> 5) A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that originating from the Internet at large. (Specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).
This point seems rather odd. I'm not following the connection between a large percentage of Tor requests being malicious and the fact that Tor users have almost the same conversion rate. Malicious requests are coming from botnets and/or fraudsters. They're, for the most part, not in the subset of Tor users which click ads or do anything else that would be tracked as part of a site's conversion rate. What's funny about this is that the linked report even confirms that requests from exit nodes are far more likely to be malicious:
> Tor exit nodes were far more likely to contain malicious requests:
> • 1:11,500 non-Tor IPs contained malicious requests
> • 1:380 Tor exit nodes contained malicious requests
I'm a huge supporter of Tor and have been running a relay node for years, but it seems their stance on this topic is quite fundamentalist and they chose to ignore any arguments or facts that they don't like while basically grasping at straws in their counterarguments.
It's okay to be concerned about CloudFlare having such a huge market share. They're a huge target for nation states and others alike. Global passive¹ adversaries are a problem for things like Tor, and they might very well be forced to become one at some point. It's essential to have more competition in this area, and that's a fair argument to make. However, with regards to how they're handling Tor, I don't think there's anything wrong with what they're doing, and the explanations presented in their blog post seemed sound to me.
> Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses
So when seeing actual web traffic things are identical. That only measures real web traffic. It doesn't measure all the SSH attacks, SPAM being sent, possibly checking for vulnerabilities and unpatched software/etc.
> I'm not following the connection between a large percentage of Tor requests being malicious and the fact that Tor users have almost the same conversion rate.
The point is that blocking or de facto blocking an IP address which is shared by many different users just because one is malicious is costing CloudFlare's customers money.
The reason some e-commerce sites are blocking Tor is not because of low conversion rates (that would be silly), but because of fraud (and attacks) coming from Tor users. Those two numbers are not related, and it has nothing to do with why CloudFlare shows captchas for Tor users. The argument doesn't address the fact that a large percentage of Tor traffic is malicious at all. It's a straw man argument, really.
On top of that, it's not as easy as "blocking some legitimate users = losing money". The cost of fraud caused by Tor users might very well exceed the additional revenue Tor users generate - or not.
The point of the argument is that preventing fraud using IP blocking is costing you money that you could have in your pocket if you would instead prevent fraud using signature detection or some other method.
With signature detection, you're referring to browser fingerprinting? Because that's not going to work for Tor users (or, more specifically, TBB users).
I'm talking about, people who commit credit card fraud have a credit card whose billing address is in New York City but try to get the product shipped to Nigeria.
That's only one type of credit card fraud. There's fraud against digital goods and gift cards. There are even carders who test credit cards online with real information before coding them to magnetic strip or selling them off. Heuristic-based detection is very limited if there is no IP reputation or JavaScript to do fingerprinting and other tricks to unmask the user.
Ecommerce knows full well the cost of not supporting TOR. Just like we know the full cost when they deprecate browsers like IE9. Opportunity cost of building out more advanced systems to detect fraud compared to just blanket banning open relays and TOR. I didn't even factor in the cost towards hardware when ecommerce sites get hit with a bot running through a TOR endpoint or Open Relay.
Tor is not the only IPs that get blocked. Ecommerce sites frequently blacklist Azure, AWS and other hosting providers. They have the data they crunch and know full well who they will affect and what the cost is. There is always collateral damage.
You don't have the right to use any ecommerce site while using TOR much like you don't have the right to walk into a bank with a ski mask on and get service.
It's also only one type of bad act. Yet no others exist for which IP blacklisting is the only possible solution.
> There's fraud against digital goods and gift cards.
So treat gift cards as passthrough. Don't ship something to Nigeria if it was paid for with a gift card purchased with a credit card with a billing address in NYC.
And the idea that any meaningful number of people are going to use stolen credit cards to buy digital goods instead of just torrenting them is ridiculous.
> You don't have the right to use any ecommerce site while using TOR much like you don't have the right to walk into a bank with a ski mask on and get service.
Yet I can use an ATM or online banking while wearing a ski mask or using coffee house wifi with no trouble at all for either me or the bank, because we know how to solve that problem and it doesn't require IP blacklisting.
¹ Or, rather, possibly an active adversary too?