The Trouble with CloudFlare

by mikeperry | April 1, 2016

Wednesday, CloudFlare blogged that 94% of the requests it sees from Tor are "malicious." We find that unlikely, and we've asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as "malicious." Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare's system.

We're interested in hearing CloudFlare's explanation of how they arrived at the 94% figure and why they choose to block so much legitimate Tor traffic. While we wait to hear from CloudFlare, here's what we know:

1) CloudFlare uses an IP reputation system to assign scores to IP addresses that generate malicious traffic. In their blog post, they mentioned obtaining data from Project Honey Pot, in addition to their own systems. Project Honey Pot has an IP reputation system that causes IP addresses to be labeled as "malicious" if they ever send spam to a select set of diagnostic machines that are not normally in use. CloudFlare has not described the nature of the IP reputation systems they use in any detail.

2) External research has found that CloudFlare blocks at least 80% of Tor IP addresses, and this number has been steadily increasing over time.

3) That same study found that it typically took 30 days for an event to happen that caused a Tor IP address to acquire a bad reputation and become blocked, but once it happens, innocent users continued to be punished for it for the duration of the study.

4) That study also showed a disturbing increase over time in how many IP addresses CloudFlare blocked without removal. CloudFlare's approach to blocking abusive traffic is incurring a large amount of false positives in the form of impeding normal traffic, thereby damaging the experience of many innocent Tor and non-Tor Internet users, as well as impacting the revenue streams of CloudFlare's own customers by causing frustrated or blocked users to go elsewhere.

5) A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that originating from the Internet at large. (Specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).

CloudFlare disagrees with our use of the word "block" when describing its treatment of Tor traffic, but that's exactly what their system ultimately does in many cases. Users are either blocked outright with CAPTCHA server failure messages, or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs, many of which require the user to understand English in order to solve correctly. For users in developing nations who pay for Internet service by the minute, the problem is even worse as the CAPTCHAs load slowly and users may have to solve dozens each day with no guarantee of reaching a particular site. Rather than waste their limited Internet time, such users will either navigate away, or choose not to use Tor and put themselves at risk.

Also see our new fact sheet about CloudFlare and Tor: https://people.torproject.org/~lunar/20160331-CloudFlare_Fact_Sheet.pdf

Comments

Please note that the comment area below has been archived.

April 01, 2016

Permalink

Capchas are also a barrier to blind and visually impaired users accessing the free internet.

April 01, 2016

Permalink

The real trouble with CloudFlare and friends is of course that they are Man-in-the-Middle-as-a-service. That people find such an invasion on the integrity of the Internet acceptable is beyond my comprehension.

i agree. outside the bitcoin community nobody seems to care much, and even there some exchanges use cloudflare.
how can it even be legal for such services to give away their private key to some third party?

I'm pretty sure CF only acts as a proxy. That is, they don't know the site's private key and they only forward encrypted traffic. Although the comment below about "Flexible SSL" is worrisome.

You are wrong. CF always terminates your SSL, so they are a perfect man in the middle. It merely has the option to re-encrypt it when being forwarded to your actual site.

But 99% of the traffic on the Internet is run through "man in the middle services" including 99.99% of servers not hosted at the website owners ip. So services like CF being beyond your comprehension is understandable.

What do you mean by "man in the middle services"? I have a hard time believing CF and Akamai are /that/ popular. Look at sites like torproject.org, Gnu.org, Wikipedia.org, etc. Sure, this probably has to do with the audience of these sites, but 99.99% seems a little steep. Very many mom and pop websites use CF because they are small and they need it for protection, but if we are looking just at the most popular sites out there, I suspect that percentage would be substantially lower.

When you say 99% of Internet traffic, are you talking about traffic byte for byte, packet for packet, number of TCP connections, HTTP requests? This is an important distinction since sites like youtube and netflix are probably the biggest byte for byte, but they are already built with big pipes for high load and don't really need the likes of CF. But if you mean 99% of HTTP requests, that's slightly more believable since that's what CF is designed for and most commonly used with.

Bottom line: do you have a link to the source of these statistics?

Yes, I do agree with that; they claim they don't snoop TLS, but they offer a very dangerous service called "Flexible SSL" which terminates a TLS connection at the CloudFlare node, but then passes on the data from the node to the hidden server cleartext. Perhaps the CA/B forum should investigate whether or not that is a legitimate service and instruct their member CAs as to whether or not to continue issuing certificates blindly to their services.

That feature was used by some people to make their static Github blogs use HTTPS on custom domains. In the end, it covers part of the distance and although not perfect, maybe doesn't deserve such distaste. With Let's Encrypt now that automatic HTTPS is possible, custom domain HTTPS can be offered as part of any hosting service without full server privilege, deprecating Flexible SSL.

OTOH, a properly set up TLS session cannot be inspected without some exploits, such as NSA/CIA's one on D-H key exchange, which is not economically viable for a CDN to execute.

People have been trained (conditioned) to trust any higher authority in the form of an organization rather than trust each other. As long as this conditioning prevails expect things to drastically turn to worse. If we organize horizontally and from below without guardians and protectors and learn to trust our organization against those from above we may then begin to see the light.

Cloudflare is a business and counts on the majority as customers/individuals.

I have had bad experiences with certain websites that Cloudflare is suppose to protect, such as getting scammed out of my money. And, when I've tried to track down who the host is for that website, I find that is non-other than Cloudflare themselves who just claim to be a security protocol for the real host of the scam-site. But, I believe Cloudflare themselves are the real crooks, and are indeed the host. Websites such as bitcoincloudservices.com continue to remain up without ever getting taken down.

April 01, 2016

Permalink

"Users are either blocked outright with CAPTCHA server failure messages, or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs.."

Lately VPN traffic is also subjected to similar CAPTCHA harassment. I doubt website owners understand the extent of legitimate traffic they lose and/or frustrate by using Cloudfare's services.

I agree, I've start giving up because the CAPTCHAs are just pissing me off. I'm brain-damaged, so I don't have a CS degree but even my dumb self knows that an algorithm that includes the logic: IF [IP matches TOR blacklist] AND [traffic pattern matches known attack pattern] THEN [offer aggressive CAPTCHA] + IF [pattern is repeated] THEN [add IP to blocklist].
Something like that. It's not rocket science, and Cloudflare are REALLY weak to not implement a more intelligent setup. Or they're actively trying to harvest data on behalf of the usual Big Brother powers that be, using their market share to change culture.

The case against captcha has has to go legal. My time is valuable. Captcha has to stop, Its censorship. It also prevents people from the truth. I know Cloudfare knows i am no robot. One answer is enough. Its discriminatory.

April 01, 2016

Permalink

I generally like cloudflare - they serve a useful purpose, but damn - they are really hostile towards Tor users. I generally try to avoid sites which use cloudflare because of this, luckily not all websites are using the service.

Well done Akamai though.

The fact that you haven't heard of them suggests that they are doing their job (i.e. content distribution without interfering with the user experience of ordinary internet users) properly.

To the best of my knowledge, Facebook has become so huge they decided to operate their own CDN.
As an added bonus, their self-hosted approach ensures they can run their site from a .onion domain.

Akamai has been around since 1998, and they don't put themselves in the news for tunnelling dodgy sites (they have an acceptable use policy), in blogs for bad HTTPS (secure sites have dedicated IPs by the way), and now on the Tor blog for blocking Tor.
With about 18 years of experience, they likely have seen and deflected just about every attack out there, and have been around through the full evolution of Tor as well as other proxy services, likely putting in significant engineering effort to maintain compatibility with these proxies while not compromising protection against threats.

Akamai was founded by Daniel "Danny" Mark Lewin was an American-Israeli mathematician and entrepreneur who co-founded internet company Akamai Technologies. He died in the 911 attacks (suspicious). At the very top level of Akamai is the "Akamai Web Intelligence" that does on their network what NSA does on every other network.

April 01, 2016

Permalink

The problem is not in cloudflare but in website owners. Most of website owners do not welcome tor users because if tor user hacked his site the site owner wouldn't be able to prosecute hacker. If a tor user posted illegal content noticed by authorities, they will go for the website owner. If the website owner is unable to help authorities to identify the poster he is liable instead of the poster.
(If tor exit node owner is unable to help the authorities to identify the tor user they want he is liable instead of the poster.)

Because it is law enforcement, if the crime is detected, someone must be prosecuted. If noone is prosecuted, it will destroy the atmosphere governments are creating in order to control population, which means the cop must be fined or fired and a more professional cop must be hired instead.

> The problem is not in cloudflare but in website owners. Most of website owners do not welcome tor users because if tor user hacked his site the site owner wouldn't be able to prosecute hacker.

Are you talking about a "private prosecution" (legal in some countries), or did you mean, the website owner asks police agencies to investigate, or asks government prosecutors to bring criminal charges?

> If a tor user posted illegal content noticed by authorities, they will go for the website owner. If the website owner is unable to help authorities to identify the poster he is liable instead of the poster.

In US law (which is important internationally since it tends to set the standard for international investigations), traditionally web site operators were immunized from that hazard, but this protection is under continuing threat.

> (If tor exit node owner is unable to help the authorities to identify the tor user they want he is liable instead of the poster.)

Again, my understanding is that so far this is generally not quite true for US/EU operators of Tor nodes, but I'd be happy to hear comments from TP.

> Because it is law enforcement, if the crime is detected, someone must be prosecuted. If noone is prosecuted, it will destroy the atmosphere governments are creating in order to control population, which means the cop must be fined or fired and a more professional cop must be hired instead.

I have never heard of cops being fined simply for failing to make an arrest. Quite the opposite: in the US, cops routinely get away with murder (literally--- that is what the BLM movement is all about.)

"Quite the opposite: in the US, cops routinely get away with murder..."

Or act like real criminals with seizing your private property -in amounting to billions- without any real charge.

In Germany there is no liability for operators of tor exit nodes but sometimes there are searches and confiscations (sometimes for months) without compensation. It's quite deterring for people running an exit-node from home (I know of a case where every computer in a household was confiscated and returned only after months and without compensation). Also the police is allowed to use evidence of completely unrelated "crimes" (from copyright to owning cannabis) found in such searches.

You never used cloudflare, but I use it... you (the site owner) can not disable that captcha for TOR users! Their is no option for that.

Even if you set the firewall protection to what they call "essentially off" it still demands captchas from TOR users. I know, I test it.

Many people like me use cloudflare, because I want to protect the real hosting provider from attacks on the web site (cloudflare is the only one they can find in the whois & DNS information)... because if someone attacks the hosting company and they think it is because of my web site, they will immediately put me out of there... unless you have millions of dollars or euros... when they may open a big $$$ €€€ exception for you, as long as you spend it like there is no tomorrow. And also helps a little in protecting against attacks on the hosting company control management to get to you (since they don't know who is, they can't attack it).

April 01, 2016

Permalink

Thanks for responding.

I hope CloudFlare customers know the damage done to them. I know I shudder at the sight of medium.com links as I recall the frustration caused by CloudFlare. It takes me 0 minues to read their posts now.

April 01, 2016

Permalink

Even if they reached their 94% by unique GET or POST requests, it is still a flawed statistic. Someone running a security scan on a host might generate 50k requests in a few hours and to compare those requests to normal requests would be ridiculous. But that is what I believe Cloudfare is doing to come up with their numbers.

Dropping the bad reputation for Tor nodes quicker after any such bad activity has stopped does not appear to be happening either. The bad rep is too sticky.

April 01, 2016

Permalink

It might be that cloudflares malicious statement is exagerated, but I can see how if you count million of request from bots compared to humans it will come close.

Anyway, since I like both your initiatives it is sad to see this battle starting.

Please try to be constructive in finding solutions because a life depending website that is down because of a ddos is equally bad as one that is down because of captcha madness.

How about owners of such sites start serving multiple instances with and without protection?

Ken

>a life depending website that is down because of a ddos
If you think you can effectively use Tor for DDoS, you are very, I'm gonna be polite, naive.

The Tor network is not a DoS threat for any website.

April 01, 2016

Permalink

Ive run into the multiple captchas problem which has appeared recently on localbitcoins where you have to run through a few captchas to access the site then another few to access the login page, on average it takes about 10 minutes just to login after having to start over and over again with a fresh identity due to captcha server errors, and if you walk away from the computer for more than 5 minutes it makes you do another set (i think this last one is Tor's fault, exit ip's are supposed to be fixed per site/session but i see them still constantly change).

>i think this last one is Tor's fault, exit ip's are supposed to be fixed per site/session but i see them still constantly change

No. This is by design. Circuits are switched after some time (currently it's 10 minutes by default).

Read the documentation.

