Zfnd.org blocks Tor

Edit: Please see discussion downthread.

I observe that Tor is still blocked and redirected. But I appreciate that ZF cares about this. When Tor-friendly people are notified of Tor-blocking behaviour in their hosting provider stack, I understand that it may take reasonable time to resolve. I will update OP as needed.

Last checked 2022-08-10 06:29 UTC: Still blocked/redirected.

(End of later edit. Original post follows.)

When I attempt to visit any page on zfnd-dot-org or its subdomains, I am redirected to the standards-violating URI https://zfnd.org/.well-known/captcha/ (or the same path at a subdomain), with a message that offends my dignity:

Please complete the captcha below to prove you’re a human and proceed to the page you’re trying to reach.

zfnd.org_blocks_tor1002×886 67.8 KB

I realize that I am a sort of a canary in the coal mine, because I use Tor all the time, for almost absolutely everything. However, I find it disheartening if I am the first Zcasher to notice this. Does anyone else here regularly surf the Web with Tor? Are there any Tor users at the Zcash Foundation? Has @nickm_tor visited zfnd-dot-org to communicate about Zcash Foundation grants to the Tor Project?

This abuse of the /.well-known/ namespace violates RFC 5785.

This abuse of the path /.well-known/captcha/ is not registered with IANA—and it could not be, because it grossly violates RFC 5785.

https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml

This /.well-known/captcha/ redirect on various sites has annoyed me for a long time. But I never cared much about those sites—not as I care about Zcash.

A general message for site owners:

If you mistreat Tor users, then some of them will simply decide that you don’t need their readership, their paying business, their friendship, or otherwise the benefits of associating with them.

As a privacy activist, I actively, vocally boycott most sites that block Tor. I do not beg and plead for the block to be removed: Instead, I tell all of my friends that the site is an unconscionable and unethical supporter of mass-surveillance.

Blocking Tor is often an heuristic indicator that the site itself is probably loaded with trackers, and it wants to prevent you from protecting yourself against them. Boycotting sites that block Tor is like boycotting food producers that misuse pesticides: It is good for your own health.

What is causing this Tor block?

After some research, I traced what I believe to be the source of this Internet abuse:

I presume that this is the Tor-blocker somehow appearing at zfnd-dot-org. If not, someone please advise what other Tor-blocker is abusing the /.well-known/ namespace.

Siteground’s blog comments are closed, and I will not even try to contact them. Why would I waste my time? Their position is clear from the blog comments on that page:

I do not advocate that they should fix this: I advocate that everyone else should boycott them until they go out of business. Reasons:

0. Their overly-hyped security theatre blocks Tor users from even reading ordinary webpages (!).

1. They demonstrate gross ignorance of, and abuse of Internet standards by polluting the RFC 5785 /.well-known/ namespace with ridiculously nonconformant usages which are not, and never could be registered with IANA. Should you ever entrust your site’s security to anyone with such abysmal incompetence at technology?

2. They hate Tor users so much that they not only block Tor, but also redirect so that Tor users lose the URI of whatever page they clicked on. I ignore and actively boycott most sites that block Tor; but if a Tor-blocking site seems sufficiently valuable to me, I sometimes try different ways to view it. Siteground obstructs this with their redirect away from the page that I had wanted to see.

3. They hate Tor users so much that they repateadly, arrogantly dismiss polite requests to change their own misbehaviour.

Don’t ask them to fix it: Dump them, tell them why, and tell everyone else to avoid them like plague.

I am unCAPTCHAed!

CAPTCHAs are totally unnecessary for most read-only resources. Even for resources that are more susceptible to abuse, they are not the best option.

And it is always insulting and offensive to human dignity to demand that people “prove you’re a human”. Unacceptable! (No comment on the widespread allegation that I am actually a robot.)

I refuse to complete CAPTCHAs simply to read any site. If you value your limited lifetime and your human dignity, then so should you.

What should Zcash do?

