CloudFlare Wants Tor To Change Or Risk CAPTCHA Blockades

An anonymous reader writes: CloudFlare's co-founder Matthew Prince has publicly appealed to work with the Tor Project on implementing a solution that will stop the high incidence of Tor users being challenged by CAPTCHAs whilst browsing. Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub. Other possibilities mooted include the adoption of higher-level encryption, which would be likely to adversely influence a network which already has native (and inevitable) latency issues. CloudFlare's public post on the matter comes after five turbulent weeks of comments-section debate between CloudFlare and Tor, and seems to be an appeal for public arbitration on the matter.Prince further noted that 94% of the traffic CloudFlair sees is "per se malicious." From his blog post: That doesn't mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.

Doing it backwards

Cloudflair's captcha thingy is ostensibly in aid of DDoS protection, Tor can't muster anything like the bandwidth needed for a DoS attack in one place at one time therefor Cloudflair should just white-list suspected exit nodes.

No new code (on Tors part anyway) no dodgy pseudo-anonymous ID's to be exploited, everything works transparently, and if they hadn't told anybody they'd done it, in all likelihood nobody would have ever noticed.

Re: Doing it backwards

How do I block cloudflare? IP range?

Re:Doing it backwards

[fustakrakich]

Except that exit nodes should be hard to spot, otherwise what good are they? Tor needs to blend in better.

Re:Doing it backwards

False. I've cleaned up DoS attacks from TOR exit nodes before.

Re:Doing it backwards

[Hizonner]

No, it's not. It's meant to slow down address-harvesting bots and comment spammers. Which you would know if you'd bothered to read the article.

Re:Doing it backwards

[GuB-42]

The problem is that script kiddies love to launch attacks from Tor. And even though it is rarely effective and more damaging for the network than for the victim, proxies like cloudflare still need protection against them.

Re:Doing it backwards

I've got a couple of sites behind CloudFlare, and they do a bit more than simple DDoS protection. The reason captcha is being triggered is the volume of dodgy SQL injection scans, bruteforce auth attacks, etc coming from these nodes. Scrubbing regular old browsing traffic of identifying information makes it look even more bot-like to their inspection algorithms. Whitelisting against fixed criteria just means the bots will change tactics - same as the old email spam arms race.

I'm obviously biased, but I think this is a brilliant feature. If they had an explicit checkbox to block Tor traffic I'd have it enabled everywhere. Signal to noise is too high, little of real value comes from a Tor exit node.

Re: Doing it backwards

Little of value comes from most sites on the Internet but that doesn't mean we should have a check box to block them.

That said, I do block all access to our local government website from outside the U.S. (cuts down on email harvesting and phishing). And the foreign requests with weird SQL injection looking requests (no db available to us with Time Warner webhosting) get their header changed to the NSA homepage (let em try against an agency with more resources).

Re:Doing it backwards

No, Cloudflares captchas are all about harvesting user data.

I have personally never gotten hit with one of their captchas, but then I only really use a solid core of quality sites that either don't employ third party content delivery or don't use small-time content delivery like Cloudflare. Sorry Matty-boy, if I ever come across one of your captchas, I'll simply close the tab and move on rather than waste my time. I do appreciate you letting people know immediately if a site is worth looking by throwing obstacles up though.

Re:Doing it backwards

So you see little value in having an anonymous and encrypted way to browse the web? Remind me what your websites(s) are so I can just not bother visiting them in the future.

Re:Doing it backwards

[PRMan]

If you have a website providing services, then yes, there is little value in having people who are completely anonymous use your services and businesses like this should have an easy way to block Tor exit nodes.

Re:Doing it backwards

If you have a website providing services, then yes, there is little value in having people who are completely anonymous use your services

If you really feel that way, maybe you should just require that users create a login in order to use your services.

Re: Doing it backwards

The only way to do that is to have far more exit nodes. right now it's a comparatively small number due to the risks inherent in running an exit node on an IP you're using for personal stuff.

Re: Doing it backwards

Browse using tor.