April 01, 2016

Permalink

Once an IP address has emitted abusive traffic, how is Cloudflare supposed to know that the address has stopped emitting abusive traffic? It's not like you can police your network and disconnect the abuser because they're anonymous, so the assumption must be that the abuser is still present. Faced with that assumption, I don't really see Cloudflare's actions as being wrong. It's simply a case of you wanting to protect your network at the expense of their network and them wanting to protect their network at the expense of your network, both aims being fundamentally incompatible.

> It's simply a case of you wanting to protect your network at the expense of their network and them wanting to protect their network at the expense of your network, both aims being fundamentally incompatible.

This is a false dilemma. We've been talking to other DDoS and website protection services in the market, and none of them blanket block Tor in perpetuity. Many of CloudFlare's competitors have sophisticated WAFs (Web Application Firewalls) or IDSs (Intrusion Detection Systems), as well as conventional spam filters that process incoming traffic to filter out malicious traffic in realtime, only while it is ongoing. Even when broad-scale scans and DDoSs require blanket bans, those companies' systems lift the ban as soon as the attack traffic subsides. They do this specifically to avoid collateral damage from infections, botnets, and IP spoofing attacks, as well as to avoid blocking users behind large-scale shared IP networks, VPNs, and Tor.

The real problem with CloudFlare in one sentence is the perma-bans and the collateral damage this causes. See also http://paulgraham.com/spamhausblacklist.html for information on how the long-term blacklist approach played out with email in the past.

We've been asking CloudFlare competitors to come forward about how they handle Tor traffic, but one of the problems is that no one wants to discuss their "secret sauce" and risk competitors catching up.

April 01, 2016

In reply to mikeperry

Permalink

The part of a WAF secret sauce that deals appropriately with Tor is straightforward to talk about: label Tor requests to origin in the same way you label German or Chinese or NIPRnet requests. Be more sophisticated in applying rules---for example, if you have a WAF attack detector that labels each request with a score from 0 to 1, you might want to say "block on 0.8, warn on 0.5; but if it's from China or from Tor, block on 0.5". Those are still deterministic fast rules, so cheap enough for Bot mitigation.

I'm not a big fan of WAFs as a product category---but if you are going to have one, it's a funny threat model that leads to blocking requests whose responses will be highly cachable. A GET forward to the origin, sure---but if you're serving from cache and setting long TTLs for the browser cache, or even just marking it Public---what's the point of blocking that? I hear "deterring vulnerability scanning," and I don't get it.

I sort of understand for ecommerce scraper not handling, but that's not meaningfully correlated with Tor---and anyway, you want to handle that at layer 8 or higher by serving interesting prices.

April 01, 2016

Permalink

Tor user for almost a decade here. I've been using tor exclusively for a majority of that time. I have no reason to give my physical location to each server I contact. For me it looks like this:

before CloudFlare (a few years ago): almost every website works on tor

after CloudFlare: almost no website works on tor

From what I've seen, the entire debate so far is bikeshed, including the CloudFlare blogpost, which is the pinnacle of bikeshed.

Correct me if I'm wrong but the reason people use CloudFlare is because it's either bundled in their web hosting package, or because they want CDN/anti-DDOS. None of the above require a captcha gate. Anti-DDOS already existed before and such services simply eat up as much bandwidth as possible. CloudFlare *still* has to do this. The captcha gate changes no aspect of that.

The problem here seems to be that CloudFlare bundles in some sort of IDS/IPS system. As they admit, the captcha is not part of the anti-DDOS. Instead, the captcha is pupportedly there for a bunch of reasons, but in reality all it can do is mitigate bot activity. An attacker doing SQL injection on a website will *not* be stopped by a captcha gate or even the flat out blocking of any IP detected as malicious. I thought the industry already figured this out in the 90's or early 2000's. Then again, HN and the California software developer crowd love to reinvent things.

Their claim is:

> A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network.

In other words, the captcha gate does nothing other than reduce the number of bot requests. Scraping, scanning, and spam are still possible, but for the ones that CloudFlare can detect, they are blocked, and thus they have something to sell to their clients. The idea of stopping bots from crawling your page and harvesting emails is laughable. Sure since CloudFlare control most of the web, in total it may even half the amount of spam I get, but I'm *still* getting spam. Someone will paste my email on some page that's accessible to a bot. Bots routinely harvest emails from malware. For me it makes no difference.

However, CloudFlare is selling a magical security device. The client thinks it's making their website more secure, when in reality at most it's simply reducing spam to unrelated people. Don't treat me like a 5 year old and tell me it's stopping my content from being scraped. There are two separate concepts here:

1. A bot from a well known blacklisted IP scraping millions of pages from different websites. It will just hit the captcha gate and its effectiveness reduced. If such bot was harvesting email addresses, then yes, some unrelated people will not be spammed as much.
2. Someone scraping your site to get your content. He's going to bypass CloudFlare no matter what. He can just buy an IP address for a few dollars and scrape from there. If CloudFlare does any sort of human activity verification (e.g, monitoring page load rate, measuring mouse movement, verifiying the browser), it can be bypassed through trial and error, or simply by distributing the scrape across IPs. Such is what you've signed up for when you published your content to the public internet. If anyone tells you they have a solution for this, they are lying.

Basically, CloudFlare sell some popular services, and as a Value Add, there is this dubious feature which ruins tor, and it's on by default. The only reason people use this is because either they're sold on the idea of a magic security enhancing device, or because it's just on by default and they aren't aware of it and the consequences. It's very clear that CloudFlare is only caring about their own interests. Since a big set of their customers are HN users, they have to answer to their dilittante concerns about tor. That's the only reason their blog post exists.

And it's only going to get worse. Since client behavior analyzing gates like CloudFlare and recaptcha are trending, pretty soon they will be writing browser authenticity checks which rely on *exact timings* and other browser-specific behavior to authenticate you to view a website. It will no longer be possible to create an open source browser without getting it adopted by major players. You'll just have to emulate Firefox or Chrome.

> Tor user for almost a decade here. I've been using tor exclusively for a majority of that time.

Likewise.

> I have no reason to give my physical location to each server I contact.

I put it like this: I feel I have good reason to avoid giving up geolocation and other abusable information.

> For me it looks like this:
> before CloudFlare (a few years ago): almost every website works on tor
> after CloudFlare: almost no website works on tor

Not quite as bad for me, but I also simply stopped visiting sites which require CloudFlare captchas.

> Someone scraping your site to get your content. He's going to bypass CloudFlare no matter what. He can just buy an IP address for a few dollars and scrape from there.

Just wanted to point out that US DOD (Dept of Defense) and LEO (law enforcement organization) agencies also scrape content (that's what "social media monitoring" is all about). USIC even breaks into social media servers to grab private information of users, particularly on-forum chats and messages. And LEOs hire private companies to do likewise. Years ago Nielsen company was notorious for aggressive scraping of private messages from web forums which appeared to the forum operators to resemble hacking (in that Nielsen appeared to exploit zero day flaws to grab huge amounts of nonpublic information). More recently, Nielsen seems to engaged in "internet use surveys" without disclosing that they have been hired by USG agencies (USMS? USSS? FBI?) to target rather specific populations with an "innocuous" survey.

BTW, CloudFlare adversely reduces privacy even if you just want to browse a single website. On sites without CloudFlare, you can view each document with a unique identity (no cookies, cache, js, etc. browse each page with a random exit node). With CloudFlare, you'd have to solve a captcha for each document. The only way around this without bypassing the captcha somehow is to save all the documents on the website under one identity, and browse the few you care about offline. Ironically, I've had no trouble doing this for sets of 100-1000 documents. Meanwhile, my most commonly used website, Wikipedia, doesn't have the CloudFlare gate so far, so I don't have such a problem with them.

Totally agree. Cloudflare is a purveyor of fine snake-oil. No wonder they don't really respond to criticism. Pretending to listen to take the edge off criticism, stalling for time, sidetracking (just have a look at the bugtracker ticket!), hiding behind smokescreens (clouds?), while claiming to be on the good side, yes. But no effort to really address the damage they are inflicting on the Tor project. Of course not. The king of MitM pseudo-security services is naked.

That last point you raise is a very dangerous development. Forget about browsers. Forget about the web. Behavioral profiling will increasingly be seen as something normal. Sensors everywhere, and if you don't conform to model, WHAM: malicious. Locked out. No more house keys. No more tickets. No more passwords. Google will know it's them. A sheeple's dream, a misfit's nightmare.

April 01, 2016

Permalink

Thank you for finally addressing this problem.

In my view services like cloudflare are by far the greatest threat for the tor project. What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?

Furthermore I doubt most of cloudflare's customers understand that they agree to a man-in-the-middle attack on their traffic.

The two main problems with cloudflare are
1)They get to decide who is 'good' or 'bad' and filter trafffic by intransparent means
2)They at least theoretically have the ability to view, collect and analyze their clients https traffic
This gives them enormous power over an increasingly large part of the internet.
Do we really want to let such companies decide who is allowed to view a certain website and who is not? Their approach must not be left unchallanged.

But as said the problem is of course bigger than cloudflare.
Nowadays anything even a little outside of the norm is being flagged as malicious traffic and subsequently blocked.

I think the best approach would be to get civil rights organizations like the EFF involved in this. They have the necessary legal and PR ressources and would provide a more neutral point of view than the tor project team.

> What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?

That is a good point. CloudFlare could eventually make make Tor almost unusable for most surfers, which would thwart our attempts to convert a sizable fraction of ordinary citizens into regular users of Tor Browser and other TP products. Which is crtically important to
*wean TP from the USG teat,
* grow our user base and thus our political leverage,
* better protect anonymity.

But I can't agree with this:

> In my view services like cloudflare are by far the greatest threat for the tor project.

I think the biggest threat is by far the very real possibility that the USG will attempt to outlaw Tor Browser, and to designate Tor Project as an "illegal organization". Currently, I believe the most worrisome scenario involves intolerable pressure being brought upon Debian Project (upon which Tails and much of Tor development work relies), Tor Project, or individual developers to abuse their cryptographic signing keys by "authenticating" a Debian software update or a Tor Browser bundle tarball which have been maliciously modified by state-sponsored attackers--- today USG; tomorrow India, Kazakhstan, Nigeria...

>today USG; tomorrow India, Kazakhstan, Nigeria

ha! there's that formula again!

"the real concern is that all this nastiness will later end up in the hands of
because even when the USA has the most developed surveillance apparatus on earth, it isn't actually oppressive, we are good guys you know, we have our checks and balances after all!"

yanks seriously are brainwashed, xD

The Debian project has already recognized this threat. This is part of the reason they are so interested in reproducible builds.

> What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?

Well, we have our internal onion network, remember? This is yet another good opportunity to emphasise its goodness.

> What's the point of sophisticated methods to avoid censorship on ISP level when all exit nodes are blocked by a majority of websites?

The solution, ironically, is more Tor. If Tor were as ubiquitous, then CloudFare would have no choice but to re-engineer their security to address legitimate issues without taking draconian shortcuts. Otherwise, they would risk losing everyone's traffic.

actually the solution is maidsafe, a distributed internet that cant be ddosd or censored since everyone is both a client and a server. Its like if bittorrent went 2.0 but everyone held an encrypted chunk of a file instead of an unencrypted whole file and no one knew which chunk they had and therefore could not be held accountable or actively censor it.

This is also serves as a replacement for Tor.

April 01, 2016

Permalink

@ Mike Perry:

Thanks so much for your prompt response to CloudFare's latest scare-mongering!

I surfed to TP intending to try to post a suggestion that TP respond and was delighted to find that you have already had done so--- this is exactly the kind of fast response TP needs to ensure, at a time when TP is apparently facing an existential threat of a political nature (on top of all the technical threats from Hacking Team, CMU/SEI, GCHQ/NSA, etc), exemplified by the ongoing intensive top-priority PR offensive by FBI, aka CWII, which continues unabated:

http://www.theregister.co.uk/2016/03/30/fbi_aims_to_win_war_w_apple/
The FBI lost this round against Apple – but it aims to win the war
Courts or Congress – Hobson's choice on privacy
Iain Thomson
30 Mar 2016

> While fans of strong crypto and privacy are celebrating the US Department of Justice decision to back down in the San Bernardino case against Apple, it's important not to get too giddy – this is going to be a long battle and the FBI has nothing but time.

http://arstechnica.com/tech-policy/2016/03/us-says-it-would-use-court-s…
US says it would use “court system” again to defeat encryption
Feds say they can force entire tech sector, not just Apple, to disable security.
David Kravets
29 Mar 2016

> ...
> The Justice Department now says it will not hesitate to invoke the precedent it won in its iPhone unlocking case. The authorities had obtained a court order weeks ago ordering Apple to write code to help the authorities unlock Farook's phone, all in hopes that data on it could stop another terror attack or shed light on the one that killed 14 people in San Bernardino in December. On Monday, however, the authorities said they didn't need Apple's help, asking the judge presiding over the case to withdraw the order because they had cracked the phone and obtained the desired information, all with the help of an "outside" party.

