TorBrowser becomes less and less usable for me, and for likely most normal users

TorBrowser becomes less and less usable for me, and for likely most normal users:

The problems:
P1) Accessibility:

P2) Speed:
The rare pages, I could still access over the TOR Browser (which are not yet blocking TOR), are so slow that I lose my time and patience! Often to the point of becoming unusable!

My Conclusions:
C1) From my point of view, the very existence of Tor is in danger! The TorProject must make considerable efforts to raise awareness among CRMs and module developers, to stop blocking systematically all TOR Browser users. Maybe the TorProject needs to provide them the code that distinguishes between malicious attacks and normal site users?
(When I address a site operator about it, their answer is always the same: “Unfortunately, most attacks come over TOR. So we have to block it.”)
C2) Meanwhile, I seriously ask myself the question, if it would not be better for me to switch to a VPN like NordVPN!?

6 Likes

There are very few use cases for residents in the US and UK for Tor. VPNs are much more efficient in privatizing your internet activity, writing this from an always on VPN. Tor should be saved and prioritized for people in countries with heavy censorship.

1 Like

Tor should be saved and prioritized for people in countries with heavy censorship

Tor Browser is for EVERYONE - read Who uses Tor?

5 Likes

Thorin, I understand. However, most of those benefits are also accomplished by using a much faster VPN. As a relay operator of 29 Tor nodes I can tell you that they are at full capacity 24/7/365, which makes the service very slow for those who REALLY need it and don’t have access to such VPNs.

1 Like

I am afraid that at least some of the ill effects described by @Bob123 apply to VPNs too, though. I use my own proxy on my Linode for all of my casual browsing (including discourse), but some sites do throw “endless captchas” in my way. I think they do it for all “server” IP ranges.

2 Likes

VPNs receive tons of CAPTCHA and Cloudflare challenges.

1 Like

VPNs are no good for privacy/anonymity. See http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Whonix_versus_VPNs#Security_Experts_Opinion_on_VPNs.

Thank you for your service in providing nodes.

4 Likes

I can confirm. Using Tor nowadays is becoming meaningless because many website administrators block the IP addresses of Tor exit nodes.

A suggestion on how we can improve Tor architecture in order to bypass Tor blocks by destination websites.

My ideas may be kind of fundamental but I hope you will read it till the end.

I have been using Tor for several years and I’ve noticed that Tor is becoming useless nowadays for browsing the Internet. But why is it like that? The main reason is that more and more destination websites are blocking Tor exit nodes so it is becoming impossible for Tor users to browse these sites at all. Some websites are blocking access for Tor visitors entirely; some websites are blocking the ability to register accounts. For example, Instagram, Facebook, Telegram and so on have built-in anti-spam AI systems which can detect the fact of using Tor and automatically block the ability to register new accounts through Tor exit nodes.

So, Tor is suitable for browsing the Internet in a read-only mode but it is absolutely useless if a user wants to actively use the Internet (register social media accounts, take part in discussions and so on).

Tor has an ability to hide the fact of its usage from the Internet Service Provider (ISP) by connecting to pluggable transports (such as obfs4, meek, webtunnel) but Tor has no feature to hide the fact of using Tor from destination websites.

Honestly speaking, this is not a Tor-exclusive issue. I have been using Tor, VPNs, open proxies for many years and I can say that most of Tor exit nodes/VPNs/Proxies IP addresses have been already disclosed and they are all published in abusable IPs lists (such as the DroneBL database). It means that any destination website administrator can easily link a database with all abusable IPs to his web-server and block all incoming connections from Tor exit nodes, VPNs and proxies IPs.

Well, Tor Project developers can say “It is not a Tor problem, you should blame website administrators for blocking Tor”. But in fact, it is a Tor problem. If we do nothing then we will make Tor absolutely useless in some years because most website administrators have already banned Tor exit nodes.

What do users do nowadays to bypass Tor blocks by destination websites?
Users use complex software solutions like Whonix-Gateway and Whonix-Workstation which allow using Tor in combination with a VPN or Socks proxy. Users use Whonix to build schemes like:
ISP → Tor entry node (or an obfuscated bridge) → Tor intermediate node → Tor exit node → OpenVPN (TCP) → Website
or
ISP → Tor entry node (or an obfuscated bridge) → Tor intermediate node → Tor exit node → Open Socks Proxy → Website
in order to bypass Tor restrictions by destination websites. However, this approach does not guarantee that the website is not blocking the IP address of the VPN server or an Open Proxy server. Some websites such as imageboards are aggressively blocking not only Tor exit nodes IPs but also VPNs/Proxies IPs using abusable IP databases (like DroneBL and so on).

How can we solve this problem?
When I was looking for public VPNs, I occasionally noticed that some VPN administrators have two global IP addresses assigned to one networking interface. One of these IP addresses (let it be CC.CC.CC.CC) is publicly available and used for connecting to a VPN and the other one (let it be DD.DD.DD.DD) is hidden from the public and shown to a destination website only. The “DD.DD.DD.DD” address should not be present in DroneBL or other abusable IPs databases. It means, when a user connects to a VPN with an IP address CC.CC.CC.CC (which will be included in the abusable IPs list because it is publicly disclosed), then the VPN server redirects all the traffic (by its internal rules, let it be IPtables firewall) from CC.CC.CC.CC to DD.DD.DD.DD (which is not in the abusable IPs list because it has never been published on the Web) and then sends the traffic to the destination website. This approach allows users to bypass automatic anti-spam systems from many websites and allows users to browse the Internet freely.

A proposed architecture
Let’s assume that
AA.AA.AA.AA
BB.BB.BB.BB
CC.CC.CC.CC
DD.DD.DD.DD
Are global IPv4 addresses (0-255.0-255.0-255.0-255).
AA.AA.AA.AA, BB.BB.BB.BB, CC.CC.CC.CC are publicly disclosed IPv4 addresses of Tor relays (entry, intermediate and exit one).
DD.DD.DD.DD is a hidden exit IPv4 address for Tor exit node which should not be published or disclosed on Web.
ISP → Tor entry node (inet AA.AA.AA.AA) → Tor intermediate node (inet BB.BB.BB.BB) → Tor exit node (two IPs on one networking interface: CC.CC.CC.CC and DD.DD.DD.DD) → Website

I hope this architecture will be implemented in future Tor releases. Thank you!

Here you can see a proposed architecture of Tor “Exit bridges”: an idea on how to bypass Tor blocks by destination websites:

4 Likes

What about the ISP or hosting provider’s perspective?

I’m not sure if you’re aware, but website administrators don’t even need to scrape the directory authorities, because Tor Project actually publishes a list of all exit node addresses for the purpose of making it easier for websites to identify Tor users. They even provide a DNS service you can use to check if an address is a Tor exit node on the fly, for convenience. See Changes to the Tor Exit List Service | The Tor Project

Its stated purpose is to protect operators of exit nodes from legal trouble when people abuse them, and to allow sites to treat Tor users differently without blocking them entirely. Unfortunately, it is mainly used by website administrators (and CDNs) to outright block Tor users. The topic has been heavily debated over the years, but Tor Project continues to stand by their decision.

The difference between VPNs and Tor is that VPNs have a financial incentive to keep their addresses unblocked. Exit relay operators, on the other hand, are volunteers, which is why Tor Project tries to protect them from legal trouble by publishing their addresses.

It’s worth mentioning that even if the address used for connecting to destination websites (DD.DD.DD.DD as you put it) is kept private, a client could still query whatismyip.com repeatedly until it obtains all or most of the addresses used by exit nodes for outgoing connections. (There are only 2000 exit nodes on the Tor network; even at just 1 request per second, you could identify over half of them in under an hour at random.)

Furthermore, some sites and CDNs don’t appear to use any kind of blocklist at all. They look for high volumes of traffic or unusual traffic patterns, and block the source address for a length of time. The result is that most VPNs, and exit nodes are blocked most of the time, but you can occasionally get through by requesting a new Tor circuit or VPN server repeatedly.

2 Likes
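Added example, not part of the original posts and not Tor Project code: a sketch of the graded handling the exit list was meant to enable, where a site looks a client address up in the DNS exit list and adds friction to write actions instead of blocking outright. The query-name format and the 127.0.0.2 answer follow the Tor Project's description of the service and should be checked against the linked post; `decide`, the action names and the 192.0.2.10 sample entry are constructed for illustration.

```python
import ipaddress
import socket

DNSEL_ZONE = "dnsel.torproject.org"  # Tor Project's DNS exit list zone
EXIT_ANSWER = "127.0.0.2"            # A record returned for a listed exit


def dnsel_name(client_ip):
    """Build the query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this sketch only handles IPv4 addresses")
    return ".".join(reversed(str(addr).split("."))) + "." + DNSEL_ZONE


def system_resolver(name):
    """A records via the OS resolver; [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # temporary failure: the caller decides what to do


def classify(client_ip, resolver=system_resolver):
    """Return 'tor-exit', 'not-listed' or 'unknown' (lookup failed)."""
    try:
        answers = resolver(dnsel_name(client_ip))
    except OSError:
        return "unknown"
    return "tor-exit" if EXIT_ANSWER in answers else "not-listed"


def decide(client_ip, action, resolver=system_resolver):
    """Graded policy (assumed): reads always pass, writes from a listed
    exit get a challenge (CAPTCHA, rate limit) rather than a block.
    A failed lookup fails open so a DNS outage locks nobody out."""
    status = classify(client_ip, resolver)
    if status == "tor-exit" and action != "read":
        return "challenge"
    return "allow"


# Constructed data for an offline run: 192.0.2.10 plays a listed exit.
FAKE_ZONE = {"10.2.0.192.dnsel.torproject.org": ["127.0.0.2"]}


def fake_resolver(name):
    """Stand-in resolver backed by the constructed zone above."""
    return FAKE_ZONE.get(name, [])


def broken_resolver(name):
    """Stand-in resolver that simulates a DNS outage."""
    raise OSError("resolver timeout")


if __name__ == "__main__":
    for ip, action in [("192.0.2.10", "read"), ("192.0.2.10", "register"),
                       ("198.51.100.7", "register")]:
        print(ip, action, "->", decide(ip, action, fake_resolver))
```
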

But if the ‘secondary’ IP can be enumerated by a hypothetical user the same applies to blacklist operators who manage to obtain an account of the VPN service in question. And that is before considering measures like ASN whitelisting (to block anything that does not look like a ‘residential IP’) and so forth. In that case you still lose.

1 Like
  1. As far as I know, most Tor exit relays are located in three countries: Germany, the Netherlands and the United States (some of them are also located in Austria, Switzerland and France though). As for the US, most American exits are hosted at institutes and universities, which means they don’t have to ask permission from a hosting provider or ISP. American exit relay operators can just buy some IPv4 addresses from ARIN and assign them to their exit nodes. As for European exit relay operators, it might be a bit harder because most European exit nodes are hosted on VPS providers (like Hetzner and so on)
  2. “Exit bridges” should not be the primary use case for Tor. As you know, most Tor users do not use obfs4 bridges or other pluggable transports in order to connect to Tor. 80% of Tor users use direct mode and 20% use bridges. The same approach should be applied to “Exit bridges”. “Exit bridges” should be manually configured and used only in urgent cases (such as when a destination website blocks the IP address of a Tor exit node but you need to visit it anonymously)
  3. Some websites such as imageboards aggressively block not only Tor exit nodes IPs but also whole hosting AS numbers (such as Hetzner, OVH SAS and so on) so it is useless to host an “Exit bridge” IP at the same VPS provider where the primary Tor exit node is hosted. I’ve accidentally found out that it is less likely that the destination website will block the exit IP if the exit IP address is located in “Tor-free” countries like: Poland, Bulgaria, Serbia, Italy, Spain.
  4. Some users from Eastern Asian countries like South Korea and Japan don’t set up Tor relays but they widely use VPNs (like VPNgate) with “double-routing” technology (although such VPN servers are very rare, ~5% of the total number of VPN servers). It means that the entry and exit IP addresses of these VPN servers differ from each other. This approach is the only way to bypass IP blocks from the destination websites because the exit IP address is listed neither on DNSBL nor in other databases.

I hope my information and ideas will help Tor Project to improve Tor network.

1 Like

VPN does not provide anonymity although it might help you to bypass IP address blocks by destination websites. The main disadvantage of VPN in the context of anonymity is that a VPN server does not send the client’s traffic through several nodes. A VPN connection looks like:

ISP → VPN → Website

That means that the client’s real IP addresses can be disclosed by a simple timing attack. For example, if you post some message from the VPN’s IP address on a destination website, then a website administrator can either ask VPN provider to give him authentication logs or ask government structures to see who has made the connection to a certain VPN server at that time.

The only scheme that can provide you anonymity is Onion Routing:

ISP → Tor entry node → Tor intermediate node → Tor exit node → Website

This scheme makes timing attacks impossible. It is also impossible to find out who has made the connection to a destination website.

VPN and Proxies can be used in a combination with Tor using specific software solution like Whonix:

ISP → Tor → OpenVPN → Website
or
ISP → Tor → Proxy → Website

But it doesn’t guarantee that the destination website is not blocking the IP addresses of VPN/Proxy servers. Some IP blacklisting lists like DroneBL (https://dronebl.org/) store the information about most of VPN and Open proxy servers so some sites like imageboards are aggressively blocking not only the IPs of Tor exit nodes but also the IPs of VPN and proxy servers.

The only solution to save Tor Project is to use my proposed architecture.

1 Like

@sunshinecowboy I wholeheartedly disagree with your comment that “There are very few use cases for residents in the US and UK for Tor.”
As a UK resident I reside in a country where the government introduced The Investigatory Powers Act 2016 (c. 25) (nicknamed the Snoopers’ Charter), an Act of the Parliament of the United Kingdom which received royal assent on 29 November 2016. [1]
It’s worth remembering that following the introduction of the IPA, Edward Snowden commented on Twitter,
“The UK has just legalised the most extreme surveillance in the history of western democracy. It goes further than many autocracies.” [2]
The Investigatory Powers Act was further amended earlier this year [3]
I live in a country where the police have infiltrated practically every resistance group, protest group or grass roots political party, since the end of WW2 [4]. Perhaps the British government has always secretly envied the level of power & control previously achieved by the Stasi?
The surveillance continues to extend into our villages, towns & cities. Some research has found Britain has an estimated 5 million CCTV cameras [4b] with facial recognition being the British government’s next instrument of scrutiny [5]
After Snowden, as a member of The Five Eyes Alliance [6] the British government pushed back & pushed back hard [7] From the ashes of the Snowden disclosures, the British government went on the offensive against end to end encryption [8] & many other public justifications for the use of strict, all-pervasive surveillance.
Today British citizens continue to come under attack by their government. The proposed Data Protection and Digital Information Bill [9] being one of the latest weapons to be turned by the government against its own citizenry & so-called “Pre-Crime” policing is very close to becoming a reality [10].
If you care about privacy, as you claim to care because you are a “relay operator of 29 Tor nodes” you should also care about embarrassing yourself by making unfounded generalisations about where Tor is needed most.
Using the Tor Browser might be a necessity & from another perspective it could be said to represent a state of mind. Education of the up & coming generations is crucial to help them to understand the importance of Tor & what differentiates Tor from a VPN.

What we don’t need in this forum are wasteful debates about the pros & cons of VPN vs. Tor; you can find those debates all over the Internet. This forum is solution focused & works best to help others when it serves a functional purpose, rather than declining into speculation & generalisation, hot gossip & conjecture (outside the framework of solving a problem).

[1] Investigatory Powers Act 2016 - Wikipedia
[2] 'Extreme surveillance' becomes UK law with barely a whimper | Surveillance | The Guardian
[3] Investigatory Powers (Amendment) Act 2024
[4] Police spies infiltrated UK leftwing groups for decades | Undercover police and policing | The Guardian
[4b] CCTV Cameras by Countries & Cities (2023 Guide) - Upcoming Security
[5] Stop Facial Recognition — Big Brother Watch
[6] https://www.youtube.com/watch?v=oW0KrReDiNI&list=PLPf90W3gtZzv4HFzEZy19vu9dwzAEbm66
[7] GCHQ hacking phones and computers is legal, says top UK court | The Independent | The Independent
[8] Former GCHQ boss backs end-to-end encryption • The Register
[9] Hands Off Our Data | Open Rights Group
[10] End Pre-Crime | Open Rights Group

5 Likes

VPN is no good for privacy and anonymity


How about if we add VPN?

2 Likes

Tor already has options for specifying an OR address (used by middle relays to connect to the exit node itself) different from the exit address (used by the exit relay to connect to the destination).

OutboundBindAddressOR IP

Make all outbound non-exit (relay and other) connections originate from the IP address specified. This option overrides OutboundBindAddress for the same IP version. This option may be used twice, once with an IPv4 address and once with an IPv6 address. IPv6 addresses should be wrapped in square brackets. This setting will be ignored for connections to the loopback addresses (127.0.0.0/8 and ::1).

OutboundBindAddressExit IP

Make all outbound exit connections originate from the IP address specified. This option overrides OutboundBindAddress for the same IP version. This option may be used twice, once with an IPv4 address and once with an IPv6 address. IPv6 addresses should be wrapped in square brackets. This setting will be ignored for connections to the loopback addresses (127.0.0.0/8 and ::1).

Only the OR address is published in the consensus. (This is necessary so that middle relays can connect to the exit node.) However, the exit list service (TorDNSEL) performs its own scanning to discover exit addresses (by building a circuit through every known exit and querying https://check.torproject.org/api/ip at regular intervals). So while it is possible for exits to use a separate address for connection to destinations, it would be only a matter of time before that address is discovered and published in the exit list.

In theory, the exit node’s administrator could exclude check.torproject.org from its exit policy or firewall, but @arma noted that if Tor Project discovered an exit node interfering with this exit address scanning, it would be marked as a bad exit and removed from the network.

Again, the technical part is not the hard part here.

1 Like
2 Likes

Honestly, you’re right, and it’s not just in the UK, the US is quickly becoming a surveillance state, if it’s not already? I won’t go into how Intel has backdoored every CPU they have made since 2008, look it up, they conveniently call it “Management Engine,” and many chip makers have similarly capitulated to intelligence agencies. Nation states that powerful easily capture data that you would otherwise try to hide, even through TOR. My comment is directly focused at the people in those democratic nations using Tor to pirate, who are taking up nearly half of the Tor network’s bandwidth. JUST STOP! It’s unnecessary and stupidly paranoid. Unless you are running a large distributive network, folks like the FBI have better things to do than harass you, since they are also breaking the law via the 4th amendment, here in the US, by capturing that data. They are looking for the big fish. That might be different in the UK, but I doubt it.

1 Like

I know you said you don’t want to talk about it but I think it’s important to add that the UK Home Office has black boxes at ISP level which record everything. It’s likely that all bare tor users get put into an isolated group of potential suspect paedophiles and terrorists. There is a LONG TERM solution to this issue which ISN’T bridges, but VPN is useless for privacy as everybody has groomed themselves into believing.

Evidence: Home Office tests web-spying powers with help of UK internet firms

2 Likes

VPN itself doesn’t provide anonymity but VPN can be used in combination with Tor in order to bypass blocks by destination websites.

Anonymity may be reduced to pseudonymity of course but if you visit the AmIUnique website you can see that even if a user uses Tor Browser his browser fingerprint is still unique according to HTML5 Canvas fingerprinting which means there is no anonymity on the Internet but only pseudonymity (which is OK though).

  • Pseudonymous connection: A connection to a destination server, where it is not possible to discover the origin (IP address / location) of the request, but the request can be associated with an identifier. The more often a pseudonymous identifier is detected the easier this pseudonym is traced back to a real identity.
  • Anonymous connection: A connection to a destination server, where it is neither possible to discover the origin (IP address / location) of the request, nor to associate any identifier with it.

How can it help to bypass Tor exit node blocks by destination websites? The main problem is that Tor is becoming useless because more and more websites are blocking the IP addresses of Tor exit nodes and not only them. Many website administrators also block whole AS numbers which are related to hosting providers (such as OVH SAS, Contabo, Hetzner etc.). The era of whitelisting is coming.

3 Likes