Re:Doing it backwards

Why? They could still buy products from you.

Oh wait PRMan, I get it now. You're one of those losers who thinks he can throw up garbage sites and landing pages that offer absolutely nothing and get rich off of data harvesting and plastering ads everywhere. Nevermind.

Re: Doing it backwards

[Corwyn_123]

Start boycotting Cloudflair's customers. When their customer's business it's adversely affected, they'll force Cloudflair to work more appropriately with the Tor community, and find a solution that works properly.

Yay cloudflare, breaker of teh intarwebz

Wonderful 'can do' attitude except that even without tor, their 'solutions' are offensively dysfunctional and their feedback is at least as bad. How about not requiring javascript just to view a website, eh? And obviously, sod off with your plugins. This is just another poetteringesque asspull: You broke it, someone else gets to fix it.
I DO NOT AGREE.

Re:Yay cloudflare, breaker of teh intarwebz

Yeah, several servers of my normal VPN provider seemed to keep getting the cloudflare captcha treamnent; pain in the ass. I'm sure they are stopping some malicious traffic, but I don't accept the level of collateral damage that their "solution" causes.

Re:Yay cloudflare, breaker of teh intarwebz

They have joined the ranks of all of the idiotic web "developers" who think they need JavaScript to display images and/or text.

Whenever a site comes up blank due to not being in my JavaScript whitelist, I kill the tab and find a site designed by someone who has a clue. Sites that do use JavaScript but are built to gracefully degrade and that provide a useful function do get whitelisted, but only first party and possibly their CDN if they use one and it's reputable.

really?

Really? People still use tor? WHY?!?

Re:really?

[nsuccorso]

Really? People still read and respond to posts from Anonymous Cowards? WHY?!?

Re: really?

There are many pedos and assorted lowlifers and malfaisants around. They need Tor to hide their filthy activities.

Re: really?

There are many idiots and other intellectual lowlifes around. They need AC to hide their incompetence.

Re:really?

I often find many of the best comments are from the ACs.

Re:really?

Good thing DARPA and the DoD have access to tor.

Re:really?

I don't know, why do you?

CloudFlare Wants to De-Anonymize Tor

There's a reason Tor exit nodes are blacklisted from just about any service.

Or you know CF can stop being evil

Cloudflare hides piracy sites and child porn sites. Tor users are the one who visit those sites. Put two and two together. Likewise Tor users visit the anonymous image boards (eg 4chan, 8chan) and piracy sites that are all protected by Cloudflare.

Cloudflare is in the wrong to begin with and wouldn't have the problem if they would just pull DNS records down for the illegal sites in the first place.

Re:Or you know CF can stop being evil

Exactly! OP knows what he's talking about, but needs to take it one step further:

Criminals use cars and roads to travel in order to do their criminal things, such as smuggling drugs or just getting to work where they embezzle money. As such we should ban all vehicles and demolish roads! Then crime will disappear. See how easy it is?

Re:Or you know CF can stop being evil

[mattventura]

The really scummy part is that they harbor DDoS-for-hire sites, which in turn helps drive their business. It would be like if a radar gun company also sold radar detectors.

Genius!

[nsuccorso]

Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub.

Brilliant!!!!!

Re:Genius!

Hey, we have to compromise, just like we did on freedom slavery.

Just block them

A Tor use is clearly hiding something illegal. Don't pander to their deviant ways.

If you want to do something beneficial to society, just forward all their traffic to the FBI for analysis.

Re:Just block them

[PPH]

A Tor use is clearly hiding something illegal.

Posted by Anonymous Coward.

Re:Just block them

A Tor use is clearly hiding something illegal. Don't pander to their deviant ways. If you want to do something beneficial to society, just forward all their traffic to the FBI for analysis.

Translation:

I'm a pedo, deviant, and a criminal, and I want less bandwidth used by the other pedos, deviants, and criminals, so I can do my pedo, deviant, and criminal online activities with less delay. Excuse me, I need to go fap to pictures of naked infants for the 10th time today FAP FAP FAP FAP FAP

In all seriousness: Cloudflare needs to go fuck themselves. What, are they in the pocket of the FBI/NSA/CIA/NID/{insert government agency here}, now? Wouldn't at all be surprised.

