Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Traffic (softpedia.com)
An anonymous reader writes: Tensions are rising between Tor Project administrators and CloudFlare, a CDN and DDoS mitigation service that's apparently making the life of Tor users a living hell. Tor administrators are saying that CloudFlare is making Tor users enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies. Additionally, a study by some UK and US researchers found that there are 1.3 million websites blocking access to Tor users, 3.67% being Alexa Top 1000 sites.
Although I am for an anonymous internet, all serious attempts to enter our systems have come from Russian, Chinese, Korean and Tor IPs. And an ignorable part of traffic from those IPs is legitimate.
How do you stop Tor from being abusive?
The Cloudflare DDoS stuff is really annoying. You have to enable JavaScript (and it takes a few seconds) to load pages that would otherwise display fine w/ NoScript blocking just about everything. I'm at the point where I just close most pages that use it and treat them like clickbait crap on Facebook. Yeah, that headline sounds interesting but not worth the frustration and security risk.
I have my doubts that Cloudflare is doing this purposefully, but what might be occurring is that nefarious things occur on Tor, and so a bad actor who happens to have their session exiting the same exit node as benign Tor users is setting off Cloudflare's security algorithms for all sessions exiting that node.
With Tor, I can specifically set which country I want my exit node to be from, and I have a large selection. If I want, I can select a single exit node and stick with it until the IP is blocked.
This is useful for scanning, brute forcing, exploitation, ex-filtrating data, or just trolling online. Anything nefarious that I don't want linked back to me easily. Malware using Tor for C&C traffic doesn't help the situation.
Bad actors give Tor a bad rap, even if it does a ton of good for countries with repressive regimes. Thanks to negativity bias, people block Tor unless they have a specific reason for allowing it.
>> making the life of Tor users a living hell: enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies
Are you sure they're not just anonymous SlashDot users?
In any case, you have an odd definition of a "living hell" even from a first-world perspective.
CloudFlare is not targeting Tor users. They aren't doing anything not considered best practices in general and practised all over the net. Showing a CAPTCHA to a Tor user is used in many places, including Google and Yahoo, who employ this method without irking people. The issue is that the technology CloudFlare is using to accomplish this is malfunctioning, and not that they are targeting Tor users.
So far, the Tor project hasn't accused them of surveillance publicly. That would be overkill. Adding a cookie to a web browsing session (which I presume is so that session is not subjected to such measures in the future) is hardly mass surveillance. Tor are being their usual anal selves and refusing to compromise. This problem is a technical malfunction, not mass surveillance of CloudFlare users.
They do have a point that CloudFlare can be notoriously difficult to resolve problems with, though. CloudFlare can be just as anal as Tor.
"Government is like fire; a handy servant, but a dangerous master." -- George Washington
It has to be able to blend in better, or it's not doing its job.
“He’s not deformed, he’s just drunk!”
And even if it doesn't, it manages to break the 'web in all sorts of interesting ways. Javascript really shouldn't be a basic requirement just to load a page, for one.
Aside: Math fail? 0.0367 * 1.3*10^6 = 47710, those don't all fit in the Alexa top 1000, or it secretly isn't a top 1000.
I've been using Cloudflare for a few years, and they've helped me handle traffic and abuse from my one-server site and have never been a problem or expensive. Nor have they been malicious. I also have some Open Source projects like FreeDV.org going through Cloudflare.
One of the things they do is protect me from web attacks. It's an unfortunate fact that Tor really is used for web attacks.
Obviously, if there is a problem with their CAPTCHA, they need to fix it. I think it's perfectly fair for someone who is approaching the site through a known attack vector to have to pass a CAPTCHA once.
Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions, so that you can have logins and dispense privileges where appropriate. One would expect that Tor users understand how to deal with cookies, and with less civil attempts to nail down their identity.
Bruce Perens.
Yeah - the exit nodes that the person is using are likely also being used for DDoS or some other attack.
"...a lone Anonymous Coward will find the courage to correct them! A hero will rise, and an Editor will fall. Things are about to get trollish on Slashdot, this year [and every year]. And this time, it's serious business!"
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I, too, was wondering about that. 3.67% of 1000 is 36.7. What is 0.7 of a web site?
"National Security is the chief cause of national insecurity." - Celine's First Law
.. What is 0.7 of a web site?
Yahoo. That's what.
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
...but it said "top 1000," so that's not it.
There are many script-kiddies who launch attacks using the TOR network so it isn't very surprising.
I rented a small server hosted by OVH that I used as a web proxy to make up for the poor peering of my ISP. I noticed the same thing: CAPTCHA, etc. That's because cheap servers like mine are popular for attackers and many are infected by botnets.
Yep. I use a VPN on one system and I am getting inundated with the CloudFlare CAPTCHAs, and they don't work right. It keeps coming up over and over.
It's not just Tor but also anyone using a VPN.
Sometimes I have to verify 3 times in succession just to visit a single website, only to find that there was not much on that site.
More and more sites are using Cloudflare and it's really annoying me, and if they are tracking as well then bang goes your anonymity, so you're going to have to randomise agent strings with gibberish to try and fool the software from tracking.
You mistakenly believe that they are targeting Tor directly, rather than indirectly. They don't download a list of these IPs, they have the list based on what IPs are being used in attacks. An unpublished exit node would have just as many attacks appearing to originate from it as a published exit node, and would make the blacklist in the exact same amount of time.
These are lists created by software, not lists input by humans. That is silly, there are actually lots of IPs that need blocking. Lots and lots. And lots. If they were being input by hand, there would be a whole major country employed in doing it. ;)
Sites that accept Tor connections find themselves subjected to many problems. Just one of them is being unable to identify the source of a connection to keep one person from setting up large numbers of accounts. This is happening on Voat, with a few certain users signing up hundreds of times then spamming the place -- while the rest of us are limited to one account per IP address. Got two people at your house who want accounts? Too fucking bad. Yet it does absolutely nothing to stop the Tor and proxy users. There is a very vocal contingent (I can't say how numerous they are) that insists that without the anonymity of Tor and proxies, they won't visit at all. These are not problem users, either, they're well-behaved. They might be spewing vile shit in /v/niggers or /v/FatPeopleHate, but they're not abusing the service and crossposting where nobody wants to see them. On the other hand, you have people like me, who want the crapfloods stopped. If it takes banning Tor and proxies, I'm afraid I have to say I'm for it -- though if it can be accomplished by less severe methods, that would be better. So far, management has taken the other side (doing nothing as best I can tell), so I've largely moved on. Rule #0 of any service should be "no unenforceable rules". If they can't or won't enforce the "one account per person" rule on Amalek and the Men's Rights Activists, then they shouldn't enforce them on anyone.
4chan, vile as it was, did not allow posting from proxies the last I checked (which would be over a year ago, now) because of the inability to stop the crapfloods. 8chan makes Tor users solve CAPTCHAs every three to five posts instead of once a day. There may actually be a good balance between preserving functionality for good Tor users while preventing abuse by the bad ones, but if a site as dedicated to free speech as Voat can't find it, then sites that aren't so gung ho about free speech are just going to say "screw it, block them". Can they really be blamed?
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.