CloudFlare Wants Tor To Change Or Risk CAPTCHA Blockades

An anonymous reader writes: CloudFlare's co-founder Matthew Prince has publicly appealed to work with the Tor Project on implementing a solution that will stop the high incidence of Tor users being challenged by CAPTCHAs whilst browsing. Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub. Other possibilities mooted include the adoption of higher-level encryption, which would be likely to adversely influence a network which already has native (and inevitable) latency issues. CloudFlare's public post on the matter comes after five turbulent weeks of comments-section debate between CloudFlare and Tor, and seems to be an appeal for public arbitration on the matter.Prince further noted that 94% of the traffic CloudFlair sees is "per se malicious." From his blog post: That doesn't mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.

Doing it backwards

Cloudflair's captcha thingy is ostensibly in aid of DDoS protection, Tor can't muster anything like the bandwidth needed for a DoS attack in one place at one time therefor Cloudflair should just white-list suspected exit nodes.

No new code (on Tors part anyway) no dodgy pseudo-anonymous ID's to be exploited, everything works transparently, and if they hadn't told anybody they'd done it, in all likelihood nobody would have ever noticed.

Re:Doing it backwards

[fustakrakich]

Except that exit nodes should be hard to spot, otherwise what good are they? Tor needs to blend in better.

Re:Doing it backwards

[Hizonner]

No, it's not. It's meant to slow down address-harvesting bots and comment spammers. Which you would know if you'd bothered to read the article.

Re:Doing it backwards

[GuB-42]

The problem is that script kiddies love to launch attacks from Tor. And even though it is rarely effective and more damaging for the network than for the victim, proxies like cloudflare still need protection against them.

Re:Doing it backwards

I've got a couple of sites behind CloudFlare, and they do a bit more than simple DDoS protection. The reason captcha is being triggered is the volume of dodgy SQL injection scans, bruteforce auth attacks, etc coming from these nodes. Scrubbing regular old browsing traffic of identifying information makes it look even more bot-like to their inspection algorithms. Whitelisting against fixed criteria just means the bots will change tactics - same as the old email spam arms race.

I'm obviously biased, but I think this is a brilliant feature. If they had an explicit checkbox to block Tor traffic I'd have it enabled everywhere. Signal to noise is too high, little of real value comes from a Tor exit node.

Re:Doing it backwards

[PRMan]

If you have a website providing services, then yes, there is little value in having people who are completely anonymous use your services and businesses like this should have an easy way to block Tor exit nodes.

Re: Doing it backwards

Browse using tor.

Re: Doing it backwards

[Corwyn_123]

Start boycotting Cloudflair's customers. When their customer's business it's adversely affected, they'll force Cloudflair to work more appropriately with the Tor community, and find a solution that works properly.

Yay cloudflare, breaker of teh intarwebz

Wonderful 'can do' attitude except that even without tor, their 'solutions' are offensively dysfunctional and their feedback is at least as bad. How about not requiring javascript just to view a website, eh? And obviously, sod off with your plugins. This is just another poetteringesque asspull: You broke it, someone else gets to fix it.
I DO NOT AGREE.

Re:really?

[nsuccorso]

Really? People still read and respond to posts from Anonymous Cowards? WHY?!?

Genius!

[nsuccorso]

Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub.

Brilliant!!!!!

Easy

[fulldecent]

There are two simple technical solutions:

• Blacklist -- attempt to blacklist known exit nodes
• No Blacklist -- do not attempt to blacklist known exit nodes

The motivation between choosing between these solutions is based on whether Tor users, which use server resources, are returning value (product sales, other calls to action) to the people that provide those resources.

Therefore the solution is simply to inform each client of Cloudflare client and let them individually decide the correct course.

Re:Easy

> There are two simple technical solutions:

As with most things in the real world, simple solutions just create more problems.

The question that should be asked is "What is the intent of cloudfare's captchas?"

I think the answer is that they want to prevent abuse, not just DDOS but bad actors, like comment spam, spidering in contradiction to robots.txt, etc.

If that is the case, then correct course of action is to watch the behavior of the user(s) on that exit node and if they start behaving badly when accessing a specific site then, and only then, respond with countermeasures specific to that site.. Maybe just retard performance, serve pages very slowly or block wrirte access so spam can be posted. Or, as a last resort block the exit node fully, but only for a short period of time like an hour or two.

