Why the animosity towards Tor?

I’m unable to view your website using Tor thanks to illegible captchas. Why not ensure your hosting provider allows unfettered Tor access like many other privacy-oriented websites? Also, why roll your own browser instead of using Tor Browser Bundle as the default browser: I use it for literally every website I visit these days except puri.sm (even my banks allow Tor connections without issue). It would be a great boost to purism’s reputation to openly support other projects pushing for greater freedom and privacy. The synergy would rock I think. Thanks for any feedback.

‘Private’ or ‘incognito’ mode on the Pure OS browser will be the Tor browser package, so in a sense it is the default browser.

I am frustrated by not being able to access this site from Tor though :frowning:

We bundle TOR Browser with PureOS. It is not yet the default, but as we test further it may become so.

We have to look into Cloudflare and their support for TOR, or move off of it. (we are aware of the issue, but haven’t been able to address it yet).

Here’s a basic cron job to run in the meantime that whitelists the top 200 Tor exit nodes.

1 Like

I just checked with the Qubes page. If I remember correctly they had the same anti Tor measures from cloudflare in place a while ago. I’ve checked it today and the side loaded without the cloudflare intervention.

So, dear puri.sm team, maybe you could ask your brother-in-arms how they did it so that Tor users have the same user experience as regular users on your web page. :slight_smile:

Hi all,

the Tor issue should be resolved now.

Please do check and report here (or via IRC (freenode, #purism) and mail support@puri.sm) :slight_smile:

i2p isn’t blocked by Cloudflare… cough geti2p.net

1 Like

It looks pretty good on my site! Tor Browser v5.5.1, no captchas. Thanks!

Configuring the CloudFlare service to stop CAPTCHAing Tor users is not good enough. If you’re making privacy your business model, you have to stop using CloudFlare entirely. They’ve grown so big as to become almost a global adversary, tracking you everywhere with their tendrils dug into the web almost as deep as Google. We can’t have one company monopolizing all web hosting.

Also consider making a .onion mirror.

I was going to post here yesterday, but considered the thread a bit aged. I have to agree with Torrorist on CloudFlare (albeit with less exuberance :^).

I see puri.sm is using CloudFlare’s [free] SSL certificate. This is not an end-to-end encrypted connection. Users on Puri.sm make an encrypted connection to CloudFlare who then makes a connection to the webserver hosting puri.sm. CloudFlare is essentially acting as a man-in-the-middle. This does offer some protection against certain threats. However it also erodes the security of the web particularly because the process is so transparent to the end-user who trusts CloudFlare’s SSL certs.

Cloudflare is still hassling visitors to this site, but I only had to get a new Tor circuit for this site once today, at least.

Even if Cloudflare isn’t actively maliciously (and my meaning of maliciously means including activity tracking for ad data) tracking users, it’s widespread use means any “adversary” only has to infiltrate one organization to have info on a larger and larger swath of the internet. Between Cloudflare and AWS, the internet’s becoming dangerously centralized.

Backer do you mean opaque to the end user?

We already have moving away from Cloudflare on our loooong TODO list but we didn’t just have enough time to work on it. Sorry for the inconvenience it presents at the moment.

Thanks for paying attention to this issue! :slight_smile:

Backer do you mean opaque to the end user?

I suppose I meant “seemingly transparent”. I would consider an opaque process one that is difficult to understand. I don’t believe it’s difficult to explain why CloudFlare’s MITM implementation of SSL is suspicious (even to the average user). Users have been trained to recognize the green padlock as “secure” which CloudFlare’s SSL implementation preserves. It is their position between the user and end-server that is [seemingly] transparent.

Otherwise yes.

Certainly, its easy to understand this is not at the top of the priority list.

1 Like

FYI CloudFlare now provides a configuration option for site operators to whitelist Tor exit nodes.