Slashdot Mirror


Cloudflare Ends CAPTCHAs For Tor Users (zdnet.com)

Cloudflare announced on Monday a new service named the "Cloudflare Onion Service" that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service is, said Cloudflare, that Tor users will see far fewer, or even no, CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser. A reader writes: The new Cloudflare Onion Service needed the Tor team to make "a small tweak in the Tor binary," hence it will only work with recent versions of the Tor Browser -- the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month. Tor users have been complaining about seeing too many CAPTCHAs when accessing a Cloudflare-protected site for years now. In February 2016, Tor Project administrators went as far as to accuse Cloudflare of "sabotaging Tor traffic" by forcing Tor users to solve CAPTCHA fields ten times or more, in some cases.

Cloudflare responded to accusations a month later, claiming the company was only showing CAPTCHAs because 94 percent of all Tor traffic was either automated bots or originating from malicious actors. Half a year later, in October 2016, Cloudflare started looking into methods of removing CAPTCHAs for Tor users. Their first foray was the Challenge Bypass Specification and a Tor Browser extension, but that project didn't go too far, and has eventually been replaced by the new Cloudflare Onion Service today.

26 of 50 comments

  1. Godamn CAPTCHAs by DontBeAMoran · · Score: 1

    You solve more than a few per day and then you're stuck in a validation loop that asks you to complete CAPTCHAs over and over again, never accepting that you are human.

    --
    #DeleteFacebook
    1. Re:Godamn CAPTCHAs by AmiMoJo · · Score: 1

      Google's Recaptcha is the worst, especially if you use a VPN.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Godamn CAPTCHAs by DontBeAMoran · · Score: 1

      Because of course Google's ReCAPTCHAs are only used on Tor.

      --
      #DeleteFacebook
    3. Re:Godamn CAPTCHAs by QuietLagoon · · Score: 1

      You solve more than a few per day and then you're stuck in a validation loop that asks you to complete CAPTCHAs over and over again

      I ran into the "insolvable" CAPTCHA problem this week. I wanted to sign into my account with an online retailer (large, well-known etailer), but there was a CAPTCHA that prevented me from logging in and placing my order. How stupid is that?

    4. Re:Godamn CAPTCHAs by Opportunist · · Score: 3, Funny

      Since they're fairly predictable (it's always 3 "correct" images, each re-validating 2-3 times) I wonder whether it wouldn't be faster to write a bot for it, requesting the page a few dozen times and randomly "solving" the pictures...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Godamn CAPTCHAs by Rick+Schumann · · Score: 1

      If you fail enough times it locks you out for a substantial time period and in fact may never allow you back in.

    6. Re:Godamn CAPTCHAs by Gavagai80 · · Score: 1

      Is being locked out a problem if you have trillions of IPv6 addresses to try from?

      --
      This space intentionally left blank
    7. Re:Godamn CAPTCHAs by JesseMcDonald · · Score: 1

      Is being locked out a problem if you have trillions of IPv6 addresses to try from?

      They're not going to block one throwaway IP address at a time; not if they're being smart about it, anyway. They'll block the entire prefix assigned to your account. No one should be allocated a subnet smaller than /64 (it would break automatic address assignment, among other things) so this is roughly equivalent to blocking a single IPv4 address.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
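The prefix-level blocking described in the comment above, as an added example that is not part of the original thread: CAPTCHA failures are counted per IPv6 /64 (and per single IPv4 address), so rotating addresses inside one allocation does not reset the counter. The function names, the failure threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

V6_PREFIX = 64     # from the comment: no one should be allocated less than a /64
MAX_FAILURES = 3   # assumed lockout threshold, illustrative only


def block_key(addr: str) -> str:
    """Return the network that failures from this client are counted against."""
    ip = ipaddress.ip_address(addr)
    # An IPv4 client seen through a dual-stack socket arrives as ::ffff:a.b.c.d;
    # treat it as the IPv4 address it really is.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return f"{ip}/32"
    # strict=False masks off the host bits instead of raising ValueError.
    return str(ipaddress.ip_network(f"{ip}/{V6_PREFIX}", strict=False))


class FailureTracker:
    """Counts failed challenges per block key rather than per address."""

    def __init__(self, max_failures: int = MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = {}

    def record_failure(self, addr: str) -> str:
        key = block_key(addr)
        self.failures[key] = self.failures.get(key, 0) + 1
        return key

    def is_locked_out(self, addr: str) -> bool:
        return self.failures.get(block_key(addr), 0) >= self.max_failures


def demo() -> dict:
    """Constructed sample: one client rotating addresses inside its own /64."""
    tracker = FailureTracker()
    for addr in ("2001:db8:1:2::a", "2001:db8:1:2:ffff::b",
                 "2001:db8:1:2:dead:beef:0:1"):
        tracker.record_failure(addr)
    return {
        "fresh_addr_same_64": tracker.is_locked_out("2001:db8:1:2::1234"),
        "neighbouring_64": tracker.is_locked_out("2001:db8:1:3::1"),
    }


if __name__ == "__main__":
    print(demo())
```
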
    8. Re:Godamn CAPTCHAs by AmiMoJo · · Score: 1

      It might be that way on an unprotected connection, but on a VPN it's not unusual to get 10+ challenges every time. And for some reason the ones that refresh the images refresh at about 1/4 the normal speed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Godamn CAPTCHAs by DontBeAMoran · · Score: 1

      Not related to VPN, I've had this problem myself. Crypto-currency faucets use ReCaptcha and I've faced that problem many times. You need to stop using ReCaptchas for a few days before it semi-resets itself - at least enough that you can use them again.

      --
      #DeleteFacebook
  2. Sounds great by Anonymous Coward · · Score: 1

    Does anyone actually believe Tor is secure?

    Cloudflare are ideologically driven internet censors.

    You don't think this same technology is going to be used to track and report dissidents to the "new world order"?

    1. Re: Sounds great by DontBeAMoran · · Score: 1

      Back when Enemy of the State was released, most people thought it was Hollywood fantasy. These days, it's reality.

      So in reply to your comment, today's "whack jobs" are tomorrow's "I told you so".

      --
      #DeleteFacebook
    2. Re:Sounds great by AmiMoJo · · Score: 2

      TOR is secure, within the limitations of what it is designed to do.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. those captchas were a *feature* not a bug by themusicgod1 · · Score: 1

    They told us that we were being MiTM'd. Without them it's now more difficult to know.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
  4. CAPTCHA is still in place! by laie_techie · · Score: 2

    CAPTCHA is just a test to distinguish between bots and humans. CAPTCHA does not need to be images of swirled words. It sounds like Cloudflare has developed a CAPTCHA which isn't even visible to the end user (yeah!).

    1. Re:CAPTCHA is still in place! by acvh · · Score: 2

      CAPTCHAs are actually training for AI image and pattern recognition software. So I anticipate that soon there will be bots that can solve them as easily as we can.

    2. Re:CAPTCHA is still in place! by laie_techie · · Score: 1

      CAPTCHAs are actually training for AI image and pattern recognition software. So I anticipate that soon there will be bots that can solve them as easily as we can.

      Google used image CAPTCHAs to help digitize books; I wouldn't be surprised if other companies were using the same sort of technology to improve OCR for nefarious purposes.

    3. Re:CAPTCHA is still in place! by AmiMoJo · · Score: 1

      Google pioneered the technique with Recaptcha. It looks at things like mouse movements, browser metrics and timing info, installed font lists, all sorts of stuff.

      Unfortunately it breaks quite easily with things like RDP. If you have an RDP session and a VPN you are basically fucked, doomed to solve 10-20 captchas before you can access the site. It's got a little better recently, but still doesn't like things like you using a less popular browser.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. For products with heavy scalper demand by tepples · · Score: 1

    there was a CAPTCHA that prevented me from logging in and placing my order. How stupid is that?

    Some online stores require passing a CAPTCHA if they sell products that have a vibrant secondary market. Making automated mass buying harder for scalpers ostensibly helps get products in front of bona fide end users. One example is Ticketmaster, as ticket scalping increases cost for people attending a show without benefiting the performers. Another is Humble Store, as a warez group might have a bot watch the site for new releases, pay the minimum, and send the DRM-free games straight to the topsites.

    1. Re:For products with heavy scalper demand by tlhIngan · · Score: 1

      Another is Humble Store, as a warez group might have a bot watch the site for new releases, pay the minimum, and send the DRM-free games straight to the topsites.

      I doubt that's actually a thing - because warez sites are generally about having the latest games first, and Humble Store bundles generally mean the game or program has been out a while already. Plus they aren't necessarily DRM-free since a lot of them just give Steam codes.

      GOG store on the other hand is DRM-free and there have been many new releases on it that come out same day.

    2. Re:For products with heavy scalper demand by DontBeAMoran · · Score: 1

      Limits on CAPTCHAs should be domain-based, i.e. you may have busted the limit on shadytickets.com but still be fine on ticketmaster.com

      --
      #DeleteFacebook
    3. Re:For products with heavy scalper demand by tepples · · Score: 1

      Nowadays the "warez sites" are public torrent sites (such as The Pirate Bay) and private trackers (for which I'll refer you to the essay on Install Gentoo).

  6. So in other words by Opportunist · · Score: 1

    TOR traffic can be identified by the way it looks, not by the source it comes from? Interesting...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Cloudflare dns by BrookHarty · · Score: 1

    I had to stop using cloudflare dns because some web sites wouldn't resolve. I won't say it's sabotage, just poor technical ability.

  8. This can't happen soon enough by Applehu+Akbar · · Score: 1

    The problem with CAPTCHAs is that bots are now better than most humans at solving them, so they keep getting more and more difficult. The wiggly-text style was okay until they started putting in extraneous lines that look almost like letters. Do I count that skinny line as an I and that little bubble as an O?

    Then they began using the images divided by a grid. "Click on all cars in this picture" seems simple enough, but do you include the frame that has the tiny bit of car roof at the bottom or one pixel of front bumper? I have tried them both ways, and every time I have to go through at least six images before I hit one that works. At random, they will slip in an image so dark and fuzzy that you can't tell what's in it. I have totally given up on using any form of Google account, purely because I can no longer solve their CAPTCHAs.

    I want a USB hardware key that I can plug into whatever I'm using at the time, or something like having my iPhone act as my identification when it's on the same network as the device I'm using.

  9. Fake News by themusicgod1 · · Score: 1

    It's been 2 days, we're still getting CAPTCHAs.

    --
    GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.