Zcash’s mission is to promote privacy. I urge the Zcash Foundation please forthwith to dump and to boycott the perpetrators of this toxic, destructive, counterproductive, actively anti-Tor security theatre—and please to make sure in the future that Tor users can freely access your site.

Indeed, I respectfully suggest that ZF, ECC, the current Z.Cash site, and the Zcash Community site should set up onions—as Bitcoin Core (onion) has had since March of 2020, and as the old Z.Cash site used to have five years ago. (What happened to that?)

Thank you.

I also noticed, and I couldn’t agree more. Please fix this.

Adding an .onion service for the site may be a more friendly way to welcome Tor users and at the same time not have them blocked because of being on a Tor IP.

Hello!

Thank you for pointing this out and I apologize for the negative browsing experience. Our intention was not to prevent Tor users from accessing the Zcash Foundation site. Tor is a friend of the Zcash Foundation and will even be participating at our upcoming Zcon3 event. As you already pointed out, this actually has to do with our hosting service.

We’re looking into how we can best address this and appreciate your patience in the meantime.

Thanks for your reply. I understood that in this particular case, it must simply be a matter of nobody noticing, nobody pointing it out. My nym “nullius” literally means ‘nobody’s’, so I noticed and reported the issue.

Alas, I cannot see the linked page. (Just tried again.) I do have access to plenty of non-Tor “clean” anonymous IPs; but I will be a stubborn activist here, and decline to circumvent the Tor block. Hey, on transparent blockchains, I also sometimes purposely add mixer “taint” to “clean” coins just to be constructively disruptive.

Nonetheless, as a longtime Tor user and a longtime Zcasher, I am pleased to see the two projects working together! I am guessing that the Tor people will probably be happy to offer guidance on how best to increase all-around Tor-friendliness in the Zcash ecosystem.

Obviously, I think it’s important to give pushback against webhosts that block Tor without their clients’ even knowing it. Please read my message not as a self-oriented “unblock me so that I personally can see your site”, but rather as, “Let’s all stand together with Tor, and send a message that it is NOT OK to treat all Tor users as ipso facto ‘attackers’.”

This is an issue separate from the IP block, although of course it is related.

I recall that Zcash used to do onions. Z.Cash had an onion; and there was even an onion for apt.z.cash, zcaptnv5ljsxpnjt.onion, which I used from a Debian system way back! (Cf. the Tor Project’s and Debian’s respective lists of their official onions, including source repos and binary package repos.) I think it’s sad that we fell behind the onion-ness of Facebook, Twitter, The New York Times, and even the American CIA. Behold Alec Muffett’s list of legitimate mainstream onions!

@anon35140610, perhaps that Zcon3 meetup with the Tor people may turn out to be a great opportunity for all sorts of things.

P.S., @anon35140610, with apologies for the somewhat topic-drifting double-reply: I have a suggestion of something you may wish to discuss with the Tor people at Zcon3.

Famous is the fact that Bitcoin was created by a strongly pseudonymous developer, known only as “Satoshi Nakamoto”. Yet alas, obscure remains is the fact that Satoshi was a Tor user. I would not be surprised if the Tor people may be unaware of this; they would probably be thrilled to discuss it with Zcash people at a convention about the premier zero-knowledge privacy coin.

My source on this: In 2013, theymos, the Bitcoin Forum’s administrator, said that “he [Satoshi Nakamoto] always used Tor, as far as I [theymos] can tell.” That forum was founded by Satoshi in late 2009, originally at www.bitcoin.org/smf/ before various URL changes; Satoshi did most of his circa-2010-era public activity there. I presume that theymos must have IP access logs from the Satoshi era. Accordingly, I take theymos’ statement as authoritative primary-source historical information for documenting Satoshi as a Tor user.

