Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Traffic (softpedia.com)

Posted by timothy on from the men-in-the-middle dept.

An anonymous reader writes: Tensions are rising between Tor Project administrators and CloudFlare, a CDN and DDoS mitigation service that's apparently making the life of Tor users a living hell. Tor administrators are saying that CloudFlare is making Tor users enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies. Additionally, a study by some UK and US researchers found that are 1.3 million websites blocking access to Tor users, 3.67% being Alexa Top 1000 sites.

12 of 116 comments (clear)

  1. Well by Anonymous Coward · · Score: 5, Interesting

    Although I am for an anonymous internet, all serious attempts to enter our systems have come from Russian, Chinese, Korean and Tor ips. And an ignorable part of traffic from those IPs is legitimate.

    How do you stop Tor from being abusive?

    1. Re:Well by phorm · · Score: 3, Insightful

      Yeah, this seems to be a result of one of these factors:
      a) Tor lets good people do good things anonymously so as to avoid persecution
      b) Tor lets bad people do bad things anonymously so as to avoid persecution

      In this case, a lot of site would either legitimately block Tor or add extra hoops to stop (b). The same thing that lets some dude avoid censorship in his country also lets another dude attack somebody's site while obscuring his origin.

    2. Re:Well by Aighearach · · Score: 4, Interesting

      What I would do is to increase the presence of US law enforcement on Tor.

      Tor was created by the US government, not for privacy but for freedom of political and cultural speech under oppressive regimes. The whole premise of Tor was that a citizen of a repressive regime would be able to access the internet as if they were in a free nation; they would appear on the internet as being from there, and the only people who would have enough network access to identify them would be the people on the western side.

      Those people are the "legitimate" traffic. The reason why libraries sign up as Tor nodes is to grant people under repressive regimes to view the world as it is viewed from a western library.

      It is hilarious the people who think Tor would be some sort of "privacy" service that would shield their browsing from the US Government. The whole premise was to create a safe space for communication that was locally banned, but legal in the US and like-minded States. In my opinion, if people want to prevent Tor from being banned as a source of abuse, all they have to do is limit its use to the intended use. If they want it to be broadly used for other things, eventually it will be blocked from accessing almost anything, because DoS attacks are a thing.

    3. Re:Well by Kjella · · Score: 3, Insightful

      And the Internet (ARPANET) was created because... who gives a shit, really? You talk like TOR is some kind of service like Facebook, shut it down and it's down. It's not, it's a piece of software. You can run TOR even if you ban all US nodes from touching your circuit, as long as there's someone out there willing to be your relay. That's kinda the whole point, to distribute the traffic through multiple nodes that aren't likely to collude to decrypt your traffic. So I can talk to TOR entry guard at a university in Germany that talks to a relay node in China that talks to an exit node in the US. Each link in the chain protects me against some abuse, including US abuse. Don't think the world will forgot the NSA's transgressions any time soon. Make a US panopticon if you want, but nobody will trust it.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Well by gweihir · · Score: 3, Insightful

      You do not. You secure your systems. Do not forget that this is only the attempts you know about, i.e. amateur-level. If they represent a threat, then you are screwed anyways.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Cloudflare is annoying by Aaden42 · · Score: 5, Interesting

    The Cloudflare DDoS stuff is really annoying. You have to enable JavaScript (and it takes a few seconds) to load pages that would otherwise display fine w/ NoScript blocking just about everything. I'm at the point where I just close most pages that use it and treat them like clickbait crap on Facebook. Yeah, that headline sounds interesting but not worth the frustration and security risk.

  3. Exit Nodes by Anonymous Coward · · Score: 3, Insightful

    I have my doubts that Cloudflare is doing this purposefully but what might be occurring is nefarious things occur on TOR and so a bad actor who happens to have their session exiting the same exit node as benign Tor users are setting off Cloudflare's security algorithms for all session exiting that node.

  4. A living hell by xxxJonBoyxxx · · Score: 4, Insightful

    >> making the life of Tor users a living hell: enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies

    Are you sure they're not just anonymous SlashDot users?

    In any case, you have an odd definition of a "living hell" even from a first-world perspective.

  5. Re:Yeah I've noticed that... by Anonymous Coward · · Score: 5, Interesting

    And even if it doesn't, it manages to break the 'web in all sorts of interesting ways. Javascript really shouldn't be a basic requirement just to load a page, for one.

    Aside: Math fail? 0.0367 * 1.3*10^6 = 47710, those don't all fit in the alexa top 1000, or it secretly isn't a top 1000.

  6. Perens.com and is on Cloudflare by Bruce+Perens · · Score: 4, Insightful

    I've been using Cloudflare for a few years, and they've helped me handle traffic and abuse from my one-server site and have never been a problem or expensive. Nor have they been malicious. I also have some Open Source projects like FreeDV.org going through Cloudflare.

    One of the things they do is protect me from web attacks. It's an unfortunate fact that Tor really is used for web attacks.

    Obviously, if there is a problem with their capcha, they need to fix it. I think it's perfectly fair for someone who is approaching the site through a known attack vector to have to pass a capcha once.

    Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions, so that you can have logins and dispense privileges where appropriate. One would expect that Tor users understand how to deal with cookies, and with less civil attempts to nail down their identity.

    --
    Bruce Perens.
  7. Re:Yeah I've noticed that... by moehoward · · Score: 5, Funny

    .. What 0.7 of a web site?

    Yahoo. That's what.

    --
    "If you want to improve, be content to be thought foolish and stupid." - Epictetus
  8. Re:Yeah I've noticed that... by Anonymous Coward · · Score: 3, Interesting

    Its not just TOR but also anyone using a VPN.

    Sometimes I have to verify 3 times in sucession just to visit a single website only to find that there was not much on that site.

    More and more sites are using Cloudflare and it's really annoying me and if they are tracking as well then bang goes you anomity, so your going to have to randomise agent strings with gibberish to try and fool the software from tracking