Implementing that sort of monitoring and graduated responses won't be simple. But it is the kind of thing that once implemented can be used in a mostly cookie-cutter fashion across many different sites. So having that capability would be a value-add to Cloudflare's service that their competitors wouldn't necessarily have. So win for Tor (and VPN) users and win for Cloudflare (and a win for Cloudflare's customers).

Re:Easy

[AmiMoJo]

Cloudflare's position is more precarious than you realize. They can't just dictate terms. Cloudflare has been under scrutiny for a while now, because their platform does an excellent job of tracking users. If their system was run by a government, we would be alarmed at the facility for mass surveillance that is built in.

As such, many security minded people are now considering Cloudflare harmful. This is bad for Cloudflare because those people are the ones developing browsers and back end services. It could get very nasty.

So it's in Cloudflare's interests to have a discussion and try to find an acceptable solution if they can.

Re:Easy

[MatthiasF]

Won't work. You can easily change your exit node.

Cloudflare is trying to combat the huge centers in China and India running spam schemes that tear through site Captchas. In the distant past, you could just IP block by geographic location but then the spammers moved over to VPN. Since VPNs are a single centralized location on the far side, sides could again block the VPN provider's IP addresses and stop the spammers.

But now that these spammers have moved to Tor, the number of exit node IP addresses is just too large collectively ban. Made worse by the fact many of these same spammers use malware systems to create Tor exits on victim PCs, you would have a never ending list of IPs to ban.

So, Cloudflare thinks it can meet the legitimate users of Tor half-way but just what percentage of the users are actually legitimate?

Re:Easy

[nsuccorso]

There are published lists of exit nodes that are updated dynamically. I'm pretty sure it's not terribly hard to block all of Tor. There are even services available to help you auto-configure your firewall/proxy/iptables to do so.

Re:Easy

[MatthiasF]

Again, it is pretty easy to hide from those lists as well. There are scripts out there that are doing the reverse, tracking the sites tracking the Tor exits, and blocking the traffic.

It's a cat and mouse game that will never end. First it was proxies, then it was Tor when people started blocking proxies, then it was Tor inside malware on zombie computers when they started making Tor exit lists.

So long as there is money to be made finding away around the mouse trap, the mice will continue to flourish.

Re:Easy

[Ash-Fox]

As such, many security minded people are now considering Cloudflare harmful.

Of course, any decent security person knows that using a darknet solution like the Freenet project is the way to go at the end of the day, nor Tor or other solutions to access regular website services.

Re:Easy

[Ash-Fox]

Darknets are cool, but any real security person knows that they are a solution to a different class of problem.

Indeed. If your problem is obtaining privacy and anonymity online use Freenet. If your problem obtaining a false sense of privacy and anomymity online, use Tor.

Re:Just block them

[PPH]

A Tor use is clearly hiding something illegal.

Posted by Anonymous Coward.

CAPTCHAs

[PPH]

... are a price you pay for anonymity. No persistent logins and getting bounced back to the 'Please identify your country/region' page. Too bad. I use private browsing (a far cry from Tor-like anonymity) and I have to go through this all the time. Big deal.

If the alternative is some temporary identity token which might be abused by 'bots, I'm OK with CAPTCHAs.

Re:CAPTCHAs

[freeze128]

Isn't "Anonymous Identification" an oxymoron? How can you remain anonymous when you are identified?

Also, I take issue with the "Temporary" in "Temporary Anonymous Identification". How much you want to bet that it's not temporary enough?

Re:CAPTCHAs

[gstoddart]

Sorry, I need to identify myself to a freaking web-page .... why?

I'm not posting to your comments section, and I'm sure as hell not signing up to pay you to read a random article Google pointed me to.

My anonymity comes when I refuse to let you set cookies, run scripts, or let any of your third party bullshit do anything at all.

If you're using private browsing, why are you authenticating yourself to websites at all? If I'm willing to authenticate with you, I'm not using private browsing ... if I'm not willing to authenticate with you, I have no intention of doing so.

Re:CAPTCHAs

[BronsCon]

You are identified as the same individual who made some previous request, but not as a specific individual. That is to say, they could match your current requests with your historical requests, but not pick you out of a line-up based on those requests.

Make sense now?

