The Trouble with CloudFlare
Wednesday, CloudFlare blogged that 94% of the requests it sees from Tor are "malicious." We find that unlikely, and we've asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as "malicious." Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare's system.
We're interested in hearing CloudFlare's explanation of how they arrived at the 94% figure and why they choose to block so much legitimate Tor traffic. While we wait to hear from CloudFlare, here's what we know:
1) CloudFlare uses an IP reputation system to assign scores to IP addresses that generate malicious traffic. In their blog post, they mentioned obtaining data from Project Honey Pot, in addition to their own systems. Project Honey Pot has an IP reputation system that causes IP addresses to be labeled as "malicious" if they ever send spam to a select set of diagnostic machines that are not normally in use. CloudFlare has not described the nature of the IP reputation systems they use in any detail.
2) External research has found that CloudFlare blocks at least 80% of Tor IP addresses, and this number has been steadily increasing over time.
3) That same study found that it typically took 30 days for an event to happen that caused a Tor IP address to acquire a bad reputation and become blocked, but once it happens, innocent users continued to be punished for it for the duration of the study.
4) That study also showed a disturbing increase over time in how many IP addresses CloudFlare blocked without removal. CloudFlare's approach to blocking abusive traffic is incurring a large amount of false positives in the form of impeding normal traffic, thereby damaging the experience of many innocent Tor and non-Tor Internet users, as well as impacting the revenue streams of CloudFlare's own customers by causing frustrated or blocked users to go elsewhere.
5) A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that originating from the Internet at large. (Specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).
CloudFlare disagrees with our use of the word "block" when describing its treatment of Tor traffic, but that's exactly what their system ultimately does in many cases. Users are either blocked outright with CAPTCHA server failure messages, or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs, many of which require the user to understand English in order to solve correctly. For users in developing nations who pay for Internet service by the minute, the problem is even worse as the CAPTCHAs load slowly and users may have to solve dozens each day with no guarantee of reaching a particular site. Rather than waste their limited Internet time, such users will either navigate away, or choose not to use Tor and put themselves at risk.
Also see our new fact sheet about CloudFlare and Tor: https://people.torproject.org/~lunar/20160331-CloudFlare_Fact_Sheet.pdf

Captchas are also a barrier to blind and visually impaired users accessing the free internet.
The real trouble with CloudFlare and friends is of course that they are Man-in-the-Middle-as-a-service. That people find such an invasion on the integrity of the Internet acceptable is beyond my comprehension.
*THIS!*
i agree. outside the bitcoin community nobody seems to care much, and even there some exchanges use cloudflare.
how can it even be legal for such services to give away their private key to some third party?
But 99% of the traffic on the Internet is run through "man in the middle services" including 99.99% of servers not hosted at the website owners ip. So services like CF being beyond your comprehension is understandable.
Yes, I do agree with that; they claim they don't snoop TLS, but they offer a very dangerous service called "Flexible SSL" which terminates a TLS connection at the CloudFlare node, but then passes on the data from the node to the hidden server cleartext. Perhaps the CA/B forum should investigate whether or not that is a legitimate service and instruct their member CAs as to whether or not to continue issuing certificates blindly to their services.
People have been trained (conditioned) to trust any higher authority in the form of an organization rather than trust each other. As long as this conditioning prevails expect things to drastically turn to worse. If we organize horizontally and from below without guardians and protectors and learn to trust our organization against those from above we may then begin to see the light.
Cloudflare is a business and counts on the majority as customers/individuals.
"Users are either blocked outright with CAPTCHA server failure messages, or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs.."
Lately VPN traffic is also subjected to similar CAPTCHA harassment. I doubt website owners understand the extent of legitimate traffic they lose and/or frustrate by using Cloudflare's services.
I generally like cloudflare - they serve a useful purpose, but damn - they are really hostile towards Tor users. I generally try to avoid sites which use cloudflare because of this, luckily not all websites are using the service.
Well done Akamai though.
Akamai who? i have never heard of them but have been blocked by cloudfarts many times
The fact that you haven't heard of them suggests that they are doing their job (i.e. content distribution without interfering with the user experience of ordinary internet users) properly.
Akamai is a popular CDN used by large companies like Facebook
Akamai provide lots of bandwidth related services but so far they don't disturb Tor users.
The problem is not in cloudflare but in website owners. Most website owners do not welcome tor users because if a tor user hacked his site the site owner wouldn't be able to prosecute the hacker. If a tor user posted illegal content noticed by authorities, they will go for the website owner. If the website owner is unable to help authorities to identify the poster he is liable instead of the poster.
(If a tor exit node owner is unable to help the authorities to identify the tor user they want he is liable instead of the poster.)
Because it is law enforcement, if the crime is detected, someone must be prosecuted. If no one is prosecuted, it will destroy the atmosphere governments are creating in order to control population, which means the cop must be fined or fired and a more professional cop must be hired instead.
> The problem is not in cloudflare but in website owners. Most website owners do not welcome tor users because if a tor user hacked his site the site owner wouldn't be able to prosecute the hacker.
Are you talking about a "private prosecution" (legal in some countries), or did you mean, the website owner asks police agencies to investigate, or asks government prosecutors to bring criminal charges?
> If a tor user posted illegal content noticed by authorities, they will go for the website owner. If the website owner is unable to help authorities to identify the poster he is liable instead of the poster.
In US law (which is important internationally since it tends to set the standard for international investigations), traditionally web site operators were immunized from that hazard, but this protection is under continuing threat.
> (If a tor exit node owner is unable to help the authorities to identify the tor user they want he is liable instead of the poster.)
Again, my understanding is that so far this is generally not quite true for US/EU operators of Tor nodes, but I'd be happy to hear comments from TP.
> Because it is law enforcement, if the crime is detected, someone must be prosecuted. If no one is prosecuted, it will destroy the atmosphere governments are creating in order to control population, which means the cop must be fined or fired and a more professional cop must be hired instead.
I have never heard of cops being fined simply for failing to make an arrest. Quite the opposite: in the US, cops routinely get away with murder (literally--- that is what the BLM movement is all about.)
Thanks for responding.
I hope CloudFlare customers know the damage done to them. I know I shudder at the sight of medium.com links as I recall the frustration caused by CloudFlare. It takes me 0 minutes to read their posts now.
Even if they reached their 94% by unique GET or POST requests, it is still a flawed statistic. Someone running a security scan on a host might generate 50k requests in a few hours and to compare those requests to normal requests would be ridiculous. But that is what I believe Cloudflare is doing to come up with their numbers.
Dropping the bad reputation for Tor nodes quicker after any such bad activity has stopped does not appear to be happening either. The bad rep is too sticky.
It might be that Cloudflare's malicious statement is exaggerated, but I can see how if you count millions of requests from bots compared to humans it will come close.
Anyway, since I like both your initiatives it is sad to see this battle starting.
Please try to be constructive in finding solutions because a life depending website that is down because of a ddos is equally bad as one that is down because of captcha madness.
How about owners of such sites start serving multiple instances with and without protection?
Ken
I've run into the multiple captchas problem which has appeared recently on localbitcoins where you have to run through a few captchas to access the site then another few to access the login page, on average it takes about 10 minutes just to login after having to start over and over again with a fresh identity due to captcha server errors, and if you walk away from the computer for more than 5 minutes it makes you do another set (i think this last one is Tor's fault, exit IPs are supposed to be fixed per site/session but i see them still constantly change).
Once an IP address has emitted abusive traffic, how is Cloudflare supposed to know that the address has stopped emitting abusive traffic? It's not like you can police your network and disconnect the abuser because they're anonymous, so the assumption must be that the abuser is still present. Faced with that assumption, I don't really see Cloudflare's actions as being wrong. It's simply a case of you wanting to protect your network at the expense of their network and them wanting to protect their network at the expense of your network, both aims being fundamentally incompatible.
> It's simply a case of you wanting to protect your network at the expense of their network and them wanting to protect their network at the expense of your network, both aims being fundamentally incompatible.
This is a false dilemma. We've been talking to other DDoS and website protection services in the market, and none of them blanket block Tor in perpetuity. Many of CloudFlare's competitors have sophisticated WAFs (Web Application Firewalls) or IDSs (Intrusion Detection Systems), as well as conventional spam filters that process incoming traffic to filter out malicious traffic in realtime, only while it is ongoing. Even when broad-scale scans and DDoSs require blanket bans, those companies' systems lift the ban as soon as the attack traffic subsides. They do this specifically to avoid collateral damage from infections, botnets, and IP spoofing attacks, as well as to avoid blocking users behind large-scale shared IP networks, VPNs, and Tor.
The real problem with CloudFlare in one sentence is the perma-bans and the collateral damage this causes. See also http://paulgraham.com/spamhausblacklist.html for information on how the long-term blacklist approach played out with email in the past.
We've been asking CloudFlare competitors to come forward about how they handle Tor traffic, but one of the problems is that no one wants to discuss their "secret sauce" and risk competitors catching up.
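The distinction drawn above, between a ban that lifts as soon as the attack traffic subsides and a reputation that stays "sticky" for the life of an address, as an added example (not Tor Project's or CloudFlare's code): a windowed reputation store that challenges a shared address only while abuse is ongoing, next to a sticky store that never recovers. The timeline and the address are constructed.

```python
from collections import defaultdict, deque

DAY = 86400


class WindowedReputation:
    """Flags an IP only while abuse events within a sliding window exceed a threshold."""

    def __init__(self, window_s, threshold):
        self.window_s = window_s      # how far back an abuse event still counts
        self.threshold = threshold    # events inside the window that trigger a challenge
        self._events = defaultdict(deque)

    def record_abuse(self, ip, ts):
        self._events[ip].append(ts)

    def is_flagged(self, ip, now):
        q = self._events[ip]
        # Drop events that have aged out; the flag lifts on its own once the
        # burst is over, so later users of the same exit are not punished.
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.threshold


class StickyReputation:
    """Flags an IP for good once its lifetime abuse count crosses the threshold."""

    def __init__(self, threshold):
        self.threshold = threshold
        self._count = defaultdict(int)

    def record_abuse(self, ip, ts):
        self._count[ip] += 1

    def is_flagged(self, ip, now):
        return self._count[ip] >= self.threshold


# Constructed timeline: one exit address (documentation range, not a real relay)
# emits a ten-minute burst of abuse starting at t=0, then nothing for a month.
EXIT_IP = "192.0.2.10"
BURST = [(EXIT_IP, t) for t in range(0, 600, 60)]   # 10 abuse events


def replay(store, events, probes):
    """Feed the events into a store and report the flag state at each probe time."""
    for ip, ts in events:
        store.record_abuse(ip, ts)
    return {now: store.is_flagged(EXIT_IP, now) for now in probes}


def compare(window_s=3600, threshold=5):
    """Flag state 15 minutes, 3 hours and 30 days after the burst began."""
    probes = [900, 3 * 3600, 30 * DAY]
    return {
        "windowed": replay(WindowedReputation(window_s, threshold), BURST, probes),
        "sticky": replay(StickyReputation(threshold), BURST, probes),
    }


if __name__ == "__main__":
    for name, states in compare().items():
        print(name, {f"t+{t}s": flagged for t, flagged in states.items()})
```

With a one-hour window the address is challenged during and shortly after the burst and is clean again by the three-hour probe, while the sticky store still flags it a month later.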
The part of a WAF secret sauce that deals appropriately with Tor is straightforward to talk about: label Tor requests to origin in the same way you label German or Chinese or NIPRnet requests. Be more sophisticated in applying rules---for example, if you have a WAF attack detector that labels each request with a score from 0 to 1, you might want to say "block on 0.8, warn on 0.5; but if it's from China or from Tor, block on 0.5". Those are still deterministic fast rules, so cheap enough for Bot mitigation.
I'm not a big fan of WAFs as a product category---but if you are going to have one, it's a funny threat model that leads to blocking requests whose responses will be highly cacheable. A GET forward to the origin, sure---but if you're serving from cache and setting long TTLs for the browser cache, or even just marking it Public---what's the point of blocking that? I hear "deterring vulnerability scanning," and I don't get it.
I sort of understand for ecommerce scraper not handling, but that's not meaningfully correlated with Tor---and anyway, you want to handle that at layer 8 or higher by serving interesting prices.
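The rule shape sketched in the comment above, as an added example (not the commenter's code, nor any vendor's): Tor exit membership is just another source label alongside a country code, each label carries its own block/warn thresholds for a detector score in [0, 1], and a GET that would be served from the edge cache is not gated at all, since nothing reaches the origin. The exit list, the geo table and the requests are constructed.

```python
from dataclasses import dataclass

# Constructed lookup tables (documentation-range addresses, not real relays).
TOR_EXITS = {"192.0.2.10", "198.51.100.7"}
GEO = {"203.0.113.5": "cn", "192.0.2.200": "de"}

# Per-label thresholds: block at 0.8 / warn at 0.5 by default, but for Tor or
# China block already at 0.5 (the warn band collapses into the block band).
POLICY = {
    "default": {"block": 0.8, "warn": 0.5},
    "tor": {"block": 0.5, "warn": 0.5},
    "cn": {"block": 0.5, "warn": 0.5},
}


@dataclass
class Request:
    ip: str
    score: float       # WAF attack-detector output, 0 = benign .. 1 = attack
    method: str
    cache_hit: bool    # response would be served from the edge cache


def label_source(ip):
    """Tor is labelled the same way a country is: a plain lookup, no special casing."""
    if ip in TOR_EXITS:
        return "tor"
    return GEO.get(ip, "default")


def decide(req):
    """Deterministic, cheap rule: cache hits pass, otherwise compare score to thresholds."""
    if req.method == "GET" and req.cache_hit:
        # Served from cache: the origin never sees it, so there is nothing to protect.
        return "allow"
    th = POLICY.get(label_source(req.ip), POLICY["default"])
    if req.score >= th["block"]:
        return "block"
    if req.score >= th["warn"]:
        return "warn"
    return "allow"


def decide_batch(requests):
    """Decision per request, in order, for a batch of constructed requests."""
    return [decide(r) for r in requests]


if __name__ == "__main__":
    sample = [
        Request("192.0.2.200", 0.9, "POST", False),   # German, clear attack
        Request("192.0.2.200", 0.6, "POST", False),   # German, suspicious
        Request("192.0.2.10", 0.6, "POST", False),    # Tor exit, suspicious
        Request("192.0.2.10", 0.6, "GET", True),      # Tor exit, cacheable GET
        Request("192.0.2.10", 0.2, "POST", False),    # Tor exit, benign
    ]
    for r, d in zip(sample, decide_batch(sample)):
        print(f"{r.ip:14} {label_source(r.ip):8} score={r.score:.1f} {r.method:4} -> {d}")
```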
Tor user for almost a decade here. I've been using tor exclusively for a majority of that time. I have no reason to give my physical location to each server I contact. For me it looks like this:
before CloudFlare (a few years ago): almost every website works on tor
after CloudFlare: almost no website works on tor
From what I've seen, the entire debate so far is bikeshed, including the CloudFlare blogpost, which is the pinnacle of bikeshed.
Correct me if I'm wrong but the reason people use CloudFlare is because it's either bundled in their web hosting package, or because they want CDN/anti-DDOS. None of the above require a captcha gate. Anti-DDOS already existed before and such services simply eat up as much bandwidth as possible. CloudFlare *still* has to do this. The captcha gate changes no aspect of that.
The problem here seems to be that CloudFlare bundles in some sort of IDS/IPS system. As they admit, the captcha is not part of the anti-DDOS. Instead, the captcha is purportedly there for a bunch of reasons, but in reality all it can do is mitigate bot activity. An attacker doing SQL injection on a website will *not* be stopped by a captcha gate or even the flat out blocking of any IP detected as malicious. I thought the industry already figured this out in the 90's or early 2000's. Then again, HN and the California software developer crowd love to reinvent things.
Their claim is:
> A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network.
In other words, the captcha gate does nothing other than reduce the number of bot requests. Scraping, scanning, and spam are still possible, but for the ones that CloudFlare can detect, they are blocked, and thus they have something to sell to their clients. The idea of stopping bots from crawling your page and harvesting emails is laughable. Sure, since CloudFlare control most of the web, in total it may even halve the amount of spam I get, but I'm *still* getting spam. Someone will paste my email on some page that's accessible to a bot. Bots routinely harvest emails from malware. For me it makes no difference.
However, CloudFlare is selling a magical security device. The client thinks it's making their website more secure, when in reality at most it's simply reducing spam to unrelated people. Don't treat me like a 5 year old and tell me it's stopping my content from being scraped. There are two separate concepts here:
1. A bot from a well known blacklisted IP scraping millions of pages from different websites. It will just hit the captcha gate and its effectiveness reduced. If such bot was harvesting email addresses, then yes, some unrelated people will not be spammed as much.
2. Someone scraping your site to get your content. He's going to bypass CloudFlare no matter what. He can just buy an IP address for a few dollars and scrape from there. If CloudFlare does any sort of human activity verification (e.g., monitoring page load rate, measuring mouse movement, verifying the browser), it can be bypassed through trial and error, or simply by distributing the scrape across IPs. Such is what you've signed up for when you published your content to the public internet. If anyone tells you they have a solution for this, they are lying.
Basically, CloudFlare sell some popular services, and as a Value Add, there is this dubious feature which ruins tor, and it's on by default. The only reason people use this is because either they're sold on the idea of a magic security enhancing device, or because it's just on by default and they aren't aware of it and the consequences. It's very clear that CloudFlare is only caring about their own interests. Since a big set of their customers are HN users, they have to answer to their dilettante concerns about tor. That's the only reason their blog post exists.
And it's only going to get worse. Since client behavior analyzing gates like CloudFlare and recaptcha are trending, pretty soon they will be writing browser authenticity checks which rely on *exact timings* and other browser-specific behavior to authenticate you to view a website. It will no longer be possible to create an open source browser without getting it adopted by major players. You'll just have to emulate Firefox or Chrome.
> Tor user for almost a decade here. I've been using tor exclusively for a majority of that time.
Likewise.
> I have no reason to give my physical location to each server I contact.
I put it like this: I feel I have good reason to avoid giving up geolocation and other abusable information.
> For me it looks like this:
> before CloudFlare (a few years ago): almost every website works on tor
> after CloudFlare: almost no website works on tor
Not quite as bad for me, but I also simply stopped visiting sites which require CloudFlare captchas.
> Someone scraping your site to get your content. He's going to bypass CloudFlare no matter what. He can just buy an IP address for a few dollars and scrape from there.
Just wanted to point out that US DOD (Dept of Defense) and LEO (law enforcement organization) agencies also scrape content (that's what "social media monitoring" is all about). USIC even breaks into social media servers to grab private information of users, particularly on-forum chats and messages. And LEOs hire private companies to do likewise. Years ago Nielsen company was notorious for aggressive scraping of private messages from web forums which appeared to the forum operators to resemble hacking (in that Nielsen appeared to exploit zero day flaws to grab huge amounts of nonpublic information). More recently, Nielsen seems to have engaged in "internet use surveys" without disclosing that they have been hired by USG agencies (USMS? USSS? FBI?) to target rather specific populations with an "innocuous" survey.
Thank you for finally addressing this problem.
In my view services like cloudflare are by far the greatest threat for the tor project. What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?
Furthermore I doubt most of cloudflare's customers understand that they agree to a man-in-the-middle attack on their traffic.
The two main problems with cloudflare are
1) They get to decide who is 'good' or 'bad' and filter traffic by non-transparent means
2) They at least theoretically have the ability to view, collect and analyze their clients' https traffic
This gives them enormous power over an increasingly large part of the internet.
Do we really want to let such companies decide who is allowed to view a certain website and who is not? Their approach must not be left unchallenged.
But as said the problem is of course bigger than cloudflare.
Nowadays anything even a little outside of the norm is being flagged as malicious traffic and subsequently blocked.
I think the best approach would be to get civil rights organizations like the EFF involved in this. They have the necessary legal and PR resources and would provide a more neutral point of view than the tor project team.
> What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?
That is a good point. CloudFlare could eventually make Tor almost unusable for most surfers, which would thwart our attempts to convert a sizable fraction of ordinary citizens into regular users of Tor Browser and other TP products. Which is critically important to
* wean TP from the USG teat,
* grow our user base and thus our political leverage,
* better protect anonymity.
But I can't agree with this:
> In my view services like cloudflare are by far the greatest threat for the tor project.
I think the biggest threat is by far the very real possibility that the USG will attempt to outlaw Tor Browser, and to designate Tor Project as an "illegal organization". Currently, I believe the most worrisome scenario involves intolerable pressure being brought upon Debian Project (upon which Tails and much of Tor development work relies), Tor Project, or individual developers to abuse their cryptographic signing keys by "authenticating" a Debian software update or a Tor Browser bundle tarball which have been maliciously modified by state-sponsored attackers--- today USG; tomorrow India, Kazakhstan, Nigeria...
> What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?
The solution, ironically, is more Tor. If Tor were as ubiquitous, then CloudFlare would have no choice but to re-engineer their security to address legitimate issues without taking draconian shortcuts. Otherwise, they would risk losing everyone's traffic.
@ Mike Perry:
Thanks so much for your prompt response to CloudFlare's latest scare-mongering!
I surfed to TP intending to try to post a suggestion that TP respond and was delighted to find that you had already done so--- this is exactly the kind of fast response TP needs to ensure, at a time when TP is apparently facing an existential threat of a political nature (on top of all the technical threats from Hacking Team, CMU/SEI, GCHQ/NSA, etc), exemplified by the ongoing intensive top-priority PR offensive by FBI, aka CWII, which continues unabated:
http://www.theregister.co.uk/2016/03/30/fbi_aims_to_win_war_w_apple/
The FBI lost this round against Apple – but it aims to win the war
Courts or Congress – Hobson's choice on privacy
Iain Thomson
30 Mar 2016
> While fans of strong crypto and privacy are celebrating the US Department of Justice decision to back down in the San Bernardino case against Apple, it's important not to get too giddy – this is going to be a long battle and the FBI has nothing but time.
http://arstechnica.com/tech-policy/2016/03/us-says-it-would-use-court-system-again-to-defeat-encryption/
US says it would use “court system” again to defeat encryption
Feds say they can force entire tech sector, not just Apple, to disable security.
David Kravets
29 Mar 2016
> ...
> The Justice Department now says it will not hesitate to invoke the precedent it won in its iPhone unlocking case. The authorities had obtained a court order weeks ago ordering Apple to write code to help the authorities unlock Farook's phone, all in hopes that data on it could stop another terror attack or shed light on the one that killed 14 people in San Bernardino in December. On Monday, however, the authorities said they didn't need Apple's help, asking the judge presiding over the case to withdraw the order because they had cracked the phone and obtained the desired information, all with the help of an "outside" party.
A big problem for we who support privacy technologies is that the international public's understanding of Tor (and of on-line privacy and cybersecurity generally) is very poor, according to a recently released CIGI survey:
http://www.theregister.co.uk/2016/03/30/internet_users_dont_understand_security_or_privacy_survey/
Internet users don't understand security or privacy, says survey
'Shut down the dark net, give governments backdoors', CIGI study finds
Richard Chirgwin
30 Mar 2016
> Canadian think-tank CIGI (the Centre for International Governance and Innovation) reckons ordinary citizens are more comfortable with government oversight of the Internet and their privacy than, for example, Apple. In an international survey (24,000 respondents in 24 countries), the group claims more than 70 per cent want the “dark net” shut down (which rests on the assumption that 70 per cent of people actually know what the “dark net” is). Dark net hostility is greatest in Indonesia, India and Mexico (all above 80 per cent saying it should be eliminated), with the US and Australia tied at 72 per cent.
>
> At the same time, an average of more than 26 per cent of users don't trust their governments at all over monitoring their communications without their knowledge (something not highlighted in either of the two CIGI-Ipsos media releases; The Register pulled out those numbers from the survey data.).
Tor Project needs to work tirelessly to try to work with reporters to correct our image problem, since our enemies are working tirelessly to promote the kind of false/misleading claims made by Cloudflare. This should be one aspect of TP's efforts to help organize the kind of SOPA fight against "rubberhosing" which Sen. Ron Wyden (D-OR) is urging:
http://www.theregister.co.uk/2016/03/30/senator_wyden_bid_to_defeat_encryption_weakening/
Senator Wyden recalls SOPA fight in bid to defeat encryption-weakening efforts
It's not privacy versus security; it's security versus more security
Kieren McCarthy
30 Mar 2016
> Senator Ron Wyden (D-OR) has put out a call to arms to digital rights activists, asking them to join in a SOPA-style effort to defeat upcoming efforts to weaken encryption.
>
> In a wide-ranging speech that covered J Edgar Hoover, Miranda Rights, the Founding Fathers and the Amazon Echo, the Oregon Senator warned that despite the recent decision by the FBI to drop its case against Apple, "as sure as night follows day," the issue is going to return and it will be necessary to fight legislative efforts to reduce the effectiveness of encryption.
>
> "I will block any plan that would weaken strong encryption," he told the RightsCon conference in San Francisco.
>
> "The expected legislation will be a lose-lose for all of us: less security and less liberty."
(Wyden is referring to a long-threatened bill from Sens. Feinstein/Burr, which would mandate that hardware/software providers--- presumably including TP--- "assist" USIC/FBI/LEOs by putting in various kinds of backdoors.)
Maybe provide a viable alternative suggestion to how CloudFlare should be detecting and blocking malicious traffic that would accommodate Tor?
When not visiting a specific site, but browsing and opening multiple tabs from a search result or a news collector site, I often just close the tabs with Cloudflare. I wonder if they have any statistics about users like me, who "see a captcha and leave".
These are what they call malicious traffic -- because no captcha is solved. They must be spammers :) from CF's viewpoint.
One thing cloudflare could do is provide an onion proxy service with javascript disabled like how startpage does it so we can at least view the sites. I would be happy with the freedom to read.
Since disabling JS increases risk I like many others just close the tab when a CF site comes up.
As always peace love and respect to the tor team and everyone fighting the good fight.
Here is one of the 94% evil content scrapers - not.
I visit a web site that has about 50 new pages every day.
They have about 15 images on each page. These images are hosted on another domain that uses Cloudflare.
For a Tor user all these pages are displayed without images. Because Cloudflare serves a captcha page for each image and the browser silently drops those as invalid images.
So skimming through the new pages my browser tries to load around 750 images, which cannot be displayed. And Cloudflare pats itself on the back and says it has stopped an evil scraper from taking that content. Their evidence - not one captcha has been solved for all these requests!
This is not an isolated case. I have seen other sites hosting their images on a separate domain managed by Cloudflare. Must add up to millions of "attacks" by Tor users each day that Cloudflare fends off ;D
More problematic are Javascript libraries. Some of the CDN domains that serve JS libraries apparently block/captcha Tor, which breaks many websites.
I will never stop using Tor for any reason. I circumvent things like cloudflare by using proxies additional to Tor. Pages are loading fast enough despite it. Pages that don't work this way are abandoned. So cloudflare may as well keep their services for themselves. They couldn't stop me so far. Those captchas are useless, i am not wasting time like that.
But it is not a real solution. To dispose of cloudflare would be far better.
CloudFlare: jumping on FBI's anti-crypto media blitz?
I'm glad you're addressing this at last.
But I've noticed two things in my own experience. Cloudflare makes the web less interesting in Tor. YouTube not working properly in Tor makes the web less interesting. As I'm not willing to give in and use my other browsers, or at least not too much, I find I'm being conditioned into thinking maybe I'll just get rid of the internet and not make it such a big part of my life. I like to see the positive. Slow Tor, no Cloudflare sites, YouTube trashed, my custom is being lost not to some deanonymising browser but rather to books and thinking about other things to do with my time. The slow death of a free internet is closer than I ever thought possible.
The cloudflare blog post contains this statement:
"Unfortunately, to solve that, we'd need to track Tor users across sites which would sacrifice Tor's anonymity so we've deemed it unacceptable."
...which makes it sound like they could track Tor users across the web if they wanted to.
Is there anything in this?
(If they can track Tor users across sites and could reduce CAPTCHAs by doing so, then they should go ahead and do it; not doing so would only give a false sense of anonymity)
One thing that I absolutely detest, and that spurred rabid killing impulses when I read it in Cloudflare's post (which, incidentally, I had to read on web.archive.org, because, of course, it's behind the CF firewall), one thing I detest I was saying, is people to casually equate "automatic" requests or traffic (quaintly referred to as "bot" activity) with "maliciousness" (whatever that means) or "illegitimacy".
Since fucking when does HTTP _require_ a human to be sitting behind the monitor for it to work??? How in hell is my cronjob for retrieving a page, or making a post, or firing an xmlrpc call illegitimate??? In which goddamn way are the automatic fetches of my newsreader suddenly "malicious"???
Turing tests like captchas have zero (ZERO, YOU HEAR ME?!), relationship with determining the "legitimacy" (whatever that even means?) of some protocol exchange.
I've been 100% Tor for a while now but.. using the Internet has transformed from a wondrous experience to one of great frustration.
I think about giving up using Tor on a daily basis due to the sheer volume of CAPTCHAs I have to solve. I hate the idea of using my ISP's connection directly (they monitor and sell consumer HTTP data for profit and I'd rather my habits not be on file for eternity) and the idea of choosing a 'good' VPN leaves me with a lot of doubt and worry.
Some days I want to just give up on using the Internet. Throw all my equipment away and analogue. Thanks CloudFlare. :/
Thanks. Now at least I know who's responsible for turning the free web into a captcha-mess.
Thank you Tor Project for writing this. It is very important.
I don't work for Cloudflare.
The "94% of traffic" figure can come from two different measures.
The first is "the number of malicious requests", where "malicious" is defined as "attempts to identify or exploit weaknesses which could lead to unauthorized levels of access".
The second is "the raw size of traffic which is malicious". I don't know if this percentage would be as high as the number of malicious requests.
Given that most malicious requests tend to be automated at this point (mass scanners tend to scan and move on when they don't find a vulnerability), it's quite likely that there's a few people using the Tor network to provide anonymity for their probes -- and those probes are massive scans, some number for every site that they try to find vulnerabilities in. That could -easily- overpower (even by an order of magnitude) the number of legitimate, "I know what I'm doing and I'm not exploring to find any holes around what I'm doing" kinds of traffic.
Cloudflare isn't wrong, here. Insisting that Tor isn't a concentrator for malicious traffic (precisely because of its vaunted anonymity features) isn't the correct answer, here. Tor needs a means of accountability for its users to prevent them from abusing the network. This is going to be incredibly difficult to accomplish, but there are potentially ways to do it (some of which might involve authentication through multiple chains of ECDH agreements, using the output of one agreement as a private key for the next).
Another problem with the 94% statistic is that spammers send more requests than normal users. It could be that 1000 people send 100,000 requests to a website, but it was one spammer that sent 94,000 of them. So even if 99.9% of tor users are harmless, Cloudflare can still claim "94% of tor traffic is malicious."
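The skew described above (and the earlier remark that a single security scan can generate tens of thousands of requests), worked through as an added example that is not part of the original post: the same constructed traffic is summarised per request and per client, which is the difference between "94% of requests" and "0.1% of users". The log format and all numbers are constructed to match the comment's scenario.

```python
from collections import Counter


def make_log():
    """Constructed traffic: 1000 ordinary clients sending 6 benign requests each,
    plus one scanner emitting 94,000 requests that a detector flags as malicious.
    Line shape (invented for this example): '<client> <method> <path> <verdict>'."""
    lines = []
    for i in range(1000):
        for j in range(6):
            lines.append(f"client-{i:04d} GET /page/{j} benign")
    for k in range(94_000):
        lines.append(f"scanner-0001 GET /probe/{k} malicious")
    return lines


def summarise(lines):
    """Report the malicious share three ways: by request, by client, and the
    share of all flagged requests that the single noisiest client produced."""
    total = flagged = 0
    per_client_total = Counter()
    per_client_flagged = Counter()
    for line in lines:
        client, _method, _path, verdict = line.split()
        total += 1
        per_client_total[client] += 1
        if verdict == "malicious":
            flagged += 1
            per_client_flagged[client] += 1
    clients = len(per_client_total)
    bad_clients = sum(1 for c in per_client_total if per_client_flagged[c] > 0)
    top_share = 0.0
    if flagged:
        top_share = 100.0 * per_client_flagged.most_common(1)[0][1] / flagged
    return {
        "requests": total,
        "clients": clients,
        "request_weighted_pct": 100.0 * flagged / total,
        "client_weighted_pct": 100.0 * bad_clients / clients,
        "top_client_share_of_flagged_pct": top_share,
    }


if __name__ == "__main__":
    stats = summarise(make_log())
    print(f"{stats['request_weighted_pct']:.1f}% of requests flagged, "
          f"{stats['client_weighted_pct']:.2f}% of clients flagged, "
          f"one client produced {stats['top_client_share_of_flagged_pct']:.0f}% of flagged requests")
```

A request-weighted figure says nothing about how many people behind a shared address are abusive, which is why a per-client or per-session view is the one to ask for.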
Anyone up for creating a CloudFlare competitor?
Just read the abstract of the research you linked to.
Don't get me wrong. I hate CloudFlare just as much as the next Tor user, but wording the issue as mistreatment of "second-class Web citizens" made me chuckle.
Are these connotations really useful?
Should we start accusing CloudFlare of being "anonymist" now?
Why are you calling out Cloudflare when Akamai is way worse? Akamai silently blocks Tor (just try visiting www.foxnews.com with Tor) and isn't interested in any dialog, whereas CF has been working with you. This is a dumb move.
Lately on the Cloudflare landing page I got quite often the error "reCAPTCHA / Sorry, an error has occurred". No captcha is displayed. I wonder how this is counted at Cloudflare?
CloudFlare needs to fix this... fast! It's a nightmare being a Tor user.