A big problem for we who support privacy technologies is that the international public's understanding of Tor (and of on-line privacy and cybersecurity generally) is very poor, according to a recently released CIGI survey:

http://www.theregister.co.uk/2016/03/30/internet_users_dont_understand_…
Internet users don't understand security or privacy, says survey
'Shut down the dark net, give governments backdoors', CIGI study finds
Richard Chirgwin
30 Mar 2016

> Canadian think-tank CIGI (the Centre for International Governance and Innovation) reckons ordinary citizens are more comfortable with government oversight of the Internet and their privacy than, for example, Apple. In an international survey (24,000 respondents in 24 countries), the group claims more than 70 per cent want the “dark net” shut down (which rests on the assumption that 70 per cent of people actually know what the “dark net” is). Dark net hostility is greatest in Indonesia, India and Mexico (all above 80 per cent saying it should be eliminated), with the US and Australia tied at 72 per cent.
>
> At the same time, an average of more than 26 per cent of users don't trust their governments at all over monitoring their communications without their knowledge (something not highlighted in either of the two CIGI-Ipsos media releases; The Register pulled out those numbers from the survey data.).

Tor Project needs to work tirelessly to try to work with reporters to correct our image problem, since our enemies are working tirelessly to promote the kind of false/misleading claims made by Cloudfare. This should be one aspect of TP's efforts to help organize the kind of SOPA fight against "rubberhosing" which Sen. Ron Wyden (D-OR) is urging:

http://www.theregister.co.uk/2016/03/30/senator_wyden_bid_to_defeat_enc…
Senator Wyden recalls SOPA fight in bid to defeat encryption-weakening efforts
It's not privacy versus security; it's security versus more security
Kieren McCarthy
30 Mar 2016

> Senator Ron Wyden (D-OR) has put out a call to arms to digital rights activists, asking them to join in a SOPA-style effort to defeat upcoming efforts to weaken encryption.
>
> In a wide-ranging speech that covered J Edgar Hoover, Miranda Rights, the Founding Fathers and the Amazon Echo, the Oregon Senator warned that despite the recent decision by the FBI to drop its case against Apple, "as sure as night follows day," the issue is going to return and it will be necessary to fight legislative efforts to reduce the effectiveness of encryption.
>
> "I will block any plan that would weaken strong encryption," he told the RightsCon conference in San Francisco.
>
> "The expected legislation will be a lose-lose for all of us: less security and less liberty."

(Wyden is referring to a long-threatened bill from Sens. Feinstein/Burr, which would mandate that hardware/software providers--- presumably including TP--- "assist" USIC/FBI/LEOs by putting in various kinds of backdoors.)

"It is all of them (government agencies) against all of us (The People)."

A senior FBI official has dramatically confirmed the truth of this statement in the following letter published by Buzzfeed:

> Since recovering an iPhone from one of the San Bernardino shooters on December 3, 2015, the FBI sought methods to gain access to the data stored on it. As the FBI continued to conduct its own research, and as a result of the worldwide publicity and attention generated by the litigation with Apple, others outside the US government continued to contact the US government offering avenues of possible research. In mid-March, an outside party demonstrated to the FBI a possible method for unlocking the iPhone. That method for unlocking that specific iPhone proved successful.

> We know that the absence of lawful, critical investigative tools due to the "Going Dark" problem is a substantial state and local law enforcement challenge that you face daily. As has been our longstanding policy, the FBI will of course consider any tool that might be helpful to our partners. Please know that we will continue to do everything we can to help you consistent with our legal and policy constraints. You have our commitment that we will maintain an open dialogue with you. We are in this together.

> Kerry Sleeper
> Assistant Director
> Office of Partner Engagement
> FBI

See:

http://arstechnica.com/tech-policy/2016/04/fbi-offers-crypto-assistance…
FBI offers crypto assistance to local cops: “We are in this together”
After iPhone unlock in San Bernardino, FBI re-assures police it will try to help.
Cyrus Farivar
2 Apr 2016

And for another stark indication of FBI's naked-duplicity-as-routine-policy, see this:

https://www.techdirt.com
FBI Won't Tell Apple How It Got Into iPhone... But Is Apparently Eager To Help Others Break Into iPhones
Tim Cushing
31 Mar 2016

>> as iPhone forensics guru Jonathan Zdziarski succinctly summarized:

>>> FBI: You should do it, it's just one phone
>>> Apple: No it isn't
>>> FBI: We got in
>>> Apple: You should say how, it's just one phone
>>> FBI: No it isn't

But FBI must take second place to USIC for sheer audacity in misleading/inaccurate official statements. ODNI GC Robert Litt has been assuring inquiring reporters that NSA's new information sharing rules (which remove restrictions on sharing of raw "full take" NSA data trawls of the communications and data, e.g. PC disk drive content, of US citizens) only apply to "intelligence". But FBI has rebranded itself as an "intelligence agency", and DEA has always considered itself both an intelligence agency and an LEO. This is worrisome because DEA has for decades treated every citizen of at least some countries as a felony suspect, and one receives the impression that NSA is trying to disguise the fact that DEA/FBI now treats all US citizens as felony suspects, and thus, treats them as suitable targets for warrantless intrusive espionage. See for example the Snowden leaked documents on how NSA abuses national telecom contracts with US companies such as ATT to illegally record the full content of every telephone call to or from or within Bahamas and then gives DEA free access to all this stolen information, and see:

https://www.techdirt.com/articles/20160401/odni-lawyer-bob-litt-says-th…
ODNI Lawyer Bob Litt Says There's No NSA Data Sharing With Law Enforcement... If You Don't Count The FBI, DEA, Etc.
1 Apr 2016

Meanwhile, it seems that various "Western" LEOs are joining the national police forces of nations like Uzbekistan in exploiting the terrorism card to demand access to devices used by investigative reporters. For example, RCMP:

https://www.techdirt.com/articles/20160331/canadian-court-says-vice-mag…
Journalism
Tim Cushing
1 Apr 2016

A Canadian court -- granting a request made by the Royal Canadian Mounted Police (RCMP) -- is in the process of dismantling protections for Canadian journalists. The case involves a Skype interview by Vice Magazine with an alleged terrorist currently located in Syria. The interview, in which the self-avowed terrorist (Farad Mohamed Shirdon) claimed an attack in New York City was imminent, appeared back in October 2015 and led directly to his being charged in absentia with several terrorism-related offenses.

See also this from a tech-savvy resident of Brussels:

http://arstechnica.com/tech-policy/2016/04/brussels-terror-attacks-surv…
Brussels terror attacks: Why ramping up online surveillance isn’t the answer
Op-ed: Brief moratorium needed on calls for new spying laws after atrocities.
Jennifer Baker
2 April 2016

> I am in Brussels. And I am scared. Very scared... of the probable security backlash following last month’s terrorist attacks.

It's all of them (governments) against all of us (The People).

April 01, 2016

Permalink

Maybe provide a viable alternative suggestion to how CloudFlare should be detecting and blocking malicious traffic that would accommodate Tor?

One really easy alternative, that they could do immediately, is to stop preventing Tor users from accessing static pages. How could "GET /index.html" be malicious?

But I find your question odd. Are CloudFlare only hiring people too incompetent to get jobs at other CDNs? I don't believe that, which means they can think of a better solution themselves: every major competitor did. I'll stop short of claiming they have some anti-Tor agenda, for now—but at best, they just don't give a shit. (Maybe I'm overlooking something explained in their blog post, but that's hosted by CloudFlare, so...)

Maybe provide a less stupid question?
Maybe properly define "malicious traffic"?
Maybe question if any such wholesale blocking is necessary at all?
Maybe Tor Project should receive payment if they are to provide implementations for Cloudflare's bullshit "protection" product?

As the original post above already pointed out that Cloudflare's competitors manage to do this successfully but somehow Cloudflare does not, it makes you sound like a Cloudflare employee attempting image mitigation.

Good to see someone is looking for a compromise.

Tor is understandably upset that their legitimate use is being blocked, but has no way to measure or control their abuse. Companies like CloudFlare have no choice but to block when the abuse gets too high.

This is a stalemate. Suggesting that CloudFlare whitelist all Tor traffic is just as silly as suggesting that all Tor traffic should be blocked. We need a viable solution (javascript challenges and captchas are the best anyone's found so far).

Ask the site owner to setup a hidden service. In most cases, it only takes a few commands and can be done in literally about one minute. The Tor protocol already has protections against network-level DDoS attacks built-in, because the designers recognized long ago that Tor would be a prime tool for those kinds of attacks.

If protecting against network-level DDoS attacks is your only concern, then an HS can coexist just fine with CloudFlare. You just point the hidden service at your server's (secret) IP just like you do with CF, and your server will remain hidden and protected yet accessible to Tor users. Unfortunately many Tor users will not know about the .onion address if they are blocked by CF the first and every time they try to access your site by its domain name. (Do I hear a need for a ".onion Everywhere" extension for Firefox/TB?)

The downside (or upside, depending on who you ask) here is that the HS will bypass CloudFlare entirely, and sites wanting features other than network-level DDoS protection will have to use something on their local server.

Just to be clear: this is **not** a technical limitation. If CloudFlare wanted to, they could set up their own Tor hidden service addresses (one for each site behind them), and terminate the Tor connection there, scan the traffic and forward it to the site (according to its "Host:" header or addr:port pair). You'd be trading privacy for accessibility, but it's your choice. The site could even get a TLS certificate with the .onion address on it and pass only end-to-end encrypted traffic, but that would defeat the purpose of CloudFlare-over-Tor entirely!

If it works for Facebook, it can work for anyone. I see no reason why a Tor hidden service address is not a good idea for any site.

Or provide the site operators with an alternative, such as Akamai, Amazon Cloudfront, Google Shield, and numerous other CDNs and reverse proxies. Not that they'll take any advice from a mere Tor user.

April 01, 2016

Permalink

We now have some answers about the infamous CMU/SEI breakage of Tor (or maybe just hidden services?): it seems that Army Research Laboratory (ARL) hired SEI (Software Engineering Institute) to "research" dragnet style Tor breakage, and FBI then subpoenaed CMU to get the "experimental" data.

This procedure (agency A commissions "research" then agency B subpoenas the raw data) could quickly become commonplace since many recently passed laws contains very broad exceptions to privacy rules for "research" (not further specified).

Here are the most relevant portions of the document (a ruling by Judge Richard A. Jones in the Farrell case being heard in Seattle, WA) which contains the revelations:

> the defendant’s IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”). The government previously produced information to the defense that Farrell’s IP address was observed when SEI was operating its computers on the Tor network.
> ...
> SEI’s identification of the defendant’s IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny.
> ...
> In the instant case, it is the Court’s understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers. Again, according to the parties’ submissions, such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.

Ars asked some lawyers to comment and they made some useful points:

http://arstechnica.com/tech-policy/2016/02/judge-confirms-what-many-sus…
Judge confirms what many suspected: Feds hired CMU to break Tor
A 1992 case about paper shredders may also shed some light on Tor privacy question.
Cyrus Farivar
24 Feb 2016

> A federal judge in Washington has now confirmed what has been strongly suspected: that Carnegie Mellon University (CMU) researchers at its Software Engineering Institute were hired by the federal government to do research into breaking Tor in 2014. The judge also made a notable statement in his court order that "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network."
> ...
> Neil Richards, a law professor at Washington University in St Louis, said that this "reasonable expectation of privacy" for Internet users is "an open one." The so-called third-party doctrine, which stemmed from the 1979 Supreme Court decision Smith v. Maryland, found that telephone users do not have a privacy interest in the phone numbers that they dial, as the phone company has access to them.
>
> "Law enforcement have argued that this sharing rationale applies to all Internet and digital data held by third parties—ISPs, e-mail providers, fitness trackers, cloud storage providers, etc," Richards told Ars. "The strong form of this argument is nonsense. Law enforcement in the past also argued that they didn’t need warrants to open mail or tap telephones, and ultimately lost on both counts. The Supreme Court hasn’t ruled on e-mail yet, but lower courts require a warrant for e-mail, and the Supreme Court has made clear in recent cases that a majority of Justices are very concerned about digital privacy and are eager to extend the Fourth Amendment to that, just like they did for telephone calls in the 1960s."
>
> Mark Rumold, an attorney with the Electronic Frontier Foundation, concurred.
>
> "The expectation of privacy analysis has to change when someone is using Tor," he said. "Rotely applying precedent leads to bad results, like courts finding that someone 'clearly' lacks a privacy interest in their IP address, even though they're using technology specifically designed to protect that privacy interest."

