less satisfied with my DigitalOcean droplet as a VPN endpoint since Snowden's revelations.)

PaperclipTaken 12 years ago | |

OVH is still the cheapest host I've ever seen. 1 TB disk space, 100mbps connection speed, 5TB bandwidth, all for $20/mo?

I'm not complaining, nor have I seen better.

kristofferR 12 years ago | | |

Their support is totally abhorrent though, be prepared waiting days/weeks instead of minutes/hours for any support at all, they abruptly change your TOS and server specs without telling you, cancel you order for no reason without telling you or even refunding you etc.

They're totally horrible to deal with, unless you make minimum wage you're probably going to spend more on packets of Tylenol due to all the headaches they cause than what you're going to save.

lechevalierd3on 12 years ago | | |

Bandwidth is more important than space to me, so Online is still much better. And as soon as they will have matched OVH's new prices there are going to be THE best host.

dewey 12 years ago | |

They just removed their traffic limits a few days ago.

aroch 12 years ago | | |

They removed it on their EU-customer only servers, which means they're relying on the fact that 80-90% (at least) of their bandwidth is going over EU IXes and is thus free to OVH.

lechevalierd3on 12 years ago | | |

Do you have any proof of that ? Because I've been looking for info on that matter.

lambada 12 years ago |

They've not been Tor friendly for a while - and indeed have forbidden Tor for some time, at least according to Tors Good Bad ISPs wiki page - https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISP...

computer 12 years ago |

My French is not good enough to see if this is only for exit nodes, or also for internal relays?

Running Tor relays is one of the reasons I use their servers...

yannickmahe 12 years ago | |

"depuis quelques mois, nous avons eu plusieurs affaires juridiques lié à l'utilisation de plusieurs réseaux TOR dans le cas de la pedo et on va désormais l'interdire au même titre que tous les systèmes d'anonymisation. Cela augmente l'utilisation frauduleuse de notre réseau et le nombre de réquisition juridique chaque mois"

"starting a few months back, we've had an number of legal cases regarding the use of multiple TOR networks for pedo, and we will forbid its use from now on, the same way we forbid all anonymisation systems. It raises the number of fraudulent uses of our network and the number of subpoenas each month"

I guess it means both.

computer 12 years ago | | |

Internal relays would never result in complaints though, since it only connects to other Tor nodes?

lelf 12 years ago |

Google-translated part from http://www.ovh.com/fr/support/documents_legaux/Conditions_pa...:

7.4 For security reasons, all IRC services (for non-exhaustive: bots, proxy, bouncer, etc..), anonymous browsing services (usually called proxies), TOR nodes, are not allowed on the OVH network unless written consent of OVH. OVH reserves the right to suspend any server which these elements are used without prior permission of OVH.

ScottWhigham 12 years ago |

How do they detect the use of a proxy though? That's what I don't understand. Tor's exit nodes are not broadcast, or are they?

mike-cardwell 12 years ago | |

The list of Exit nodes is publicly accessible. All you have to do is check if any of your IPs are in that list.

dylz 12 years ago | | |

The list of ALL nodes, including ENTRY and MIDDLE are also public.

aw3c2 12 years ago |

Aww, I was running a relay for more than two years on mine. Hopefully it only means exit nodes.

gesman 12 years ago |

But i think people can still operate Tor Hidden services from there

Sprint 12 years ago | |

Running a hidden services requires running a relay (exit or no-exit), right? I was planning to provide a hidden service for a site of mine for fun mostly but would not want to risk losing my server for satisfying my hacker enthusiasm.

mike-cardwell 12 years ago | | |

You don't need to be any sort of relay in order to host a hidden service. You can do it when just running as a client.

teawithcarl 12 years ago |

Here's a related link just 5 days ago.

Server host OVH warns of 'multi-stage' hacking attack. http://www.theregister.co.uk/2013/07/23/top_server_host_ovh_...

aroch 12 years ago | |

Well...no. This is OVH's own systems being compromised. It has nothing to do with 'hackers' using OVH servers to attack other people.

Nux 12 years ago |

Makes sense. Tor's nature (and its many dodgy uses) will eventually lead to its demise, alas.

pestaa 12 years ago | |

I did not downvote but instead invite you to elaborate. Why will Tor cause its own demise?

Karunamon 12 years ago | | |

Operating as an exit node exposes you to a great deal of legal issues, if not liability.

Not to mention annoyance for the user... there will be sites you can't access since many sites block exit node IPs outright because of abuse.

If some random does something illegal and they happen to be using your node, guess who gets the knock on the door?

With that in mind, what user would want to operate an exit node?

Nux 12 years ago | | |

Tor's cause is a noble one, but I fear it will end up (if it hasn't already) being used mostly by bad people for bad things.

Once you get your home or server IPs connected to black market forums, drugs, human trafficking or kiddie porn sites and your life (and your family's) has suddenly become more complicated, I wonder how many will still be eager to run Tor exit nodes? Maybe a few dreamers and anarchists.

Tor exits will be shut down one by one, either by the owners or by the police/state.

What we need to come up with is a fully encrypted, anonymous, self-contained super-internet of something like Tor "hidden services" only.