This is useful for, say, determining that some user is the same user who made a previous malicious request and targeting them for further scrutiny (e.g. a CAPTCHA challenge) or (more likely, as malicious users would avoid the identification and tracking to begin with[1]) identify users who have not made any prior malicious requests, in order to allow them to bypass the additional scrutiny applied to other Tor users.

Think of CloudFlare like the TSA, if the TSA were actually effective at their jobs. What they're proposing here, then, is akin to TSA Pre Check, wherein the TSA (at your request) considers your history of not hijacking planes or being a general bad actor and allows you to pass through a lighter screening process with a shorter line, rather than assuming you're a terrorist like everyone else. CloudFlare would, for users who use the proposed plugin, keep a record of "malicious vs. benign" on a per-user basis, rather than per-IP, so they can, then, use your history of not spamming, hacking, or being a general bad actor to allow you to pass through their screening process, rather than assuming you're a spammer like everyone else.

[1]: As would others who erroneously think it actually buys them any privacy, likely because they harbor the same misunderstanding you do.

Re:CAPTCHAs

[mysidia]

I'm not posting to your comments section, and I'm sure as hell not signing

Perhaps CloudFlare could eliminate CAPTCHAs for simple GETs, except when the malicious access issue is DoS, or a Risky Cookie is found in the HTTP request.

Simple GETs don't contain POST form data or other non-Idempotent operations.

They also don't contain any complex request parameters which could harbor malicious intent.

It would make sense for CloudFlare to ignore them; if the request seems innocuous, even if the client is malicious, provided the known malicious clients are ones that act Overtly malicious.

Re:CAPTCHAs

[Ash-Fox]

Perhaps CloudFlare could eliminate CAPTCHAs for simple GETs, except when the malicious access issue is DoS, or a Risky Cookie is found in the HTTP request.

I do believe it's not presented for any statically cached content.

Re:CAPTCHAs

[BronsCon]

Or, they bake in a "reset" button that changes your UUID (which would be done simply by requesting a new UUID as though one had not yet been issued) upon request, and you click that whenever you want to "break" tracking, with the understanding that you'll have to complete a CAPTCHA to prove your humanity every time you do so if you're coming from an exit node that has been abused (so basically... every time). Seems like a fair balance between getting hit with a CAPTCHA every pageload and being universally trackable; you decide the scope and duration of your session based on what level of exposure is acceptable to you. If the only level of exposure you are willing to accept is zero, you shouldn't be connecting to the internet at all, let alone browsing sites that are behind a service such as CloudFlare.

And, personally knowing a handful of CloudFlare engineers (some pretty high up in the relatively small organization), I actually do know what data they keep on their end: not nearly as much as you fear. While they do offer a free service, they also offer many paid services and that is where they actually make their money. Their data collection really is limited to what is necessary to provide their CDN and firewall services, and the very limited analytics they offer. And I mean very limited. If you can imagine the absolute least amount of data that would need to be stored to offer these services, well, they've probably found a way to store less.

They offer a free service because bandwidth is cheap so it really costs them next to nothing to do so; they store as little data as possible to provide the services they do because storage is expensive and they'd be unable to provide the free service (which is where something approaching 95% of their paid customers start out) if they had to pay for all of that.

Re:CAPTCHAs

[complete+loony]

They are also trying to block spammers who are trying to bulk harvest email addresses. For that traffic, each request *is* a simple GET.

Re:Just block them

[nsuccorso]

A Tor use is clearly hiding something illegal.

Posted by Anonymous Coward.

I've forwarded his comment to the FBI for analysis.

Only a copyright owner can order a takedown

[tepples]

Only a copyright owner can lawfully order DNS records to be pulled down because only a copyright owner knows whether a particular use is licensed. Have you tried reporting the results of your investigation of piracy sites to the legitimate copyright owners of the affected works so that they can act?

Re:Just block them

[BronsCon]

In all seriousness: Cloudflare needs to go fuck themselves. What, are they in the pocket of the FBI/NSA/CIA/NID/{insert government agency here}, now? Wouldn't at all be surprised.

You do realize that CloudFlare is simply looking for a solution to the problem Tor users are complaining about, right? CloudFlare provides a CDN caching service and HTTP firewall; it is that second item that is causing problems for Tor users, as any nefarious activity from an exit node gets all users of that node flagged as potentially malicious. CloudFlare has three options, then: do nothing (e.g. tell Tor users to go fuck themselves), stop offering the service their customers use and pay them for (e.g. tell their customers to go fuck themselves), or help Tor find a solution to their users' problem.