MEMO TO CLOUDFLARE: PLEASE GO FUCK YOURSELVES SIDEWAYS WITH A RUSTY CHAINSAW. Leave Tor alone, it has to be the way it is to do what it's designed to do.

Re:Just block them

[nsuccorso]

A Tor use is clearly hiding something illegal.

Posted by Anonymous Coward.

I've forwarded his comment to the FBI for analysis.

Re:Just block them

Says the pseudo-anonymous loser

Re:Just block them

[BronsCon]

In all seriousness: Cloudflare needs to go fuck themselves. What, are they in the pocket of the FBI/NSA/CIA/NID/{insert government agency here}, now? Wouldn't at all be surprised.

You do realize that CloudFlare is simply looking for a solution to the problem Tor users are complaining about, right? CloudFlare provides a CDN caching service and HTTP firewall; it is that second item that is causing problems for Tor users, as any nefarious activity from an exit node gets all users of that node flagged as potentially malicious. CloudFlare has three options, then: do nothing (e.g. tell Tor users to go fuck themselves), stop offering the service their customers use and pay them for (e.g. tell their customers to go fuck themselves), or help Tor find a solution to their users' problem.

This story is about them attempting to do the latter, which leaves you, and others like you, to practice a bit of self-love.

Re:Just block them

How about YOU go and fuck yourself with a chainsaw. The crap that exits TOR nodes are completely fucking useless. Cloudflare's customers are not TOR users, they are people running websites. People who are paying Cloudflare to help deal with SHIT JUST LIKE THIS, you know people being dicks with TOR.

At least they're not just straight out ban hammering TOR exit nodes(that's what I prefer to do, but tracking all of those down can be difficult).

Re:Just block them

[AmiMoJo]

I think the GP is complaining about the fact that Cloudflare has build a mass surveillance network that is a wet dream for governments. I'd be amazed if they hadn't been approached for access already, maybe via secret National Security Letter.

Think about it. They can see users visiting many of the most popular sites on the web. They provide secure connections, they set their own cookies and can see the site's cookies. It's a man-in-the-middle attack, with the assistance of the site operators so that the usual protections against such things don't work.

Re:Just block them

[BronsCon]

Oh, I get what you're saying, I totally do. Note the last sentence of that post, though, where it is made clear that this AC is only talking about CloudFlare "messing with" Tor, though. They're not thinking as deeply about this as you or I.

Re:Just block them

No, the problem is that their security systems rely on IP blacklisting as their primary means of threat mitigation. Whenever enough shit comes from an IP, they assume it's a bot, and blacklist the source for a set period of time (or permanently). Because that's cheap and easy to do.
But the people who get hit by that type of reactionary system are VPN, Proxy, and Tor sites. Script kiddies with few resources or knowledge tend to use such sites because they're amateurs. What Cloudfare is doing is throwing a Captcha in the way instead of an outright blacklist, that way if it's a human they can still get through, and Cloudfare doesn't have to spend money on security appliances which are capable of doing actual DPI analysis and mitigation.

The "pro" hackers, scammers, etc. take a different approach- they use an actual bot-net to sniff around the target site. The threat mitigation systems simply don't trip if you configure your botnet properly, and even if they ID some of your bots by source IP and blacklist, you still have thousands or millions of other IP's scattered all over the planet to scan with. If Cloudfare had got some decent security appliances, the DPI analysis mechanisms can still catch and mitigate all sorts of attack vectors even when the IP sources are widely distributed.

Re:Just block them

[BronsCon]

If Cloudfare had got some decent security appliances, the DPI analysis mechanisms can still catch and mitigate all sorts of attack vectors even when the IP sources are widely distributed.

You mean like this?

Perhaps know what you're talking about before you write 3 paragraphs on the subject? CloudFlare has developed, and is continually improving upon, their own systems for doing this; this gives them much finer-grained control over things so, of course, they aren't buying off-the-shelf solutions.