I have frequently cited that theymos post to push back against people who want to ban Tor users from cryptocurrency sites: “So, you would ban Satoshi from cryptocurrency? ”

Similarly, I have frequently cited “Satoshi Nakamoto” as an incisive two-word argument rebutting those are against pseudonymous crypto-developers. It has been my standard argument for years. Sadly, it happened again right here on this forum only hours ago.

Please pass this along to the Tor people. For my part, I take it as additional evidence that Satoshi cherished the same values, and shared the same goals, as motivated the later work on Zerocoin for Bitcoin, which begat Zerocash, which begat Zcash.

Anything in particular that you have in mind? ZF welcomes suggestions and it seems you have a few?

Thank you for the benefit of doubt. This was simply a case of oversight on my part - as this was my responsibility. I do have an Onion Browser, but I didn’t test the Foundation’s website on it, before its being deployed. I’m very sorry for that and I hope you continue to understand.

I totally understand. I have nothing to question as far as your intentions are concerned. I’m thankful you brought this to our attention. The last thing I would want is for people to think it had been intentional. ZF loves Tor, as does the rest of Zcash! It’s why we invited their Executive Director to be actively involved at Zcon3 - our annual privacy Zcash event! (You beat me to it but we will be announcing Isabella Fernandes’ participation at Zcon3 tomorrow actually!)

Suggestion received! While I’m well aware of the history behind the creation of Bitcoin and Zcash, I appreciate the “walk down history’s lane!”

@nullius is it ok if I edit your topic to reflect that the Zcash Foundation is not in fact who blocks Tor? Can the original post be edited to reflect that it’s in fact Siteground (I’m not sure that I even have adequate permissions to do this myself but I can ask for the @admins to do so if agreed upon) that is responsible for this? I’m a regular and I think that allows me the permissions but not fully sure .

It seems to me that the one thing you and I definitely agree upon is the need for appropriate representation of information

I quoted (some version of) your post at the top of OP. When time permits, perhaps I may smooth the presentation a bit; but it may suffice as-is.

I did just test again. Tor is still blocked, which I should probably note in OP.

When I make a post that is factually accurate and in good faith, I strongly prefer that it never be administratively edited over my head. I am happy to avoid any potential misunderstandings of ZF’s intentions towards Tor.

Thank you for your attention to this. As a Tor user, it means much to me to see people in responsible positions take this seriously, instead of brushing off my concerns as not infrequently has occurred.

Based on your response, I will make no such request to the @admins of this forum but would ask them to take note of my comments as they may want to act on this feedback for other situations.

I understand that these types of issues may take a reasonable time to resolve.

I have been monitoring the status of this issue—checking at least once or twice per day. After it was suggested that my OP may be administratively edited over my head, I have been editing OP with the dates and times when I checked to see if the issue had been resolved. I encourage the public to click the little pen icon at the top, and view the edit history. Javascript is required, but a forum account is not; please go ahead and look!

Five business days after I reported it, zfnd.org is still blocking Tor. I request an update.

It has been a long time since I ran any significant website; but when I did, I always maintained things in a way that I could easily switch hosts. That is a matter of independence and censorship-resistance. I think it is prudent, like backing up data. I suggest that if the Zcash Foundation is stuck in a position that it can’t easily tell its Tor-hating host to take a hike, some policies and procedures should be improved.

The Tor community used to maintain a list of Tor-friendly hosts on the old Tor Trac. (Not sure about now.) Tor-friendly hosts deserve our business; Tor-hating hosts do not! I think that if you reach out to the Tor community, people on the Tor side would be happy to help the Zcash Foundation find Tor-friendly hosting suitable to ZF’s technical requirements and its budget—ideally, payable with ZEC!

If this seems embarrassing to the Zcash Foundation, @anon35140610, I ask that you please consider how this feels to me as a Tor user and a Zcasher.

I have tried to get my friends into Zcash. Like likes like. My Bitcoiner friends tend to be Tor users—not people who maybe tried Tor once or twice, but people who use Tor on a daily basis.

