Slashdot Mirror


CloudFlare Wants Tor To Change Or Risk CAPTCHA Blockades (thestack.com)

An anonymous reader writes: CloudFlare's co-founder Matthew Prince has publicly appealed to work with the Tor Project on implementing a solution that will stop the high incidence of Tor users being challenged by CAPTCHAs whilst browsing. Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub. Other possibilities mooted include the adoption of higher-level encryption, which would be likely to adversely influence a network which already has native (and inevitable) latency issues. CloudFlare's public post on the matter comes after five turbulent weeks of comments-section debate between CloudFlare and Tor, and seems to be an appeal for public arbitration on the matter.

Prince further noted that 94% of the traffic CloudFlare sees is "per se malicious." From his blog post: That doesn't mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.


  1. Re: Doing it backwards by Anonymous Coward · Score: 5, Informative

    I've got a couple of sites behind CloudFlare, and they do a bit more than simple DDoS protection. The reason the CAPTCHA is being triggered is the volume of dodgy SQL injection scans, brute-force auth attacks, etc. coming from these nodes. Scrubbing regular old browsing traffic of identifying information makes it look even more bot-like to their inspection algorithms. Whitelisting against fixed criteria just means the bots will change tactics - same as the old email spam arms race.

    I'm obviously biased, but I think this is a brilliant feature. If they had an explicit checkbox to block Tor traffic I'd have it enabled everywhere. Signal to noise is too high; little of real value comes from a Tor exit node.