Become a fan of Slashdot on Facebook


Forgot your password?
Encryption Open Source Privacy Security Software

CloudFlare Wants Tor To Change Or Risk CAPTCHA Blockades ( 87

An anonymous reader writes: CloudFlare's co-founder Matthew Prince has publicly appealed to work with the Tor Project on implementing a solution that will stop the high incidence of Tor users being challenged by CAPTCHAs whilst browsing. Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub. Other possibilities mooted include the adoption of higher-level encryption, which would be likely to adversely influence a network which already has native (and inevitable) latency issues. CloudFlare's public post on the matter comes after five turbulent weeks of comments-section debate between CloudFlare and Tor, and seems to be an appeal for public arbitration on the matter.Prince further noted that 94% of the traffic CloudFlair sees is "per se malicious." From his blog post: That doesn't mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.
This discussion has been archived. No new comments can be posted.

CloudFlare Wants Tor To Change Or Risk CAPTCHA Blockades

Comments Filter:
  • Doing it backwards (Score:1, Insightful)

    by Anonymous Coward

    Cloudflair's captcha thingy is ostensibly in aid of DDoS protection, Tor can't muster anything like the bandwidth needed for a DoS attack in one place at one time therefor Cloudflair should just white-list suspected exit nodes.

    No new code (on Tors part anyway) no dodgy pseudo-anonymous ID's to be exploited, everything works transparently, and if they hadn't told anybody they'd done it, in all likelihood nobody would have ever noticed.

    • Except that exit nodes should be hard to spot, otherwise what good are they? Tor needs to blend in better.

    • by Hizonner ( 38491 )

      No, it's not. It's meant to slow down address-harvesting bots and comment spammers. Which you would know if you'd bothered to read the article.

    • by GuB-42 ( 2483988 ) on Thursday March 31, 2016 @11:37AM (#51814603)

      The problem is that script kiddies love to launch attacks from Tor. And even though it is rarely effective and more damaging for the network than for the victim, proxies like cloudflare still need protection against them.

    • by Anonymous Coward on Thursday March 31, 2016 @11:43AM (#51814665)

      I've got a couple of sites behind CloudFlare, and they do a bit more than simple DDoS protection. The reason captcha is being triggered is the volume of dodgy SQL injection scans, bruteforce auth attacks, etc coming from these nodes. Scrubbing regular old browsing traffic of identifying information makes it look even more bot-like to their inspection algorithms. Whitelisting against fixed criteria just means the bots will change tactics - same as the old email spam arms race.

      I'm obviously biased, but I think this is a brilliant feature. If they had an explicit checkbox to block Tor traffic I'd have it enabled everywhere. Signal to noise is too high, little of real value comes from a Tor exit node.

    • Start boycotting Cloudflair's customers. When their customer's business it's adversely affected, they'll force Cloudflair to work more appropriately with the Tor community, and find a solution that works properly.

  • by Anonymous Coward

    Wonderful 'can do' attitude except that even without tor, their 'solutions' are offensively dysfunctional and their feedback is at least as bad. How about not requiring javascript just to view a website, eh? And obviously, sod off with your plugins. This is just another poetteringesque asspull: You broke it, someone else gets to fix it.

  • Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub.

  • Easy (Score:2, Insightful)

    by fulldecent ( 598482 )

    There are two simple technical solutions:

    • Blacklist -- attempt to blacklist known exit nodes
    • No Blacklist -- do not attempt to blacklist known exit nodes

    The motivation between choosing between these solutions is based on whether Tor users, which use server resources, are returning value (product sales, other calls to action) to the people that provide those resources.

    Therefore the solution is simply to inform each client of Cloudflare client and let them individually decide the correct course.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      > There are two simple technical solutions:

      As with most things in the real world, simple solutions just create more problems.

      The question that should be asked is "What is the intent of cloudfare's captchas?"

      I think the answer is that they want to prevent abuse, not just DDOS but bad actors, like comment spam, spidering in contradiction to robots.txt, etc.

      If that is the case, then correct course of action is to watch the behavior of the user(s) on that exit node and if they start behaving badly when acces

    • by AmiMoJo ( 196126 )

      Cloudflare's position is more precarious than you realize. They can't just dictate terms. Cloudflare has been under scrutiny for a while now, because their platform does an excellent job of tracking users. If their system was run by a government, we would be alarmed at the facility for mass surveillance that is built in.

      As such, many security minded people are now considering Cloudflare harmful. This is bad for Cloudflare because those people are the ones developing browsers and back end services. It could

      • by Ash-Fox ( 726320 )

        As such, many security minded people are now considering Cloudflare harmful.