I have gotten a sort of a “LOLWUT” reaction from my own friends, when I had to explain to them that, um, the privacy coin with hands-down absolutely the best on-chain privacy utterly lacks support for onions.

By the way, I suggest that the Tor Project’s Executive Director may be interested in knowing how and when that will be resolved. The Tor Project’s v2 onion deprecation deadline (onion) was 15 July 2021—one year ago today. Tor kicked v2 onions out of their own codebase nine months ago (onion). Not only it is fair to say that Zcash does not support onions: It would be dishonest to claim that Zcash supports onions. At this point, v2 onion support is like supporting the old v0/v1 “Hidden Services”: It does not qualify as “supporting onions”.

And it also leaves me in a difficult position to explain to my friends why the best privacy coin has governance and grantmaking processes run by a foundation whose website they can’t see, because it discriminates against Tor users.

Moreover, and more importantly in the big picture, I am disturbed by this circumstantial evidence that most Zcashers don’t use Tor. If Bitcoin.org or Bitcoin Core’s website (onion) were to block Tor for even a split-second, there would be a nuclear explosion! It would not go unnoticed.

Due to demand, community interest, and Tor usage by Bitcoin developers themselves, the shipping, release-version bitcoind had v3 onion support in Bitcoin Core v0.21.0, released 2021-01-14—over half a year before the Tor Project’s 2021-07-15 deadline. Bitcoin killed v2 onion from its own codebase, right after the v2 deprecation deadline. Because Bitcoiners care about this stuff. Where is the widespread interest from Zcashers?

I wish to deal with that constructively. As an experienced privacy activist, I will be advocating for Zcashers to use Tor—to use Tor generally, to surf the Web with Tor Browser, to boycott chat networks that are notoriously hostile to Tor, and specifically to use Tor with Zcash. As a technical expert of some repute in other venues, I offer help and support to Zcashers who are interested in using Tor’s network-layer privacy together with Zcash’s blockchain privacy. And of course, I will be advocating for PGP as I have been doing since the 90s. If you don’t do PGP, you don’t do “crypto”!

I think that that would make a positive topic for Zcon3. I’d like to see if there is any reasonable way for me to contribute. Alas, I still cannot see the website.

Whoops. While I was making some preliminary preparations for a Zcash Forum post to help introduce more Zcashers to Tor, I noticed that the only way to donate ZEC to Tor is by sending to a t-address. Although this isn’t anything like having a website that blocks Tor—not even comparable!—it is definitely suboptimal, and not a good look for the Tor Project as a privacy advocate. Perhaps it is time to make some constructive improvements all-around.

Tor’s cryptocurrency donation page (onion) (archival snapshot—onion):

I will be reaching out to the Tor Project and its community, to help them optimize their support for strong privacy. I observe that the Tor Project has an XMR donation address; thus, I presume that they must already have in place any necessary procedures for auditability and accounting with selective disclosure of view keys. They have a BTC Pay Server (and even a BTC Pay onion) for accepting Bitcoin; that is consistent with current best practices for privacy.

@anon35140610, I have a question for the Zcash Foundation: How has the Zcash Foundation sent grant money to the Tor Project? Thanks for any information you can provide about that, and if ZF has a set policy about it. I would dig around on the ZF website to see if this is disclosed; but I can’t reasonably do so, because zfnd.org is still blocking Tor.

I advocate that the Zcash Foundation should have a strict policy of sending grants only with fully shielded ZEC. I hope that it has had such a policy since Sprout. If it does not, I urge making this an iron-clad rule with no exceptions. People who cannot or will not receive fully-shielded ZEC should never receive any ZEC development-seigniorage money from the Zcash Foundation—period.

To support auditing and accountability, the crypto-wizards at ECC have done an awful lot of work to support selective disclosure; and for Zcash Foundation grants, it would be appropriate for all of the necessary view keys to be available to the community.

As of December 2022 zfnd.org is still blocking Tor users.
It’s a real bummer, and I would really hope that zcash foundation starts caring about the privacy of the users a bit more