Re:Just block them

[cstdenis]

Cloudflare offers free services to a lot of sites, proxying all of their traffic. With a business model like that, I figure they were an NSA front from the start.

It's a comparatively cheap way to do mass surveillance.

Re:Just block them

Why is it Google, Amazon and Akamai have none of the issues that Cloudflare has?

Sorry, but you're either full of shit or a Cloudflare shill.

Re:Just block them

[BronsCon]

Google, Amazon, and Akamai don't offer the same services CloudFlare does. The only overlap is the CDN; Akamai comes closest with their hosting offering, but they're actually hosting the sites, not sitting in front of them to provide security.

Apples rarely have the same issues as oranges, my friend.

Re:Just block them

Incorrect. Google, Amazon and Akamai all offer everything that Cloudflare offers and more. They don't have to stoop to Cloudflare's level to handle attacks either.

Re:Just block them

Shut up junior. Adults are talking.

Re:Just block them

Actually, you're incorrect there. BronsCon is right.

Re:Just block them

Name one thing that Cloudflare offers that the others don't....

That's what I thought. You and BronyCon are both incorrect.

Re:Just block them

[BronsCon]

An application firewall for externally-hosted (e.g. not hosted by CloudFlare) services. It's their core business.

Easy

[fulldecent]

There are two simple technical solutions:

• Blacklist -- attempt to blacklist known exit nodes
• No Blacklist -- do not attempt to blacklist known exit nodes

The motivation between choosing between these solutions is based on whether Tor users, which use server resources, are returning value (product sales, other calls to action) to the people that provide those resources.

Therefore the solution is simply to inform each client of Cloudflare client and let them individually decide the correct course.

Re:Easy

> There are two simple technical solutions:

As with most things in the real world, simple solutions just create more problems.

The question that should be asked is "What is the intent of cloudfare's captchas?"

I think the answer is that they want to prevent abuse, not just DDOS but bad actors, like comment spam, spidering in contradiction to robots.txt, etc.

If that is the case, then correct course of action is to watch the behavior of the user(s) on that exit node and if they start behaving badly when accessing a specific site then, and only then, respond with countermeasures specific to that site.. Maybe just retard performance, serve pages very slowly or block wrirte access so spam can be posted. Or, as a last resort block the exit node fully, but only for a short period of time like an hour or two.

Implementing that sort of monitoring and graduated responses won't be simple. But it is the kind of thing that once implemented can be used in a mostly cookie-cutter fashion across many different sites. So having that capability would be a value-add to Cloudflare's service that their competitors wouldn't necessarily have. So win for Tor (and VPN) users and win for Cloudflare (and a win for Cloudflare's customers).

Re:Easy

[AmiMoJo]

Cloudflare's position is more precarious than you realize. They can't just dictate terms. Cloudflare has been under scrutiny for a while now, because their platform does an excellent job of tracking users. If their system was run by a government, we would be alarmed at the facility for mass surveillance that is built in.

As such, many security minded people are now considering Cloudflare harmful. This is bad for Cloudflare because those people are the ones developing browsers and back end services. It could get very nasty.

So it's in Cloudflare's interests to have a discussion and try to find an acceptable solution if they can.

Re:Easy

[MatthiasF]

Won't work. You can easily change your exit node.

Cloudflare is trying to combat the huge centers in China and India running spam schemes that tear through site Captchas. In the distant past, you could just IP block by geographic location but then the spammers moved over to VPN. Since VPNs are a single centralized location on the far side, sides could again block the VPN provider's IP addresses and stop the spammers.

But now that these spammers have moved to Tor, the number of exit node IP addresses is just too large collectively ban. Made worse by the fact many of these same spammers use malware systems to create Tor exits on victim PCs, you would have a never ending list of IPs to ban.

So, Cloudflare thinks it can meet the legitimate users of Tor half-way but just what percentage of the users are actually legitimate?