This story is about them attempting to do the latter, which leaves you, and others like you, to practice a bit of self-love.

Re:Just block them

How about YOU go and fuck yourself with a chainsaw. The crap that exits TOR nodes are completely fucking useless. Cloudflare's customers are not TOR users, they are people running websites. People who are paying Cloudflare to help deal with SHIT JUST LIKE THIS, you know people being dicks with TOR.

At least they're not just straight out ban hammering TOR exit nodes(that's what I prefer to do, but tracking all of those down can be difficult).

Re:Just block them

[AmiMoJo]

I think the GP is complaining about the fact that Cloudflare has build a mass surveillance network that is a wet dream for governments. I'd be amazed if they hadn't been approached for access already, maybe via secret National Security Letter.

Think about it. They can see users visiting many of the most popular sites on the web. They provide secure connections, they set their own cookies and can see the site's cookies. It's a man-in-the-middle attack, with the assistance of the site operators so that the usual protections against such things don't work.

Re:Just block them

[BronsCon]

Oh, I get what you're saying, I totally do. Note the last sentence of that post, though, where it is made clear that this AC is only talking about CloudFlare "messing with" Tor, though. They're not thinking as deeply about this as you or I.

Where is the code?

[tarlek1234]

No code, just another brainstorming "project", yay!

Re:Breaking News: Obsolete Business Model in Dange

[Ash-Fox]

HTTP over bittorrent

And then they can run HTTP trackers over Bittorent, oh wait!

or other protocol like Disruption Tolerant Networking or Named Data Networking where we add caches to all the nodes

You do realize that Cloud Flare does a lot of this, right?

The existence of cloudflare and other colocation providers are another example of the shift in the ultimate direction of reingineering.

I suspect that Cloud Flare will one of the leaders in such re-engineering actually..

If the generic caches were distributed across the middle of the network, then you solve the problem.

You've not seen a modern BGP setup of an ISP, have you?

Storage is cheap.

Try finding decent VPS providers with large amounts of storage for cheap. Hell, try finding online storage solutions that go into petabytes that are cheap... Because that's what the demand is.

Once we have DTN and/or NDN then Tor and Cloudflare will be irrelevant.

Your assuming that Cloudflare will look the same as it does today when that happens.

The content producers don't need to know what content you requested from the (mesh) network.

The problem here is that these sort of things break down where end2end encryption is involved and we are seeing a massive shift towards that with HTTPS becoming a lot more prominent. The days of when providers were happy to leave even small things unencrypted is no longer a thing.

Everyone is getting hooked on tracking users, but they forget how radio, TV, and newspapers got by without tracking end users for centuries.

While it's entirely possible static content maybe requested from cached resources, there is no reason why dynamic requests won't go through first before requesting static content. You're not really thinking any of this through, are you?

Re:Just block them

[BronsCon]

If Cloudfare had got some decent security appliances, the DPI analysis mechanisms can still catch and mitigate all sorts of attack vectors even when the IP sources are widely distributed.

You mean like this?

Perhaps know what you're talking about before you write 3 paragraphs on the subject? CloudFlare has developed, and is continually improving upon, their own systems for doing this; this gives them much finer-grained control over things so, of course, they aren't buying off-the-shelf solutions.

Re:Just block them

[cstdenis]

Cloudflare offers free services to a lot of sites, proxying all of their traffic. With a business model like that, I figure they were an NSA front from the start.

It's a comparatively cheap way to do mass surveillance.

Re:Or you know CF can stop being evil

[mattventura]

The really scummy part is that they harbor DDoS-for-hire sites, which in turn helps drive their business. It would be like if a radar gun company also sold radar detectors.

Re:Just block them

[BronsCon]

Google, Amazon, and Akamai don't offer the same services CloudFlare does. The only overlap is the CDN; Akamai comes closest with their hosting offering, but they're actually hosting the sites, not sitting in front of them to provide security.

Apples rarely have the same issues as oranges, my friend.

Then more people need to use Tor

[MobyDisk]

If there are more attacks launched via Tor than there is legitimate traffic, then perhaps we need more people to use Tor.

Re:Just block them

[BronsCon]

An application firewall for externally-hosted (e.g. not hosted by CloudFlare) services. It's their core business.