Vice has cited Mike Perry's previous post in an update to its story on the ARL/CMU/SEI revelation:

https://motherboard.vice.com/read/carnegie-mellon-university-attacked-t…
Confirmed: Carnegie Mellon University Attacked Tor, Was Subpoenaed By Feds
Joseph Cox
24 Feb 2016

> Update 25 Feb: In a statement, the Tor Project told Motherboard that "the Tor network is secure and has only rarely been compromised. The Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU) compromised the network in early 2014 by operating relays and tampering with user traffic. That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it. The Tor network remains the best way for users to protect their privacy and security when communicating online."

Not surprisingly, FBI is refusing to divulge how the SEI attack worked:

http://www.theregister.co.uk/2016/03/29/fbi_tor/
FBI: Er, no, we won't reveal how we unmask and torpedo Tor pedos
No NIT software exploit code for you
Iain Thomson
29 Mar 2016

ACLU has uncovered at least 63 other cases in which DOJ has invoked the All Writs Act of 1789 to force "technical assistance" in unlocking smart phones:

http://arstechnica.com/tech-policy/2016/03/feds-used-1789-law-to-force-…
Feds used 1789 law to force Apple, Google to unlock phones 63 times
"These cases predominantly arise out of investigations into drug crimes."
David Kravets
30 Mar 2016

> ...
> the law allows for judges to issue orders for people or companies to do something despite Congress not passing laws to cover specific instances. The All Writs Act is the law that led a federal magistrate ordering Apple to write code and unlock Farook's phone, an order that was no longer necessary because the authorities said Monday they cracked the phone without Apple's assistance. The government also said it wouldn't hesitate to use the "court system" to require other tech companies to weaken their security, too.
>
> According to the American Civil Liberties Union, the US government has cited the All Writs Act in 63 cases since 2008 to compel Apple or Google to assist in accessing data stored on an iPhone or Android device. Most of the orders involved Apple. "To the extent we know about the underlying facts, these cases predominantly arise out of investigations into drug crimes," said Eliza Sweren-Becker, an ACLU attorney.

For the court documents uncovered by ACLU, see:

https://www.aclu.org/court-documents-related-all-writs-act-orders-techn…
Court Documents Related to All Writs Act Orders for Technical Assistance
All Writs Act Orders for Assistance from Tech Companies

And new cases are rapidly arising. I urge TP to track these and continually formulate how TP would respond legally if a (politically/legally, not technically) similar situation to these smart phone cases arises which involves Tor:

http://thehill.com/policy/cybersecurity/274884-fbi-not-sure-it-can-unlo…
FBI not sure it can unlock iPhone in Arkansas homicide
Cory Bennett
1 Apr 2016

> The case is being closely watched as it comes on the heels of the FBI announcing it had been able to hack into an iPhone used by one of shooters in the San Bernardino, Calif., terrorist attack. The FBI had previously claimed such a hack was impossible without Apple’s help, even seeking a court order compelling the tech giant to assist. The bureau’s success has raised questions about what other devices it may now be able to access. Police have hundreds of seized iPhones around the country they would like to access. The Arkansas request was quickly taken up as the potential first test case of the FBI’s method, although it was not clear the same tactic would work for the devices in the homicide case.

http://arstechnica.com/tech-policy/2016/03/father-begs-apple-ceo-to-hel…
Father begs Apple CEO to help unlock his dead 13-year-old son’s iPhone
"I think Apple should offer solutions for exceptional cases like mine."
Cyrus Farivar
31 Mar 2016

> An Italian father has reportedly written to Apple CEO Tim Cook, pleading for help to unlock his dead 13-year-old son’s iPhone 6 so that he can retrieve the photos stored on it.
> ...
According to the AFP, Fabbretti’s son Dama was diagnosed with bone cancer in 2013, and he passed away in September 2015.
>
> In a February 2016 interview with the Italian newspaper La Repubblica (Google Translate), Fabbretti said that Dama had given his father access to the phone via TouchID fingerprint authentication, which was saved on the phone, but that wasn’t enough, as the phone was powered off when he found it. Newer iPhones running iOS 8 or later, including this one, require the full passcode after reboot.
>
> Fabbretti said that he has contacted Apple tech support, which told him they were sorry for his plight but lamented that there was nothing they could do.

In a somewhat analogous case in the UK, Lauri Love has been ordered by the UK's principal state-sponsored-criminality agency, NCA (National Crime Authority), to divulge the passphrases to the encrypted devices seized back in 2013:

http://arstechnica.com/tech-policy/2016/03/uk-cops-tell-suspect-to-hand…
UK cops tell suspect to hand over crypto keys in US hacking case
Lauri Love faces extradition to US over hitting Federal Reserve, among others.
J.M. Porup
31 Mar 2016

> At a court hearing earlier this month, the UK's National Crime Authority (NCA) demanded that Lauri Love, a British computer scientist who allegedly broke into US government networks and caused "millions of dollars in damage," decrypt his laptop and other devices impounded by the NCA in 2013, leading some experts to warn that a decision in the government's favor could set a worrisome precedent for journalists and whistleblowers.

https://theintercept.com/2016/04/01/british-authorities-demand-encrypti…
British Authorities Demand Encryption Keys in Case With “Huge Implications”
Ryan Gallagher
1 Apr 2016

> BRITISH AUTHORITIES are attempting to force a man accused of hacking the U.S. government to hand over his encryption keys in a case that campaigners believe could have ramifications for journalists and activists.
> ...
> Naomi Colvin, a campaigner for transparency advocacy group the Courage Foundation, told The Intercept that she believed the case could have “huge implications for journalists, activists, and others who need to guard confidential information” — potentially setting a precedent that could make it easier in the future for British police and security agencies to gain access to, or to seize and retain, encrypted material.
>
> Colvin said that the Courage Foundation, which is raising funds for Love’s legal defense, is backing him because “his case fits in to a pattern of political prosecutions of hacktivists and other truthtellers.” She added: “From our work with some of our other beneficiaries — particularly Jeremy Hammond and Barrett Brown — we’re very familiar with the prosecutorial overreach, inflated damage figures, absurd sentencing, and discriminatory prison treatment, including frequent spells in solitary confinement, that is common in these kinds of cases.”
>
> The encryption key demand is set to be the focus of an April 12 court hearing, at which a judge is expected to rule on whether Love should be ordered to turn over his passwords. But regardless of the hearing’s outcome, Love has no intention of turning over his encryption keys.
>
> “I don’t have any alternative but to refuse to comply,” he told The Intercept. “The NCA are trying to establish a precedent so that an executive body — i.e., the police — can take away your computers and if they are unable to comprehend certain portions of data held on them, then you lose the right to retain them. It’s a presumption of guilt for random data.”

I applaud his courage, and urge all Tor staffers to consider how they would act if they encounter "rubberhose cryptanalysis".

Sen. Ron Wyden, Rep. Ted Lieu, and others in the US Congress have been warning that the public does not understand the nature of the recent loosening of NSA's rules for sharing the personal information of US citizens gleaned from its dragnet with FBI.

https://theintercept.com/2016/04/01/intelligence-community-olive-branch…
Intelligence Community Olive Branch on Data Sharing Greeted With Skepticism
Jenna McLaughlin
1 Apr 2016

> In a post on one of the intelligence community’s favorite blogs on Wednesday, [Robert] Litt, general counsel for the Office of the Director of National Intelligence, outlined new intelligence data-sharing guidelines that he said will be released soon. The post, on Just Security, was essentially a response to reporting last month from the New York Times’s Charlie Savage that the NSA would soon be sharing with other government agencies the raw, unfiltered intelligence from the depths of its massive overseas spying programs.
> ...
> Patrick Toomey, staff attorney for the ACLU’s National Security Project, questioned Litt’s assumptions. “The premise of Litt’s response seems to be that there is an impermeable barrier — or ‘wall’ — between the FBI’s intelligence and law-enforcement roles. But that’s the wall the [intelligence community] spent the last 15 years tearing down,” Toomey wrote in an email. In fact, ever since the September 11 terror attacks, the intelligence community has been working to get information out of agency “stovepipes” so that it can be better used to stop terrorist attacks — even though that was not actually the problem pre-9/11. When conducting criminal investigations, the FBI can currently search through data the NSA gives it from programs run under Section 702 of the Foreign Intelligence Surveillance Act. Those programs are designed to target the communications of overseas persons, but “incidentally” grab some American communications, too. Those FBI searches have been likened to “backdoor surveillance.” “It seems very likely that the new 12333 procedures will permit the same thing, giving the FBI nearly unfettered access to an even bigger pool of data,” wrote Toomey.

An essential point for Tor users: NSA documents leaked by Snowden show that NSA regards all Tor users as "un-American" by default, a policy which I believe they eventually admitted in public.

USG spokespersons, including Litt, claim that "privacy is respected" and "civil liberties are protected", but Wyden and Lieu says quite the opposite is true:

http://thehill.com/policy/national-security/274773-spy-office-denies-al…
Spy office denies allegations that NSA data will be used for policing
Julian Hattem
31 Mar 2016

> A top lawyer for the nation’s intelligence agencies is pushing back on mounting criticism about new plans to widely share intercepted data throughout the federal government. Robert Litt, the general counsel for the Office of the Director of National Intelligence, confirmed that the change in policy is “in the final stages of development and approval,” in a post on national security legal blog Just Security on Wednesday. But Litt denied allegations that the change would allow the FBI and other agencies to use the sensitive data for domestic law enforcement matters, which members of Congress had speculated could be unconstitutional.
> ...
> Earlier this month, a bipartisan pair of House lawmakers warned that the potentially “unconstitutional” and “dangerous” move might allow law enforcement agencies like the FBI to use the NSA’s data — which is collected in the course of its foreign intelligence work — for policing matters within the U.S. “NSA’s mission has never been, and should never be, domestic policing or domestic spying,” Reps. Blake Farenthold (R-Texas) and Ted Lieu (D-Calif.) wrote.

This new controversy may explain the sudden resignation of the head of the PCLOB (Privacy and Civil Liberties Oversight Board):

https://www.truthdig.com/eartotheground/item/david_medine_leading_us_pr…
David Medine, Leading U.S. Privacy Watchdog, Resigns Unexpectedly
31 Mar 2016

> After years of service, David Medine is resigning as chairman of the Privacy and Civil Liberties Oversight Board (PCLOB). The board was established after the 9/11 attacks to bolster counterterrorism efforts in the United States and protect Americans’ privacy rights in the face of expanding surveillance.

It would be impossible to overstress the fact that the threat faced by The People in CWII can be characterized in decreasing order of importance as:

* political
* legal
* technical

April 01, 2016

Permalink

When not visiting a specific site, but browsing and opening multiple tabs from a search result or a news collector site, I often just close the tabs with Cloudflare. I wonder if they have any statistics about users like me, who "see a captcha and leave".

April 01, 2016

Permalink

One thing cloudflare could do is provide an onion proxy service with javascript disabled like how startpage does it so we can at least view the sites. I would be happy with the freedom to read.

Since disabling JS increases risk I like many others just close the tab when a CF site comes up.

As always peace love and respect to the tor team and everyone fighting the good fight.

Nice idea!

Enabling JS for cloudflare also allows JS for the site you will visit after solving the captcha. This renders noscript ineffective for those sites. Thats a bad thing.

Just close the tab when you are asked for captchas. The site is not part of the internet then.

Actually, disabling JS doesn't really protect the site at all, and if anything the site will want it enabled for user experience reasons. As such, the decision to disable JS should be left to the user.

You might be confusing JS with something else startpage does which is blocking POST requests. By definition (according to the HTTP RFC) a GET request must not alter the site in any persistent way, and thus they are mostly harmless, save application-level DDoS attacks and certain web application exploits. This is a valid, albeit read-only, means of thwarting spam, and would certainly be one step closer to equality for Tor users.

April 01, 2016

Permalink

Here is one of the 94% evil content scrapers - not.

I visit a web site that has about 50 new pages every day.
They have about 15 images on each page. These images are hosted on another domain that uses Cloudflare.

For a Tor user all these pages are displayed without images. Because Cloudflare serves a captcha page for each image and the browser silently drops those as invalid images.

So skimming through the new pages my browser tries to load around 750 images, which cannot be displayed. And Cloudflare pads itself on the shoulder and says it has stopped an evil scraper from taking that content. Their evidence - not one captcha has been solved for all these requests!

This is not an isolated case. I have seen other sites hosting their images on a seperate domain managed by Cloudflare. Must add up to millions of "attacks" by Tor users each day that Cloudflare fends off ;D

More problematic is Javascript libraries. Some of the CDN domains that serve JS libraries apparently block/captcha Tor, which breaks many websites.

April 01, 2016

Permalink

I will never stop using Tor for any reason. I circumvent things like cloudflare by using proxies additional to Tor. Pages are loading fast enough despite of it. Pages that don't work this way are abandoned. So cloudflare may as well keep their services for themselves. They couldn't stop me so far. Those captchas are useless, i am not wasting time like that.