Re:Easy

[nsuccorso]

There are published lists of exit nodes that are updated dynamically. I'm pretty sure it's not terribly hard to block all of Tor. There are even services available to help you auto-configure your firewall/proxy/iptables to do so.

Re:Easy

[MatthiasF]

Again, it is pretty easy to hide from those lists as well. There are scripts out there that are doing the reverse, tracking the sites tracking the Tor exits, and blocking the traffic.

It's a cat and mouse game that will never end. First it was proxies, then it was Tor when people started blocking proxies, then it was Tor inside malware on zombie computers when they started making Tor exit lists.

So long as there is money to be made finding away around the mouse trap, the mice will continue to flourish.

Re:Easy

[Ash-Fox]

As such, many security minded people are now considering Cloudflare harmful.

Of course, any decent security person knows that using a darknet solution like the Freenet project is the way to go at the end of the day, nor Tor or other solutions to access regular website services.

Re:Easy

That's like saying a car is a better solution than a boat. Darknets are cool, but any real security person knows that they are a solution to a different class of problem.

Re:Easy

[Ash-Fox]

Darknets are cool, but any real security person knows that they are a solution to a different class of problem.

Indeed. If your problem is obtaining privacy and anonymity online use Freenet. If your problem obtaining a false sense of privacy and anomymity online, use Tor.

Re:Easy

The Freenet Project is fucking garbage. I mean Java as a requirement, really?

There are much better alternatives.

Re:Easy

> The Freenet Project is fucking garbage. I mean Java as a requirement, really?

Compile it with gcj if you don't trust a java runtime?

Do their captchas even work without Javascript?

Hey web master, there's a man in the middle preventing me from seeing your site. Thought you might want to know.

CAPTCHAs

[PPH]

... are a price you pay for anonymity. No persistent logins and getting bounced back to the 'Please identify your country/region' page. Too bad. I use private browsing (a far cry from Tor-like anonymity) and I have to go through this all the time. Big deal.

If the alternative is some temporary identity token which might be abused by 'bots, I'm OK with CAPTCHAs.

Re:CAPTCHAs

[freeze128]

Isn't "Anonymous Identification" an oxymoron? How can you remain anonymous when you are identified?

Also, I take issue with the "Temporary" in "Temporary Anonymous Identification". How much you want to bet that it's not temporary enough?

Re:CAPTCHAs

capcha isn't a solution. it's part of the problem. the growing number of cloudfare-driven web sites are totally inaccessible through the network with javascript off -- and people SHOULD BE turning off the (very stupid) default 'allow' in the bundled noscript addon

Re:CAPTCHAs

[gstoddart]

Sorry, I need to identify myself to a freaking web-page .... why?

I'm not posting to your comments section, and I'm sure as hell not signing up to pay you to read a random article Google pointed me to.

My anonymity comes when I refuse to let you set cookies, run scripts, or let any of your third party bullshit do anything at all.

If you're using private browsing, why are you authenticating yourself to websites at all? If I'm willing to authenticate with you, I'm not using private browsing ... if I'm not willing to authenticate with you, I have no intention of doing so.

Re:CAPTCHAs

[BronsCon]

You are identified as the same individual who made some previous request, but not as a specific individual. That is to say, they could match your current requests with your historical requests, but not pick you out of a line-up based on those requests.

Make sense now?

This is useful for, say, determining that some user is the same user who made a previous malicious request and targeting them for further scrutiny (e.g. a CAPTCHA challenge) or (more likely, as malicious users would avoid the identification and tracking to begin with[1]) identify users who have not made any prior malicious requests, in order to allow them to bypass the additional scrutiny applied to other Tor users.

Think of CloudFlare like the TSA, if the TSA were actually effective at their jobs. What they're proposing here, then, is akin to TSA Pre Check, wherein the TSA (at your request) considers your history of not hijacking planes or being a general bad actor and allows you to pass through a lighter screening process with a shorter line, rather than assuming you're a terrorist like everyone else. CloudFlare would, for users who use the proposed plugin, keep a record of "malicious vs. benign" on a per-user basis, rather than per-IP, so they can, then, use your history of not spamming, hacking, or being a general bad actor to allow you to pass through their screening process, rather than assuming you're a spammer like everyone else.

