Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Traffic (softpedia.com)
An anonymous reader writes: Tensions are rising between Tor Project administrators and CloudFlare, a CDN and DDoS mitigation service that's apparently making the life of Tor users a living hell. Tor administrators are saying that CloudFlare is making Tor users enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies. Additionally, a study by some UK and US researchers found that there are 1.3 million websites blocking access to Tor users, 3.67% being Alexa Top 1000 sites.
I have my doubts that Cloudflare is doing this purposefully, but what might be occurring is that nefarious things occur on Tor, and so a bad actor who happens to have their session exiting the same exit node as benign Tor users is setting off Cloudflare's security algorithms for all sessions exiting that node.
With Tor, I can specifically set which country I want my exit node to be from, and I have a large selection. If I want, I can select a single exit node and stick with it until the IP is blocked.
This is useful for scanning, brute forcing, exploitation, exfiltrating data, or just trolling online. Anything nefarious that I don't want linked back to me easily. Malware using Tor for C&C traffic doesn't help the situation.
Bad actors give Tor a bad rap, even if it does a ton of good for countries with repressive regimes. Thanks to negativity bias, people block Tor unless they have a specific reason for allowing it.
>> making the life of Tor users a living hell: enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies
Are you sure they're not just anonymous Slashdot users?
In any case, you have an odd definition of a "living hell" even from a first-world perspective.
I've been using Cloudflare for a few years, and they've helped me handle traffic and abuse from my one-server site and have never been a problem or expensive. Nor have they been malicious. I also have some Open Source projects like FreeDV.org going through Cloudflare.
One of the things they do is protect me from web attacks. It's an unfortunate fact that Tor really is used for web attacks.
Obviously, if there is a problem with their CAPTCHA, they need to fix it. I think it's perfectly fair for someone who is approaching the site through a known attack vector to have to pass a CAPTCHA once.
Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions, so that you can have logins and dispense privileges where appropriate. One would expect that Tor users understand how to deal with cookies, and with less civil attempts to nail down their identity.
Bruce Perens.
Yeah, this seems to be a result of one of these factors:
a) Tor lets good people do good things anonymously so as to avoid persecution
b) Tor lets bad people do bad things anonymously so as to avoid persecution
In this case, a lot of sites would either legitimately block Tor or add extra hoops to stop (b). The same thing that lets some dude avoid censorship in his country also lets another dude attack somebody's site while obscuring his origin.
And the Internet (ARPANET) was created because... who gives a shit, really? You talk like TOR is some kind of service like Facebook, shut it down and it's down. It's not, it's a piece of software. You can run TOR even if you ban all US nodes from touching your circuit, as long as there's someone out there willing to be your relay. That's kinda the whole point, to distribute the traffic through multiple nodes that aren't likely to collude to decrypt your traffic. So I can talk to a TOR entry guard at a university in Germany that talks to a relay node in China that talks to an exit node in the US. Each link in the chain protects me against some abuse, including US abuse. Don't think the world will forget the NSA's transgressions any time soon. Make a US panopticon if you want, but nobody will trust it.
Live today, because you never know what tomorrow brings
You do not. You secure your systems. Do not forget that this is only the attempts you know about, i.e. amateur-level. If they represent a threat, then you are screwed anyways.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.