CloudFlare Wants Tor To Change Or Risk CAPTCHA Blockades

An anonymous reader writes: CloudFlare's co-founder Matthew Prince has publicly appealed to work with the Tor Project on implementing a solution that will stop the high incidence of Tor users being challenged by CAPTCHAs whilst browsing. Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub. Other possibilities mooted include the adoption of higher-level encryption, which would be likely to adversely influence a network which already has native (and inevitable) latency issues. CloudFlare's public post on the matter comes after five turbulent weeks of comments-section debate between CloudFlare and Tor, and seems to be an appeal for public arbitration on the matter.Prince further noted that 94% of the traffic CloudFlair sees is "per se malicious." From his blog post: That doesn't mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.

Doing it backwards

[Anonymous Coward]

Cloudflair's captcha thingy is ostensibly in aid of DDoS protection, Tor can't muster anything like the bandwidth needed for a DoS attack in one place at one time therefor Cloudflair should just white-list suspected exit nodes.

No new code (on Tors part anyway) no dodgy pseudo-anonymous ID's to be exploited, everything works transparently, and if they hadn't told anybody they'd done it, in all likelihood nobody would have ever noticed.

Re:

[Anonymous Coward]

Browse using tor.

Re:

[fustakrakich]

Except that exit nodes should be hard to spot, otherwise what good are they? Tor needs to blend in better.

Re:

[Hizonner]

No, it's not. It's meant to slow down address-harvesting bots and comment spammers. Which you would know if you'd bothered to read the article.

Re:Doing it backwards

[GuB-42]

The problem is that script kiddies love to launch attacks from Tor. And even though it is rarely effective and more damaging for the network than for the victim, proxies like cloudflare still need protection against them.

Re:Doing it backwards

[Anonymous Coward]

I've got a couple of sites behind CloudFlare, and they do a bit more than simple DDoS protection. The reason captcha is being triggered is the volume of dodgy SQL injection scans, bruteforce auth attacks, etc coming from these nodes. Scrubbing regular old browsing traffic of identifying information makes it look even more bot-like to their inspection algorithms. Whitelisting against fixed criteria just means the bots will change tactics - same as the old email spam arms race.

I'm obviously biased, but I think this is a brilliant feature. If they had an explicit checkbox to block Tor traffic I'd have it enabled everywhere. Signal to noise is too high, little of real value comes from a Tor exit node.

Re:

[PRMan]

If you have a website providing services, then yes, there is little value in having people who are completely anonymous use your services and businesses like this should have an easy way to block Tor exit nodes.

Re: Doing it backwards

[Corwyn_123]

Start boycotting Cloudflair's customers. When their customer's business it's adversely affected, they'll force Cloudflair to work more appropriately with the Tor community, and find a solution that works properly.

Yay cloudflare, breaker of teh intarwebz

[Anonymous Coward]

Wonderful 'can do' attitude except that even without tor, their 'solutions' are offensively dysfunctional and their feedback is at least as bad. How about not requiring javascript just to view a website, eh? And obviously, sod off with your plugins. This is just another poetteringesque asspull: You broke it, someone else gets to fix it.
I DO NOT AGREE.

Re:

[nsuccorso]

Really? People still read and respond to posts from Anonymous Cowards? WHY?!?

Only a copyright owner can order a takedown

[tepples]

Only a copyright owner can lawfully order DNS records to be pulled down because only a copyright owner knows whether a particular use is licensed. Have you tried reporting the results of your investigation of piracy sites to the legitimate copyright owners of the affected works so that they can act?

Re:

[mattventura]

The really scummy part is that they harbor DDoS-for-hire sites, which in turn helps drive their business. It would be like if a radar gun company also sold radar detectors.

Genius!

[nsuccorso]

Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub.

Brilliant!!!!!

Re:

[PPH]

A Tor use is clearly hiding something illegal.

Posted by Anonymous Coward.

Re:

[nsuccorso]

A Tor use is clearly hiding something illegal.

Posted by Anonymous Coward.

I've forwarded his comment to the FBI for analysis.

Re:Just block them

[BronsCon]

In all seriousness: Cloudflare needs to go fuck themselves. What, are they in the pocket of the FBI/NSA/CIA/NID/{insert government agency here}, now? Wouldn't at all be surprised.

