CloudFlare Wants Tor To Change Or Risk CAPTCHA Blockades (thestack.com)
An anonymous reader writes: CloudFlare's co-founder Matthew Prince has publicly appealed to work with the Tor Project on implementing a solution that will stop the high incidence of Tor users being challenged by CAPTCHAs whilst browsing. Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub. Other possibilities mooted include the adoption of higher-level encryption, which would be likely to adversely influence a network which already has native (and inevitable) latency issues. CloudFlare's public post on the matter comes after five turbulent weeks of comments-section debate between CloudFlare and Tor, and seems to be an appeal for public arbitration on the matter. Prince further noted that 94% of the traffic CloudFlare sees is "per se malicious." From his blog post: That doesn't mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.
> There are two simple technical solutions:
As with most things in the real world, simple solutions just create more problems.
The question that should be asked is "What is the intent of CloudFlare's captchas?"
I think the answer is that they want to prevent abuse, not just DDOS but bad actors, like comment spam, spidering in contradiction to robots.txt, etc.
If that is the case, then the correct course of action is to watch the behavior of the user(s) on that exit node and, if they start behaving badly when accessing a specific site, then, and only then, respond with countermeasures specific to that site. Maybe just retard performance, serve pages very slowly, or block write access so spam can be posted. Or, as a last resort, block the exit node fully, but only for a short period of time like an hour or two.
Implementing that sort of monitoring and graduated responses won't be simple. But it is the kind of thing that once implemented can be used in a mostly cookie-cutter fashion across many different sites. So having that capability would be a value-add to Cloudflare's service that their competitors wouldn't necessarily have. So win for Tor (and VPN) users and win for Cloudflare (and a win for Cloudflare's customers).
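One way to implement the per-exit-node, per-site graduated response described in the comment above, as an added example that is not part of the original thread or of CloudFlare's own code; the tier thresholds, the one-hour decay window and the two-hour block are constructed values, and the abuse detectors that would feed record_abuse() are assumed to exist elsewhere:

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed thresholds for the graduated tiers: abuse score needed to reach each.
THRESHOLDS = {"slow": 3, "read_only": 6, "block": 10}
BLOCK_SECONDS = 2 * 3600   # a full block on the exit node expires after two hours
DECAY_SECONDS = 3600       # an abuse event stops counting after an hour


@dataclass
class ExitSiteState:
    bad_events: list = field(default_factory=list)  # timestamps of flagged requests
    blocked_until: float = 0.0


class GraduatedResponder:
    """Tracks abuse per (exit_node, site) and picks the mildest countermeasure that
    fits the behaviour seen: allow -> slow -> read_only -> block (time-limited)."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for deterministic tests
        self.state = defaultdict(ExitSiteState)

    def _score(self, st, now):
        # Forget events older than DECAY_SECONDS so a node can recover on its own.
        st.bad_events = [t for t in st.bad_events if now - t < DECAY_SECONDS]
        return len(st.bad_events)

    def record_abuse(self, exit_node, site, weight=1):
        """Called when a detector (comment spam, robots.txt violation, login
        scanning, ...) flags a request from exit_node against site."""
        st = self.state[(exit_node, site)]
        now = self.clock()
        st.bad_events.extend([now] * weight)
        if self._score(st, now) >= THRESHOLDS["block"]:
            st.blocked_until = now + BLOCK_SECONDS  # last resort, and only briefly

    def decide(self, exit_node, site):
        """Action for a new request from exit_node to site. Other sites served by
        the same exit node are unaffected because the key includes the site."""
        st = self.state[(exit_node, site)]
        now = self.clock()
        if now < st.blocked_until:
            return "block"
        score = self._score(st, now)
        if score >= THRESHOLDS["read_only"]:
            return "read_only"   # serve pages, refuse POSTs so spam cannot be posted
        if score >= THRESHOLDS["slow"]:
            return "slow"        # serve, but throttled
        return "allow"
```

The caller maps the returned tier onto the actual countermeasure (a delay, rejecting write methods, or a 403), and the block lifts by itself once BLOCK_SECONDS has passed and the old events have decayed.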
Sorry, I need to identify myself to a freaking web-page .... why?
I'm not posting to your comments section, and I'm sure as hell not signing up to pay you to read a random article Google pointed me to.
My anonymity comes when I refuse to let you set cookies, run scripts, or let any of your third party bullshit do anything at all.
If you're using private browsing, why are you authenticating yourself to websites at all? If I'm willing to authenticate with you, I'm not using private browsing ... if I'm not willing to authenticate with you, I have no intention of doing so.
Lost at C:>. Found at C.
You are identified as the same individual who made some previous request, but not as a specific individual. That is to say, they could match your current requests with your historical requests, but not pick you out of a line-up based on those requests.
Make sense now?
This is useful for, say, determining that some user is the same user who made a previous malicious request and targeting them for further scrutiny (e.g. a CAPTCHA challenge) or (more likely, as malicious users would avoid the identification and tracking to begin with[1]) identify users who have not made any prior malicious requests, in order to allow them to bypass the additional scrutiny applied to other Tor users.
Think of CloudFlare like the TSA, if the TSA were actually effective at their jobs. What they're proposing here, then, is akin to TSA Pre Check, wherein the TSA (at your request) considers your history of not hijacking planes or being a general bad actor and allows you to pass through a lighter screening process with a shorter line, rather than assuming you're a terrorist like everyone else. CloudFlare would, for users who use the proposed plugin, keep a record of "malicious vs. benign" on a per-user basis, rather than per-IP, so they can, then, use your history of not spamming, hacking, or being a general bad actor to allow you to pass through their screening process, rather than assuming you're a spammer like everyone else.
[1]: As would others who erroneously think it actually buys them any privacy, likely because they harbor the same misunderstanding you do.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.