[1]: As would others who erroneously think it actually buys them any privacy, likely because they harbor the same misunderstanding you do.

Re: CAPTCHAs

Amen brother.

I've had this problem lately with cloudflare sites. I randomize my browser string every request, cloudfare doesn't like a certain browser string I'm using and the websites always denies me access. Only happens on cloudflare sites.

Re:CAPTCHAs

Think of CloudFlare like the TSA

You really hate Cloudfare, uh?

Re:CAPTCHAs

[mysidia]

I'm not posting to your comments section, and I'm sure as hell not signing

Perhaps CloudFlare could eliminate CAPTCHAs for simple GETs, except when the malicious access issue is DoS, or a Risky Cookie is found in the HTTP request.

Simple GETs don't contain POST form data or other non-Idempotent operations.

They also don't contain any complex request parameters which could harbor malicious intent.

It would make sense for CloudFlare to ignore them; if the request seems innocuous, even if the client is malicious, provided the known malicious clients are ones that act Overtly malicious.

Re:CAPTCHAs

In other words this is a proposal for a meta-data tracking system. It appear to be anonymous at first blush, but the more times a person uses it, the more easily they are de-anonymized.

The one way I could see it working without metadata is if all the history is stored on the client side, not on cloudfare's side. Each time you access a cloudfare hosted website you get digitally signed cookie that says you were a good boy and deserve to be treated nicely. Then you give back some version of those cookies, to prove you are a good boy, each time you access one of their websites.

Even then cloudflare could still track you in addition to giving you those cookies, you really have no way of knowing what data they keep on their end, so safe to assume they keep all of it.

Re:CAPTCHAs

[Ash-Fox]

Perhaps CloudFlare could eliminate CAPTCHAs for simple GETs, except when the malicious access issue is DoS, or a Risky Cookie is found in the HTTP request.

I do believe it's not presented for any statically cached content.

Re:CAPTCHAs

[BronsCon]

Or, they bake in a "reset" button that changes your UUID (which would be done simply by requesting a new UUID as though one had not yet been issued) upon request, and you click that whenever you want to "break" tracking, with the understanding that you'll have to complete a CAPTCHA to prove your humanity every time you do so if you're coming from an exit node that has been abused (so basically... every time). Seems like a fair balance between getting hit with a CAPTCHA every pageload and being universally trackable; you decide the scope and duration of your session based on what level of exposure is acceptable to you. If the only level of exposure you are willing to accept is zero, you shouldn't be connecting to the internet at all, let alone browsing sites that are behind a service such as CloudFlare.

And, personally knowing a handful of CloudFlare engineers (some pretty high up in the relatively small organization), I actually do know what data they keep on their end: not nearly as much as you fear. While they do offer a free service, they also offer many paid services and that is where they actually make their money. Their data collection really is limited to what is necessary to provide their CDN and firewall services, and the very limited analytics they offer. And I mean very limited. If you can imagine the absolute least amount of data that would need to be stored to offer these services, well, they've probably found a way to store less.

They offer a free service because bandwidth is cheap so it really costs them next to nothing to do so; they store as little data as possible to provide the services they do because storage is expensive and they'd be unable to provide the free service (which is where something approaching 95% of their paid customers start out) if they had to pay for all of that.

Re:CAPTCHAs

[complete+loony]

They are also trying to block spammers who are trying to bulk harvest email addresses. For that traffic, each request *is* a simple GET.

Only a copyright owner can order a takedown

[tepples]

Only a copyright owner can lawfully order DNS records to be pulled down because only a copyright owner knows whether a particular use is licensed. Have you tried reporting the results of your investigation of piracy sites to the legitimate copyright owners of the affected works so that they can act?

What's with the continued complaints about Javascr

From the proposal:

ReCAPTCHA de facto demands JavaScript execution- the challenges it produces without JS have degraded to such an extent that humans frequently cannot solve them.