You do realize that CloudFlare is simply looking for a solution to the problem Tor users are complaining about, right? CloudFlare provides a CDN caching service and HTTP firewall; it is that second item that is causing problems for Tor users, as any nefarious activity from an exit node gets all users of that node flagged as potentially malicious. CloudFlare has three options, then: do nothing (e.g. tell Tor users to go fuck themselves), stop offering the service their customers use and pay them for (e.g. tell their customers to go fuck themselves), or help Tor find a solution to their users' problem.

This story is about them attempting to do the latter, which leaves you, and others like you, to practice a bit of self-love.

Re:

[AmiMoJo]

I think the GP is complaining about the fact that Cloudflare has build a mass surveillance network that is a wet dream for governments. I'd be amazed if they hadn't been approached for access already, maybe via secret National Security Letter.

Think about it. They can see users visiting many of the most popular sites on the web. They provide secure connections, they set their own cookies and can see the site's cookies. It's a man-in-the-middle attack, with the assistance of the site operators so that the usu

Re:

[BronsCon]

Oh, I get what you're saying, I totally do. Note the last sentence of that post, though, where it is made clear that this AC is only talking about CloudFlare "messing with" Tor, though. They're not thinking as deeply about this as you or I.

Re:

[cstdenis]

Cloudflare offers free services to a lot of sites, proxying all of their traffic. With a business model like that, I figure they were an NSA front from the start.

It's a comparatively cheap way to do mass surveillance.

Re:

[BronsCon]

If Cloudfare had got some decent security appliances, the DPI analysis mechanisms can still catch and mitigate all sorts of attack vectors even when the IP sources are widely distributed.

You mean like this [cloudflare.com]?

Perhaps know what you're talking about before you write 3 paragraphs on the subject? CloudFlare has developed, and is continually improving upon, their own systems for doing this; this gives them much finer-grained control over things so, of course, they aren't buying off-the-shelf solutions.

Re:

[BronsCon]

Google, Amazon, and Akamai don't offer the same services CloudFlare does. The only overlap is the CDN; Akamai comes closest with their hosting offering, but they're actually hosting the sites, not sitting in front of them to provide security.

Apples rarely have the same issues as oranges, my friend.

Re:

[BronsCon]

An application firewall for externally-hosted (e.g. not hosted by CloudFlare) services. It's their core business.

Re:

[Anonymous Coward]

How about YOU go and fuck yourself with a chainsaw. The crap that exits TOR nodes are completely fucking useless. Cloudflare's customers are not TOR users, they are people running websites. People who are paying Cloudflare to help deal with SHIT JUST LIKE THIS, you know people being dicks with TOR.

At least they're not just straight out ban hammering TOR exit nodes(that's what I prefer to do, but tracking all of those down can be difficult).

Easy

[fulldecent]

There are two simple technical solutions:

• Blacklist -- attempt to blacklist known exit nodes
• No Blacklist -- do not attempt to blacklist known exit nodes

The motivation between choosing between these solutions is based on whether Tor users, which use server resources, are returning value (product sales, other calls to action) to the people that provide those resources.

Therefore the solution is simply to inform each client of Cloudflare client and let them individually decide the correct course.

Re:

[Anonymous Coward]

> There are two simple technical solutions:

As with most things in the real world, simple solutions just create more problems.

The question that should be asked is "What is the intent of cloudfare's captchas?"

I think the answer is that they want to prevent abuse, not just DDOS but bad actors, like comment spam, spidering in contradiction to robots.txt, etc.

If that is the case, then correct course of action is to watch the behavior of the user(s) on that exit node and if they start behaving badly when acces

Re:

[AmiMoJo]

Cloudflare's position is more precarious than you realize. They can't just dictate terms. Cloudflare has been under scrutiny for a while now, because their platform does an excellent job of tracking users. If their system was run by a government, we would be alarmed at the facility for mass surveillance that is built in.

As such, many security minded people are now considering Cloudflare harmful. This is bad for Cloudflare because those people are the ones developing browsers and back end services. It could

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[MatthiasF]

Won't work. You can easily change your exit node.

Cloudflare is trying to combat the huge centers in China and India running spam schemes that tear through site Captchas. In the distant past, you could just IP block by geographic location but then the spammers moved over to VPN. Since VPNs are a single centralized location on the far side, sides could again block the VPN provider's IP addresses and stop the spammers.

