this post was submitted on 16 Feb 2024
53 points (92.1% liked)

Privacy

32173 readers
1056 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Hi, I have noticed for three days now not being able to post comments from my Lemmy.world account while connected via Tor (I was left waiting for a spinning wheel )! I thought at first It might be a problem with LW servers but after three days, I concluded they are banning Tor and VPN users from posting, I Have found a user post on their help community about VPN and tor ban.

then I tried signing-up to lemm.ee but was greeted with a couldflare of non ending page reload after solving captcha. so I created this account hoping to test this instance and ask Lemmy users with privacy concerns about where this is headed and should we expect the rest of Lemmy instances to go the way of reddit and entirely ban users behind proxies ?

The fact that very big instances hold the majority of the communities and discussions on lemmy and the fediverse in general is concerning. and adopting tactics like shadow banning and dark patterns is concerning as well. I dropped reddit for the same practices and I will drop Lemmy if it carries on like this.

top 31 comments
sorted by: hot top controversial new old
[–] [email protected] 44 points 10 months ago

I'd be shocked if the dbzer0 (piracy) instance blocked it.

I'd also expect that this has more to do with cloudflare than the specific instances.

[–] [email protected] 37 points 10 months ago (2 children)

Lemmy.world had announcement a while ago that they won't support creating content with VPN and Tor due to CSAM spam that is going on

[–] [email protected] 10 points 10 months ago (1 children)

It's limited to voting and commenting right?

[–] MrKaplan 11 points 10 months ago

posting and commenting.

voting should work: https://lemmy.world/post/11967676

[–] natsume_shokogami 4 points 10 months ago (1 children)

Though I know what this is for, but I am against blocking VPNs and Tor since it prevent privacy-conscious people like me and other people such as dissents or other having high risks of like harassment online.

The instances being affected the most are those with open registration, and don't block registration from temporary email providers, and have don't have like automatic filter or using Fediverse softwares not providing such.

Though given Lemmy development may not support blocking registration by emails or filtering keywords or filtering federation of very new accounts/new account having no profile, manual approvement registration or applying bots filtering repeating spams may be enough without blocking VPNs or Tor I think

[–] [email protected] 1 points 10 months ago

I'm also against blocking proxies, but we the privacy minded folks are a minority that actually uses vpn or tor for everyday internet browsing. There are lots of bots and malicious actors using our resources to spam large instances, and if I were managing a popular fediverse instance, I too would have been forced to consider blocking vpn/tor, even if I didn't want it.

[–] [email protected] 20 points 10 months ago (1 children)

then I tried signing-up to lemm.ee but was greeted with a couldflare of non ending page reload after solving captcha.

That particular instance was very recently the source of a lot of CSAM and spam, so that'd be why. A lot of instances recently upped their security to combat that.

There's nothing forcing anyone to use those services, but the reality is that instances that aren't quick to respond to those kinds of incidents will get defederated.

Cloudflare is a lazy but very effective and economical solution to this. The alternative is staff to monitor everything that goes through 24/7 which for most instances isn't easy or possible. Many can barely afford the infrastructure costs.

The fact that very big instances hold the majority of the communities and discussions on lemmy and the fediverse in general is concerning.

It's concerning regardless of the whole proxy banning debacle. A healthy fediverse is a well spread out fediverse.

But I doubt all instances will ever be that way. You don't need a lemmy.world account to use lemmy.world's communities, any instance would do.

My instance for example doesn't use Cloudflare or any CDN, although it is invite only because I really don't have time to deal with moderation. But I can access it over Tor if I want, and you can access it over Tor and browse it (read-only) just fine.

Reddit on the other hand wants to keep the data for themselves. Their VPN, Tor and proxy block isn't just for posting, it's for reading too and that is a much worse problem. They want to hoard the data so they can train their own Reddit AI on it. On lemmy you'll always have at least read access to the platform through Tor and VPNs through random instances.

At least on Lemmy, a fully featured Tor hidden service instance is entirely possible, if someone is willing to vet the account getting registered and potentially malicious uploads. And anyone can make it happen.

[–] [email protected] 7 points 10 months ago* (last edited 10 months ago)

That particular instance was very recently the source of a lot of CSAM and spam, so that’d be why. A lot of instances recently upped their security to combat that.

Just to add some more context, there was an attacker recently who created accounts on several Lemmy instances and used those accounts to spread CSAM. On lemm.ee, this attacker created 4 accounts over a 24h period, but was not able to upload any CSAM to our servers due to our stricter upload rules (we require 4 week old accounts to upload any images at all), and all of the 4 accounts were removed very shortly after creation (most of them within an hour of signing up). The attacker gave up trying to use lemm.ee very quickly, and moved on to other instances.

