Element-web: Error: Problem communicating with the given homeserver. (HTTP 403)

Created on 18 Mar 2018 · 11 Comments · Source: vector-im/element-web

Hi,

Since yesterday, when Riot suffered a DDoS attack, I'm unable to log in using riot-web on Tor. Even after the situation has been announced as being resolved, I'm getting the error message in the title of this thread, suggesting that I'm being blocked.

I'm using Riot version 0.13.5, obtained through the repository https://riot.im/packages/debian stretch/main amd64 (which is also currently inaccessible through Tor), on Subgraph, a hardened distro based upon Debian Stretch.

All 11 comments

I can't reproduce this using riot.im/develop via torbrowser 7.5.2 (based on Mozilla Firefox 52.7.2) (64-bit) :/

What happens when you use torify riot-web on your computer?

I have the same issue. The desktop client (Debian Jessie package, installed on Whonix 13) reports "Connectivity to the server has been lost."; the deb repo reports a 403 error when accessed with apt-get update in Whonix 13, and the Android client (installed via F-Droid on Replicant 6.0, routed through Orbot via Orwall) reports a 403 error when I try to send a message. This all seems to have started in the last few days.

looks like torsocks from brew is broken on macOS 10.12.6 (it craps out with 1521400319 WARNING torsocks[37394]: [syscall] Unsupported syscall number 427. Denying the call (in tsocks_syscall() at syscall.c:488)) and Riot/Desktop then crashes, so I can't repro.

I wonder whether this is because torify's DNS resolver is somehow choking on our new cloudflare DNS records (rather than cloudflare itself actually blocking Tor traffic). I'll try to get torsocks to work, although i'm hardly a tor expert so more inspiration would be welcome.

Whonix and Replicant. Wow. Haters from NSA can't even.

@ara4n If you're on macOS, maybe try reproducing the issue via Whonix's VirtualBox images? I've never tried torsocks on macOS, so I can't help with that approach to reproducing the issue.

My experience is that CloudFlare seems to do a bunch of weird non-standards-compliant shit to try to identify Tor Browser's fingerprint, and then rejects all HTTP clients that are accessing over Tor with anything besides Tor Browser. (E.g. most CloudFlare-hosted sites that work fine for me in Tor Browser don't work in Firefox routed over Tor.) So I strongly suspect that the issue is a CloudFlare anti-feature.
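The client error in the title does not say who produced the 403: the CDN edge or the homeserver itself. The following diagnostic is an added example (not part of the Riot/Element code base or of this thread) that fetches the unauthenticated Matrix endpoint `/_matrix/client/versions` through a Tor SOCKS proxy with curl and classifies the answer. It relies on two facts: a Matrix homeserver error is JSON carrying an `errcode` field, while a Cloudflare edge block is served by Cloudflare itself with a `Server: cloudflare` header and a `CF-RAY` id. The proxy address, the homeserver URL and the sample responses are assumptions or constructed values, not captures from riot.im.

```python
"""Tell a CDN-level 403 apart from a homeserver-level 403 when reaching a
Matrix homeserver over Tor.

Added example, not code from Element/Riot. Assumes a Tor SOCKS proxy on
127.0.0.1:9050 and curl on PATH; the sample responses are constructed.
"""
import json
import shutil
import subprocess

# Every Matrix homeserver answers this path without authentication.
VERSIONS_PATH = "/_matrix/client/versions"


def classify(status, headers, body):
    """Return one of: "ok", "cdn_block", "homeserver_error", "unknown".

    The errcode check runs first because a CDN that merely proxies the
    origin's 403 still adds its own Server header; only a response with
    no Matrix error body and Cloudflare headers is the edge speaking.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "ok"
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None
    if isinstance(parsed, dict) and "errcode" in parsed:
        return "homeserver_error"
    if hdr.get("server", "").lower() == "cloudflare" or "cf-ray" in hdr:
        return "cdn_block"
    return "unknown"


def parse_curl_output(raw):
    """Split `curl -s -i` output (one status line, headers, blank line,
    body) into (status, headers, body). Accepts CRLF or LF line endings."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return status, headers, body


def probe(homeserver, socks_proxy="socks5h://127.0.0.1:9050"):
    """Fetch the versions endpoint via the SOCKS proxy and classify it.
    socks5h makes curl resolve the hostname inside Tor, so local DNS
    problems (one hypothesis raised in the thread) are taken out of play."""
    if shutil.which("curl") is None:
        raise RuntimeError("curl not found on PATH")
    cmd = ["curl", "-s", "-i", "--max-time", "30", "--proxy", socks_proxy,
           homeserver.rstrip("/") + VERSIONS_PATH]
    out = subprocess.run(cmd, capture_output=True, check=True).stdout
    return classify(*parse_curl_output(out.decode("utf-8", "replace")))


# Constructed samples (not captured from any real server).
SAMPLE_CDN_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 0000000000000000-XXX\r\n"  # placeholder ray id
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>Access denied</body></html>"
)
SAMPLE_HOMESERVER_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"errcode": "M_FORBIDDEN", "error": "constructed sample"}'
)
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"versions": ["r0.3.0"]}'
)

if __name__ == "__main__":
    # Hypothetical homeserver URL; needs a running Tor SOCKS proxy.
    print(probe("https://matrix.example.org"))
```

Running `probe()` from a plain Tor-routed shell and again from Tor Browser's proxy gives a quick answer to the question raised in this thread: a `cdn_block` result from the first and `ok` from the second points at the CDN's client fingerprinting rather than at the homeserver or at Tor DNS resolution.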

frustrating. right now i don't have a good solution then beyond suggesting using tor browser, given we're obligated to hide behind a CDN now thanks to DDoS and I'm not aware of a better option than cloudflare. I'll try asking cloudflare support if they have a way of tweaking it.

@ara4n Would you be willing to make the relevant servers available via Tor onion services that aren't behind CloudFlare? I'm not an expert on DDoS resistance, but my understanding is that Tor onion services are significantly more difficult to DDoS than clearnet services (because you'd probably end up taking out some Tor relays before you managed to take out the onion service). So it seems plausible that you'd get sufficient DDoS resistance by keeping your clearnet services behind CloudFlare but having onion services not use CloudFlare.

Onion services also have privacy advantages (they're not vulnerable to malicious TLS CAs), they conserve Tor exit bandwidth (thereby making the Tor network scale better), and a lot of Tor users are nervous about the privacy implications of accessing CloudFlare infrastructure (because CloudFlare has enough geographically diverse traffic going through it that they might qualify as a Global Active Adversary, which Tor isn't designed to be anonymous against).

yup, good point - this could be a good reason to set official onion services running at last.

i've hopefully pressed some buttons which should have helped this; please lmk otherwise. meanwhile we've filed an internal bug to get hidden services up & running (although this will probably take at least a few weeks)

All the right buttons. Everything back to normal.
