[wp-meta] [Making WordPress.org] #7792: TOR + VPN usage results in Too Many "429 Too Many Requests" Errors
Making WordPress.org
noreply at wordpress.org
Mon Jan 6 21:33:33 UTC 2025
#7792: TOR + VPN usage results in Too Many "429 Too Many Requests" Errors
--------------------------+-----------------------
Reporter: maltfield | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: General | Resolution:
Keywords: |
--------------------------+-----------------------
Changes (by maltfield):
* status: closed => reopened
* resolution: reported-upstream =>
Comment:
Great, I'm glad you recognize that your systems are harming at-risk users.
These false-positives *are* the bug that this ticket is attempting to
address.
> This isn't my decision
Can you please bring the relevant person into this ticket so we can
discuss how to fix this bug?
> the extreme minority of legitimate traffic is
> not enough to warrant me arguing for it.
This smells like misinformation. Have you actually tried to investigate
how many of your Tor visitors are benign vs malicious?
Tor traffic roughly mirrors the rest of Internet traffic; it's mostly
users browsing social media (e.g. Facebook), reading the news, watching
videos, etc. But there is a higher percent of Tor users who are at-risk --
such as journalists, activists, human rights workers, whistleblowers,
refugees, domestic abuse survivors, etc. [1]
> The usage of certain anonymisation platforms (TOR is the most prolific
> one) results in little manner to differentiate legitimate and
> illegitimate
> traffic, by design of those platforms, which results in the experience
Sorry, this is not true. And I'm glad we're able to have this discussion
in this bug report to correct such confusion.
For example, it's very, very, very easy for you to differentiate between
benign GET requests and POST requests.
A simple GET request of a well-cached documentation page or other static
asset (e.g. a JS or CSS file) is not a threat and should not be blocked.
Additionally, any request coming from an authenticated user can be tied to
that user's account -- even if they use a security-hardened operating
system like TAILS to protect themselves. Requests coming from browser sessions
with a logged-in user account (in good standing) should not be subject to
such IP-based blocks (that are currently rife with false-positives).
Please bring the relevant person who made this decision into this ticket.
Let's examine the actual threats and see how the current misconfiguration
can be fixed while still addressing your legitimate risks.
[1] https://community.torproject.org/user-research/personas/
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7792#comment:9>
Making WordPress.org <https://meta.trac.wordpress.org/>
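The rate-limiting policy the comment above argues for (do not count cached reads or static assets, count only state-changing requests and login attempts, and key authenticated traffic by account instead of by source IP) as an added example sketched by the editor. This is not code from the ticket, from wordpress.org, or from WordPress itself; the paths, the shared exit IP and the request dictionaries are constructed for the illustration.

```python
"""
Sketch of an IP-aware rate limiter that avoids punishing many benign users who
share one Tor exit or VPN egress address.  Editor's example, not wordpress.org code.
"""
from collections import defaultdict, deque

# Hypothetical static-asset suffixes and idempotent methods; adjust per site.
STATIC_SUFFIXES = (".js", ".css", ".png", ".jpg", ".svg", ".woff2", ".ico")
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
LOGIN_PREFIX = "/wp-login"   # login attempts are counted whatever the method


class RateLimiter:
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)   # bucket key -> timestamps of counted requests

    def bucket_key(self, req):
        """Authenticated accounts in good standing are limited per account, not per IP,
        so a logged-in user is unaffected by whoever else is behind the same exit."""
        if req.get("user_id") is not None and req.get("good_standing", True):
            return "user:%s" % req["user_id"]
        return "ip:%s" % req["ip"]

    def is_counted(self, req):
        """Only state-changing requests and login attempts count toward the limit.
        Cached reads and static assets are not an abuse vector worth a 429."""
        path = req["path"].split("?", 1)[0]
        if path.endswith(STATIC_SUFFIXES):
            return False
        if req["method"] in SAFE_METHODS and not path.startswith(LOGIN_PREFIX):
            return False
        return True

    def check(self, req, now):
        """Return (allowed, http_status); sliding window over counted requests."""
        if not self.is_counted(req):
            return True, 200
        bucket = self.hits[self.bucket_key(req)]
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        if len(bucket) >= self.limit:
            return False, 429
        bucket.append(now)
        return True, 200


EXIT_IP = "198.51.100.7"   # constructed: one exit/egress address shared by many users


def simulate(limit=5, window=60):
    """Replay constructed traffic from one shared exit IP and count 429s per group."""
    rl = RateLimiter(limit, window)
    out = {"anon_gets_429": 0, "abuser_429": 0, "user_posts_429": 0}
    t = 0.0
    # 50 distinct anonymous readers fetching a docs page plus its stylesheet
    for _ in range(50):
        for path in ("/support/article/faq/", "/wp-content/themes/pub/style.css?ver=1"):
            _, status = rl.check({"method": "GET", "path": path, "ip": EXIT_IP}, t)
            out["anon_gets_429"] += status == 429
            t += 0.1
    # one abuser hammering the login endpoint from the same exit IP
    for _ in range(20):
        _, status = rl.check({"method": "POST", "path": "/wp-login.php", "ip": EXIT_IP}, t)
        out["abuser_429"] += status == 429
        t += 0.1
    # a logged-in user in good standing on the same exit, posting three times
    for _ in range(3):
        req = {"method": "POST", "path": "/support/comment/", "ip": EXIT_IP, "user_id": 42}
        _, status = rl.check(req, t)
        out["user_posts_429"] += status == 429
        t += 0.1
    return out


if __name__ == "__main__":
    print(simulate())   # readers and the logged-in user see no 429s; the abuser does
```

The account-keyed bucket only helps if the limiter runs after session authentication and if the login endpoint itself stays IP-limited (or globally limited), since an attacker can register accounts as easily as anyone else; the `good_standing` flag is where an account-reputation signal would plug in.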