I just wanted to share this context to illustrate that while indeed the different measures we implement to protect the instance can have a negative impact on legitimate users, I really believe that overall, they have a net positive effect. In addition to Cloudflare DDoS protection and image upload restrictions, we also have a separate content-based alerting layer on top of Lemmy, which allows our admins to quickly notice when something suspicious is going on. As another example, this alerting has allowed us to extremely efficiently deal with a current ongoing spam attack on the Fediverse, and I bet many lemm.ee users aren't even aware of this attack due to the quick content removal. We will continue to improve our defenses, and hopefully try to limit the impact on real users as much as possible, but some trade-offs are necessary here in order to protect the overall userbase.

[–] [email protected] 17 points 10 months ago* (last edited 10 months ago) (1 children)

I think using Cloudflare isn't very Fediverse.

You probably need to find a different instance.

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago)

You can filter out instances behind CloudFlare on my internet web site, https://lemmyverse.net 😁 Choose the tags filter, and remove CloudFlare!

[–] [email protected] 14 points 10 months ago (1 children)

I am posting on lemmy.ml and piefed.social via Tor browser without issues.

[–] [email protected] 5 points 10 months ago

Yes, I am exploring other instances right now, I can post from sh.itjust.works fine, but I kinda arbitrarily disconnects me from time to time, It must be a bug. will check other instances if needed.

[–] [email protected] 13 points 10 months ago (1 children)

The nice thing about Lemmy is that you can always host your own instance, even if it's only for your own individual use. You can basically use your own instance as a proxy - other instances will not see how or from where you are connecting to your instance.

Large instances are being attacked almost constantly at this point in smaller and bigger ways. Almost all measures we implement to combat these attacks come with some trade-offs for the rest of the userbase.

[–] [email protected] 9 points 10 months ago

Hi, I liked using Lemm.ee and the way you managed that instance. but cloudflare is a pain in the butt for everyone using VPNs or Tor, and I also understand the struggle of keeping an instance safe from trolls posting illegal stuff. anyways it seems this is the trend most websites are adopting these days, so I will have to make do with what works for now.

[–] [email protected] 12 points 10 months ago (1 children)

FWIW: I'm always on VPN and I've never had an issue with lemmy.ca

[–] [email protected] 2 points 10 months ago

Me neither!

[–] [email protected] 10 points 10 months ago

It likely depends on the instance.

[–] [email protected] 8 points 10 months ago (1 children)

Only instances using cloudflare won't work.

[–] [email protected] 3 points 10 months ago (1 children)

But commenting using a LW account used to work a week ago, they must have actively changed something.

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago) (1 children)

Each time you start your Tor browser after having closed it, it could be using a different Tor circuit, isn't it ? Maybe the Lemmy instances you're using only blocked a few IP addresses that are Tor based. You can check what you are using each time, clicking on the circuit icon next to the lock icon in the Address bar.

[–] [email protected] 1 points 10 months ago (1 children)

On LW I have been trying for over 3 days, and restarted the browser many times, cleaned the identity, changed the circuits many times as well. I am not concerned about that account. I just wasn't expecting it to catch up with the fediverse this quickly.

[–] [email protected] 1 points 10 months ago

Oh.That's too bad :(

[–] [email protected] 5 points 10 months ago (1 children)

It depends on the instance, you just have to try different instances until you find one that works for you. For what it's worth I've found that dbzer0 works okay with Tor Browser.

[–] [email protected] 1 points 10 months ago

Yes, I use my account with VPN and have never had any problems

[–] slazer2au 4 points 10 months ago (2 children)

How else do you prevent spam/illegal content originating from behind those locations?

There is nothing stopping you from running your own private Lemmy instance to get around those restrictions.

[–] [email protected] 3 points 10 months ago (1 children)

It crossed my mind to host my own instance, but I am not very confident in my tech skills. It might create more security issues than it solves.

[–] [email protected] 2 points 10 months ago

It definitely will. Past CSAM spam used abandoned or ignored instances to smuggle into the larger ones.
When you build something yourself, you also become responsible for what goes through it.

[–] [email protected] 1 points 10 months ago

Simply disabling registration of new accounts using Tor/VPN should be sufficient and won't affect existing users.

Although, requiring verification of accounts made via those would be a better approach. Require captchas to prevent automated posting. Automatically mark posts made from new accounts and/or via Tor or a VPN for moderation review.

There are way to mitigate spam that aren't as blunt and overreaching as blanket banning entire IP ranges. This approach is the dumbest, least competent way of ensuring any kind of security, and, honestly, awfully close to being needlessly discriminating. Fuck everyone from countries with draconian internet censorship, I guess?

[–] [email protected] 2 points 10 months ago
[–] WhatsHerBucket 1 points 8 months ago (1 children)

Late to the party, but what was your solution OP?

I’m currently weighing my options, that’s how I found this post :)

[–] [email protected] 0 points 8 months ago

change instance, try smaller instances, like https://sh.itjust.works/ or https://lemmy.dbzer0.com/