Tor, Tor, Tor, what am I to do with you?
The name Tor is derived from a project called “The Onion Router”. Onion routing was developed by the U.S Department of Defense in the 1990s. It enables anonymity on the interwebs. So, it must be awesome for privacy and freedom, right?
Well, yes and no.
There are legitimate reasons to want to use the web without fear of being tracked. Privacy and freedom are fundamental human values and deserve my unqualified support.
But freedom can be abused. For example by evil bullies who hide behind anonymity to attack others with impunity. Also by hackers, haters, terrorists, communists, Hillary Clinton and other nefarious lowlifes. Cloudflare reports that 94% of Tor traffic is intrinsically malicious.
So, Tor creates an intractable dilemma between supporting freedom and battling evil. Can I do both? Cloudflare gives me the tools to at least try. (I did try, and failed. See update at the end of this post.)
Cloudflare automatically assigns a threat score based on the IP reputation and browser history of each visitor. Tor cloaks the browser history, and Tor end nodes often have a high percentage of malicious traffic, so even benevolent Tor users are likely to be automatically served a Captcha.
Cloudflare also assigns a Tor country code that I can use to take additional action using a firewall rule. I could simply block all Tor traffic, and I did for a while, but I noticed I was blocking a few seemingly legitimate requests. So, I set a JavaScript challenge instead of an outright block.
On the other hand Cloudflare allows me to enable Onion Routing, which “allows routing traffic from legitimate users on the Tor network through Cloudflare’s onion services rather than exit nodes, thereby improving privacy of the users and enabling more fine-grained protection.”
How well do these two measures work together to block malicious Tor traffic while allowing as-convenient-as-practical access to legitimate privacy enthusiasts? I’m not sure. But I feel like I’ve done what I can.
Update (2020-03-21): Checking my firewall event log, I found a steady swarm of obviously malicious traffic from Tor, and almost no legitimate traffic. So, I changed my approach and now, once again, block all traffic from Tor. I sympathize with those who use Tor for legitimate privacy reasons, and I wish I could accommodate them. But there is just way too much evil, malicious abuse coming from Tor for me to deal with.