As somebody who has to deal with these regularly, this is a strange comment.

* Until about a year ago, non-Javascript users would see the well-known, miserable two-word OCR puzzles, which were difficult but by no means impossible to solve. I don't remember what Javascript users were seeing at this point.

* From about a year ago to about 2 months ago, non-Javascript users would see a puzzle that was literally impossible to solve, i.e., the server-side code was broken and rejected you regardless of what you typed. It wasn't a matter of "humans frequently cannot solve them", it was "you cannot pass". Javascript users during this period would see a variety of puzzles, the most common of which was to find house numbers in blurry photos.

* For the last 2 months, non-Javascript users are seeing puzzles consisting of 9 images and asked to select the ones containing X (street signs, flowers, grass, etc.) This is certainly annoying but much less difficult than any of the puzzles that were used in the past, including the previous generation of Javascript-based puzzles.

So honestly it seems really strange to me that people are now complaining so vociferously about Javascript - it hasn't "degraded", it's gotten better recently. And while the entire concept of requiring a CAPTCHA in order to view a site is an abomination, the current generation of puzzles are probably the easiest non-Javascript puzzles I've ever seen.

Cloudflare is the largest man-in-the-middle

on the whole of Internet, and was created on that premise by recommendations from the DoJ. Don't for a second think they are being entirely sincere on this matter.

Re: What's with the continued complaints about Jav

I've noticed this trend as well and I am in 100 agreeance with you. The new pick the pics are much easier to solve.

Self defeating and ridiculous

This doesn't make sense. sure, it's a great idea, but it entirely breaks the purpose of CAPTCHA's in the first place. Why? This is why:

Token stockpiling

        An attacker who wishes to bypass many CAPTCHAs in the future could
        intentionally trigger CAPTCHAs (e.g. by first running attacks through a
        particular IP) and save the resulting tokens for later.

        [TODO: We don't have a great answer for this. Halp!]

From the github readme

In other words, sure this is a gaping nullification of any security pretense, opening the system to anyone who wants to add a few extra lines to their tor robots.

Then again, I'm not sure it is THAT much of a problem. Existing tor-bots can simply funnel the captchas to the user anyway with enough ingenuity, just not ahead of time as this new technique would allow.

Where is the code?

[tarlek1234]

No code, just another brainstorming "project", yay!

Breaking News: Obsolete Business Model in Danger

This just in: Buggy Whip Maker pleads with Automobile Industry to expose throttle plates on the hood so their whips can still accelerate the carriage.

Just Die Cloudflare. Your days have been numbered since we realized that decentralization is the future. HTTP over bittorrent (or other protocol like Disruption Tolerant Networking or Named Data Networking where we add caches to all the nodes) is being worked on right now by everyone from NASA to Google. Go search those terms up and see for yourself. Basically: Nearly all the routers should also have caches, then you refer to data by hash rather than by file name or URL (instant deduplication, even if you "rename" it), and everyone gets free "colocation" because my request might be served by my neighbor's browser cache. The hash ensures the data's not tampered, and means that an encrypted page can actually play nice with caches since it can pull in the resource with a hash.

Some people are highly sceptical, but they shouldn't be because you can already see the pieces coming together bit by bit. Resource URIs can already have hashes in HTML5 to authenticate linked data. The existence of cloudflare and other colocation providers are another example of the shift in the ultimate direction of reingineering. They remind me of BBS operators who provided Internet gateways before we had our own Internet connections in our homes... BBSs are dead. Such "interim services" make money only while our network capabilities lag behind the next upgrade.

Current decentralized solutions suck because we only have our caches at the endpoints, not in the interim. So the packets must hop across so many intermediary switches and routers. If the generic caches were distributed across the middle of the network, then you solve the problem. Storage is cheap. New improved network architecture will have switches with caches built in, because that's just faster. We'll have to do it eventually because of the lightspeed barrier, so might as well get out ahead of the issue now.

