Cloudflare is problematic for Tor users and privacy

Since the DDoS attack, osm.org seems to have started using Cloudflare.

This causes no end of problems for users like me.

  1. I use Tor Browser as my main browser, and Cloudflare is the bane of my online life. Sites that use Cloudflare require me to unblock Cloudflare’s JavaScript. If I don’t, I get thrown into a Turnstile loop, unable to access the site. It is quite irritating to run into Turnstile all the time.

  2. I also occasionally request my changeset history data (via some personal scripts) from osm.org. These are also run over Tor to prevent ISP surveillance and censorship, but ever since osm.org started using Cloudflare, I’ve been unable to use them over Tor.

  3. Cloudflare is also an invasion of users’ privacy, and as such, conscience dictates that I speak out against its use.

I hope there is some way to alleviate the situation. Ideally, Cloudflare should be removed. If not, there must be some solution that lets my scripts work and lets me visit the site without being subjected to Turnstile or other CAPTCHAs, and without having to enable Cloudflare’s JavaScript.

7 Likes

I am well aware that to guard against DDoS attacks you need a party like Cloudflare, and I was wondering if I would detect anything, but I did not: all scripts seem to originate from openstreetmap.org, and I do not see Cloudflare Turnstile coming by.

Still, you are likely correct, but could it be that extra verification is done because you are using Tor?

You mention osm.org, but can you be more specific: is accessing this forum already problematic? If not, can you post a full link (osm.org is redirected) of what is not working, so that others can try without doubting that they are testing the same thing as you?

I expect it depends on the exit node Tor has chosen for the user, and how much osm.org activity it has received.

I can’t say for certain, but my guess is that most of my problems occur with osm.org itself and not the Discourse instance.

Searching the web for “cloudflare tor” throws up many resources about using Cloudflare without unnecessarily harassing Tor users. This looks especially relevant -

Is that as a signed-in user or not? If not, you might want to try user_changesets.pl from the perl scripts as a logged-in user. I haven’t tried it over Tor, but it might be worth a go.

Given that you are trying to keep your activity private from your ISP but not from OSM, is Tor really the best solution here? When connecting from “risky” locations I tend to connect via a VPN server that I have set up elsewhere. Obviously there is a cost to this, and it may not be legal according to local laws everywhere in the world, but it would solve this issue.

@SomeoneElse My scripts don’t use authentication. I don’t quite feel like changing/extending them, simply on account of yet another website with a misconfigured Cloudflare :sweat_smile:

I don’t intend to move to a VPN, as Tor is a much more mature and trustworthy solution. As far as I understand, Tor is sufficient to protect against ISP mass surveillance.

Waiting to hear about the feasibility of the solutions recommended by Cloudflare. Or, of course, using some more Tor-friendly alternative.

1 Like

This is entirely your choice of course, but “what OSM does” as a project is influenced by lots of things and lots of people. I can think of plenty of things that I used to do that don’t work any more, because the balance of opinion within OSM meant that “because of X we now have to do Y, which means that Z isn’t possible any more”.

Sometimes we as individuals have to adapt to a new reality - in this case to prevent wide-scale vandalism. It’s a shame, but it does happen, and the fact that OSM is able to adapt as a project to deal with it is a strength rather than a weakness.

“I don’t want to change the way I do X” is an entirely natural reaction, but unfortunately sometimes the world does change and we need to adapt to it. In my post above I tried to make suggestions that would help you to meet your goals with minimal changes; it absolutely wasn’t meant as a negative (“you’re wrong to want to do that”) - quite the reverse.

14 Likes

There’s a surprising amount of support in this thread for getting Tor users to move to other solutions, despite it being expressed that this is undesirable

…and no word whatsoever about the Cloudflare configuration I linked to, which can potentially fix things without much trouble for either side. :person_facepalming:

My disappointment and irritation with the OSM community grows with each discussion I begin with it. I didn’t have much hope of empathy or understanding to begin with, and this belief gets reaffirmed with each interaction.

1 Like

This is a general discussion forum, so folks here may be sympathetic but have limited ability to assist you with your specific technical needs. Have you considered contacting the responsible team more directly? I don’t see anything in the operations team’s issue tracker mentioning Tor or onion routing so far. (Yes, I know, GitHub. But they have an e-mail address too.)

1 Like

I thought this was the right place to talk, since the DDoS was also discussed here. I guess I’ll write an email to the OWG, and post updates here. Thanks.

1 Like

It seems potentially useful to report this Tor issue and the potential solution at Issues · openstreetmap/operations · GitHub (it looks like this issue has not been raised yet).

Though the main problem with malicious people/Tor/filtering is that

  • Tor is relatively effective at anonymizing people
  • In some cases (DDoS attacks, blocking malicious people from editing) you cannot distinguish malicious and non-malicious Tor users, or even between two Tor users.

So either you allow malicious connections or block all Tor users.

And malicious users, when blocked, often start using open proxies and Tor specifically as the next step, sadly harming normal Tor users.

I am not aware of nice workarounds here.

Well, now you know how people felt about the idea of moving from GitHub to alternate solutions :slight_smile:

6 Likes

:roll_eyes: :person_facepalming: It is laughable to think that the two cases are equivalent. As mentioned, it would be a downgrade to move from Tor to a VPN. Meanwhile, there are strong practical reasons to move to free software forges, and hardly any provable downsides - the people in that thread were (as I pointed out before) simply short-sighted and ignorant of history (again, SourceForge says hi). These are not my opinions - they are objective, provable facts, and should be clearly apparent to any sensible person. Unfortunately, there seems to be a distinct shortage of them in this discussion.

(I can understand not hosting a forge on osm.org for preserving server resources. But there’s no reason not to move OSM-related free software projects to free forges.)

Meanwhile, I wrote to the OWG (mostly quoting my original post here) and promptly received a surprisingly empathetic and considerate response - quite unexpected, given my experiences with the community on the forum.

  1. They apologized for my disruption in access (!!)
  2. Suggested overriding my local DNS as a workaround
  3. Mentioned that “continuing to use Cloudflare DDoS protections” is not planned “in the medium to long term”.

Genuinely relieved to hear it. I’ll be trying the workaround.

6 Likes

That sounds more like an opinion than a fact to me. You say that you are having problems accessing the site via tor; I know that I don’t have problems via VPN. I know that you can’t compare the two since …

… you haven’t even tried that as a potential solution.

That said, accessibility to everyone is clearly a goal for OSM (more so than the commercial alternatives), and if a solution could be found that allowed access from antidemocratic regimes whilst still blocking people who want to harm OSM, then that’d be great. Unfortunately, I’m not sure that such a solution is even possible.

Obligatory XKCD

2 Likes

@SomeoneElse Quoting a Reddit comment, for lack of better resources on this subject -

Tor Browser does a lot more than a VPN and provides way stronger anonymity. A VPN simply routes your traffic through a VPN server, hiding your IP address from the sites you visit and your internet activity from your ISP and others watching your connection. However, this does not solve the problem of your traffic being traceable; it just shifts it to the VPN. The VPN will see everything your ISP used to see, and while sites you connect to won’t know your IP address, the VPN will know your real IP address and which sites you visited. VPNs are privacy by policy. You have to trust the VPN not to keep any records of your activity, without any guarantee for it. At any time the VPN can start or stop recording information about your activity. So even an audit by an independent company cannot guarantee the VPN is keeping its own promises and policy. Additionally, VPNs are a single point of failure. Even if the VPN is not spying on you, you still have to trust it to secure its infrastructure against attacks. If an attacker gains access to the VPN server you are using, they will be able to see and track your activity. Furthermore, VPNs are an easier target for more advanced attacks on your anonymity, like traffic correlation attacks, than Tor is.

This is not even the biggest problem regarding anonymity and VPNs. Even if the VPN is trustworthy and not spying on you and there are no attackers spying either, most of the time the services and websites you are using have much more effective ways of tracking you than your IP address, and a VPN does exactly nothing against them. Cookies, browser fingerprinting, tracking and hardware IDs are much more accurate in identifying and tracking you than an IP address. VPNs simply do not grant you anonymity. They can be useful for hiding your internet activity from your ISP or people on your WiFi network if the VPN is more trustworthy than your regular network; however, they simply do not make you anonymous to most services you are using. Tor Browser, however, routes your traffic through three random servers of the decentralized Tor network. Each server (also called a node or relay) only knows the station before and after it in the route your traffic takes (also called a circuit). The first node, the guard relay, will know your real IP, your real identity, but it will not know your activity; it will only know the next node in your circuit, the middle relay. The middle relay will only know your guard relay and the last relay, the exit relay. It will neither know your identity nor your activity. The exit node will know the destination of your traffic, but it will not know your identity. It only sees the middle relay before it. It can also not track your activity across multiple sites and build a profile of you, because Tor Browser builds a new circuit with different relays for each site. (Your guard node will stay the same though. That’s a security feature against a certain attack on Tor.) The same applies to the site you’re visiting. It will only see traffic coming from the exit node, but won’t know its origin, your identity. Tor is not privacy by policy like a VPN; it is anonymous by its design. No one besides you knows both your activity and your identity. Additionally, Tor Browser is designed to resist tracking techniques like cookies or browser fingerprinting.

from https://old.reddit.com/r/TOR/comments/ju3zeg/is_vpn_as_secure_as_tor_browser/

1 Like
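The quoted comment describes what each hop in a three-hop circuit can see. The following toy model, added here as an illustration and not part of the original post or of Tor's own code, builds a layered "onion" for a request, lets each relay peel one layer, and then records what each party learned. It deliberately simplifies Tor (the real protocol uses the ntor handshake, AES-CTR relay encryption and fixed-size cells; this model uses an HMAC-based keystream purely so that it runs with the standard library). The relay names, keys, destination and request are all constructed for the example.

```python
"""Toy model of a three-hop Tor circuit: who learns what.

Added illustration only; not Tor's real protocol. The hop names, keys,
destination name and request bytes are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: HMAC-SHA256 keystream in counter mode.

    Applying it twice with the same key returns the original bytes, which is
    all the model needs. It stands in for Tor's AES-CTR and is not meant for
    real use.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def wrap(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Add one onion layer: encrypt (next hop, inner payload) under `key`."""
    inner = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
    return xor_stream(key, inner)


def unwrap(key: bytes, cell: bytes) -> tuple[str, bytes]:
    """Peel one layer; the relay learns only the next hop and an opaque blob."""
    obj = json.loads(xor_stream(key, cell).decode())
    return obj["next"], bytes.fromhex(obj["payload"])


def run_circuit(request: bytes, destination: str) -> dict:
    """Send `request` from "client" to `destination` via guard, middle, exit.

    Returns, per party, the link peer it received from, the hop it forwarded
    to, and the bytes it forwarded (plaintext only from the exit onwards).
    """
    hops = ["guard", "middle", "exit"]
    # One session key per hop, as if negotiated hop by hop by the client.
    keys = {hop: secrets.token_bytes(32) for hop in hops}

    # The client builds the onion inside-out: only the exit's layer names the
    # real destination; each outer layer names just the next relay.
    cell = wrap(keys["exit"], destination, request)
    cell = wrap(keys["middle"], "exit", cell)
    cell = wrap(keys["guard"], "middle", cell)

    observed = {}
    sender = "client"
    for hop in hops:
        next_hop, cell = unwrap(keys[hop], cell)
        observed[hop] = {"from": sender, "to": next_hop, "bytes": cell}
        sender = hop
    # The destination only ever talks to the exit relay.
    observed[destination] = {"from": sender, "to": None, "bytes": cell}
    return observed


def knowledge(observed: dict, destination: str) -> dict:
    """Map each party to (knows_identity, knows_activity).

    identity: the party's link peer was the client itself.
    activity: the party saw the destination name (the exit) or is the
    destination and therefore saw the request.
    """
    result = {}
    for party, view in observed.items():
        knows_identity = view["from"] == "client"
        knows_activity = view["to"] == destination or party == destination
        result[party] = (knows_identity, knows_activity)
    return result


if __name__ == "__main__":
    # Constructed request; the destination name is illustrative.
    obs = run_circuit(b"GET /api/0.6/changesets?display_name=example HTTP/1.1", "osm.org")
    for party, (ident, act) in knowledge(obs, "osm.org").items():
        print(f"{party:8s} knows identity={ident!s:5s} knows activity={act}")
```

Running it shows the split the comment describes: the guard has the identity bit but not the activity bit, the exit and the destination have the activity bit but not the identity bit, and the middle relay has neither. The model also makes the exit's position explicit: it forwards the request in the clear, so anything not protected by TLS end to end is readable there.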

I would ask yourself the question “who am I trying to hide my identity from?”.

I suspect that the answer in your case is your ISP, or dodgy coffee-shop wifi, or three of the four “alleged Wetherspoons wifis” that I was shown in a pub a couple of days ago.

I suspect (given that you have logged in to map and post) that you are not trying to hide your identity from OSM.

“Who is running the VPN” is absolutely a key question (in my case it is me, from a rented VPS in a relatively safe jurisdiction).

1 Like

I do not see how that would work with Tor, still all traffic would go through Tor, right?

As a Tor user you should be knowledgeable enough to alter your routing table to connect to certain IP ranges you trust, bypassing Tor.

@SomeoneElse, Tor is much better in terms of user privacy compared to VPNs. Your VPN service provider can see all your activity. Instead of going through your ISP, all your connections go through your VPN provider. In the Tor network, only the guard node knows your IP address, but it cannot correlate it with the websites you are visiting. I am not saying that people should distrust all VPN providers.

I am also a Tor user and I think OSM infrastructure should be accessible via Tor. @contrapunctus’s point about not switching to a VPN is not about changing habits, but about Tor being a more robust solution. Being decentralized in terms of network, it is almost impossible for governments to censor, as opposed to VPNs. In addition to the anonymous Tor network, the Tor browser also comes with many security features compared to Chromium and Firefox defaults. Remember that there are malicious actors, be it on Tor Browser or a VPN. Blocking all Tor users might hinder privacy-conscious people from contributing to OSM.

For me, right now, osm.org and other OSM infra are accessible via the Tor Browser on my desktop without making any changes to the settings.

3 Likes

I didn’t include this in my earlier email response to you, but we do have the relevant option already enabled in our Cloudflare settings.

Some Tor users are still receiving the JS challenge due to “badscore”. I am not a Tor user, but maybe changing the ExitNodes setting to use another country or region may help.

5 Likes
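As an illustration of the ExitNodes suggestion above (added here; it is not text from the OWG reply, from Tor Browser, or from Tor’s own documentation), this is what such a torrc fragment looks like. `ExitNodes` and `StrictNodes` are real torrc options; the country codes are an arbitrary choice made for the example.

```text
# torrc fragment, added example. Country codes are illustrative; pick ones
# whose exit IPs are not scoring badly with the reputation system in question.
ExitNodes {de},{nl},{se}

# Without StrictNodes, the list above is only a preference and Tor may still
# pick another exit when none of the listed ones is usable. With it, Tor fails
# the connection instead. Leave it at 0 unless the fallback is the problem.
StrictNodes 0
```

Since the challenge decision is tied to the reputation of the exit IP (the earlier reply about exit nodes makes the same point), rotating to a different exit changes what Cloudflare scores, which is why the suggestion can help. The trade-off a practitioner should keep in mind is that pinning exits to a few countries shrinks the set of circuits Tor can build and so weakens the anonymity the thread is arguing for; the Tor manual warns against restricting exit selection for exactly that reason.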

You really don’t seem to get the contradiction here, do you. If you’re armchair mapping, then privacy is essentially of no concern in that way with OSM: no one can work out where you are based on it. If you’re NOT armchair mapping, then since you have to walk up to things, or drive past, or cycle to them to map them, you automatically reveal where you are based on the mapping you do!

So Tor has nothing to do with “privacy” in this case so far as OSM is concerned. Tor is an extremely good way for malicious actors to get access to the system, by its very nature. Since there are more malicious actors out there than Tor users trying to use OSM, I’m afraid to say that stopping the malicious actors must take priority.

2 Likes

There are plenty of great alternatives to Cloudflare, such as an mCaptcha proxy.

This is how many FOSS projects (e.g. Forgejo/Codeberg) protect their services.