But now that these spammers have moved to Tor, the number of exit node IP addresses is

Re:

[nsuccorso]

There are published lists of exit nodes that are updated dynamically. I'm pretty sure it's not terribly hard to block all of Tor. There are even services available to help you auto-configure your firewall/proxy/iptables to do so.

Re:

[MatthiasF]

Again, it is pretty easy to hide from those lists as well. There are scripts out there that are doing the reverse, tracking the sites tracking the Tor exits, and blocking the traffic.

It's a cat and mouse game that will never end. First it was proxies, then it was Tor when people started blocking proxies, then it was Tor inside malware on zombie computers when they started making Tor exit lists.

So long as there is money to be made finding away around the mouse trap, the mice will continue to flourish.

CAPTCHAs

[PPH]

... are a price you pay for anonymity. No persistent logins and getting bounced back to the 'Please identify your country/region' page. Too bad. I use private browsing (a far cry from Tor-like anonymity) and I have to go through this all the time. Big deal.

If the alternative is some temporary identity token which might be abused by 'bots, I'm OK with CAPTCHAs.

Re:

[freeze128]

Isn't "Anonymous Identification" an oxymoron? How can you remain anonymous when you are identified?

Also, I take issue with the "Temporary" in "Temporary Anonymous Identification". How much you want to bet that it's not temporary enough?

Re:CAPTCHAs

[BronsCon]

You are identified as the same individual who made some previous request, but not as a specific individual. That is to say, they could match your current requests with your historical requests, but not pick you out of a line-up based on those requests.

Make sense now?

This is useful for, say, determining that some user is the same user who made a previous malicious request and targeting them for further scrutiny (e.g. a CAPTCHA challenge) or (more likely, as malicious users would avoid the identification and tracking to begin with[1]) identify users who have not made any prior malicious requests, in order to allow them to bypass the additional scrutiny applied to other Tor users.

Think of CloudFlare like the TSA, if the TSA were actually effective at their jobs. What they're proposing here, then, is akin to TSA Pre Check, wherein the TSA (at your request) considers your history of not hijacking planes or being a general bad actor and allows you to pass through a lighter screening process with a shorter line, rather than assuming you're a terrorist like everyone else. CloudFlare would, for users who use the proposed plugin, keep a record of "malicious vs. benign" on a per-user basis, rather than per-IP, so they can, then, use your history of not spamming, hacking, or being a general bad actor to allow you to pass through their screening process, rather than assuming you're a spammer like everyone else.

[1]: As would others who erroneously think it actually buys them any privacy, likely because they harbor the same misunderstanding you do.

Re:

[BronsCon]

Or, they bake in a "reset" button that changes your UUID (which would be done simply by requesting a new UUID as though one had not yet been issued) upon request, and you click that whenever you want to "break" tracking, with the understanding that you'll have to complete a CAPTCHA to prove your humanity every time you do so if you're coming from an exit node that has been abused (so basically... every time). Seems like a fair balance between getting hit with a CAPTCHA every pageload and being universally t

Re:

[gstoddart]

Sorry, I need to identify myself to a freaking web-page .... why?

I'm not posting to your comments section, and I'm sure as hell not signing up to pay you to read a random article Google pointed me to.

My anonymity comes when I refuse to let you set cookies, run scripts, or let any of your third party bullshit do anything at all.

If you're using private browsing, why are you authenticating yourself to websites at all? If I'm willing to authenticate with you, I'm not using private browsing ... if I'm not willi

Re:

[mysidia]

I'm not posting to your comments section, and I'm sure as hell not signing

Perhaps CloudFlare could eliminate CAPTCHAs for simple GETs, except when the malicious access issue is DoS, or a Risky Cookie is found in the HTTP request.

Simple GETs don't contain POST form data or other non-Idempotent operations.

They also don't contain any complex request parameters which could harbor malicious intent.

It would make sense for CloudFlare to ignore them; if the request seems innocuous, even if the client is mal

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[complete loony]

They are also trying to block spammers who are trying to bulk harvest email addresses. For that traffic, each request *is* a simple GET.

Where is the code?

[tarlek1234]

No code, just another brainstorming "project", yay!

Re:

[account_deleted]

Comment removed based on user account deletion

Then more people need to use Tor

[MobyDisk]

If there are more attacks launched via Tor than there is legitimate traffic, then perhaps we need more people to use Tor.