Once we have DTN and/or NDN then Tor and Cloudflare will be irrelevant. Your request won't have to go funnel into a pinch point "server" (or name server) to be return the data. This move is inevitable because our bandwidth is limited by the speed of light. Eventually we'll have to move all the data closer to the endpoints and DTN / NDN are attempts to solve this issue, DTN is used for NASA's space Internet already, because light speed is already an issue for them. The content producers don't need to know what content you requested from the (mesh) network. Everyone is getting hooked on tracking users, but they forget how radio, TV, and newspapers got by without tracking end users for centuries.

ad revenue argument disguised as "abuse" argument

The "automated requests designed to harm our customers" are just crawlers, building indexes, searching for vulnerabilities, or feeding SEO content farms. The customers don't care about vulerability databases, non-monopoly search engines, or scammy SEO. Their cares are defined entirely by their role within the ads ecosystem because that's what signs their checks and permits their existence. They are publishers, and they want to promise advertisers that a real human saw the ad.

The solution is to let cloudflare run the ad ecosystem, or send a signal in to it. When Google shows ads, there is a middle category of maybe-scammy stuff that gets to see the web page, and in retrospect they decide it probably wasn't a human and refund the advertiser days or months later. You can see it on your statement. Cloudflare knows what traffic falls in this grey area. They could refund the advertiser if they ran the network themselves like Google, or send a signal to the publisher.

For the subset of the publisher's ads that go through Google, the problem is already solved, but many publishers have armies of salespeople with nothing to do but make silly deals with one another, so they banter and bicker and get each other drunk trying to beat the algorithmic auction with crudely targeted contracts. In this "legacy" ad system, that they position as "premium" because it's so high touch and complimentary to them, they show all the ads themselves and don't have access to Google's despamming, so they're trying to get it by proxy from Cloudflare even though they're a ddos company not an adspam company.

The problem is most people aren't as big-picture as Google, and Google tricks others into being big-picture by applying cognitive load on the ecosystem cleverly so that things are basically working, but if you start asking questions nobody is certain of the answers. Cloudflare sounds like they're either more honest or less clever about what they make complicated, so these greedy small-businessmen types are like, "whauy am I payin' for them rack servers just to feed content farms. ain't you s'psed to block that thar shit?"

phew.

HTH.

Re: What's with the continued complaints about Ja

Fuck yeah! It beats the Google distorted words captcha tests. I breeze through the street sign tests.

Re:Breaking News: Obsolete Business Model in Dange

[Ash-Fox]

HTTP over bittorrent

And then they can run HTTP trackers over Bittorent, oh wait!

or other protocol like Disruption Tolerant Networking or Named Data Networking where we add caches to all the nodes

You do realize that Cloud Flare does a lot of this, right?

The existence of cloudflare and other colocation providers are another example of the shift in the ultimate direction of reingineering.

I suspect that Cloud Flare will one of the leaders in such re-engineering actually..

If the generic caches were distributed across the middle of the network, then you solve the problem.

You've not seen a modern BGP setup of an ISP, have you?

Storage is cheap.

Try finding decent VPS providers with large amounts of storage for cheap. Hell, try finding online storage solutions that go into petabytes that are cheap... Because that's what the demand is.

Once we have DTN and/or NDN then Tor and Cloudflare will be irrelevant.

Your assuming that Cloudflare will look the same as it does today when that happens.

The content producers don't need to know what content you requested from the (mesh) network.

The problem here is that these sort of things break down where end2end encryption is involved and we are seeing a massive shift towards that with HTTPS becoming a lot more prominent. The days of when providers were happy to leave even small things unencrypted is no longer a thing.

Everyone is getting hooked on tracking users, but they forget how radio, TV, and newspapers got by without tracking end users for centuries.

While it's entirely possible static content maybe requested from cached resources, there is no reason why dynamic requests won't go through first before requesting static content. You're not really thinking any of this through, are you?

"Simple" Get?

A Get with a sql injection attack perhaps?

Then more people need to use Tor

[MobyDisk]

If there are more attacks launched via Tor than there is legitimate traffic, then perhaps we need more people to use Tor.