Making WordPress.org

Opened 4 months ago

Closed 2 weeks ago

#7792 closed defect (bug) (wontfix)

TOR + VPN usage results in Too Many "429 Too Many Requests" Errors

Reported by: maltfield Owned by:
Milestone: Priority: normal
Component: General Keywords:
Cc:

Description

For the past ~6 months, I have been frequently unable to access content on wordpress.org.

If I'm lucky, then when I'm browsing wordpress documentation pages, I'm able to load the main html file with the content, but the website is horribly mis-rendered because many dependent assets don't load (eg css files, images, javascript, etc) due to "429 Too Many Requests" errors.

If I'm unlucky, even the main page doesn't load at all -- due to "429 Too Many Requests".

Usually, I start off being able to load one or more pages, but as I click around the website trying to find the page that I need, I eventually get this error.

I am not a bot. I am a human. I'm just trying to load reference documentation as I develop a wordpress plugin. This has been extremely frustrating, and has forced me to use third-party websites and to "guess" php functions, attributes, and return values as I'm developing, reducing my productivity.

Since the Snowden revelations of 2013, it's become clear that many at-risk users should not be using the Internet without using privacy-protections like Tor. For security and privacy reasons, I do not access the internet without passing my traffic through Tor or a VPN. To prevent discrimination against at-risk folks, it's important that WordPress servers do not block traffic from shared networks, such as VPNs or Tor exit nodes.

It appears that nginx's settings are too strict, and lots of good users are getting caught in the dragnet.

Whatever the current nginx config is, please double it to fix these false-positives.

Change History (10)

#1 @maltfield
4 months ago

I'd like to add that this issue affects both read and write requests to this trac too.

So I suspect that there's countless users who experience this bug who won't be able to speak-out, because this bug prevents them from reporting this bug.

#2 @dd32
4 months ago

  • Resolution set to reported-upstream
  • Status changed from new to closed
  • Summary changed from Too Many "429 Too Many Requests" Errors (Nginx Misconfiguration causing False-Positives) to TOR + VPN usage results in Too Many "429 Too Many Requests" Errors

For security and privacy reasons, I do not access the internet without passing my traffic through Tor or a VPN. To prevent discrimination against at-risk folks, it's important that WordPress servers do not block traffic from shared networks, such as VPNs or Tor exit nodes.

Unfortunately these networks are a high source of malicious traffic, and there's not a lot we can do to resolve that; ensuring that WordPress.org is accessible to the majority sometimes results in a small minority paying the price.

That being said, I've mentioned this to systems, but I do not expect any changes.

#3 @maltfield
4 months ago

Thank you

Unfortunately these networks are a high source of malicious traffic

What exactly is the harm that is being done to Wordpress from VPN/Tor networks in the subset of requests that are simple GET requests of cached pages?

Last edited 4 months ago by maltfield

#4 @maltfield
2 months ago

@dd32 I confirmed that this bug is still present.

Can you please re-open this bug until we have a solution for it?

#5 @maltfield
4 weeks ago

@dd32 I confirmed again that this bug is still present.

Can you please re-open this bug until we have a solution for it?

#6 @dd32
2 weeks ago

Since this is intentional, no, this isn't a bug.

#7 follow-up: @maltfield
2 weeks ago

@dd32 What??

You're arguing that you're *intentionally* blocking at-risk users from being able to contribute to WordPress?

You think that false-positives blocking benign users from being able to do GET requests on wordpress dot org websites is working as-intended?!?

Can you tell me exactly what harm a domestic abuse survivor or a refugee using Tor Browser is doing to the website when they issue a 'GET /' request on wordpress documentation?

#8 in reply to: ↑ 7 @dd32
2 weeks ago

Replying to maltfield:

You're arguing that you're *intentionally* blocking at-risk users from being able to contribute to WordPress?

No. I'm saying that sources of malicious traffic to WordPress.org are rate limited heavily to protect the ability of the majority to contribute to WordPress.org. This is not targeted at individuals, nor do I agree that the affected users should be considered at-risk.

The usage of certain anonymisation platforms (TOR is the most prolific one) results in little manner to differentiate legitimate and illegitimate traffic, by design of those platforms, which results in the experience you're seeing. Other VPNs may be affected, other VPNs may not be affected, it's not about the client, but who the other clients of the service are.

This isn't my decision, and the extreme minority of legitimate traffic is not enough to warrant me arguing for it.

#9 @maltfield
2 weeks ago

  • Resolution reported-upstream deleted
  • Status changed from closed to reopened

Great, I'm glad you recognize that your systems are harming at-risk users. These false-positives *are* the bug that this ticket is attempting to address.

This isn't my decision

Can you please bring the relevant person into this ticket so we can discuss how to fix this bug?

the extreme minority of legitimate traffic is not enough to warrant me arguing for it.

This smells like misinformation. Have you actually tried to investigate how many of your Tor visitors are benign vs malicious?

Tor traffic roughly mirrors the rest of Internet traffic; it's mostly users browsing social media (eg facebook), reading the news, watching videos, etc. But there is a higher percent of Tor users who are at-risk -- such as journalists, activists, human rights workers, whistleblowers, refugees, domestic abuse survivors, etc [1]

The usage of certain anonymisation platforms (TOR is the most prolific one) results in little manner to differentiate legitimate and illegitimate traffic, by design of those platforms, which results in the experience

Sorry, this is not true. And I'm glad we're able to have this discussion in this bug report to correct such confusion.

For example, it's very, very, very easy for you to differentiate between benign GET requests and POST requests.

A simple GET request of a well-cached documentation page or other static asset (eg js or css file) is not a threat and should not be blocked.

Additionally, any request coming from an authenticated user can be tied to that user's account -- even if they use a security-hardened operating system like TAILS to protect themselves. Requests coming from sessions with a logged-in user account (in good standing) should not be subject to such IP-based blocks (that are currently rife with false-positives).

Please bring the relevant person who made this decision into this ticket. Let's examine the actual threats and see how the current misconfiguration can be fixed while still addressing your legitimate risks.

[1] https://community.torproject.org/user-research/personas/

Last edited 2 weeks ago by maltfield
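Editor's added example (not WordPress.org's configuration, and not code from either participant in this ticket): one way to express in nginx the differentiation proposed in comment #9 and the asset-fan-out failure described in the ticket description. Static-asset GETs are left out of the per-IP budget, page views get a generous limit with a burst for the initial load, only write methods count against a strict zone, and logged-in sessions are keyed by their session cookie instead of the client IP. The cookie name `app_session`, the server name, the document root and the rates are placeholders; the snippet is assumed to sit inside an `http { }` block.

```nginx
# Added example, not the WordPress.org nginx configuration.
# Assumptions: placed inside http { }; the application sets a session
# cookie named "app_session" (hypothetical name) for logged-in users.

# 1. Limit key: a logged-in session is keyed by its session cookie, an
#    anonymous request by client IP. Many users behind one shared exit
#    IP therefore share a single bucket only while they are anonymous.
map $cookie_app_session $rl_key {
    ""      $binary_remote_addr;
    default $cookie_app_session;
}

# 2. Only write methods are counted in the "writes" zone. An empty key
#    means nginx does not account the request in that zone at all.
map $request_method $rl_write_key {
    default "";
    POST    $rl_key;
    PUT     $rl_key;
    PATCH   $rl_key;
    DELETE  $rl_key;
}

# Strict budget for writes, generous budget for page views.
limit_req_zone $rl_write_key zone=writes:10m rate=1r/s;
limit_req_zone $rl_key       zone=pages:10m  rate=10r/s;

# Surface the limit as 429 rather than nginx's default 503.
limit_req_status 429;

server {
    listen 80;
    server_name example.invalid;   # placeholder
    root /var/www/html;            # placeholder

    # Static assets: cached, cheap, never a write path. No request limit
    # here, so one page that pulls in dozens of CSS/JS/image files does
    # not exhaust the viewer's budget and render broken (the symptom in
    # the ticket description).
    location ~* \.(css|js|png|jpg|gif|svg|woff2?)$ {
        expires 7d;
        try_files $uri =404;
    }

    # Page views and writes. "burst=30 nodelay" lets an initial page load
    # through immediately; a sustained crawl still hits 429. Write methods
    # are additionally checked against the strict "writes" zone.
    location / {
        limit_req zone=pages  burst=30 nodelay;
        limit_req zone=writes burst=5;
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Two caveats for anyone adapting this. First, nginx cannot validate the cookie here, so keying on an unverified cookie only helps if the application bounds how many sessions one account can hold, or if the session-keyed zone is applied after the session has been checked (for example behind `auth_request`); otherwise the cookie-keyed path is no stronger than the IP-keyed one. Second, this does nothing for anonymous traffic sharing an exit IP beyond removing static assets from the budget; it narrows the false-positive described in the description (a rendered page breaking because its assets get 429s) without changing the trade-off dd32 describes in comment #8.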

#10 @dd32
2 weeks ago

  • Resolution set to wontfix
  • Status changed from reopened to closed