But it is not a real solution. To dispose of cloudflare would be far better.

> I will never stop using Tor for any reason.

You won't have the choice if TP does not relocate and if encryption becomes illegal in the US, because Tor Project would then become an illegal organization.

The Burr-Feinstein anti-encryption bill soon to be introduced in the US Senate (the draft text was just leaked to The Hill and is available at cryptome.org) would appear to make Tor illegal in any US jurisdiction. Also, serving Tor from any US jurisdiction to anyone in any other jurisdiction.

Tor Project must as a matter of urgency prepare contingency plans to relocate all crucial people, headquarters, and NRO registration to another country. Considering the response of the Icelandic people to the revelations from The Panama Papers, Iceland might be one possibility. Norway might be another. Sweden and Germany might also be worth looking into.

April 01, 2016

Permalink

I'm glad you're addressing this at last.

But I've noticed two things in my own experience. Cloudflare makes the web less interesting in Tor. YouTube not working properly in Tor makes the web less interesting. As I'm not willing to give in and use my other browsers, or at least not too much, I find I'm being conditioned into thinking maybe I'll just get rid of the internet and not make it such a big part of my life. I like to see the positive. Slow Tor, no Cloudflare sites, YouTube trashed, my custom is being lost not to some deanonymising browser but rather to books and thinking about other things to do with my time. The slow death of a free internet is closer than I ever thought possible.

I like the spin you put in it. "Books and thinking about other things to do with my time" seems a clear victory.

Cheers :-)

(Not to spoil your new found meaning outside of the internet but things like youtube work absolutely fine over Tor. Maybe you just need to change some habits? See for example youtube-dl.)

What
do you mean by youtube not working properly? I am a new tor user here, I
install html5 everywhere and everything works fine even if javascript
is forbidden.

April 01, 2016

Permalink

The can be no doubt that Cloudfare is doing this out of the goodness of their hearts, and that their vagueness is just a silly mistake.
Right, guys?

guys?

April 01, 2016

Permalink

The cloudflare blog post contains this statement:

Unfortunately, to solve that, we'd need to track Tor users across sites which would sacrifice Tor’s anonymity so we’ve deemed it unacceptable."

...which makes it sound like they could track Tor users across the web if they wanted to.

Is there anything in this?

(If they can track Tor users across sites and could reduce CAPTCHAs by doing so, then they should go ahead and do it; not doing so would only give a false sense of anonymity)

April 01, 2016

Permalink

Perhaps part of the problem is also that the binary distinction between malicious and non-malicious is too simplistic.

Some kinds of abuse aren't really feasible with Tor, e.g. DDOS. Other kinds are feasible with Tor, but are only a concern for some sites, e.g. scraping. In cases like comment spam, completely blocking access to the site before the user enters a CAPTCHA is an overkill.

Systems would do well to distinguish between different kinds of malicious behavior and allow sites to take countermeasures only in those cases they are concerned about.

April 01, 2016

Permalink

CloudFlare needs to let website owners choose whether to inconvenience Tor users or not. Just like they have other web application firewall settings (a myriad in fact), they should have a big switch somewhere to let Tor exit nodes access the site unhindered.

The use cases for Tor are broad and deep. Cutting it off universally is potentially exposing your clients to privacy-related lawsuits.

April 01, 2016

Permalink

One thing that I absolutely detest, and that spurred rabid killing impulses when I read it in Cloudflare's post (which, incidentally, I had to read on web.archive.org, because, of course, it's behind the CF firewall), one thing I detest I was saying, is people to casually equate "automatic" requests or traffic (quaintly referred to as "bot" activity) with "maliciousness" (whatever that means) or "illegitimacy".

Since fucking when does HTTP _require_ a human to be sitting behind the monitor for it to work??? How in hell is my cronjob for retrieving a page, or making a post, or firing an xmlrpc call illegitimate??? In which goddamn way are the automatic fetches of my newsreader suddenly "malicious"???

Turing tests like captchas have zero (ZERO, YOU HEAR ME?!), relationship with determining the "legitimacy" (whatever that even means?) of some protocol exchange.

Your type of traffic represents less than .00001% of legitimate webtraffic and for 59% of all malicious webtraffic and bot stealing data traffic. No one gives a shit if they block you, well no one except you

> one thing I detest I was saying, is people to casually equate "automatic" requests or traffic (quaintly referred to as "bot" activity) with "maliciousness" (whatever that means) or "illegitimacy".

Yes, for example, even some USG agencies would most likely disagree with CloudFlare's unstated premise, because they want to automatically scrape web forums and such, without paying a human analyst to do it manually, because not infrequently their intention is to only look at the scraped data after the fact, if "something happens".

But taking a wider view, unexamined false assumptions such as the one you describe permeate the algorithmic prediction software used by USG (and other governments) to make the majority of decisions in how to treat individual citizens: who to hire, fire, counsel, sponsor, investigate, audit, watchlist, charge, parole. Likewise by banks which want to decide whom to loan money to, landlords who wish to decide who to rent to, employers who want to decide whom to hire, etc. The CN and US governments are leading the charge in replacing human bureaucrats with computer algorithms. This may downsize their social service and law enforcement employees, but it is very likely to ultimately prove enormously costly in terms of human suffering. Who can defend himself against a judgment made in secret by proprietary software hidden behind an NDA? Whom can muckraking journalists name and shame when all the most horrific bad governmental decisions are made by a computer? What defense lawyer can cross-examine a neural net? How many public defenders even understand enough about probability theory and computer science to even try?

I concur, but the point we tend to forget is that the web is not ours. It's built from millions of sites that are their respective owners' property, just like an apartment or a shop. And they decide who can visit and who can't, that's entirely legitimate. The fact that many people in the old internet were used to know that they can practically do anything in a website does not mean that's a legal or god given right, unfortunately. The bastards changed the rules, and they are fully entitled to do so. They can shut down their sites, they can password protect them, they can require ID or phone verification, they can do whatever their like because that's their private property you are trying to access.

Not to forget that they are the ones leveling automatic weapons against humans ... servers eating up our valuable time by DDOSing us human readers with CAPTCHAs ... how ironic.

Malicious users, possibly backed by a competing business, might have the money to distribute their "attacks" and evade detection.

People trying to just collect statistics or do something cool with a website's data for fun might not necessarily have the money to evade detection and are prevented from doing so. Imagine all the cool things we haven't seen because CloudFlare prevented it.

April 01, 2016

Permalink

Cloudflare reminds me of Antabuse for alcoholics. Breaking internet addiction site by site. Cloudflare must the the NSA's wet dream, I bet they wish they'd thought of such a simple solution. Hang on....

April 01, 2016

Permalink

Can you guys help me? My school changed to cloud-flare during the Christmas break and i cant figure out how to get past it. I used to easily get past their firewalls but now i cant. Help, please?

April 01, 2016

Permalink

> 5) A report by CloudFlare competitor Akamai found that the
> percentage of legitimate e-commerce traffic originating from
> Tor IP addresses is nearly identical to that originating from
> the Internet at large. (Specifically, Akamai found that the
> "conversion rate" of Tor IP addresses clicking on ads and
> performing commercial activity was "virtually equal" to that
> of non-Tor IP addresses).

A specious claim? Let's see...
Cherry picks supporting claims? Check
Quotes source deceptively? Check
Draws on points of limited relevance to make a case? Check
Relies on reputation of source for validity? Check

That report states unequivocally "Tor exit nodes were far more likely to contain malicious requests"
(I interpret this as meaning "[Traffic from] Tor exit nodes [was] far more likely to contain malicious requests" or equivalently "Tor exit nodes were far more likely to [send] malicious requests")

From the report...
Tor IPs: 1.26% of malicious traffic, 0.04% of legit traffic
Other IPs: 98.74% of malicious traffic, 99.96% of legit traffic

What was similar between Tor and non-Tor traffic, according to the report, was the distribution of attack types among the malicious traffic observed. This similarity is relative, not absolute, and does not contradict the statement "Tor exit nodes were far more likely to contain malicious requests".

The positive-sounding "conversion rate" is cherry-picked, but what does this mean? Conversions on the internet are typically low (<5%). Speculating now: Perhaps legit Tor users are actually *more* likely to convert than non-Tor legit users. If (speculating, remember) legit Tor users are twice as likely to convert, it would require half the Tor traffic to be malicious for these numbers to add up.

But who was actually talking about the conversion rate? No one. We were talking about whether bad actors as well as good use Tor, and whether there is increased risk to content providers from Tor traffic.

Is quoting a report that states "Tor exit nodes were far more likely to contain malicious requests" to support the claim that traffic Tor nodes are not more likely to send malicious requests valid? No (for all values of No).

I concede the point to those who've made it that labelling traffic legitimate or malicious has some devilish details - I hope that _that_ discussion can be considered outside the scope of my simple point: the claim to which I was responding was made without adequate attention to truth.

The morale of the story:
Sometimes the first step in dealing with a problem is admitting that you have a problem.

April 02, 2016

Permalink

> 94%
Because Cloudflare declares that most exit IPs are malicious, it sees normal TBB traffic from those exits as malicious. Simply they are blind (their software is not smart enough).

Cloudflare is responsible in that it must educate its users (webmasters), so that they understand proxies, to avoid deploying not-so-smart filters.

April 02, 2016

Permalink

Coming from Europe.

I would like to point out that CloudFare violates European privacy laws by requiring me to accept cookies. So blocking me when coming from an European exit node is illegal in Europe.

Not that I care very much, because any site that uses CloudFlare is a site that I don't visit. I would like to let the owner of the site know, but unfortunately that is impossible because I can't even get their contact information.

Perhaps it would help if it was possible to notify the site owner that their site won't do anything useful for Tor users. Even a list of contact addresses would help me, because I'm quite willing to give a piece of my mind to the site owners.

April 02, 2016

Permalink

Well, like all of you I find myself standing in front of locked doors all the time while browsing the web. But there is something very remarkable about this: I'm blocked when I visit media sites like medium.com or theregister.co.uk, I'm blocked from visiting blogs or sites of "general interest". But I'm never ever blocked by Cloudflare, when I'm about to spend money. Either e-commerce sites are in some wondrous way inherently immune against any threat from us malicious Tor users. Or these threats aren't that threatening at all when it comes to making money. (Not that I would buy anything using Tor, since I had to de-anonymize myself by registering or logging in.)

April 02, 2016

Permalink

The Tor project has failed to address abusive use of Tor for years and years and years. The Tor projects own FAQ on abuse says: "Does Tor get much abuse? Not much, in the grand scheme of things. The network has been running since October 2003, and it's only generated a handful of complaints."

That's the Tor project publically sticking its fingers in it's ears and going 'la la la la la'. The idea that Tor has generated "a handful of complaints" is a wanton ignorance of the reality of Tor network use.

Anyone who runs a network or web site of any significant size knows that Tor traffic is a cesspool of scanning, abuse, comment spam and more. It's not surprise networks block Tor outright.

April 02, 2016

Permalink

I've been 100% Tor for a while now but.. using the Internet has transformed from a wondrous experience to one of great frustration.

I think about giving up using Tor on a daily basis due to the sheer volume of CAPTCHAs I have to solve. I hate the idea of using my ISP's connection directly (they monitor and sell consumer HTTP data for profit and I'd rather my habits not be on file for eternity) and the idea of choosing a 'good' VPN leaves me with a lot of doubt and worry.

Some days I want to just give up on using the Internet. Throw all my equipment away and analogue. Thanks CloudFlare. :/

"I think about giving up using Tor on a daily basis due to the sheer volume of CAPTCHAs I have to solve."

I wont give up Tor but I will stop buying products and services from Cloudflare customers. I will not refer any client to a Cloudflare customer site either.

"I hate the idea of using my ISP's connection directly (they monitor and sell consumer HTTP data for profit)"

That's a great point which no one else has mentioned: this practice is far more common than most people realize. In most jurisdictions there are no laws which prevent the collection and sale of customer data. When that data gets stored, it's often stolen by hackers. And sometimes those hackers are inside the company. The identity theft ring that was busted at AT&T* is the tip of the iceberg. Only a few get caught.

If the ISP catches a hacker without external help, they will often risk a fine for failing to report the breach rather than tell the public their service is insecure. Politicians and potential business competitors are particularly at risk for ISP-based spying. But even some ordinary customers will get junk mail and telemarketing calls because their ISP sold their browsing history. If banks and governments cannot protect their customer records, why would your ISP be any more secure? You can never trust your ISP because you don't know who has access to what. So everyone on the internet has a valid use case for some kind of anonymous proxy until encryption is built into the internet at the protocol level.

