CloudFlare Wants Tor To Change Or Risk CAPTCHA Blockades

An anonymous reader writes: CloudFlare's co-founder Matthew Prince has publicly appealed to work with the Tor Project on implementing a solution that will stop the high incidence of Tor users being challenged by CAPTCHAs whilst browsing. Prince proposes the implementation of a Tor plugin that would communicate with CloudFlare servers to provide temporary, anonymous identification to bypass the CAPTCHAs, and has presented the code on GitHub. Other possibilities mooted include the adoption of higher-level encryption, which would be likely to adversely influence a network which already has native (and inevitable) latency issues. CloudFlare's public post on the matter comes after five turbulent weeks of comments-section debate between CloudFlare and Tor, and seems to be an appeal for public arbitration on the matter.Prince further noted that 94% of the traffic CloudFlair sees is "per se malicious." From his blog post: That doesn't mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.

Re:Just block them

[BronsCon]

In all seriousness: Cloudflare needs to go fuck themselves. What, are they in the pocket of the FBI/NSA/CIA/NID/{insert government agency here}, now? Wouldn't at all be surprised.

You do realize that CloudFlare is simply looking for a solution to the problem Tor users are complaining about, right? CloudFlare provides a CDN caching service and HTTP firewall; it is that second item that is causing problems for Tor users, as any nefarious activity from an exit node gets all users of that node flagged as potentially malicious. CloudFlare has three options, then: do nothing (e.g. tell Tor users to go fuck themselves), stop offering the service their customers use and pay them for (e.g. tell their customers to go fuck themselves), or help Tor find a solution to their users' problem.

This story is about them attempting to do the latter, which leaves you, and others like you, to practice a bit of self-love.

Re:Doing it backwards

[GuB-42]

The problem is that script kiddies love to launch attacks from Tor. And even though it is rarely effective and more damaging for the network than for the victim, proxies like cloudflare still need protection against them.

Re:Doing it backwards

I've got a couple of sites behind CloudFlare, and they do a bit more than simple DDoS protection. The reason captcha is being triggered is the volume of dodgy SQL injection scans, bruteforce auth attacks, etc coming from these nodes. Scrubbing regular old browsing traffic of identifying information makes it look even more bot-like to their inspection algorithms. Whitelisting against fixed criteria just means the bots will change tactics - same as the old email spam arms race.

I'm obviously biased, but I think this is a brilliant feature. If they had an explicit checkbox to block Tor traffic I'd have it enabled everywhere. Signal to noise is too high, little of real value comes from a Tor exit node.

Re:CAPTCHAs

[BronsCon]

You are identified as the same individual who made some previous request, but not as a specific individual. That is to say, they could match your current requests with your historical requests, but not pick you out of a line-up based on those requests.

Make sense now?

This is useful for, say, determining that some user is the same user who made a previous malicious request and targeting them for further scrutiny (e.g. a CAPTCHA challenge) or (more likely, as malicious users would avoid the identification and tracking to begin with[1]) identify users who have not made any prior malicious requests, in order to allow them to bypass the additional scrutiny applied to other Tor users.

Think of CloudFlare like the TSA, if the TSA were actually effective at their jobs. What they're proposing here, then, is akin to TSA Pre Check, wherein the TSA (at your request) considers your history of not hijacking planes or being a general bad actor and allows you to pass through a lighter screening process with a shorter line, rather than assuming you're a terrorist like everyone else. CloudFlare would, for users who use the proposed plugin, keep a record of "malicious vs. benign" on a per-user basis, rather than per-IP, so they can, then, use your history of not spamming, hacking, or being a general bad actor to allow you to pass through their screening process, rather than assuming you're a spammer like everyone else.

[1]: As would others who erroneously think it actually buys them any privacy, likely because they harbor the same misunderstanding you do.