Slashdot Mirror


Cloudflare Ends CAPTCHAs For Tor Users (zdnet.com)

Cloudflare announced on Monday a new service named the "Cloudflare Onion Service" that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service is, said Cloudflare, that Tor users will see far fewer, or even no, CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser. A reader writes: The new Cloudflare Onion Service needed the Tor team to make "a small tweak in the Tor binary," hence it will only work with recent versions of the Tor Browser -- the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month. Tor users have been complaining about seeing too many CAPTCHAs when accessing a Cloudflare-protected site for years now. In February 2016, Tor Project administrators went as far as to accuse Cloudflare of "sabotaging Tor traffic" by forcing Tor users to solve CAPTCHA fields ten times or more, in some cases.

Cloudflare responded to accusations a month later, claiming the company was only showing CAPTCHAs because 94 percent of all Tor traffic was either automated bots or originating from malicious actors. Half a year later, in October 2016, Cloudflare started looking into methods of removing CAPTCHAs for Tor users. Their first foray was the Challenge Bypass Specification and a Tor Browser extension, but that project didn't go too far, and has eventually been replaced by the new Cloudflare Onion Service today.

50 comments

  1. Godamn CAPTCHAs by DontBeAMoran · · Score: 1

    You solve more than a few per day and then you're stuck in a validation loop that asks you to complete CAPTCHAs over and over again, never accepting that you are human.

    --
    #DeleteFacebook
    1. Re:Godamn CAPTCHAs by AmiMoJo · · Score: 1

      Google's Recaptcha is the worst, especially if you use a VPN.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Godamn CAPTCHAs by Anonymous Coward · · Score: 0

      wouldn't want to inconvenience the criminals on tor

    3. Re:Godamn CAPTCHAs by DontBeAMoran · · Score: 1

      Because of course Google's ReCAPTCHA's are only used on Tor.

      --
      #DeleteFacebook
    4. Re: Godamn CAPTCHAs by Anonymous Coward · · Score: 0

      Does this new service require registration? A browser plugin? A copy of government-issued ID?

    5. Re:Godamn CAPTCHAs by QuietLagoon · · Score: 1

      You solve more than a few per day and then you're stuck in a validation loop that asks you to complete CAPTCHAs over and over again

      I ran into the "insolvable" CAPTCHA problem this week. I wanted to sign into my account with an online retailer (large, well-known etailer), but there was a CAPTCHA that prevented me from logging in and placing my order. How stupid is that?

    6. Re:Godamn CAPTCHAs by Opportunist · · Score: 3, Funny

      Since they're fairly predictable (it's always 3 "correct" images, each re-validating 2-3 times) I wonder whether it wouldn't be faster to write a bot for it, requesting the page a few dozen times and randomly "solving" the pictures...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Godamn CAPTCHAs by Rick+Schumann · · Score: 1

      If you fail enough times it locks you out for a substantial time period and in fact may never allow you back in.

    8. Re:Godamn CAPTCHAs by Gavagai80 · · Score: 1

      Is being locked out a problem if you have trillions of IPv6 addresses to try from?

      --
      This space intentionally left blank
    9. Re:Godamn CAPTCHAs by Anonymous Coward · · Score: 0

      It is getting ridiculous. It is now at the point where a machine would probably have a better shot at solving this BS than a human.

    10. Re:Godamn CAPTCHAs by JesseMcDonald · · Score: 1

      Is being locked out a problem if you have trillions of IPv6 addresses to try from?

      They're not going to block one throwaway IP address at a time; not if they're being smart about it, anyway. They'll block the entire prefix assigned to your account. No one should be allocated a subnet smaller than /64 (it would break automatic address assignment, among other things) so this is roughly equivalent to blocking a single IPv4 address.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
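Added example, not part of the thread: a sketch of the per-prefix lockout the comment above describes, counting failed challenges against the whole IPv6 /64 instead of the single address. `ChallengeLockout`, `block_key`, the thresholds and the `2001:db8::` documentation addresses are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

IPV6_PREFIX_LEN = 64  # assumption from the comment: a subscriber holds at least a /64


def block_key(addr: str) -> str:
    """Return the unit that failed challenges are counted against."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    if ip.ipv4_mapped is not None:  # ::ffff:a.b.c.d is really an IPv4 client
        return str(ip.ipv4_mapped)
    return str(ipaddress.ip_network(f"{ip}/{IPV6_PREFIX_LEN}", strict=False))


class ChallengeLockout:
    """Sliding-window lockout after repeated failed challenges (hypothetical helper)."""

    def __init__(self, key_func=block_key, max_failures=5, window=600.0):
        self.key_func = key_func
        self.max_failures = max_failures
        self.window = window  # seconds
        self._failures = defaultdict(deque)

    def _recent(self, key, now):
        # Drop failures that have aged out of the window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, addr, now):
        q = self._recent(self.key_func(addr), now)
        q.append(now)
        return len(q) >= self.max_failures

    def is_locked(self, addr, now):
        return len(self._recent(self.key_func(addr), now)) >= self.max_failures


def demo():
    """Ten failures, each from a different address inside one /64 (constructed data)."""
    per_address = ChallengeLockout(key_func=lambda a: a)  # naive: one counter per IP
    per_prefix = ChallengeLockout()                       # counter per /64
    for i in range(1, 11):
        addr = f"2001:db8:aa:1::{i:x}"
        per_address.record_failure(addr, now=float(i))
        per_prefix.record_failure(addr, now=float(i))
    fresh = "2001:db8:aa:1::ffff"    # never-seen address, same /64
    neighbour = "2001:db8:aa:2::1"   # different /64, different subscriber
    return {
        "per_address_blocks_fresh": per_address.is_locked(fresh, now=11.0),
        "per_prefix_blocks_fresh": per_prefix.is_locked(fresh, now=11.0),
        "per_prefix_blocks_neighbour": per_prefix.is_locked(neighbour, now=11.0),
        "per_prefix_after_window": per_prefix.is_locked(fresh, now=700.0),
    }
```

Keyed per address, the fresh address is never locked; keyed per /64 it is, while the neighbouring prefix stays unaffected and the lock lapses once the window passes.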
    11. Re:Godamn CAPTCHAs by AmiMoJo · · Score: 1

      It might be that way on an unprotected connection, but on a VPN it's not unusual to get 10+ challenges every time. And for some reason the ones that refresh the images refresh at about 1/4 the normal speed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:Godamn CAPTCHAs by DontBeAMoran · · Score: 1

      Not related to VPN, I've had this problem myself. Cryptocurrency faucets use ReCaptcha and I've faced that problem many times. You need to stop using ReCaptchas for a few days before it semi-resets itself - at least enough that you can use them again.

      --
      #DeleteFacebook
    13. Re:Godamn CAPTCHAs by Anonymous Coward · · Score: 0

      but on a VPN it's not unusual to get 10+ challenges every time

      This is about figuring out your identity. Those 10 challenges, with the exact timing of clicks you make and mouse movements, present enough data to trace your identity through a VPN or series of "anonymized" connections.

      That is why you have to solve 10 in a row: so your identity can be discovered.

  2. Sounds great by Anonymous Coward · · Score: 1

    Does anyone actually believe Tor is secure?

    Cloudflare are ideologically driven internet censors.

    You don't think this same technology is going to be used to track and report dissidents to the "new world order"?

    1. Re: Sounds great by Anonymous Coward · · Score: 0

      Hm, let me think about this. Nope, I think not, you fucking whack job.

    2. Re: Sounds great by DontBeAMoran · · Score: 1

      Back when Enemy of the State was released, most people thought it was Hollywood fantasy. These days, it's reality.

      So in reply to your comment, today's "whack jobs" are tomorrow's "I told you so".

      --
      #DeleteFacebook
    3. Re:Sounds great by AmiMoJo · · Score: 2

      TOR is secure, within the limitations of what it is designed to do.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Sounds great by Anonymous Coward · · Score: 0

      TOR was never secure. Look who invented it and for the purpose. It was designed for a time when nobody knew about it or understood how it worked. To say it's secure on any level is to have no idea how it works. It's obfuscation.

  3. Translation by Anonymous Coward · · Score: 0

    Tor Users are more easily identified using cloudflare.

    passphrase = unkindly

  4. Tor now compromised on cloudflare by Anonymous Coward · · Score: 0

    Hope your favorite drug site has cloudflare.

  5. But I don't trust Cloudflare! by Anonymous Coward · · Score: 0

    I don't see the point of all this, if they can't keep their own company trustworthy in the first place.
    The company name itself already suggests complete incompetence and a messed-up corporate culture, which might be the root cause.
    And since corporate culture doesn't change much, and stays rotten if it's rotten, for centuries even, this won't change either.
    So thanks, but no thanks.

  6. those captchas were a *feature* not a bug by themusicgod1 · · Score: 1

    They told us that we were being MiTM'd. Without them it's now more difficult to know.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  7. CAPTCHA is still in place! by laie_techie · · Score: 2

    CAPTCHA is just a test to distinguish between bots and humans. CAPTCHA does not need to be images of swirled words. It sounds like Cloudflare has developed a CAPTCHA which isn't even visible to the end user (yeah!).

    1. Re:CAPTCHA is still in place! by acvh · · Score: 2

      CAPTCHAs are actually training for AI image and pattern recognition software. So I anticipate that soon there will be bots that can solve them as easily as we can.

    2. Re:CAPTCHA is still in place! by laie_techie · · Score: 1

      CAPTCHAs are actually training for AI image and pattern recognition software. So I anticipate that soon there will be bots that can solve them as easily as we can.

      Google used image CAPTCHAs to help digitize books; I wouldn't be surprised if other companies were using the same sort of technology to improve OCR for nefarious purposes.

    3. Re:CAPTCHA is still in place! by AmiMoJo · · Score: 1

      Google pioneered the technique with Recaptcha. It looks at things like mouse movements, browser metrics and timing info, installed font lists, all sorts of stuff.

      Unfortunately it breaks quite easily with things like RDP. If you have an RDP session and a VPN you are basically fucked, doomed to solve 10-20 captchas before you can access the site. It's got a little better recently, but still doesn't like things like you using a less popular browser.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Beware of NSA propaganda though. by Anonymous Coward · · Score: 0

    Every time I read about Tor's security, I have to think about all the propaganda stuff mentioned in the NSA leaks.
    Spreading the view that Tor is unsafe, is exactly up their alley, and given their multi-billion dollar budget for exactly this sort of thing, I don't know where else they would spend it. (After the villas, puppets and terrorists are paid off, of course.)

    I personally don't trust TOR either, but only because I don't trust much at all, and because it's so likely that several three-letter agencies make up more than 50% of the nodes in the mix, ruining the otherwise very good point of TOR.
    And using exit nodes with a browser is nuts anyway, but that is not TOR's fault. Exit nodes just should not exist, as they are insecure by design. They are only sensible for one-off usage with a very well-known data stream, before the entire system that sent it, including the hardware, is wiped or trashed. Which is infeasible for the average victim of state terrorism.
    Apart from that, the base concept of using mixes to disguise who of the people in the set did what, is solid.
    Doesn't help against the entire group being targeted, of course, if less than the majority of the population uses it and keeps using it under threats.
    Which, again, is not TOR's fault, but a problem by definition of the concept of a small group trying to protect itself from a large group (of livestock following a tiny group of assholes).

    1. Re: Beware of NSA propaganda though. by Anonymous Coward · · Score: 0

      If you are worried about TLAs, you are not on the internet.

  9. For products with heavy scalper demand by tepples · · Score: 1

    there was a CAPTCHA that prevented me from logging in and placing my order. How stupid is that?

    Some online stores require passing a CAPTCHA if they sell products that have a vibrant secondary market. Making automated mass buying harder for scalpers ostensibly helps get products in front of bona fide end users. One example is Ticketmaster, as ticket scalping increases cost for people attending a show without benefiting the performers. Another is Humble Store, as a warez group might have a bot watch the site for new releases, pay the minimum, and send the DRM-free games straight to the topsites.

    1. Re:For products with heavy scalper demand by tlhIngan · · Score: 1

      Another is Humble Store, as a warez group might have a bot watch the site for new releases, pay the minimum, and send the DRM-free games straight to the topsites.

      I doubt that's actually a thing - because warez sites are generally about having the latest games first, and Humble Store bundles generally mean the game or program has been out a while already. Plus they aren't necessarily DRM-free since a lot of them just give Steam codes.

      GOG store on the other hand is DRM-free and there have been many new releases on it that come out same day.

    2. Re:For products with heavy scalper demand by DontBeAMoran · · Score: 1

      Limits on CAPTCHAs should be domain-based, i.e. you may have busted the limit on shadytickets.com but still be fine on ticketmaster.com

      --
      #DeleteFacebook
    3. Re:For products with heavy scalper demand by Anonymous Coward · · Score: 0

      warez sites

      What is this 1998?

    4. Re:For products with heavy scalper demand by tepples · · Score: 1

      Nowadays the "warez sites" are public torrent sites (such as The Pirate Bay) and private trackers (for which I'll refer you to the essay on Install Gentoo).

  10. So in other words by Opportunist · · Score: 1

    TOR traffic can be identified by the way it looks, not by the source it comes from? Interesting...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. USA ADA violation by Anonymous Coward · · Score: 0

    How are required CAPTCHAs not a violation of ADA in the USA?

  12. A small tweak... hmmm by Anonymous Coward · · Score: 0

    sounds a bit suspicious.

  13. Storefront by Anonymous Coward · · Score: 0

    I always got stuck on storefront. Really haven't figured out if a colored tent is a storefront or not.
    How about identifying bus, when there's a blurry street sign pictured from behind which appears to be very similar (optically) to a bus. I have encountered such difficulty when the pic is blurry and it looks like a street sign pictured from behind (because of the post) which also looks like a silver bus!
    I am sure there are other better ways than Image Captchas provided by Cloudflare. Tor is a very slow network, and loading it with a bunch of images would take ages.
    Captcha similar to the one used here at /. would suffice, seriously.

  14. Cloudflare dns by BrookHarty · · Score: 1

    I had to stop using cloudflare dns because some web sites wouldn't resolve. I won't say it's sabotage, just poor technical ability.

    1. Re:Cloudflare dns by Anonymous Coward · · Score: 0

      DNS over HTTPS (DOH) over TOR works fine --- Albeit it adds a nominally noticeable amount of latency -- when also used with DNSCrypt, it allows for relatively assured to be un-tampered and anonymous DNS requests.

      Too bad TLS 1.0-1.2 then allows for SNI which still allows for spying on requested sites by ISP / Carrier / Govt / Cloud Providers.

      Seems TLS 1.3 also implements this 'feature' to spying entities.

  15. You AREN'T worried about TLAs? by Anonymous Coward · · Score: 0

    Is it livestock syndrome? Or how can one be so willfully ignorant? (Where "willful" does not imply one's own will, as that is usually not present with humanoid drones.)

  16. This can't happen soon enough by Applehu+Akbar · · Score: 1

    The problem with CAPTCHAs is that bots are now better than most humans at solving them, so they keep getting more and more difficult. The wiggly-text style was okay until they started putting in extraneous lines that look almost like letters. Do I count that skinny line as an I and that little bubble as an O?

    Then they began using the images divided by a grid. "Click on all cars in this picture" seems simple enough, but do you include the frame that has the tiny bit of car roof at the bottom or one pixel of front bumper? I have tried them both ways, and every time I have to go through at least six images before I hit one that works. At random, they will slip in an image so dark and fuzzy that you can't tell what's in it. I have totally given up on using any form of Google account, purely because I can no longer solve their CAPTCHAs.

    I want a USB hardware key that I can plug into whatever I'm using at the time, or something like having my iPhone act as my identification when it's on the same network as the device I'm using.

  17. Google CAPTCHAs are worst by Anonymous Coward · · Score: 0

    How many times do I have to click on a god damn bus, sign, or traffic light? ONE TIME is enough, you fucker.

  18. This is not a valid solution. by Anonymous Coward · · Score: 0

    The real problem is that Cloudflare is MITMing all traffic.
    https://notabug.org/themusicgo...

  19. Tor Browser 8.0 sends OS+kernel+TOTAL_PING_COUNT i by Anonymous Coward · · Score: 0

    Tor Browser 8.0 sends OS+kernel+TOTAL_PING_COUNT in update queries to Mozilla

    - Tails 3.9, which ships with TB 8.0, is also affected.

    ######

    User report:[1]
    https://blog.torproject.org/co...

    Sanitize the add-on blocklist update URL
    https://trac.torproject.org/pr...

    related, old, closed ticket (unresolved):

    TBB-Firefox sends OS+kernel in update queries to Mozilla
    https://trac.torproject.org/pr...

    [1]: "TBB-Firefox sends Linux kernel version in extensions blocklist update queries to Mozilla. 6 years old ticket closed https://trac.torproject.org/pr... without fix this privacy issue.

    From Ubuntu 18.04.1 LiveCD /v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/60.2.0/Firefox/20180204030101/Linux_x86_64-gcc3/en-US/release/Linux 4.15.0-29-generic (GTK 3.22.30 libpulse 11.1.0)/default/default/1/1/new/"

    "about:config
    extensions.blocklist.url"

    "Also it send TOTAL_PING_COUNT to tell mozilla how many days you use TBB."

    ######
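Added example, not part of the post above: a parser that splits the blocklist update path quoted in the report into named fields, so the reported values (OS/kernel string, TOTAL_PING_COUNT) can be checked in a captured request. The placeholder order is assumed to follow Firefox's default `extensions.blocklist.url` template; `redact` is a hypothetical illustration of sanitizing, not the Tor Project's fix.

```python
from urllib.parse import quote, unquote

# Placeholder order assumed from Firefox's default extensions.blocklist.url
# template; the post itself only names the preference and TOTAL_PING_COUNT.
FIELDS = [
    "APP_ID", "APP_VERSION", "PRODUCT", "BUILD_ID", "BUILD_TARGET", "LOCALE",
    "CHANNEL", "OS_VERSION", "DISTRIBUTION", "DISTRIBUTION_VERSION",
    "PING_COUNT", "TOTAL_PING_COUNT", "DAYS_SINCE_LAST_PING",
]
# The fields the user report objects to: OS/kernel string and the usage counter.
REPORTED_LEAKS = ("OS_VERSION", "TOTAL_PING_COUNT")

# Path exactly as quoted in the post (Ubuntu 18.04.1 LiveCD).
SAMPLE_PATH = (
    "/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/60.2.0/Firefox/"
    "20180204030101/Linux_x86_64-gcc3/en-US/release/"
    "Linux 4.15.0-29-generic (GTK 3.22.30 libpulse 11.1.0)/default/default/1/1/new/"
)


def parse_blocklist_path(path):
    """Map each path segment after /blocklist/<version>/ to its field name."""
    segments = path.strip("/").split("/")
    if "blocklist" not in segments:
        raise ValueError("not a blocklist update path")
    start = segments.index("blocklist") + 2  # skip "blocklist" and its version
    values = segments[start:]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    # Split first, decode second, so an encoded '/' inside a value cannot shift fields.
    return {name: unquote(value) for name, value in zip(FIELDS, values)}


def reported_leaks(path):
    """Return only the values the report calls out as identifying."""
    fields = parse_blocklist_path(path)
    return {name: fields[name] for name in REPORTED_LEAKS}


def redact(path, placeholder="default"):
    """Hypothetical sanitizer: same path with the reported fields made constant."""
    fields = parse_blocklist_path(path)
    head = path.strip("/").split("/")[: -len(FIELDS)]
    for name in REPORTED_LEAKS:
        fields[name] = placeholder
    tail = [quote(fields[name], safe="") for name in FIELDS]
    return "/" + "/".join(head + tail) + "/"
```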

  20. Fake News by themusicgod1 · · Score: 1

    It's been 2 days, we're still getting CAPTCHAs.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  21. dontblocktor by Anonymous Coward · · Score: 0

    No news articles are reporting this accurately in their headlines. This is something that the website operator must opt into. "Onion Routing is now available to all Cloudflare customers, enabled by default for Free and Pro plans".

    Yes, "of course they are misleading, they are headlines!" Still, you would think someone could get this right:

    Tor users will not get Captcha Challenges anymore on Cloudflare protected websites
    https://latesthackingnews.com/2018/09/21/tor-users-will-not-get-captcha-challenges-anymore-on-cloudflare-protected-websites/

    Cloudflare Solves The Problem of CAPTCHAs For Tor Users with Cloudflare Onion Service
    https://appuals.com/cloudflare-solves-the-problem-of-captchas-for-tor-users-with-cloudflare-onion-service/

    Cloudflare ends CAPTCHA challenges for Tor users
    https://www.zdnet.com/article/cloudflare-ends-captcha-challenges-for-tor-users/

    Tor Users Will no Longer Have to Face CAPTCHA on Sites Protected by Cloudflare
    https://evil-security.com/tor-users-will-no-longer-face-captcha-sites-protected-cloudflare/

    Tor users will not get Captcha Challenges anymore on Cloudflare protected websites
    https://www.zerosuniverse.com/2018/09/tor-users-will-not-get-captcha-Challenges-anymore-on-Cloudflare-protected-websites.html

    Cloudflare Ends CAPTCHAs for Tor Users While Blocking Bad Actors
    http://cyber.tn/?p=6864

    Does anyone know a single site that has stopped showing them Captchas as a result??