* https://www.consumeraffairs.com/news/first-sentence-handed-down-in-att-…

April 02, 2016

Permalink

Thanks. Now I least know whos responsible for turning the free web into a captcha-mess.

April 02, 2016

Permalink

Cloudfare is a commercial service requiring people to use it. Simple answer tell everyone you know not to use their service. Simple marketing, don't use and force them out of business. If only people would do the same with google, oh what a lovely internet we would have.

April 02, 2016

Permalink

I guess the 2+ million daily Tor users are not a large enough percentage of total internet users for companies to be concerned about losing revenue from them.

April 02, 2016

Permalink

I don't work for Cloudflare.

The "94% of traffic" figure can come from two different measures.

The first is "the number of malicious requests", where "malicious" is defined as "attempts to identify or exploit weaknesses which could lead to unauthorized levels of access".

The second is "the raw size of traffic which is malicious". I don't know if this percentage would be as high as the number of malicious requests.

Given that most malicious requests tend to be automated at this point (mass scanners tend to scan and move on when they don't find a vulnerability), it's quite likely that there's a few people using the Tor network to provide anonymity for their probes -- and those probes are massive scans, some number for every site that they try to find vulnerabilities in. That could -easily- overpower (even by an order of magnitude) the number of legitimate, "I know what I'm doing and I'm not exploring to find any holes around what I'm doing" kinds of traffic.

Cloudflare isn't wrong, here. Insisting that Tor isn't a concentrator for malicious traffic (precisely because of its vaunted anonymity features) isn't the correct answer, here. Tor needs a means of accountability for its users to prevent them from abusing the network. This is going to be incredibly difficult to accomplish, but there are potentially ways to do it (some of which might involve authentication through multiple chains of ECDH agreements, using the output of one agreement as a private key for the next).

Now please explain why only the "I'm not exploring" kind is legitimate traffic. A scan isn't abuse. Saying that security can be outsourced like this would mean that irresponsibly buggy website design is OK as long as you think you're protected from the evil, evil internet by some NSA MitM behemoth ...

re: "I don't work for Cloudflare."
-->
I don't necessarily believe you. And you could be an investor who profits from the false claim of security benefits.

re: "the raw size of traffic which is malicious"
-->
And therein lies the rub:

Cloudflare has declared things like content scraping and banner-ad click fraud to be "harmful" and "malicious" when it actually represents no security threat to the customer's web server. There are more efficient ways to deal with this traffic which would not require Cloudflare to break or disrupt every website under its control by default.

The statistics don't prove that most Tor users are malicious, nor do they prove that HTTP GET requests represent a security issue. What do you think web servers were made for? Even if CAPTCHAs had some security value, Cloudflare can't explain how they plan to secure millions of public WiFi access points unless they make everyone on the internet pass a Turing test for every website under Cloudflare's control. This is just nonsense. CAPTCHAs might prevent forum spam, but they do not prevent security flaws from being exploited, and you should not deploy them across your entire domain just because you can. This is the adult equivalent of a child's security blanket: it might feel good, but it serves no practical purpose in terms of security.

> There are more efficient ways to deal with this traffic which would not require Cloudflare to break or disrupt every website under its control by default.

They want to disrupt Tor. Tor supporters are an extremely small minority of people. The consensus among network professionals is that Tor should not be allowed to exist.

> The statistics don't prove that most Tor users are malicious, nor do they prove that HTTP GET requests represent a security issue.

They are not required to offer evidence of anything.

> you should not deploy them across your entire domain just because you can.

They are doing it to attack Tor users. The net is not neutral and they can block anything they want for any or no reason. An alternative to outlawing Tor outright would be for various autonomous systems to reject traffic to and from known Tor relays.

Cloudflare rates anything that might block ads, modify header, block scripts or web bugs, or anything recognised as possibly VPN IP or Tor IP blocks as MALICIOUS

April 02, 2016

Permalink

Another problem with the 94% statistic is that spammers send more requests than normal users. It could be that 1000 people send 100,000 requests to a website, but it was one spammer that sent 94,000 of them. So even if 99.9% of tor users are harmless, Cloudflare can still claim "94% of tor traffic is malicious."

April 02, 2016

Permalink

TL ; DR
Another post farther up the list contains the most accurate and succinct explanation. It’s so right on point that the sentence deserves to be repeated:

“CloudFlare is selling a magical security device. The client thinks it's making their website more secure, when in reality at most it's simply reducing spam to unrelated people.”

+++++++++++

Indeed, the majority of people with something to sell will exaggerate the value of their product or service. This is a fact of life. We encounter it every day, mentally note it where applicable, and go on about our business. But when they begin to interfere with the conversations and commerce of others, we have a right and obligation to protest. For many people who are opposing tyranny and corruption, using Tor is not a choice, it is a requirement. And Cloudflare wants to break Tor’s functionality just for the sake of profit. It always comes down to freedom or fortune:

For a company as big as Cloudflare which mirrors a significant chunk of the internet, it’s simply not credible that all of the CAPTCHA looping and the endless redirects (or failure to display after solving) could be an innocent mistake. It’s constant, it’s everywhere, and it’s all broken on purpose. But Cloudflare is pretending like they don’t know something is wrong. There is a method to the madness here:

They are just using you to train an A.I. to recognise things like street signs, house numbers and landmarks that a vehicle would encounter. At some point this A.I. product will be sold or licensed to car manufacturers for a vast profit. This is why Cloudflare keeps asking you to solve far more CAPTCHA’s than would be necessary to prove you’re not a bot. Surely you did not think that Cloudflare expected to get nothing in return for giving free service to millions of web sites. Cloudflare’s primary purpose is to exploit everyone who uses a proxy. The intercept page they display to proxy users should just say: STOP! PAY TROLL!

I think we need a dedicated site that explains all of this to the admins who get suckered into using the service without realising how they are harming defenders of human rights (and their own customer base.) They also seem to forget that many people are using Tor because someone at their ISP is doing something sinister with their traffic logs. If Cloudflare maintains this antagonistic stance towards privacy, maybe Tor should inject a special button into every Cloudflare intercept page which sends a complaint to the webmaster or domain owner explaining why they should stop using that service. Cloudflare may not be entirely evil, but it’s the next best thing.

April 02, 2016

Permalink

A warrant canary is a cryptographically signed, dated, and regularly updated statement that you (or your company or organization) has never received

o an NSL or other court/government order with an "eternal gag order",
o a demand to insert a govt backdoor (a serious demand, not phrased as a "joke"),
o a demand to abuse your cryptographic signing key by signing a "specially modified" version of a legitimate software update,
o &c.

Here is an example from a critically important partner of Tails Project, a Tor Project partner:

https://help.riseup.net/en/canary

(Note that Riseup Networks updates its canary quarterly.)

For years, some Tor users have requested Tor Project to rectify the odd omission of any warrant canary from its home page. And for years, TP has refused to explain the absence of any warrant canary.

Is the reason that TP has long since received just such a request? TP won't say, and that is worrisome.

Some people like to claim that warrant canaries are useless. I don't agree. Indeed, something horrible seems to have happened to Reddit, which until very recent *did* offer a yearly warrant canary. One reason why that should concern every Tor user is that we rely on what is almost a single point of failure, Ars Technica, a news outlet which is owned by the same company which operates Reddit:

http://arstechnica.com/tech-policy/2016/03/reddit-removes-warrant-canar…
Reddit removes “warrant canary” from its latest transparency report
CEO is staying mum: "I've been advised not to say anything one way or the other."
Cyrus Farivar
31 Mar 2016

> Reddit has removed the warrant canary posted on its website, suggesting that the company may have been served with some sort of secret court order or document for user information.
>
> At the bottom of its 2014 transparency report, the company wrote: "As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed."
>
> That language was conspicuously missing from the 2015 transparency report that was published Thursday morning. (Disclaimer: Ars and Reddit are owned by the same parent company, Advance Publications.)

See also:

https://www.techdirt.com
Reddit's Warrant Canary On National Security Letters... Disappears
Mike Masnick
1 Apr 2016

> On Thursday, Reddit posted its latest transparency report concerning government requests for user information or content removal. This is the second such report, following its 2014 report. As one Reddit user quickly noted, the 2014 transparency report had something of a "warrant canary" concerning National Security Letters (NSLs):

April 02, 2016

Permalink

There are many so-called "services" like cloudflare or google or blogspot or webmail providers and so on that are hostile towards Tor because they are hostile against privacy and security for the individual as a principle.

This should be the incentive towards more onion-based sites like duckduckgo and hopefully in the future we will have a full parallel universe in the dark web with no need to interact with the privacy-invading clear web.

April 03, 2016

Permalink

CloudFlare is the malicious part here. Other than that they are currently kind of fucking up in other areas too and there customer support is horrible.

Well, if you can call that customer support, because from my experience (working at a company that was until recently using their service) their customer support is only a sales team and talking to them about anything close to technical will result in weeks, if not months of communication even for things that are urgent, even for paid accounts.

I was really excited about CloudFlare until recently. Their blogs, their earlier responses to inquires, their pretended wish to help to make things more pleasurable for Tor user, their open source projects, etc. all sounded like a great company, but the recent months were hugely disappointing.

It's already in development! And it does not require a huge investment either. The basic idea here is that you buy a Network Attached Storage system, then lease the disk space and some of your internet bandwidth to web site operators through a digital currency system. The software replicates portions of a web site across thousands or millions of storage devices in response to consumer demand. You could tweak the cost/bandwidth tradeoff however you like:

Depending on the level of traffic that your site gets, you could potentially have your site hosted for free on a global content delivery network in exchange for your participation as a host on that same network. Or you could just earn money being a server. We will eventually beat Cloudflare on price, performance and reliability with a distributed system that nobody owns. And no one who hosts your site can tamper with it because they only have part of it and the files are encrypted. That is better than Cloudflare in every way I can think of. Here are some links to current projects if you want to follow their progress. I don't manage these projects, I just think they represent the future of hosting for most of the internet.

https://ipfs.io/
http://www.swirl-project.org/
http://p2pfoundation.net/

April 03, 2016

Permalink

Just read the abstract of the research you linked to.
Don't get me wrong. I hate CloudFlare just as much as the next Tor user, but wording the issue as mistreatment of "second-class Web citizens" made me chuckle.
Are these connotations really useful?
Should we start accusing CloudFlare of being "anonymist" now?

April 03, 2016

Permalink

Why are you calling out Cloudflare when Akamai is way worse? Akamai silently blocks Tor (just try visiting www.foxnews.com with Tor) and isn't interested end any dialog, whereas as CF has been working with you us. This is a dumb move.

I'm not saying you're right or wrong, but are you sure foxnews.com doesn't just happen to be blocking Tor exit nodes via the X-Forwarded-For (or simillar) HTTP header? A lot of other comments suggest Akamai is indifferent to Tor traffic.

Because CloudFlare isn't owning up to their blocking; Akamai users must deliberately block Tor while CloudFlare requires users to deliberately whitelist it.

April 03, 2016

Permalink

Lately on the Cloudflare landing page I got quite often the error "reCAPTCHA / Sorry, an error has occurred". No capture is displayed. I wonder how this is counted at Cloudflare?

April 03, 2016

Permalink

Sorry for adding one to flooding comments (mostly spammy) at this blog.

The conclusion is: posting a large number of spam comments is enough to silence many useful comments to suppress free speech. Not blaming busy volunteer moderators though. Something should be done on the comment system...

April 03, 2016

Permalink

Leaving doubts about methodology aside (how do they differentiate humans who were too pissed off to solve the captcha once again form bots?)…

Cloudflare does not provide free CDN and anti-abuse service. Cloudflare needs valuable user behavior & tracking data and gives the service in return.

Google does not provide free captcha service. Google needs valuable user behavior & tracking data and gives the service in return.

(By the way, I really doubt Cloudflare simply chose Recaptcha and it just worked on such a large scale. There had to be an agreement on terms of service — and on mutual benefits — between both companies.)

What Cloudflare worries about is not convenience of Tor users. What Cloudflare worries about is that their captchas for Tor clients on every served website make it painfully obvious to even an average user how widespread their tracking system is and that people might actually start to question the practice. They would really prefer to gather the data without anyone noticing it, just like internet service and hosting providers do today.

PSA: if you have to use third party services, only use them when it's necessary. If you use Recaptcha for comments, only load it when someone uses the reply form. Do not defend from potential DoS attacks in the future by selling your users now, have a hot/cold backup subdomain that is served through Cloudflare.

April 03, 2016

Permalink

As an owner of multiple successful eccomerce stores I can tell you 99% of TOR traffic is fraudulent, just the way it is I suppose.

April 03, 2016

Permalink

I brought it up with CloudFlare too. I'm an investigative journalist who's prosecuted by the Canadian regime for exposing the inconvenient facts about the police state. I urge all my readers to use Tor browser when accessing not only my site, but any site.

