Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy IT Technology

Cloudflare Ends CAPTCHAs For Tor Users (zdnet.com) 50

Cloudflare announced on Monday a new service named the "Cloudflare Onion Service" that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service is, said Cloudflare, that Tor users will see far less, or even no CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser. A reader writes: The new Cloudflare Onion Service needed the Tor team to make "a small tweak in the Tor binary," hence it will only work with recent versions of the Tor Browser -- the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month. Tor users have been complaining about seeing too many CAPTCHAs when accessing a Cloudflare-protect site for years now. In February 2016, Tor Project administrators went as far as to accuse Cloudflare of "sabotaging Tor traffic" by forcing Tor users to solve CAPTCHA fields ten times or more, in some cases.

Cloudflare responded to accusations a month later, claiming the company was only showing CAPTCHAs because 94 percent of all Tor traffic was either automated bots or originating from malicious actors. Half a year later, in October 2016, Cloudflare started looking into methods of removing CAPTCHAS for Tor users. Their first foray was the Challenge Bypass Specification and a Tor Browser extension, but that project didn't go too far, and has been eventually replaced by the new Cloudflare Onion Service today.

This discussion has been archived. No new comments can be posted.

Cloudflare Ends CAPTCHAs For Tor Users

Comments Filter:
  • You solve more than a few per day and then you're stuck in a validation loop that asks you to complete CAPTCHAs over and over again, never accepting that you are human.

    • by AmiMoJo ( 196126 )

      Google's Recaptcha is the worst, especially if you use a VPN.

      • by Opportunist ( 166417 ) on Thursday September 20, 2018 @11:13AM (#57348776)

        Since they're fairly predictable (it's always 3 "correct" images, each re-validating 2-3 times) I wonder whether it wouldn't be faster to write a bot for it, requesting the page a few dozen times and randomly "solving" the pictures...

        • If you fail enough times it locks you out for a substantial time period and in fact may never allow you back in.
          • Is being locked out a problem if you have trillions of IPv6 addresses to try from?

            • Is being locked out a problem if you have trillions of IPv6 addresses to try from?

              They're not going to block one throwaway IP address at a time; not if they're being smart about it, anyway. They'll block the entire prefix assigned to your account. No one should be allocated a subnet smaller than /64 (it would break automatic address assignment, among other things) so this is roughly equivalent to blocking a single IPv4 address.

        • by AmiMoJo ( 196126 )

          It might be that way on an unprotected connection, but on a VPN it's not unusual to get 10+ challenges every time. And for some reason the ones that refresh the images refresh at about 1/4 the normal speed.

          • Not related to VPN, I've had this problem myself. Crypto-currencies faucets use ReCaptcha and I've faced that problem many times. You need to stop using ReCaptchas for a few days before it semi-resets itself - at least enough that you can use them again.

    • You solve more than a few per day and then you're stuck in a validation loop that asks you to complete CAPTCHAs over and over again

      I ran into the "insolvable" CAPTCHA problem this week. I wanted to sign into my account with a online retailer (large, well-known etailer), but there was a CAPTCHA that prevented me from logging in and placing my order. How stupid is that?

      • there was a CAPTCHA that prevented me from logging in and placing my order. How stupid is that?

        Some online stores require passing a CAPTCHA if they sell products that have a vibrant secondary market. Making automated mass buying harder for scalpers ostensibly helps get products in front of bona fide end users. One example is Ticketmaster, as ticket scalping increases cost for people attending a show without benefiting the performers. Another is Humble Store, as a warez group might have a bot watch the site for new releases, pay the minimum, and send the DRM-free games straight to the topsites.

        • by tlhIngan ( 30335 )

          Another is Humble Store, as a warez group might have a bot watch the site for new releases, pay the minimum, and send the DRM-free games straight to the topsites.

          I doubt that's actually a thing - because warez sites are generally about having the latest games first, and Humble Store bundles generally mean the game or program has been out a while already. Plus they aren't necessarily DRM-free since a lot of them just give Steam codes.

          GOG store on the other hand is DRM-free and there have been many new relea

        • Limits on CAPTCHAs should be domain-based, i.e. you may have busted the limit on shadytickets.com but still be fine on ticketmaster.com

  • by Anonymous Coward

    Does anyone actually believe Tor is secure?

    Cloudflare are ideologically driven internet censors.

    You don't think this same technology is going to be used to track and report dissidents to the "new world order"?

  • They told us that we were being MiTM'd. Without them it's now more difficult to know. [notabug.org]
  • by laie_techie ( 883464 ) on Thursday September 20, 2018 @11:07AM (#57348716)

    CAPTCHA is just a test to distinguish between bots and humans. CAPTCHA does not need to be images of swirled words. It sounds like Cloudfare has developed a CAPTCHA which isn't even visible to the end user (yeah!).

    • by acvh ( 120205 )

      CAPTCHAs are actually training for AI image and pattern recognition software. So I anticipate that soon there will be bots that can solve them as easily as we can.

      • CAPTCHAs are actually training for AI image and pattern recognition software. So I anticipate that soon there will be bots that can solve them as easily as we can.

        Google used image CAPTCHAs to help digitize books; I wouldn't be surprised if other companies were using the same sort of technology to improve OCR for nefarious purposes.

    • by AmiMoJo ( 196126 )

      Google pioneered the technique with Recaptcha. It looks at things like mouse movements, browser metrics and timing info, installed font lists, all sorts of stuff.

      Unfortunately it breaks quite easily with things like RDP. If you have an RDP session and a VPN you are basically fucked, doomed to solve 10-20 captachs before you can access the site. It's got a little better recently, but still doesn't like things you you using a less popular browser.

  • TOR traffic can be identified by the way it looks, not by the source it comes from? Interesting...

  • I had to stop using cloudflare dns because some web sites wouldn't resolve. I wont say its sabotage, just poor technical ability.

  • The problem with CAPTCHAs is that bots are now better than most humans at solving them, so they keep getting more and more difficult. The wiggly-text style was okay until they started putting in extraneous lines that look almost like letters. Do I count that skinny line as an I and that little bubble as an O?

    Then they began using the images divided by a grid. "Click on all cars in this picture" seems simple enough, but do you include the frame that has the tiny bit of car roof at the bottom or one pixel of

  • It's been 2 days, we're still getting CAPTCHAs [qhtn4w2q36dojls2.onion].

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...