Slashdot Mirror
CloudFlare Wants Tor To Change Or Risk CAPTCHA Blockades (thestack.com)
An anonymous reader writes: CloudFlare's co-founder Matthew Prince has publicly appealed to work with the Tor Project on implementing a solution that will stop the high incidence of Tor users being challenged by CAPTCHAs whilst browsing. Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub. Other possibilities mooted include the adoption of higher-level encryption, which would be likely to adversely influence a network which already has native (and inevitable) latency issues. CloudFlare's public post on the matter comes after five turbulent weeks of comments-section debate between CloudFlare and Tor, and seems to be an appeal for public arbitration on the matter.Prince further noted that 94% of the traffic CloudFlair sees is "per se malicious." From his blog post: That doesn't mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.
A Tor use is clearly hiding something illegal.
Posted by Anonymous Coward.
Have gnu, will travel.
> There are two simple technical solutions:
As with most things in the real world, simple solutions just create more problems.
The question that should be asked is "What is the intent of cloudfare's captchas?"
I think the answer is that they want to prevent abuse, not just DDOS but bad actors, like comment spam, spidering in contradiction to robots.txt, etc.
If that is the case, then correct course of action is to watch the behavior of the user(s) on that exit node and if they start behaving badly when accessing a specific site then, and only then, respond with countermeasures specific to that site.. Maybe just retard performance, serve pages very slowly or block wrirte access so spam can be posted. Or, as a last resort block the exit node fully, but only for a short period of time like an hour or two.
Implementing that sort of monitoring and graduated responses won't be simple. But it is the kind of thing that once implemented can be used in a mostly cookie-cutter fashion across many different sites. So having that capability would be a value-add to Cloudflare's service that their competitors wouldn't necessarily have. So win for Tor (and VPN) users and win for Cloudflare (and a win for Cloudflare's customers).
Cloudflare's position is more precarious than you realize. They can't just dictate terms. Cloudflare has been under scrutiny for a while now, because their platform does an excellent job of tracking users. If their system was run by a government, we would be alarmed at the facility for mass surveillance that is built in.
As such, many security minded people are now considering Cloudflare harmful. This is bad for Cloudflare because those people are the ones developing browsers and back end services. It could get very nasty.
So it's in Cloudflare's interests to have a discussion and try to find an acceptable solution if they can.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Won't work. You can easily change your exit node.
Cloudflare is trying to combat the huge centers in China and India running spam schemes that tear through site Captchas. In the distant past, you could just IP block by geographic location but then the spammers moved over to VPN. Since VPNs are a single centralized location on the far side, sides could again block the VPN provider's IP addresses and stop the spammers.
But now that these spammers have moved to Tor, the number of exit node IP addresses is just too large collectively ban. Made worse by the fact many of these same spammers use malware systems to create Tor exits on victim PCs, you would have a never ending list of IPs to ban.
So, Cloudflare thinks it can meet the legitimate users of Tor half-way but just what percentage of the users are actually legitimate?
No, it's not. It's meant to slow down address-harvesting bots and comment spammers. Which you would know if you'd bothered to read the article.
In all seriousness: Cloudflare needs to go fuck themselves. What, are they in the pocket of the FBI/NSA/CIA/NID/{insert government agency here}, now? Wouldn't at all be surprised.
You do realize that CloudFlare is simply looking for a solution to the problem Tor users are complaining about, right? CloudFlare provides a CDN caching service and HTTP firewall; it is that second item that is causing problems for Tor users, as any nefarious activity from an exit node gets all users of that node flagged as potentially malicious. CloudFlare has three options, then: do nothing (e.g. tell Tor users to go fuck themselves), stop offering the service their customers use and pay them for (e.g. tell their customers to go fuck themselves), or help Tor find a solution to their users' problem.
This story is about them attempting to do the latter, which leaves you, and others like you, to practice a bit of self-love.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
The problem is that script kiddies love to launch attacks from Tor. And even though it is rarely effective and more damaging for the network than for the victim, proxies like cloudflare still need protection against them.
I've got a couple of sites behind CloudFlare, and they do a bit more than simple DDoS protection. The reason captcha is being triggered is the volume of dodgy SQL injection scans, bruteforce auth attacks, etc coming from these nodes. Scrubbing regular old browsing traffic of identifying information makes it look even more bot-like to their inspection algorithms. Whitelisting against fixed criteria just means the bots will change tactics - same as the old email spam arms race.
I'm obviously biased, but I think this is a brilliant feature. If they had an explicit checkbox to block Tor traffic I'd have it enabled everywhere. Signal to noise is too high, little of real value comes from a Tor exit node.
You are identified as the same individual who made some previous request, but not as a specific individual. That is to say, they could match your current requests with your historical requests, but not pick you out of a line-up based on those requests.
Make sense now?
This is useful for, say, determining that some user is the same user who made a previous malicious request and targeting them for further scrutiny (e.g. a CAPTCHA challenge) or (more likely, as malicious users would avoid the identification and tracking to begin with[1]) identify users who have not made any prior malicious requests, in order to allow them to bypass the additional scrutiny applied to other Tor users.
Think of CloudFlare like the TSA, if the TSA were actually effective at their jobs. What they're proposing here, then, is akin to TSA Pre Check, wherein the TSA (at your request) considers your history of not hijacking planes or being a general bad actor and allows you to pass through a lighter screening process with a shorter line, rather than assuming you're a terrorist like everyone else. CloudFlare would, for users who use the proposed plugin, keep a record of "malicious vs. benign" on a per-user basis, rather than per-IP, so they can, then, use your history of not spamming, hacking, or being a general bad actor to allow you to pass through their screening process, rather than assuming you're a spammer like everyone else.
[1]: As would others who erroneously think it actually buys them any privacy, likely because they harbor the same misunderstanding you do.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
I think the GP is complaining about the fact that Cloudflare has build a mass surveillance network that is a wet dream for governments. I'd be amazed if they hadn't been approached for access already, maybe via secret National Security Letter.
Think about it. They can see users visiting many of the most popular sites on the web. They provide secure connections, they set their own cookies and can see the site's cookies. It's a man-in-the-middle attack, with the assistance of the site operators so that the usual protections against such things don't work.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I'm not posting to your comments section, and I'm sure as hell not signing
Perhaps CloudFlare could eliminate CAPTCHAs for simple GETs, except when the malicious access issue is DoS, or a Risky Cookie is found in the HTTP request.
Simple GETs don't contain POST form data or other non-Idempotent operations.
They also don't contain any complex request parameters which could harbor malicious intent.
It would make sense for CloudFlare to ignore them; if the request seems innocuous, even if the client is malicious, provided the known malicious clients are ones that act Overtly malicious.