It happened a few months ago when CloudFlare updated their algorithm and virtually every request to my site from the Tor network was challenged, even though I have the security set to "Essentially Off". I wrote a ticket to CloudFlare to explain why they are doing this, but got unhelpful, cut and paste type of response.

April 03, 2016

Permalink

The biggest triumph of anonymity-enhancing software to date?

No, not the Snowden leaks.

The Panama Papers.

2.6 terabytes of data.

11.5 million documents:

o 5 million emails
o 3 million database files
o 2 million PDF documents
o more.

210 thousand shell companies registered in Panama and 20 other jurisdictions.

Implicated in four decades of financial corruption and other irregularities:

o heads of state of RU, UA, IS, PK
o 600 people sanctioned by US and other governments (politicians, generals, terrorists)
o FIFA (not just Sepp Blatter, the whole shebang, even their "ethics officer")
o dozens of Russian oligarchs
o thousands of mega-rich "Western" plutocrats
o bank thieves (the non-cyber kind)
o Mafia chiefs
o military chiefs
o politicians
o banks
o lawyers

Researching the trove: 400 investigative journalists, from

o Sueddeutsche Zeitung
o International Consortium of Investigative Journalists (ICIJ)
o The Guardian
o and more

This is the biggest single leak *ever*. Take it from someone who knows about big leaks:

Edward Snowden ‏@Snowden
3 Apr 2016

> Biggest leak in the history of data journalism just went live, and it's about corruption.

And what else might yet to be found in the trove? I venture to suggest:

o some of the missing trillions the USG lost in post-invasion Iraq
o LEOs
o CIA
o US politicians and military leaders

http://panamapapers.sueddeutsche.de/articles/56febff0a1bb8d3c3495adf4/
About the Panama Papers
Frederik Obermaier, Bastian Obermayer, Vanessa Wormer and Wolfgang Jaschensky
3 Apr 2016

> Over a year ago, an anonymous source contacted the Süddeutsche Zeitung (SZ) and submitted encrypted internal documents from Mossack Fonseca, a Panamanian law firm that sells anonymous offshore companies around the world. These shell firms enable their owners to cover up their business dealings, no matter how shady.

http://thehill.com/blogs/blog-briefing-room/275033-massive-document-lea…
Enormous document leak exposes offshore accounts of world leaders
Rebecca Savransky
3 Apr 2016

> A massive leak of more than 11.5 million documents exposed the offshore accounts of current and former world leaders, The Center for Public Integrity reported Sunday.
>
> The investigation of the files, known as the Panama Papers, was published Sunday by the International Consortium of Investigative Journalists.
>
> The investigation "exposes a cast of characters who use offshore companies to facilitate bribery, arms deals, tax evasion, financial fraud and drug trafficking," according to the website.
>
> "Behind the email chains, invoices and documents that make up the Panama Papers are often unseen victims of wrongdoing enabled by this shadowy industry."
>
> The report exposes hidden information about how banks and lawyers hide dealings with people such as prime ministers, plutocrats and criminals.
>
> The documents have information about Russian President Vladimir Putin, details about England's gold heist in 1983 and information about bribery allegations regarding soccer's governing body, FIFA.
>
> The files include nearly 40 years of records and information about more than 210,000 companies in 21 offshore jurisdictions.

http://www.theguardian.com/news/2016/apr/03/a-world-of-hidden-wealth-wh…
A world of hidden wealth: why we are shining a light offshore
Huge leak reveals how the powerful exploit secretive tax regimes – and widen the gulf between rich and poor
The Panama papers
Juliette Garside
3 Apr 2016

> They are known as the CDOTs – the UK’s crown dependencies and overseas territories – island states such as the Caymans and the British Virgin Islands.
>
> On maps they appear no bigger than a full stop, but each year billions of dollars in capital sail into the global banking system along the warm currents of the Caribbean.
>
> Economists are charting an unrelenting, escalating transfer of wealth, enabled by the offshore system, often from the very poorest to the very richest nations.
>
> The money is sometimes spent in obvious ways – funding super-yachts, private jets, fine art auctions and, of course, property. But there is the unseen damage. It harms the ecology of vibrant cities by making them unaffordable to ordinary people.

Encourage everyone to read all about it, using Tor Browser, of course.

The world will be the better for this leak, and the world is in your debt, Tor Project!

April 03, 2016

Permalink

I use Tor a lot and it's really painful to browse a website with cloudflare sometime I've also a captcha loop which is impossible to pass trough (sometime I resolve 4+ captcha and they still ask me for more captcha)
This method is certainly to discourage people from using Tor, cloudflare share data with intelligence agencies for sure

April 04, 2016

Permalink

For me, the captcha request is equal to a Cookie-Monster which tracks you everywhere you go. And it is even more important when it comes the first time you load Tor.
In Tor, no cookies+no java=private and anonymous.

April 04, 2016

Permalink

This makes me quite mad to be honest. First of all, I think it's a shame that such a large part of the surface web is already being hosted or accessible via CloudFlare. Instead of decentralizing, people centralize again. That's a damn shame and exactly not how it (the internet) should work, goddamnit.

I experienced the same issues you stated, e.g. non-solvable captchas or captchas that don't even load. As if that's not even enough, they constantly use Google recaptcha, which also does not respect any privacy, as we all know.
And now they even start spreading FUD.

Mad. Damn mad.

April 04, 2016

Permalink

Decade long, always on, Tor user here :D

Over the last three years or so, CloudFlare hosted sites become more and more annoying. Recently theregister.co.uk changed their hosting to CloudFlare, and I always got the usual "one more step..." landing page. I complained to the admin of their site via email that blocking Tor users just because of CloudFlare's default settings amuses me since as an IT news outlet they always seemed to be in favour of the free internet... Dunno if it is because of my post, but about two or three weeks later I got a different kind of landing page. It reads: "Please turn JavaScript on and reload the page. DDoS protection by CloudFlare Ray ID: XXXXX". If you do turn on JavaScript and reload the page you will get full access to the site without the need of performing a CAPTCHA or anything. In other words, there might be alternative and more unobtrusive ways to deal with DDoS protection and Tor users, and these are even possibly provided by CloudFlare!

Another really annoying problem are site owners that only host their multimedia content on CloudFlare but not their entire domain. For example, if only the images are hosted on CloudFlare you will see a rendered page but without images. Because the html request of your torified client results into fetching the CAPTCHA landing page (i.e. web content) instead of the anticipated image content, your browser might just silently ignore the "image" - due to wrong content type - and neither display free space nor anything to remind you of the missing image content...

What is also interesting is the behavior of Amazon regarding Tor. During the last six or twelve months CAPTCHAs are becoming more common here. Interestingly, after I've got a CAPTCHA at amazon.de (the German site) I can often access amazon.com immediately thereafter without problems (I suspect that I am using the same Tor exit node with both amazon.de and amazon.com). Also, sometimes I will get a CAPTCHA directly when trying to access their homepage, and at other times I can view their homepage without problems but when doing a product search through their search field I will see their CAPTCHA (dunno if the Tor exit node changed between those two page loads, but since this happened quite a few times I do suspect that the exit node did not change). Again, CAPTCHAs are much more common on their *.de site but very rare with their *.com domain.

For me, a very effective trick to circumvent CloudFlare (and Amazon) CAPTCHAs is to use another web proxy through the Tor browser.

April 04, 2016

Permalink

whats the deal w/ romania?
recently had noted "repeated romania exit node sequences" on some sessions.
it goes like: one romania exit node, ask for a new exit, comes a second romania exit node... had seen 4 sequences.
Not that Im segregating Romania, but the behaviour is odd!

April 04, 2016

Permalink

Bull shits cloudflare protect this client only for you don't have uniques IP and this is the problem many client of this compagny have torrent tracker of not but. But this client don't like tor network because i like to control the network with the IP. Tor network permit you to have any ip and i have anonymously. This provider write a lot of bullshit and this it a bullshit ban this provider and the client behind.

April 05, 2016

Permalink

Well yeah, making up you own ground truth makes lying with statistics even easier.

Go fuck yourselves, flare clowns. I can see right through your cloud screen.

April 05, 2016

Permalink

Interesting excerpt from the clownflare blogpost (retrieved via web archive):

"With most browsers, we can use the reputation of the browser from other requests it’s made across our network to override the bad reputation of the IP address connecting to our network. For instance, if you visit a coffee shop that is only used by hackers, the IP of the coffee shop's WiFi may have a bad reputation. But, if we've seen your browser behave elsewhere on the Internet acting like a regular web surfer and not a hacker, then we can use your browser’s good reputation to override the bad reputation of the hacker coffee shop's IP."

putting aside the ontological difficulties with a dichotomy between "regular web surfers" (since when does regular / legitimate entail trackable) and "hackers" (understood to be unwanted persons), this seems to indicate that it would be sufficient to copy the headers from a "regular" one to access any cloudflared web page. since they claim that tor is not getting any special treatment (for better or worse), has anyone had more success using a non-TBB browser configuration through Tor?

April 05, 2016

Permalink

It is disappointing that this blog post does not address the very real problem of abusive use of the Tor network. I work for a very large network in Europe and we see constant problems with Tor exit nodes.

Akamai shows that only 0.04% of real requests come from Tor It's is not surprising that people block Tor completely when so little traffic is real. Can you blame them?

April 05, 2016

Permalink

When I read this article on Ars
http://arstechnica.com/security/2014/11/silk-road-other-tor-darknet-sit…

I saw this statement
"If it’s possible for government actors to use denial-of-service attacks to force Tor traffic over connections that are owned and operated by them, it could present privacy problems for anonymized sites used by whistle-blowers, political activists and dissidents, journalists, and others trying to avoid the eyes of oppressive regimes."

Actually this kind of guarding traffic routes is what Cloudflare can manage by blocking exitnodes and only allow traffic to a specific list of so called controlled exitnodes they were asked to do so.
If CMU was willing to assign for special activities against all Tor network users, why wouldn't Cloudflare? They seem to be in that position and nobody knows the real facts how they choose their list of blocking extinodes.

why? you should be happy to avoid visiting such absolutelly insecure https sites linked through thief clowns servers as mitm! at least you can detect them as opposite to naive zombie users!
and you can try to report to the web site owner about the stolen private key of the site :)

April 05, 2016

Permalink

I've seen some scraping/etc scripts that (sadly) abuse Tor: one of their features is detecting when a 403 (or similar) error is received and then requesting a new circuit from the Tor daemon.

This causes them to somewhat quickly cycle through IPs (they will slightly lower the request rate to make a circuit last longer) and may be why CloudFlare is seeing a high percentage of exit IPs as 'bad': swapping to a new IP is easy to do automatically.

It could be as few as 10 bad bots but they'll quickly go through huge amounts of exit IPs.

April 05, 2016

Permalink

The akamai powerpoint leads to similar conclusion that cloudflare one

>1:11,500 non-Tor IPs contained malicious requests
>1:380 Tor exit nodes contained malicious requests

However the clouflare post is also misleading

>The problem is generating SSL certificates to encrypt traffic to the .onion sites.

There is no need to generate SSL certificate to encrypt traffic to an .onion site

April 05, 2016

Permalink

Rather ironic that a leading technical journalism site in the UK that
hosts good reporters can no longer be read by whistleblower
contributors. ( theregister.co.uk )

The original site that spawned it does carry the story based on this
blog: http://www.theinquirer.net/inquirer/news/2453292/tor-calls-out-cloudfla…

Thats how it got you broader publication.

Pretty stupid that edgy content tech news sites submit themselves to
CaaS ( Censorship as a Service ). I wont EVER provide any further
material to their journalists for the simple reason that I cannot read it
without risking CloudFlare playing social engineering games with my
willingness to relax access restrictions to my active browser.

April 05, 2016

Permalink

One of the most difficult web pages to reach (CF seems to be adjustable by how hard it comes down on blocking Tor users) is a very trivial IT and Computer news web site such as http://www.ghacks.net/
What is it a hacker or spammer could do with this webpage besides leave a comment to the articles??
I have also discovered that if I try to get directly to Ghacks.net which naturally will be blocked by CF, then the same particular article on Ghacks wont work even through Startpage proxy, hmm... Big Brother knows where I am moving on the net despite using TBB.

April 06, 2016

Permalink

CloudFlare is the "bot" guardian just like the NSA is the "NatSec" guardian against terrorism. It's not about security - it's about $$$ and control.

The ironic hypocrisy of CloudFlare: in protecting it's alleged clients from malicious "bots", CloudFlare, of course, operates like a bot.

And, of course, most of CF's alleged clients, there mostly against privacy, or anonymity of location, because they need related information to support their business models.

April 06, 2016

Permalink

When I reach a site with a cloudflare captcha I simply don't use the site. They obviously don't want ad revenue or my traffic.

