Webmasters: Please, Don't Block Tor

2018-10-05

Mike Gerwitz

Tor is a privacy and anonymity tool that helps users to defend themselves against traffic analysis online. Some people, like me, use it as an important tool to help defend against various online threats to privacy. Others use it to avoid censorship, perhaps by the country in which they live. Others use it because their lives depend on it—they may live under an oppressive regime that forbids access to certain information or means of communication.

Unfortunately, some people also hide behind Tor to do bad things, like attack websites or commit fraud. Because of this, many website owners and network administrators see Tor as a security threat, and choose to block Tor users from accessing their website.

But in doing so, you aren’t just keeping out some of the malicious users: you’re also keeping out those who use Tor for important, legitimate reasons. Malicious users have other means to achieve anonymity and often have the skill and understanding to do so. But average Tor users aren’t necessarily technology experts, and certainly don’t have the extra (often maliciously-acquired) resources that bad actors do, so they are disprortionally affected by blocks.

A particularly unsettling problem I often encounter is that a website will outright prohibit access by Tor users even on read-only resources like articles or information. I’ve even seen this on informational resources on United States Government domains! Blocking access to interactive website features—like posting comments or making purchases—can be understandable, or maybe even necessary sometimes. For example, Wikipedia prohibits page edits over Tor. But Wikipedia does not block reading over Tor.

If you are considering threats that may mask themselves behind Tor and you are running a blog, news site, or other informational resource, please, consider how your actions may affect innocent users. Allow users to read over Tor, even if you decide to prohibit them from interacting.

For users of Tor who do find themselves stuck from time to time: I will often prepend https://web.achive.org/ to the URL of a page that is blocked, which allows me to view the page in the Internet Archive’s Wayback Machine. For example, to view my website in the Wayback Machine, you’d visit https://web.archive.org/https://mikegerwitz.com/.