Slashdot Mirror


Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Traffic (softpedia.com)

An anonymous reader writes: Tensions are rising between Tor Project administrators and CloudFlare, a CDN and DDoS mitigation service that's apparently making the life of Tor users a living hell. Tor administrators are saying that CloudFlare is making Tor users enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies. Additionally, a study by some UK and US researchers found that are 1.3 million websites blocking access to Tor users, 3.67% being Alexa Top 1000 sites.

116 comments

  1. Yeah I've noticed that... by Anonymous Coward · · Score: 0

    I thought it was just me that had to do the captchas more than once.

    1. Re:Yeah I've noticed that... by SumDog · · Score: 1

      Yep I noticed that as well. I thought it just had to do with so many bots or spam scripts utilizing Tor.

    2. Re:Yeah I've noticed that... by Qzukk · · Score: 1

      I don't even use Tor and cloudflare pesters me about once a week to prove I'm human.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    3. Re:Yeah I've noticed that... by Anonymous Coward · · Score: 5, Interesting

      And even if it doesn't, it manages to break the 'web in all sorts of interesting ways. Javascript really shouldn't be a basic requirement just to load a page, for one.

      Aside: Math fail? 0.0367 * 1.3*10^6 = 47710, those don't all fit in the alexa top 1000, or it secretly isn't a top 1000.

    4. Re:Yeah I've noticed that... by omnichad · · Score: 2

      Yeah - the exit node that the person is using is likely also being used for DDoS or some other attack.

    5. Re:Yeah I've noticed that... by msauve · · Score: 2

      I, too, was wondering about that. 3.67% of 1000 is 36.7. What 0.7 of a web site?

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:Yeah I've noticed that... by moehoward · · Score: 5, Funny

      .. What 0.7 of a web site?

      Yahoo. That's what.

      --
      "If you want to improve, be content to be thought foolish and stupid." - Epictetus
    7. Re:Yeah I've noticed that... by msauve · · Score: 2

      ...but it said "top 1000," so that's not it.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    8. Re:Yeah I've noticed that... by Anonymous Coward · · Score: 0

      Nope.

      I've found that even going to TPB you can encounter an endless chain of captchas that never actually lets you onto the site. The way around it was to request a new circuit.

    9. Re:Yeah I've noticed that... by Aighearach · · Score: 1

      It isn't, and you already have the page if you realized that the javascript app doesn't work for you.

      It is entirely up to the individual if they want to consume data from javascript apps, or only from "web pages." But if you're using a web browser, you can't generally even get the app until you have the page. If the page doesn't have content, that is easy to solve by closing it and surfing the next wave, or by finding better information sources.

      Take responsibility for the pixels you consume; there are way too many available pixel configurations offered for random or passive consumption to result in personally relevant experiences.

    10. Re:Yeah I've noticed that... by Aighearach · · Score: 1

      They probably just missed a digit. Same thing happened to Solon when he related the story of Atlantis from the Egyptian priests to Plato; for thousands of years nobody could find the buried palace at Thera because of it, too. They were looking for a whole continent, instead of an island, because the dot in the center of a circle was misplaced. I blame the Egyptians, but it might have even been Solon's mistaken translation.

      Yahoo! is real, it is out there somewhere, buried under the rubble of category-based browsing.

    11. Re:Yeah I've noticed that... by Anonymous Coward · · Score: 3, Interesting

      It's not just TOR but also anyone using a VPN.

      Sometimes I have to verify 3 times in succession just to visit a single website only to find that there was not much on that site.

      More and more sites are using Cloudflare and it's really annoying me and if they are tracking as well then bang goes your anonymity, so you're going to have to randomise agent strings with gibberish to try and fool the software from tracking

    12. Re: Yeah I've noticed that... by TobiX · · Score: 1

      > Javascript really shouldn't be a basic requirement just to load a page That's one of my main gripes with Slashdot's "mobile site": it's not a website at all, it's a shitty Javascript application. Why did they waste money on something like this, instead of making a new responsive css for the existing website, is a mystery.

    13. Re: Yeah I've noticed that... by TobiX · · Score: 1

      See? Trying to format a comment on this thing is just hopeless.

    14. Re: Yeah I've noticed that... by Anonymous Coward · · Score: 0

      Because responsive websites blow? They make all desktop websites look like lame oversized mobile sites.

    15. Re: Yeah I've noticed that... by Anonymous Coward · · Score: 0

      Take responsibility? The blockers are responsible. I was seeing a ton of sql hack attempts from various tor connections. Too bad for them the site is ancient and has no dB server. It stopped when I started changing the headers so that their attempts hit the NSA homepage instead.

    16. Re:Yeah I've noticed that... by RockDoctor · · Score: 1

      If $COMPANY_OR_SERVICE$ are adversely affecting your use of a site, then tell the site's administrators that you're stopping using that service because of the use of $COMPANY_OR_SERVICE$, and that you'd appreciate a mail to tell you when they have stopped using $COMPANY_OR_SERVICE$.

      Haven't you read the fucking manual on how to manipulate corporations by denying them business?

      OK, there is also the possibility that they'll say, "fuck that idiot, we're going to continue using $COMPANY_OR_SERVICE$," and wave goodbye to you. But since you were going to have to find a substitute for that site anyway, you've not actually lost anything.

      Just stopping use of the service isn't effective. The reason for the cessation of use needs to be communicated too.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Well by Anonymous Coward · · Score: 5, Interesting

    Although I am for an anonymous internet, all serious attempts to enter our systems have come from Russian, Chinese, Korean and Tor ips. And an ignorable part of traffic from those IPs is legitimate.

    How do you stop Tor from being abusive?

    1. Re:Well by mspohr · · Score: 2

      How do you stop the Internet from being abusive?

      --
      I don't read your sig. Why are you reading mine?
    2. Re: Well by Anonymous Coward · · Score: 1

      Block it.

    3. Re:Well by Anonymous Coward · · Score: 0

      Tor isn't abusive. It's just a tool to remain anonymous. Eliminating that anonymity doesn't stop attacks. Some users are going to attack you no matter what. You don't block all IPv4 traffic because some users are abusive, do you? The right response is to mitigate the issue and implement better security and more resiliency. Stop playing whack-a-mole. It's a game that you'll never win and offers no real protection. Alternative DDoS protection options exist, there are ways to harden your defences, implement user moderated discussion systems, etc.

    4. Re:Well by Anonymous Coward · · Score: 0

      easy, block Russian, Chinese and Tor IP's. Problem pretty close to solved

    5. Re:Well by phorm · · Score: 3, Insightful

      Yeah, this seems to be a result of one of these factors:
      a) Tor lets good people do good things anonymously so as to avoid persecution
      b) Tor lets bad people do bad things anonymously so as to avoid persecution

      In this case, a lot of sites would either legitimately block Tor or add extra hoops to stop (b). The same thing that lets some dude avoid censorship in his country also lets another dude attack somebody's site while obscuring his origin.

    6. Re:Well by Anonymous Coward · · Score: 0

      Use it for legitimate traffic.

    7. Re:Well by Anonymous Coward · · Score: 0

      pfsense with snort (block known tor nodes) along with pfblockerNG (block known russian, chinese and korean hosts) takes care of this for me for my small personal servers (a game server and a forum).

      The russian authorities actually encourage hostile network traffic and malware as long as it's directed at the US. Source: I work in the NOC for a large provider.

    8. Re:Well by Aighearach · · Score: 4, Interesting

      What I would do is to increase the presence of US law enforcement on Tor.

      Tor was created by the US government, not for privacy but for freedom of political and cultural speech under oppressive regimes. The whole premise of Tor was that a citizen of a repressive regime would be able to access the internet as if they were in a free nation; they would appear on the internet as being from there, and the only people who would have enough network access to identify them would be the people on the western side.

      Those people are the "legitimate" traffic. The reason why libraries sign up as Tor nodes is to grant people under repressive regimes to view the world as it is viewed from a western library.

      It is hilarious the people who think Tor would be some sort of "privacy" service that would shield their browsing from the US Government. The whole premise was to create a safe space for communication that was locally banned, but legal in the US and like-minded States. In my opinion, if people want to prevent Tor from being banned as a source of abuse, all they have to do is limit its use to the intended use. If they want it to be broadly used for other things, eventually it will be blocked from accessing almost anything, because DoS attacks are a thing.

    9. Re:Well by Aighearach · · Score: 1

      I also have to block about 10% of Brazil that is still on shared IPs. Sad but true. It used to be like 25%, but as their ISPs upgrade to modern systems and give out IPs to individual users it is improving. IPv6 will mostly solve that.

    10. Re:Well by thegarbz · · Score: 2

      IP blocklists. That's kind of the point. I flat out block large portions of the addressable space from my web server as 99.999% of those requests appear malicious. A few users get dragged into the net, but the internet hitting my site is as the discussion has defined it, "less abusive"

    11. Re:Well by Kjella · · Score: 3, Insightful

      And the Internet (ARPANET) was created because... who gives a shit, really? You talk like TOR is some kind of service like Facebook, shut it down and it's down. It's not, it's a piece of software. You can run TOR even if you ban all US nodes from touching your circuit, as long as there's someone out there willing to be your relay. That's kinda the whole point, to distribute the traffic through multiple nodes that aren't likely to collude to decrypt your traffic. So I can talk to TOR entry guard at a university in Germany that talks to a relay node in China that talks to an exit node in the US. Each link in the chain protects me against some abuse, including US abuse. Don't think the world will forget the NSA's transgressions any time soon. Make a US panopticon if you want, but nobody will trust it.

      --
      Live today, because you never know what tomorrow brings
    12. Re:Well by Anonymous Coward · · Score: 0

      In my experience, attacks come from both Tor and non-Tor IPs.
      Blocking Tor is really just a short-sighted, knee-jerk solution. You are not solving your fundamental problem of being exposed to attacks, by blocking Tor.

      If Tor gets blocked enough, attackers will simply continue their activities without it.

    13. Re:Well by Anonymous Coward · · Score: 1

      IPv6 will mostly solve that.

      So, by about 2060 all will be good.

    14. Re:Well by Anonymous Coward · · Score: 0

      Tor is way too slow to be used to dos anything.

    15. Re:Well by gweihir · · Score: 3, Insightful

      You do not. You secure your systems. Do not forget that this is only the attempts you know about, i.e. amateur-level. If they represent a threat, then you are screwed anyways.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:Well by gweihir · · Score: 1

      Stop spreading FUD.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    17. Re:Well by Anonymous Coward · · Score: 0

      Tor was created by the US government, not for privacy but for freedom of political and cultural speech under oppressive regimes.

      No. Tor was created to let CIA use public infrastructure without being detected. More data and this interview

      An undercover spook sitting in a hotel room in a hostile country somewhere couldn’t simply dial up CIA.gov on his browser and log in — anyone sniffing his connection would know who he was. Nor could a military intel agent infiltrate a potential terrorist group masquerading as an online animal rights forum if he had to create an account and log in from an army base IP address.

      The United States government can’t simply run an anonymity system for everybody and then use it themselves only. Because then every time a connection came from it people would say, ‘Oh, it’s another CIA agent.’ If those are the only people using the network.

      Quickly realized that only technically anonymizing traffic was not enough — not if the system was being used exclusively by military and intelligence. In order to cloak spooks effectively, Tor needed to be used by a diverse group of people: activists, students, corporate researchers, soccer moms, journalists, drug dealers, hackers, child pornographers, foreign agents, terrorists — the more diverse the group, the better the spooks could hide in the crowd in plain sight.

      So what's Tor for

      • Its original goal: Cloaks the online identity of government agents while they are in the field. And the rest of this stuff — the online protection of activists, dissidents, journalists, criminals, etc. The more diverse the group, the better.
      • A trap, a honeypot for other countries' intelligence, but they are not that stupid, so finally it's a honeypot for activists against USA.
      • A way to allow activists against non-friend governments.
      • Friend oppressive regimes like Saudi Arabia, Arab Emirates, Morocco, new Egyptian Regime, etc., get information about dissidents from Tor thanks to USA's Tor honeypot.
    18. Re:Well by peawormsworth · · Score: 1

      a) Tor lets good people do good things anonymously so as to avoid persecution

      b) Tor lets bad people do bad things anonymously so as to avoid persecution

      but also...

      c) Tor lets everyone search out their curiosities online without having that curiosity permanently attached to their profile.

      I think far too many people quote extreme examples of who might want to use tor. When in reality, the anonymous features of tor are useful for the average citizen living in a "free" country. We all know that everything is being collected en masse and often sold to 3rd parties or used by authorities to profile and monitor their citizens. Tor is for the masses. It is unreasonable for a massive caching and DDOS service to toy with all of them and knowingly attempt to destroy the objectives of those users.

  3. Cloudflare is annoying by Aaden42 · · Score: 5, Interesting

    The Cloudflare DDoS stuff is really annoying. You have to enable JavaScript (and it takes a few seconds) to load pages that would otherwise display fine w/ NoScript blocking just about everything. I'm at the point where I just close most pages that use it and treat them like clickbait crap on Facebook. Yeah, that headline sounds interesting but not worth the frustration and security risk.

    1. Re:Cloudflare is annoying by Anonymous Coward · · Score: 2, Interesting

      The javascript requirement is because that's how they de-anonymize you behind TOR. (One of several ways actually, but a key one). They're depending on people dumb enough to run arbitrary scripts from tracking agencies while somehow fooling themselves into believing they are still anonymous.

    2. Re:Cloudflare is annoying by Anonymous Coward · · Score: 0

      Are you fucking serious? The javascript is to make you perform a computation before you can access the site (so that there is a cost for the attackers, and it slows them down). Sometimes it is simply a redirection in javascript, which weeds out attack scripts that can't execute javascript or emulate dom.
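
A minimal hashcash-style challenge of the kind the comment above describes, added here as an illustration; it is not part of the thread and not Cloudflare's code. The function names, the token layout and the 16-bit difficulty are assumptions of this sketch, and the solver is written in Python to stand in for the script a browser would run.

```python
import hashlib
import hmac
import secrets
import time

# Server-side key used to authenticate challenges (constructed for this example).
SECRET = secrets.token_bytes(32)
DIFFICULTY_BITS = 16  # assumed cost: about 2**16 hashes per page view on average


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(client_ip, now=None):
    """Server: hand out a stateless challenge bound to the source address and time."""
    ts = int(time.time() if now is None else now)
    payload = f"{client_ip}|{ts}|{secrets.token_hex(8)}"
    return f"{payload}|{_mac(payload)}"


def leading_zero_bits(digest):
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: brute-force a counter whose hash has the required zero prefix."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return counter
        counter += 1


def verify(challenge, counter, client_ip, bits=DIFFICULTY_BITS, max_age=300, now=None):
    """Server: one MAC and one hash, however long the client spent solving."""
    try:
        ip, ts, nonce, tag = challenge.split("|")
        ts = int(ts)
    except ValueError:
        return False
    # Reject challenges this server did not issue or that were altered.
    if not hmac.compare_digest(tag, _mac(f"{ip}|{ts}|{nonce}")):
        return False
    # A client whose source address changed since the challenge was issued
    # (for example after a new Tor circuit) has to solve a fresh one.
    if ip != client_ip:
        return False
    current = time.time() if now is None else now
    if not 0 <= current - ts <= max_age:
        return False
    digest = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
    return leading_zero_bits(digest) >= bits
```

Because nothing is stored server-side, a solved challenge can be replayed from the same address until `max_age` expires; a deployment that cares would also keep a short-lived set of spent nonces.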

  4. They should use APPS, not LUDDITE TOR! by Anonymous Coward · · Score: 0, Troll

    Modern app appers know that ONLY apps can app apps, not LUDDITE TOR! If these LUDDITES switched to appy app apps instead of LUDDITE TOR, they would get modern APPtchas instead of LUDDITE captchas!

    Apps!

    1. Re:They should use APPS, not LUDDITE TOR! by Anonymous Coward · · Score: 0

      Snap!

    2. Re:They should use APPS, not LUDDITE TOR! by Anonymous Coward · · Score: 0

      No not snap. SnAPP!

  5. Exit Nodes by Anonymous Coward · · Score: 3, Insightful

    I have my doubts that Cloudflare is doing this purposefully but what might be occurring is nefarious things occur on TOR and so a bad actor who happens to have their session exiting the same exit node as benign Tor users are setting off Cloudflare's security algorithms for all sessions exiting that node.

    1. Re:Exit Nodes by SumDog · · Score: 2

      That's what I thought when I experienced this, but they do request A LOT of Captchas...like every few pages. I'm more willing to bet it's intentional.

    2. Re:Exit Nodes by Anonymous Coward · · Score: 0

      Cloudflare allows the site admins to set the paranoia level.

      Most site admins (me included) don't care if Tor clients can't get through - it's worth it for the safety. I pump up the paranoia level slightly and no regular customers have complained.

    3. Re:Exit Nodes by Aighearach · · Score: 1

      You say you doubt they do it purposely, but then you go on to describe doing it purposely, for reasons.

      Yes, they likely do have reasons. It is a valuable insight that many are missing.

    4. Re:Exit Nodes by Anonymous Coward · · Score: 0

      I have to wonder, though. To a large site, the behavior of a Tor exit node will certainly seem unusual (lots of connections, each one coming from a different browser, but with most of those browsers broadcasting exactly the same User-Agent and other identifying information), but that doesn't mean they're "malicious."

      I also have to wonder: when I click on a link, see it's cloudflared, and decide that reading the page isn't worth the effort of solving whatever infuriating puzzle they're showing me today, and close the tab... does that visit go into their big bucket of statistics as "another bot attack successfully thwarted"?

    5. Re:Exit Nodes by GNious · · Score: 1

      I've been stuck in infinite CAPTCHAs when using Tor ... is pretty effing annoying.

    6. Re:Exit Nodes by Anonymous Coward · · Score: 0

      maybe you are just bad at being human or doing them wrong.

      I was stuck in a loop for a while then I realized that certain things which I would definitely consider a street sign aren't street signs.

  6. It's easy to see why by Anonymous Coward · · Score: 2, Insightful

    With Tor, I can specifically set which country I want my exit node to be from, and I have a large selection. If I want, I can select a single exit node and stick with it until the IP is blocked.

    This is useful for scanning, brute forcing, exploitation, ex-filtrating data, or just trolling online. Anything nefarious that I don't want linked back to me easily. Malware using Tor for C&C traffic doesn't help the situation.

    Bad actors give Tor a bad rap, even if it does a ton of good for countries with repressive regimes. Thanks to negativity bias, people block Tor unless they have a specific reason for allowing it.

    1. Re:It's easy to see why by Aighearach · · Score: 1, Interesting

      One thing I've considered is maybe there should be an exit node that only accepts connections from countries that have repressive regimes, and few or no remotely-purchasable VPS hosting services. Or at least no VPS services with English or Russian sales pages. ;)

      Then you might have a safe exit node without all the American trolls and Russian criminals.

      Pre-emptive strike: No, I did not overlook that various technical changes would be required, I simply didn't go into it.

    2. Re:It's easy to see why by Anonymous Coward · · Score: 0

      Perhaps one desirable use of Tor is the ability it gives the american citizen to datamine large corporations who otherwise limit access to their data's availability on a per-IP basis (meanwhile, while fully datamining the lives of the people to whom it is denying access)

    3. Re:It's easy to see why by Anonymous Coward · · Score: 0

      Why would you have a Tor exit node inside a repressive regime? That doesn't make sense.

  7. First Post! by Anonymous Coward · · Score: 0

    You get used to it.

    Captcha: Onion
    Captcha: Traffic Sense
    Captcha: JohTn89 uBs
    Captcha: 910
    I'm not a robot:
            Selected 4 street name signs
            Selected 3 bodies of water
            Selected 3 panels with road signs
    and finally
    Slashdot captcha: chanted

  8. cloud fear by Anonymous Coward · · Score: 0

    this is a Rockefeller company..

  9. A living hell by xxxJonBoyxxx · · Score: 4, Insightful

    >> making the life of Tor users a living hell: enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies

    Are you sure they're not just anonymous SlashDot users?

    In any case, you have an odd definition of a "living hell" even from a first-world perspective.

    1. Re:A living hell by Anonymous Coward · · Score: 1

      In any case, you have an odd definition of a "living hell" even from a first-world perspective.

      Right, a true first-world living hell also involves Starbucks using real cream instead of non-fat vanilla flavored soy-milk.

    2. Re:A living hell by AmiMoJo · · Score: 1

      Actually it sounds a lot like classical descriptions of hell and divine punishment. In this case it reminds me of Sisyphus, forced to enter a captcha over and over without end.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:A living hell by Anonymous Coward · · Score: 0

      Because Starbucks isn't Starbucks unless a baby cow dies for it.

    4. Re:A living hell by Aighearach · · Score: 1, Funny

      In any case, you have an odd definition of a "living hell" even from a first-world perspective.

      Stop oppressing me by tracking me when I'm pretending I'm anonymous! lololol

      Once upon a time, Tor was a shining beacon of light that caused me to think fond thoughts of oppressed Persians being able to access their own cultural history via the West. These days, they have phone apps for that in their own language, and Tor is just a joke that never stops giving.

    5. Re:A living hell by Aighearach · · Score: 1

      Because no baby animal ever died to replace a dairy with a chemical factory!

      Oh, wait...

    6. Re:A living hell by Aighearach · · Score: 1

      Yeah, what an idiot that Sisyphus was, he should have just closed the window and ignored the stone! They were sure simple-minded in the past.

    7. Re:A living hell by Anonymous Coward · · Score: 0

      Actually it sounds a lot like classical descriptions of hell and divine punishment. In this case it reminds me of Sisyphus, forced to enter a captcha over and over without end.

      CAPTCHAs in full Unicode, he has one chance to get it right before it changes and each time he is wrong, it gets one character longer. How sure are you that is a "O" and not a "0" and once you get that far, what alphabet?

  10. 3.67% of 1000? by Anonymous Coward · · Score: 1

    3.67% of 1000 is 36.7 websites. I question whoever came up with those stats.

    1. Re:3.67% of 1000? by dgtangman · · Score: 1

      But that's not what the summary says! It says 3.67% of the 1.3 million are Alexa Top 1000 sites, so 47,710 of those 1000 sites are blocking Tor users. Hmm. Not much better.

    2. Re:3.67% of 1000? by Actually,+I+do+RTFA · · Score: 1

      That's not what the article says. Oh, wait, it is. The summary ripped that numerically impossible line verbatim from the article, and no one noticed.

      --
      Your ad here. Ask me how!
    3. Re:3.67% of 1000? by Anonymous Coward · · Score: 0

      Nobody noticed, except the dozen times it's been posted here.

  11. Wonderful editing timmay by Anonymous Coward · · Score: 0

    Additionally, a study by some UK and US researchers found that are 1.3 million websites blocking access to Tor users, 3.67% being Alexa Top 1000 sites

    This sentence doesn't make any sense. 3.67% of 1.3 million would be ~47700 sites. Good ole timmay who is unable to actually edit anything since the actual article says:

    The researchers found that over 1.3 million websites actively block connections from the Tor network, including 3.67% of the top-1,000 Alexa sites.

    which makes much more sense.

    1. Re:Wonderful editing timmay by Anonymous Coward · · Score: 0

      3.67% of 1000 sites is how many sites now?

      In a world where both the original author and the editor are fucking clueless...

    2. Re:Wonderful editing timmay by Anonymous Coward · · Score: 0

      3.67% of 1000 sites is how many sites now?

      A much more logical number than written to say that 3.67% of 1.3 million sites were Alexa Top 1000 sites.

    3. Re:Wonderful editing timmay by mrchaotica · · Score: 2

      In a world where both the original author and the editor are fucking clueless...

      "...a lone Anonymous Coward will find the courage to correct them! A hero will rise, and an Editor will fall. Things are about to get trollish on Slashdot, this year [and every year]. And this time, it's serious business!"

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  12. Then allow HIDDEN exit nodes by Anonymous Coward · · Score: 0

    Allow 4 hop circuits with exit nodes that DO NOT publish their IP.

    Entry-Middle-Middle-NoPublishExit.

    Then Cloudflare won't know it's a Tor node so easily.

    1. Re: Then allow HIDDEN exit nodes by Aighearach · · Score: 2

      You mistakenly believe that they are targeting Tor directly, rather than indirectly. They don't download a list of these IPs, they have the list based on what IPs are being used in attacks. An unpublished exit node would have just as many attacks appearing to originate from it as a published exit node, and would make the blacklist in the exact same amount of time.

      These are lists created by software, not lists input by humans. That is silly, there are actually lots of IPs that need blocking. Lots and lots. And lots. If they were being input by hand, there would be a whole major country employed in doing it. ;)

  13. This is a technical malfunction, not surveillance. by Striek · · Score: 2

    CloudFlare is not targeting Tor users. They aren't doing anything not considered best practices in general and practised all over the net. Showing a CAPTCHA to a Tor user is used in many places, including Google and Yahoo, who employ this method without irking people. The issue is that the technology CloudFlare is using to accomplish this is malfunctioning, and not that they are targeting Tor users.

    So far, the Tor project hasn't accused them of surveillance publicly. That would be overkill. Adding a cookie to a web browsing session (which I presume is so that session is not subjected to such measures in the future) is hardly mass surveillance. Tor are being their usual anal selves and refusing to compromise. This problem is a technical malfunction, not mass surveillance of CloudFlare users.

    They do have a point that CloudFlare can be notoriously difficult to resolve problems with, though. CloudFlare can be just as anal as Tor.

    --
    "Government is like fire; a handy servant, but a dangerous master." -- George Washington
  14. APPLE does it too! by Anonymous Coward · · Score: 0

    Our newly acclaimed champion of encryption also blocks TOR traffic, at least these ones:

    https://getsupport.apple.com/
    https://support.apple.com/
    https://discussions.apple.com/

    Source: TOR Project

  15. This is Tor's fault by fustakrakich · · Score: 2

    It has to be able to blend in better, or it's not doing its job.

    --
    “He’s not deformed, he’s just drunk!”
  16. Re:This is a technical malfunction, not surveillan by Anonymous Coward · · Score: 0

    They aren't doing anything not considered best practices in general and practised all over the net. Showing a CAPTCHA to a Tor user is used in many places, including Google and Yahoo, who employ this method without irking people.

    Speak for yourself. Using google is certainly very annoying with TOR.

  17. Re:This is a technical malfunction, not surveillan by gstoddart · · Score: 1

    Adding a cookie to a web browsing session (which I presume is so that session is not subjected to such measures in the future) is hardly mass surveillance.

    Not any more than any ad and analytics shit is mass surveillance ... you know, tracking people on a large scale.

    You're right, it likely has nothing specific to do with Tor, but let's not pretend the assholes who are tracking everybody on the internet aren't essentially doing mass surveillance.

    --
    Lost at C:>. Found at C.
  18. Re:This is a technical malfunction, not surveillan by Richard_at_work · · Score: 1

    So what if CloudFlare is carrying out surveillance, isn't Tor supposed to be immune to that? No one granted Tor users the unmitigated right to browse the internet and be treated the same as everyone else, especially if they can be picked out from the crowd...

  19. Perens.com and is on Cloudflare by Bruce+Perens · · Score: 4, Insightful

    I've been using Cloudflare for a few years, and they've helped me handle traffic and abuse from my one-server site and have never been a problem or expensive. Nor have they been malicious. I also have some Open Source projects like FreeDV.org going through Cloudflare.

    One of the things they do is protect me from web attacks. It's an unfortunate fact that Tor really is used for web attacks.

    Obviously, if there is a problem with their captcha, they need to fix it. I think it's perfectly fair for someone who is approaching the site through a known attack vector to have to pass a captcha once.

    Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions, so that you can have logins and dispense privileges where appropriate. One would expect that Tor users understand how to deal with cookies, and with less civil attempts to nail down their identity.

    1. Re:Perens.com and is on Cloudflare by Anonymous Coward · · Score: 1, Interesting

      > Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions [...]

      This is simply not true.

    2. Re:Perens.com and is on Cloudflare by Anonymous Coward · · Score: 0

      go away bruce

    3. Re:Perens.com and is on Cloudflare by Anonymous Coward · · Score: 1

      Giving up the freedom of other people appears to be the convenient option.

    4. Re:Perens.com and is on Cloudflare by MtHuurne · · Score: 1

      > Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions, so that you can have logins and dispense privileges where appropriate.

      If you hand out session IDs prior to authentication, you're vulnerable to session fixation. So giving session cookies to all visitors is not required for the purpose of supporting logins, since you're going to have to give them a new session ID after logging in.
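
The session fixation point in the comment above, as an added example that is not part of the original thread or of any site's real code: a toy in-memory session table with three policies, and a check that reports whether an ID that existed before login ends up authenticated. The class, policy names and user name are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session table. policy is one of:
    "reuse"  - keep the pre-login ID after authentication (fixation-prone)
    "rotate" - issue a fresh ID at login and invalidate the old one
    "lazy"   - no session for anonymous visitors; create one only at login
    """

    def __init__(self, policy):
        if policy not in ("reuse", "rotate", "lazy"):
            raise ValueError(policy)
        self.policy = policy
        self._users = {}  # session ID -> user name, None while anonymous

    def _fresh(self, user=None):
        sid = secrets.token_urlsafe(32)
        self._users[sid] = user
        return sid

    def visit(self, sid=None):
        """Anonymous page view; returns the ID to set as a cookie, or None."""
        if sid in self._users:
            return sid
        # An ID the server never issued is ignored, not adopted.
        return None if self.policy == "lazy" else self._fresh()

    def login(self, sid, user):
        """Credentials already verified by the caller; returns the post-login ID."""
        if self.policy == "reuse" and sid in self._users:
            self._users[sid] = user
            return sid
        self._users.pop(sid, None)  # the pre-login ID, if any, stops working
        return self._fresh(user)

    def user_for(self, sid):
        return self._users.get(sid)


def pre_login_id_gains_auth(store):
    """True if an ID handed out before login is authenticated afterwards."""
    known = store.visit()            # ID obtained as an anonymous visitor
    if known is None:
        return False                 # nothing exists that could be fixed
    store.login(known, "alice")      # a browser carrying that ID logs in
    return store.user_for(known) == "alice"


if __name__ == "__main__":
    for policy in ("reuse", "rotate", "lazy"):
        print(policy, pre_login_id_gains_auth(SessionStore(policy)))
```

The "lazy" policy corresponds to the comment's observation that anonymous visitors do not need a session cookie for logins to work.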

    5. Re:Perens.com and is on Cloudflare by Anonymous Coward · · Score: 0

      > Nor have they been malicious.

      How do you know? Seriously, how do you know they haven't done and aren't still doing something nefarious? Your site appears to be working fine and so as far as you're concerned everything is roses, but you have no idea what information Cloudflare is gathering about your users. You can't know how many legitimate users hit a "prove you're human" page on your site, and fuck right off to a different site instead of putting up with that hassle. You probably won't be likely to notice minor outages and those random "CloudFlare Ray ID# 810a5bdaafc6dd30b1d9979215935871 has encountered an error" bullshit interfering with your site.

      But, using them is your choice and more power to you.

    6. Re:Perens.com and is on Cloudflare by Anonymous Coward · · Score: 0

      yeah, we need more drunken 3 word anonymous contributions, right?

    7. Re:Perens.com and is on Cloudflare by Bruce+Perens · · Score: 1

      There are session-oriented features that don't depend on logging in, too. I'm going to hope the developers of at least two wikis and Wordpress got it right, and that Debian is keeping an eye on them for me :-)

    8. Re:Perens.com and is on Cloudflare by Bruce+Perens · · Score: 1

      > Giving up the freedom of other people appears to be the convenient option.

      No, not particularly. I had never heard of a Tor interaction until today, one reason is that I don't use Tor.

      If you want to talk about Freedom, let's allow users to choose not to use HTTPS instead of forcing it upon them as most sites do today. Even the browsers are starting to do it, Chrome won't run getUserMedia() over HTTP any longer. I know when I need to hide my web transactions, and resent being forced to do it the rest of the time.

    9. Re:Perens.com and is on Cloudflare by Bruce+Perens · · Score: 1

      > How do you know?

      How do you know about anyone's character? By watching their actions. I'm really sensitive about companies, because there are a lot of self-serving ones out there who don't deserve my business.

      Now, if Cloudflare doesn't fix the problem or people show me that they've been giving data on democracy and freedom advocates to totalitarian governments, then I'll re-evaluate and move my business elsewhere. But if they are collecting data on Tor users who attack their own customers' sites, and handing them over to law enforcement, I'm going to be completely OK with that.

    10. Re:Perens.com and is on Cloudflare by BronsCon · · Score: 1

      How about you show us how it is not true, rather than making a blatantly false statement you can't back up?

      Oh, sorry, answered my own question. Carry on, then.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    11. Re:Perens.com and is on Cloudflare by Bruce+Perens · · Score: 2

      Grasshopper, it is the time to learn the art of argument. One submits facts to make their argument, not simply contradiction. In this case, a discussion of the HTTP protocol would be appropriate.

    12. Re:Perens.com and is on Cloudflare by bheerssen · · Score: 1

      HTTP protocol: the Hypertext Transfer Protocol protocol. Text is transmitted in a hyper, super active state that is stateful and aware of itself. Sessions are irrelevant.

      Right?

      --
      (Score: -1, Stupid)
    13. Re:Perens.com and is on Cloudflare by Bruce+Perens · · Score: 1

      Put that copy of A Fire on the Deep down, before there's no hope for you.

    14. Re:Perens.com and is on Cloudflare by Anonymous Coward · · Score: 0

      The thing you should realize, though, is that this story is really not news. It's been about a year and a half, I think, since CloudFlare started becoming a major problem for Tor users, and about a year since they switched to a captcha system that was literally impossible to solve for anyone with Javascript disabled. Now, in fairness, CloudFlare has started making an effort to improve things in the last month or so. But it took a long time for them even to acknowledge the problem, and they still have a long way to go to fix it.

      I hope you can appreciate how aggravating it is to be told you have to prove you're a human, many times a day, simply for trying to read a website. It certainly didn't help that for many months, if you disabled Javascript, the site would completely ignore what you typed in the box. And the "FAQ" at the bottom of the page ("Why do I have to complete a CAPTCHA?") seems almost deliberately antagonistic in the way it gives a factual response that completely fails to answer the question ("Completing the CAPTCHA proves you are a human and gives you temporary access to the web property.") So I hope you can understand why, after over a year of this, people are a little bitter.

    15. Re:Perens.com and is on Cloudflare by Bruce+Perens · · Score: 1

      Actually, you're not being told to prove you're a human just to read a web site. You're being told that because you approach the site through what is, unfortunately, a known attack vector. Yes, Tor was created with the best intentions, to protect people who are victims of repressive governments, but its users don't always have those intentions. Some are just plain malicious.

      I am also having a little trouble understanding why anyone needs to approach Perens.com, FreeDV.org, and other quite mundane sites using Tor.

    16. Re:Perens.com and is on Cloudflare by Anonymous Coward · · Score: 0

      > How about you show us how it is not true [...]

      You'll probably have moved on. ADHS and that. But just in case...

      You can (this is the more simplistic approach) put the session ID in the URL. At this point, you have the choice to put it more at the "end" of the URL (I include the query parameter into this vague category), which is kinda more readable -- or just be "badass" and put it more at the "beginning" or root, which would let you leverage the relative URL and "base" mechanisms to even serve immutable pages while passing on the session ID.

      But my favorite is to not use a session ID, but a properly linked transaction ID, which is more tamper resistant and makes tracking more difficult. Because I don't want my users tracked against their own will.

    17. Re:Perens.com and is on Cloudflare by BronsCon · · Score: 1

      Putting the session ID in the URL prevents people from sharing links without also sharing their session. Likewise with a transaction ID, unless you only allow each transaction to occur once, in which case you break the "back" button. Never allow a user to accidentally share their session and never, never, and I mean never break the browser.

      So, within the confines of basic security and usability practices, care to explain this again?

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    18. Re:Perens.com and is on Cloudflare by Anonymous Coward · · Score: 0

      Oh, noes. You followed through :-)

      I take back all that with ADHS and gladly swallow every word.

      > Putting the session ID in the URL prevents people from sharing links without also sharing their session.

      Trivial to fix: a session should never be universal -- it's only valid within a narrow (time/IP/browser attributes: make that match a "soft" match, i.e. when too much differs, session is considered invalid [1]) context. Plus: a session by itself *never* authenticates, authentication is separate from that.

      I repeat, because this is important: Other than cookies, a "session id in a URL" is *not* an authentication token (this is a Good Thing).

      > Likewise with a transaction ID, unless you only allow each transaction to occur once, in which case you break the "back" button.

      Same context thing applies to transaction IDs. I do agree that one should never break the browser's back button.

      That said, in my (admittedly simple) applications (web shop, wiki, that kind of thing) authentication + session was enough. If the user is authenticated and the session not too old, the session was considered valid. Otherwise a redirect to the same URL sans session was issued and the "normal" handling applied.

      That made the user "the boss", being able to bookmark several sessions (I guess very few made use of that, because the Web is making us dumber, alas).

  20. Re:This is a technical malfunction, not surveillan by Ash+Vince · · Score: 1

    > Adding a cookie to a web browsing session (which I presume is so that session is not subjected to such measures in the future) is hardly mass surveillance.

    > Not any more than any ad and analytics shit is mass surveillance ... you know, tracking people on a large scale.

    > You're right, it likely has nothing specific to do with Tor, but let's not pretend the assholes who are tracking everybody on the internet aren't essentially doing mass surveillance.

    It's worth remembering that these "assholes" are not going around hacking websites and forcing their tags onto them, website owners are adding third party tracking websites and ad networks to their site to cover the cost of running a website. Instead of bitching about ad networks, just stop using ad supported sites.

    Running a website costs money, like everything else in this world.

    --
    I dont read /. to RTFA, I read /. to offend people in ignorance.
  21. Can confirm. by waspleg · · Score: 1

    They also do this to VPN services.

    1. Re:Can confirm. by Gondola · · Score: 2

      Yep. I use a VPN on one system and I am getting inundated with the CloudFlare CAPTCHAs, and they don't work right. It keeps coming up over and over.

    2. Re:Can confirm. by Anonymous Coward · · Score: 0

      Yeah, the one Captcha of choose all boxes that contain a road sign is shitty.

      You choose every square that contains part of a road sign and wow you're wrong and we have to go through the whole process several times again.

  22. Probably because many attacks come from TOR by GuB-42 · · Score: 2

    There are many script-kiddies who launch attacks using the TOR network so it isn't very surprising.
    I rented a small server hosted by OVH that I used as a web proxy to make up for the poor peering of my ISP. I noticed the same thing: captcha, etc... That's because cheap servers like mine are popular for attackers and many are infected by botnets.

  23. most famous Tor discriminating site ... by Anonymous Coward · · Score: 0

    Wikipedia, they stopped me improving the content when I switched completely to Tor browsing. So Wikipedia bugs are no longer a problem of mine.

  24. Behavioral Detection by Anonymous Coward · · Score: 0

    The analysis needs to become more sophisticated. Judging a user by their ip address is the internet version of "driving while black" or "flying while muslim." It is super easy to do, but gives you tons and tons of false positives.

    You can choose between doing it the easy way and alienating all those legitimate users (the number of which is probably growing considering people's inherent desire to not be surveilled) or you can start analyzing what they do on the site and banning them based on their actions.

    Craigslist is starting to move in that direction - they still ban by ip address but (1) the ban is only short term and (2) it doesn't kick in until a user on that ip address has done something suspicious like read 50 ads in 50 seconds. It would be great if they stepped it up so that if you had a cookie that was not associated with anything suspicious you would not be banned despite the ip address. That would require some sort of continuous score-keeping such that the first couple of accesses might be throttled until the user has "earned" trust in order to prevent malicious actors from simply discarding cookies associated with bad behaviour. The complexities of these algorithms are beyond the scope of a slashdot post though.
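
A sketch of the score-keeping described in the comment above, added here as an example and not taken from the thread or from any site's real system: a short-term IP ban triggered by a burst, new cookies throttled until they have earned trust, and trusted cookies allowed through a banned IP. The 50-hits-in-50-seconds trigger comes from the comment; the ban length, the trust thresholds and all names are assumptions.

```python
from collections import defaultdict, deque

BURST_HITS, BURST_WINDOW = 50, 50.0   # "50 ads in 50 seconds" from the comment
BAN_SECONDS = 600.0                   # assumed length of the short-term IP ban
TRUST_HITS, TRUST_AGE = 20, 300.0     # assumed meaning of "earned" trust


class ReputationGate:
    def __init__(self):
        self.ip_ban_until = {}
        self.ip_hits = defaultdict(deque)      # untrusted traffic per IP
        self.cookie_hits = defaultdict(deque)  # all traffic per cookie
        self.cookies = {}                      # cookie -> history

    @staticmethod
    def _burst(hits, now):
        """Record one hit and report whether the sliding window is full."""
        hits.append(now)
        while hits and now - hits[0] >= BURST_WINDOW:
            hits.popleft()
        return len(hits) >= BURST_HITS

    def decide(self, ip, cookie, now):
        """Return "allow", "throttle" or "block" for one request."""
        fresh = {"first": now, "clean": 0, "flagged": False}
        # A request without a cookie always starts from zero history.
        st = self.cookies.setdefault(cookie, fresh) if cookie else fresh
        trusted = (not st["flagged"] and st["clean"] >= TRUST_HITS
                   and now - st["first"] >= TRUST_AGE)
        bursting = cookie is not None and self._burst(self.cookie_hits[cookie], now)
        if not trusted:
            # Discarding cookies does not help: untrusted hits count per IP.
            bursting = self._burst(self.ip_hits[ip], now) or bursting
        if bursting:
            st["flagged"] = True               # this cookie never becomes trusted
            self.ip_ban_until[ip] = now + BAN_SECONDS
            return "block"
        if now < self.ip_ban_until.get(ip, 0.0) and not trusted:
            return "block"
        st["clean"] += 1
        return "allow" if trusted else "throttle"


def replay(gate, events):
    """Run (ip, cookie, timestamp) tuples through the gate in order."""
    return [gate.decide(ip, cookie, now) for ip, cookie, now in events]


if __name__ == "__main__":
    gate, ip = ReputationGate(), "203.0.113.7"   # constructed sample traffic
    replay(gate, [(ip, "good", 30.0 * i) for i in range(25)])
    replay(gate, [(ip, None, 1000.0 + i) for i in range(50)])
    print(gate.decide(ip, "new", 1060.0), gate.decide(ip, "good", 1060.0))
```

On an address shared by many users, such as a proxy or exit node, the effect is that one client's burst blocks newcomers for the ban period while cookies with an established clean history keep working.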

  25. Re:This is a technical malfunction, not surveillan by Aighearach · · Score: 1

    Is it still a "malfunction" if some percent of Tor users are in fact treating the hosts they connect to with mal-intent? And what if frequent captchas are believed to reduce specific forms of malicious behavior?

    It may simply be a feature that is unpopular with some small subset of users.

  26. CloudFlare by Anonymous Coward · · Score: 0

    is was shit

  27. More like "Tor project fails to rein Jake in" by Anonymous Coward · · Score: 0

    Seriously, if you read the comment threads where this is happening, you have ioerror doing stuff like choosing words with obvious nasty connotations to describe what Cloudflare is doing, then coming up with obvious bullshit "but I just mean it's technically X" defenses when called on it. Not to mention refusing to acknowledge the obvious relevance of the well-known fact that traffic from Tor exits has a far higher abuse probability than other traffic.

    Either he's too dumb to adjust his rhetoric to his audience and purposes, or he's too arrogant and emotional to care about the actual effects of what he says.

    If the Tor project wants to work with anybody in Cloudflare's position to actually solve anything, they need to get this guy out of the conversation.

  28. They're in a no-win position. by Mal-2 · · Score: 2

    Sites that accept Tor connections find themselves subjected to many problems. Just one of them is being unable to identify the source of a connection to keep one person from setting up large numbers of accounts. This is happening on Voat, with a few certain users signing up hundreds of times then spamming the place -- while the rest of us are limited to one account per IP address. Got two people at your house who want accounts? Too fucking bad. Yet it does absolutely nothing to stop the Tor and proxy users. There is a very vocal contingent (I can't say how numerous they are) that insists that without the anonymity of Tor and proxies, they won't visit at all. These are not problem users, either, they're well-behaved. They might be spewing vile shit in /v/niggers or /v/FatPeopleHate, but they're not abusing the service and crossposting where nobody wants to see them. On the other hand, you have people like me, who want the crapfloods stopped. If it takes banning Tor and proxies, I'm afraid I have to say I'm for it -- though if it can be accomplished by less severe methods, that would be better. So far, management has taken the other side (doing nothing as best I can tell), so I've largely moved on. Rule #0 of any service should be "no unenforceable rules". If they can't or won't enforce the "one account per person" rule on Amalek and the Men's Rights Activists, then they shouldn't enforce them on anyone.

    4chan, vile as it was, did not allow posting from proxies the last I checked (which would be over a year ago, now) because of the inability to stop the crapfloods. 8chan makes Tor users solve CAPTCHAs every three to five posts instead of once a day. There may actually be a good balance between preserving functionality for good Tor users while preventing abuse by the bad ones, but if a site as dedicated to free speech as Voat can't find it, then sites that aren't so gung ho about free speech are just going to say "screw it, block them". Can they really be blamed?

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    1. Re:They're in a no-win position. by Anonymous Coward · · Score: 0

      All of that is quite understandable. Stopping spam is really, really hard.

      That also has virtually nothing to do with CloudFlare. CloudFlare isn't about stopping people from creating accounts or posting spam - it's about stopping people from *viewing* the site in the first place. Which is a couple orders of magnitude more obnoxious, because I would estimate I read a few hundred web pages for every comment thread I care to post on.

    2. Re:They're in a no-win position. by Anonymous Coward · · Score: 0

      > 8chan makes Tor users solve CAPTCHAs every three to five posts instead of once a day.

      Last I tried to post to 8chan via Tor (through its .onion address), they asked for a captcha and after solving it, they told me that I was not allowed to post at all through Tor.

      I wasn't posting an image either. Just plain text.

      Are those restrictions board-specific?

    3. Re:They're in a no-win position. by Mal-2 · · Score: 1

      You know, the 8chan software has been really fucky since the whole Infinity Next debacle. I can't say what's normal. A couple days ago, the CAPTCHAs stopped showing up. We still had to do them, but there was no graphic displayed. The workaround came from /pol/, the first time I've ever found that bunch of Stormfront asswipes useful -- View Source, highlight the link to the image that wasn't showing up, and pull it up in another tab or window.

      So I don't know if the .onion is just not high on Hotwheels' priority list right now, or if that's somehow normal behavior.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  29. Not just TOR users. by MadMaverick9 · · Score: 1

    I whitelist cookies and javascript as needed (my whitelist is very very short really).

    And I just now was asked to "Please complete the security check to access alpha.wallhaven.cc" when trying to go to http://alpha.wallhaven.cc/wall....

    Fuck em. You don't want me to look at your site. Then I simply don't. I don't give a shit.

    A fucking "security check" to look at some desktop wallpapers??!!?? For crying out loud!!

    The Open Internet is indeed getting smaller and smaller by the day.

  30. Same happens with Propel Accelerator by AUX4Ever · · Score: 1

    I'm stuck using Propel (a relic of dial-up) on my internet connection and I regularly get intercepted by Cloudflare, shopping cart subsystems, and other third-party apps thinking I'm trying to do something nefarious.

    Heaven help you if you're browsing in a non-linear fashion (control-click) with multiple tabs set to load in the background while you're browsing.

    I usually just give up and look somewhere else.