
I like Tor. I think it’s a brilliant and necessary tool. If you’re a whistleblower, political dissident, under surveillance from dangerous or oppressive governments, or you simply don’t want your ISP or anyone to know about your embarrassing online searches (VPNs or some privacy-focused browsers can help with the latter without needing Tor), it should be in your toolset and configured correctly.
And if you are one of the above, or you just require privacy and anonymity online, don’t think VPNs are failsafe. If you don’t run your own (on your own physical hardware using a VPN such as Outline from Jigsaw, a unit within Google that explores threats to open societies and builds technologies to assist) you have to trust the VPN provider regarding any logs kept, DNS leaks, overall security, etc. Worryingly, a few providers have a very sketchy track record in these regards.
In any case, through DNS leaks or other inadequacies, some VPNs will not only display your (VPN’s) IP address in server logs but may also divulge your device’s hostname, which, depending on your ISP, may include your ISP, your approximate location, and your real IP address. Plus, who knows which U.S. and Russian TLAs already have access to some VPN providers, one way or another. Oh, incidentally, they run their own Tor exit nodes, too.
For those that don’t know, Tor started at the U.S. Naval Research Lab (NRL), with the majority of its development funding coming from the Office of Naval Research (ONR) and the Defense Advanced Research Projects Agency (DARPA). Since 2004, Tor has been supported by the EFF (see torproject.org/about/history).
I use Cloudflare. I could (and actually do) configure my Cloudflare account to only allow connections from Tor via Cloudflare’s Onion Routing services (see Cloudflare’s blog post on Introducing the Cloudflare Onion Service). Put very simply, the benefit of this is that my sites would not be reachable from nefarious Tor exit nodes. The option is available in the Crypto tab of the Cloudflare dashboard.



That’s good, I have it selected, but it’s not good enough for my requirements.
Naturally, Tor is used by bad actors as well as good. It is the way to be anonymous on the Internet. I cannot think of a single use-case for legitimate users of Tor to need to access my sites via Tor. I don’t require confidential communication within my sites (for encrypted email, I use ProtonMail), I’m not storing, receiving, or providing any sensitive information, I’m not in the military, government, intelligence services, or any activist or hacking organization, and no one with embarrassing medical conditions should be searching my sites. I think that just about covers it.
However, I can think of countless reasons why bad actors would want to access my sites via Tor. Fortunately, I can prevent this by using Cloudflare, also.
One of the values in Cloudflare’s firewall rules allows you to block Tor. It’s listed as a value in the Country field.
In the Cloudflare dashboard, click the Firewall tab > Firewall Rules > Create a Firewall Rule. In the page that follows, give your rule a name, select Tor from the Country field (add other rules that meet your requirements, and, crucially, understand the difference between And and Or if you do), and ensure the Then... action is set to Block. Then, click Deploy.



The result will be that no Tor exit node will be able to establish a connection to your site.



Caveat: I haven’t tested using a connection via Cloudflare Onion Routing to my site (i.e., I do not yet know if the Cloudflare Onion Routing setting overrides the Cloudflare Firewall setting). Once I do know, I’ll update this post.
Of course, nothing is 100% guaranteed, 100% secure, or foolproof. For example, if your site is available via its origin server’s IP address rather than just its URL, or if your managed host provides you a temporary URL at install that also happens to be publicly available and not redirected to your domain, your Cloudflare defenses can be bypassed.
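One way to check for the origin bypass described above, as an added example that is not from the original post: the script scans an origin access log for requests whose peer address falls outside the proxy's edge ranges and flags any that match a Tor exit list. The ranges, exit address and log lines are constructed placeholders, `find_origin_bypass` is a hypothetical name, and the log is assumed to record the TCP peer address rather than a client IP restored from a proxy header.

```python
import ipaddress
import re

# Constructed placeholder range (RFC 5737 documentation space) standing in for
# the proxy's published edge ranges; load the provider's real list in practice.
PROXY_RANGES = ["198.51.100.0/24"]
# Constructed stand-in for a Tor exit list.
TOR_EXITS = {"203.0.113.7"}

# Constructed sample of origin access-log lines (combined log format).
SAMPLE_LOG = """\
198.51.100.10 - - [01/Jan/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2020:10:00:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2020:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
not a log line
198.51.100.200 - - [01/Jan/2020:10:00:12 +0000] "POST /contact HTTP/1.1" 403 0 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

def find_origin_bypass(log_text, proxy_ranges, tor_exits):
    """Return requests whose peer address is outside the proxy ranges, i.e.
    connections that reached the origin without passing the edge firewall."""
    nets = [ipaddress.ip_network(r) for r in proxy_ranges]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        try:
            peer = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # peer field is a hostname or garbage
        if any(peer in n for n in nets):
            continue  # arrived via the proxy, so edge rules were applied
        findings.append({
            "peer": str(peer),
            "time": m.group(2),
            "request": m.group(3),
            "status": int(m.group(4)),
            "tor_exit": str(peer) in tor_exits,
        })
    return findings

if __name__ == "__main__":
    for f in find_origin_bypass(SAMPLE_LOG, PROXY_RANGES, TOR_EXITS):
        print(f)
```

Any finding means the origin answered a client directly; restricting the origin's own firewall to the proxy's ranges closes that path.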
So, if you’re unable to access my sites using Tor, I’m sorry about that; I can’t think why you’d want to, other than for reasons to attack them. If you want to visit my sites anonymously (anonymously from me, anyway, but not necessarily from some bad actors), use a good VPN (that’s not located in a country I block).
If you can give me a reason why someone would need to access my sites via Tor legitimately, I would love to read it in the comments below. Or, if you’re able to access this site via Tor, you’re more than welcome to tell me (and demonstrate it, of course).
Thanks for reading. I hope this is helpful to someone.
PS. If you did find it useful, or you got something of benefit from it, and you’re feeling generous, perhaps you would Buy Me a Coffee. Thank you.