Sticky security issues: how your website security should handle Tor users

As your mother and a handful of other well-meaning adults probably told you, there is a certain thing that happens when you assume things. It pertains to the u and me that ends the word assume turning into its first three letters, if you were somehow unaware.

This saying has endured through 100 million utterances because of 1) high school gym teachers and 2) the fact that it is, largely, true. Just as it is unacceptable to ban shoppers from a brick and mortar store solely based on the neighborhood they come from, you can’t ban users from your website because of assumptions made based on their browsing habits. Securing your website when it comes to the anonymity network Tor requires a lot more finesse.

Browse-aholics anonymous

Tor is free software that makes it possible for users to navigate and communicate over the internet without having their activities traced by government agencies, corporations and other interested parties.

The reasons for wanting to use Tor range from benign to evil. On the benign end of the spectrum, some people are simply concerned about privacy and prefer to use the internet without being tracked. Tor is also used to protect victims of domestic violence as well as shield the agencies and individuals who help them. Whistleblowers and other human rights workers are afforded the opportunity to contact journalists and other people in a position to help without compromising their own safety thanks to Tor.

However, with the opportunity for anonymity comes the opportunity to do terrible things. Tor has reportedly been used in the perpetration of crimes including drug trafficking, weapons dealing and the distribution of illegal sexual content. And then there’s the cybercrime.

The cybercrime

One of the most obvious reasons for wanting to be untraceable on the internet is having the ability to perpetrate a cyber-attack without facing consequences for it. In fact, cyber-attacks using the Tor network are so common that in August of 2015 IBM issued a warning to companies, telling them to block the Tor network in order to help prevent SQL injection, ransomware and DDoS attacks.

The warning came after the IBM X-Force team uncovered 150,000 cyber-attacks or other malicious events that relied on the Tor network through just the first eight months of 2015. IBM found that Tor was frequently being used to target IT and communications companies.

Blunt force trauma

On the surface, the warning issued by IBM is understandable. However, since Tor is used by a wide range of people for a wide range of purposes, it isn’t in the best interests of your website to simply block the entire network, nor is it fair. The need to go untracked or even just a basic desire for privacy shouldn’t render a person ineligible for unfettered internet browsing.

Blunt security actions like blocking everyone using Tor, blacklisting based on reputation or serving CAPTCHAs to every single user are, for the most part, excessive security measures that can do more harm than good, disrupting more legitimate traffic than blocking bad traffic.

How leading security providers handle Tor

For internet security provider Imperva Incapsula, handling Tor users not only involves inspecting traffic at a granular level that allows them to transparently vet visitors without interrupting user experience, but also allows Tor users to retain the anonymity that is obviously important to them.

“When a Tor user enters a website, in a majority of cases, we won’t take any special action and will only profile its behavior from a security perspective like any other visitor,” says Imperva Incapsula Senior Security Researcher Ofer Gayer in a blog post on accommodating Tor users. “We will never use anything that violates anyone’s privacy or that de-anonymizes them.”

Incapsula instead uses what they call a surgical, multi-dimension approach to profile visitors as well as requests in order to determine the lowest suitable action required to block malicious traffic. It’s an approach that combines client classification with supporting use of IP reputation and issues progressive security challenges to separate malicious traffic from legitimate traffic, only issuing a CAPTCHA when it has been determined there is only a slight chance of it being served to a human there for legitimate reasons.

This approach allows Incapsula to differentiate between good and malicious Tor users, even while Tor is involved in a DDoS attack. There’s no punishing all for the actions of a few, because that would be assuming. And we should all stop assuming things, so we can stop hearing about what happens when we assume.

Previous article3 Ways Businesses are Making Their Content Stand Out
Next articleHow to Secure Financing When Traditional Means Aren’t an Option
Melissa Thompson

Melissa is a mother of 2, lives in Utah, and writes for a multitude of sites. She is currently the EIC of and writes about health, wellness, and business topics.