        Of course, any decent security person knows that using a darknet solution like the Freenet project is the way to go at the end of the day, nor Tor or other solutions to access regular website services.

    • Won't work. You can easily change your exit node.

      Cloudflare is trying to combat the huge centers in China and India running spam schemes that tear through site Captchas. In the distant past, you could just IP block by geographic location but then the spammers moved over to VPN. Since VPNs are a single centralized location on the far side, sides could again block the VPN provider's IP addresses and stop the spammers.

      But now that these spammers have moved to Tor, the number of exit node IP addresses is
      • There are published lists of exit nodes that are updated dynamically. I'm pretty sure it's not terribly hard to block all of Tor. There are even services available to help you auto-configure your firewall/proxy/iptables to do so.
        • Again, it is pretty easy to hide from those lists as well. There are scripts out there that are doing the reverse, tracking the sites tracking the Tor exits, and blocking the traffic.

          It's a cat and mouse game that will never end. First it was proxies, then it was Tor when people started blocking proxies, then it was Tor inside malware on zombie computers when they started making Tor exit lists.

          So long as there is money to be made finding away around the mouse trap, the mice will continue to flourish.
  • ... are a price you pay for anonymity. No persistent logins and getting bounced back to the 'Please identify your country/region' page. Too bad. I use private browsing (a far cry from Tor-like anonymity) and I have to go through this all the time. Big deal.

    If the alternative is some temporary identity token which might be abused by 'bots, I'm OK with CAPTCHAs.

    • Isn't "Anonymous Identification" an oxymoron? How can you remain anonymous when you are identified?

      Also, I take issue with the "Temporary" in "Temporary Anonymous Identification". How much you want to bet that it's not temporary enough?
      • Re:CAPTCHAs (Score:5, Interesting)

        by BronsCon ( 927697 ) <> on Thursday March 31, 2016 @11:50AM (#51814721) Journal
        You are identified as the same individual who made some previous request, but not as a specific individual. That is to say, they could match your current requests with your historical requests, but not pick you out of a line-up based on those requests.

        Make sense now?

        This is useful for, say, determining that some user is the same user who made a previous malicious request and targeting them for further scrutiny (e.g. a CAPTCHA challenge) or (more likely, as malicious users would avoid the identification and tracking to begin with[1]) identify users who have not made any prior malicious requests, in order to allow them to bypass the additional scrutiny applied to other Tor users.

        Think of CloudFlare like the TSA, if the TSA were actually effective at their jobs. What they're proposing here, then, is akin to TSA Pre Check, wherein the TSA (at your request) considers your history of not hijacking planes or being a general bad actor and allows you to pass through a lighter screening process with a shorter line, rather than assuming you're a terrorist like everyone else. CloudFlare would, for users who use the proposed plugin, keep a record of "malicious vs. benign" on a per-user basis, rather than per-IP, so they can, then, use your history of not spamming, hacking, or being a general bad actor to allow you to pass through their screening process, rather than assuming you're a spammer like everyone else.

        [1]: As would others who erroneously think it actually buys them any privacy, likely because they harbor the same misunderstanding you do.
    • Re: (Score:2, Interesting)

      by gstoddart ( 321705 )

      Sorry, I need to identify myself to a freaking web-page .... why?

      I'm not posting to your comments section, and I'm sure as hell not signing up to pay you to read a random article Google pointed me to.

      My anonymity comes when I refuse to let you set cookies, run scripts, or let any of your third party bullshit do anything at all.

      If you're using private browsing, why are you authenticating yourself to websites at all? If I'm willing to authenticate with you, I'm not using private browsing ... if I'm not willi

      • by mysidia ( 191772 )

        I'm not posting to your comments section, and I'm sure as hell not signing

        Perhaps CloudFlare could eliminate CAPTCHAs for simple GETs, except when the malicious access issue is DoS, or a Risky Cookie is found in the HTTP request.

        Simple GETs don't contain POST form data or other non-Idempotent operations.

        They also don't contain any complex request parameters which could harbor malicious intent.

        It would make sense for CloudFlare to ignore them; if the request seems innocuous, even if the client is mal

        • by Ash-Fox ( 726320 )

          Perhaps CloudFlare could eliminate CAPTCHAs for simple GETs, except when the malicious access issue is DoS, or a Risky Cookie is found in the HTTP request.

          I do believe it's not presented for any statically cached content.

        • They are also trying to block spammers who are trying to bulk harvest email addresses. For that traffic, each request *is* a simple GET.
  • No code, just another brainstorming "project", yay!
  • If there are more attacks launched via Tor than there is legitimate traffic, then perhaps we need more people to use Tor.

Never buy from a rich salesman. -- Goldenstern