I also have moderators delete all cloudflare captcha wall links from my forums, some of which are high traffic. Cloudflare has cost websites we've deleted links to well over $15,000 since last week by my estimates. Cloudflare hinders tor traffic, but when I delete a link it stops both tor and non-tor traffic from my sites. As far as I'm concerned, if I can't easily check a website using tor to ensure it's not spam, then it's spam and I delete the link.

Tor isn't going away. Tor traffic is only increasing.

Website owners need to take a look at their pre-captcha traffic and ask themselves if they can really afford to use Cloudflare's traffic blocking features.

April 08, 2016

Permalink

You can't make this up. I've been to a web site that opened another tab to show a third-party ad. Only this ad-service (popmyads.com) is behind Cloudflare and instead of an ad the "One more step" Cloudflare page was displayed. Needless to say no one will ever solve these captures. Tor and Cloudflare, the new ad-blocker combo in town.

April 08, 2016

Permalink

Someone wanting to have an exit relay flagged as malicious by Cloudflare need only deliberately route "malicious traffic through that exit. That flag can last an arbitrary amount of time. One tactic could be to create a chilling effect on the amount of new exit relays. Another tactic could be to use this kind of harassment against exits that an attacker does not control.

This is an attack on the entire Tor network. To me, the next step is to create exit bridges, the risk being that those exit bridge relays would be largely unable to exonerate themselves as being part of the Tor network unless we create a technical means by which they can. Unfortunately, an attacker good at discovering exit bridges would be able to get them flagged as malicious as well, but we could take steps to mitigate that, such as requiring users to have a password in order to use them. And of course, having the exit bridges only accessible by a few users could give away their identities.

The anti-privacy forces have won the hearts and minds of the people. The vast majority do not support anonymity, and that majority is still growing. Most people believe that anything a person does online should be subject to oversight.

April 09, 2016

Permalink

Why does Cloudflare need to fix anything? They are using a popular browser without BIG-OS legal protection to force suckers to play captcha. Every captcha is pennies in Akamai (oops) Cloudflare pocket. Lotts of pised off people equals lots of pennies. Billions of pennies.

April 10, 2016

Permalink

If I get a CloudFlare CAPTCHA then I click on 'New Tor Circuit for this Site' a couple times. If that doesn't work then I simply give up on the website and move on. I never try to solve the CAPTCHA because I have javascript and cookies disabled which makes solving CAPTCHA impossible.

CloudFlare strikes me as a "If it doesn't make dollars, then it doesn't make cents" type of publicly traded company. The only way they'll change their behavior towards Tor is if it starts impacting their bottom line profits.

April 12, 2016

Permalink

CloudFlare has sufficiently degraded the TOR experience to extent that is has greatly altered the web activity of TOR users. The NSA couldn't be happier. Businesses are, unbeknownst the them, losing customers and advertising revenue as surfers subconsciously shift away from CloudFlare clients.

April 12, 2016

Permalink

We decided to block cloudflare completely for any reach from our maintained network and only allow access to a very small selected number of cloudflare IP addresses. That's because we found out that a huge amount of trackers and addvertising sides are hidden behind unreadable cloudflare host names. Until today our blocking has no negative effect for our customers but keep out unwanded adds and user tracking. I'm only aware of a handful services worth access hosted by cloudflare.

April 13, 2016

Permalink

CloudFlare is indeed an important problem, but not the most urgent one facing TP.

The published draft (available at cryptome.org and only 9 pages long) of the Burr-Feinstein "backdoor" bill would appear to outlaw PFS (perfect forward secrecy), unbackdoored TLS, GPG, and other essential components of Tor and Debian.

This is a very real and immediate existential threat to the continued existence of Tor.

Does TP have any comment on the Burr-Feinstein draft?

April 13, 2016

Permalink

The issue here is that Cloudflare CAN control access to a large part of the Web, not that they WANT to do so. Cloudflare can deny (and modify unencrypted) traffic passing through their servers to either Tor or non-Tor users, secretly or openly. We shouldn't have trust them, we shouldn't be asking them to be nice. Website owners are ultimately responsible for this. Centralization is not good.

April 14, 2016

Permalink

The solve for this is simple, contact all the web sites using cloudflare and tell them to ask cloudunfair to provide for them all the data on hits they have turned away from your fabulous web side you spent months building so you can go over the data as a HUMAN and see if those BLOCKED were really bad. Also have a unblock feature so you can quickly unblock IPs that maybe your own scripts have figured out are OK and send a browser retry or something.

Point is, give the customer the means to see that you are blocking traffic and let them decide if it's garbage or not! Also tell those webmasters at those sites that you could not get to see his site and that you don't even know what is on his site.

I bet most people would turn cloudflare off if they actually knew how many hits they are not getting.

Most host providers already supply ddos protection.

The CAPTCHA is done via GOOGLE, which means if google has flagged your IP for some reason it all fails, the least they could do is do their own CAPTCHA so the stupid system doesn't think you tried when you COULD NOT.

April 16, 2016

Permalink

Cloudflare clients have made their websites unreachable if JavaScript is blocked or only run from trusted sites the captcha never displays

April 17, 2016

Permalink

I wouldn't mind these captchas so much were they not from Google.

I prefer to access Google-controlled domains as infrequently as possible. After all, Google is some of the most surveillance-happy companies out there. I do realize it's difficult for them to track people on TOR (unless they sign into Google), but I still prefer to block Google out of my life, if only because it make me feel better to not contribute any traffic to Google.

But, I can't avoid Google because of these stupid Google captchas. If I don't do the captcha, I am locked out of whatever cloudflare-based website I'm trying to use. :(

April 17, 2016

Permalink

iblocklist provides a blocklist for Cloudflare servers. My social network (which is Tor friendly) now uses this list to block all incoming traffic with a Cloudflare IP or referrer, while notifying that Cloudflare users have been blocked because Cloudflare harasses Tor users. If Cloudflare users want to access it, the HAVE to use TOR.

Ironic isnt it?

April 20, 2016

Permalink

Out of curiosity I just clicked on the 'Internet Defense League' logo on the bottom of the Tor Project homepage
https://internetdefenseleague.org -> One more step...

Is this a joke?
And it gets even better.
Not only is the hp of the so called 'Internet Defense League' which includes Tor Project and the EFF and that is claiming to fight for freedom of the internet behind cloudflare and thereby unreachable for tor users, if you look at 'Who's behind it?' at the bottom you'll find:
...'and a growing group of volunteers, including Cloudflare.'

I don't want to live on this planet anymore...

April 21, 2016

Permalink

Cloudflare is indeed a Silicon Valley security protocol company; while maybe protecting some, instead are running protected scam-sites. In otherwords, are pretending not to be the host of some websites, when in actuality are the real host.

April 24, 2016

Permalink

Not only do we want to have our own autonomous open/free/anonymous network we want to have full access to "their" network. Autonomy and dependency on capitalist and state structures are not on the same route. It may be possible that the time has come to choose and create our other internet, but this requires funding for servers and a "medium". We still own shortwave but at astonishingly slow speeds. Soon even wikipedia and wikileaks may become unreachable from the onion network or any anonymous user. .

April 24, 2016

Permalink

A one click button to get a new tor circuit could at least mitigate the Cloudflare annoyance. Then I might be willing to try 10 new circuits before giving up instead of 2 or 3.

April 26, 2016

Permalink

Google can fingerprint a tor user by how they fill in the captcha. The speed, accuracy, navigation patterns, clicking direction, and general habits while completing the sometimes lengthy puzzles can id you.

April 27, 2016

Permalink

So I decided to test out CloudFlare on a disposable subdomain.
I set the firewall setting to "Essentially off" which is the least restrictive setting, pulled up Tor, and tried to connect.
Guess what? CAPTCHA!
That's right, even "Essentially off" challenges Tor. Tor has to be specifically whitelisted in the Access Rules section.

OK now that kind of pisses me off. They know that people will not specifically whitelist it. People will think it's especially dangerous and has its own section "for a reason", and if they have no reason to whitelist it, they won't.

April 29, 2016

Permalink

the akamai powerpoint leads to similar conclusion that cloudflare one

1:11,500 non-Tor IPs contained malicious requests

1:380 Tor exit nodes contained malicious requests

However the clouflare post is also misleading

The problem is generating SSL certificates to encrypt traffic to the .onion sites.

There is no need to generate SSL certificate to encrypt traffic to an .onion site

May 01, 2016

Permalink

The solution I see is a successful campaign like Let’sEncrypt which would be something like "Make your website an ONION". Making an ONION URL is easy, and that gets rid of CloudFlare, according to what is said in this discussion.

>The real trouble with CloudFlare and friends is of course that they are Man-in-the-Middle-as-a-service. That people find such an invasion on the integrity of the Internet acceptable is beyond my comprehension.

Couldn’t agree more.
And the Captcha sells us to Google. Very nice.

May 17, 2016

Permalink

OT but even the tor bug tracker itself requires tor users to solve a captcha before allowing the user to register

May 19, 2016

Permalink

If cloudflair is indeed training their AI with our futile attempts to solve unsolvable captcha's etc., intending to monetize our frustration, maybe we should poison their well by, instead of just going away when presented with a captcha etc., taking the time to click on random images a few times.

I don't know...

May 27, 2016

Permalink

Have you considered that fact that several site authors are threated on a daily basis with DDOS? Not every individual blogger has a multiple private datacenters and the technical expertise to block DDOS attacks. CloudFlare is the easiest way to block such attacks. If the Tor Project is willing to release their own DDOS Protection Scheme that blocks 500+GBPS DDOS Attacks on a server with a 100MBPS Port then I'm all for it. I seriously doubt though that this is possible. Due to the fact I am forced to use a reverse-proxy provider in my case CloudFlare to protect myself.

June 02, 2016

Permalink

Cloudflare asegura algo que es **falso** y el motivo para hacerlo no es otro que ampliar su negocio.

Como consumidor rechazo entrar en sitios que bloqueen Tor o que usen Cloudflare.

June 15, 2016

Permalink

"The design of the Tor browser intentionally makes building a reputation for an individual browser very difficult. And that's a good thing. The promise of Tor is anonymity. Tracking a browser's behavior across requests would sacrifice that anonymity.

****** So, while we could probably do things using super cookies or other techniques to try to get around Tor's anonymity protections,****** we think that would be creepy and choose not to because we believe that anonymity online is important."~Matt Prince, Cloudflare Blog.

He is saying they could break TOR with super cookies.

True?

False?

If true, obviously state actors are already there.

July 14, 2016

Permalink

It appears that Cloudflare recaptcha greatly simplifies traffic analysis and identifying the real browser IP.

The traffic pattern timing of human clicking on the recaptcha puzzle - multiple clicks at specific points in time - can be easily observed between browser and the first node, and compared with the timing observed by Cloudflare for particular session. The match links the real IP with the exit node session. The user-side signatures can be made more unique by pacing the delivery of the additional images. Jitter introduced by onion routing cannot mask this.

Assume that recaptcha makes your IP known.

July 29, 2016

Permalink

https://community.akamai.com/community/cloud-security/blog/2016/04/07/w…

  1. <br />
  2. Why is Akamai blocking me?<br />
  3. Blog Post created by Lawrence Taub Employee on Apr 7, 2016<br />
  4. Like • Show 7 Likes7<br />
  5. Why is Akamai blocking me?</p>
  6. <p>Akamai does not block users from accessing our customers’ websites. However, our customers can use tools and policies which may in turn block you (the end user). Our customers use these rules to protect them and you from malicious actors on the internet. Some common reasons could include:<br />
  7. Explicit IP blocking / blacklisting<br />
  8. Location-based blacklisting<br />
  9. Rule-based blocking (i.e. web application firewall protections)<br />
  10. Reputation-based blocking<br />
  11. HTTP request rate controls (e.g. DoS protections)</p>
  12. <p>The following activities may trigger application security controls:<br />
  13. Web application layer attacks such as: SQL Injection, Cross-Site Scripting, Local File Inclusion, Remote Command Execution, Remote File Inclusion, etc.<br />
  14. Volumetric attacks or similar high rate HTTP traffic<br />
  15. Web contents scraping, data mining, web content indexing and similar automated web activities<br />
  16. Web vulnerability scanning using automated tools</p>
  17. <p>Your reputation follows you. If your IP is identified as behaving poorly on one site, you may be blocked on other websites. A first step in troubleshooting may be to determine whether your organization is performing one of the activities listed above that could affect your reputation.</p>
  18. <p>When a page cannot be accessed, whether because of a customer policy blocking access to that resource or a variety of other reasons such as a server error, the error page will typically be presented as follows:</p>
  19. <p>2016-01-27-12-21-11-137732.png<br />
  20. [eg:<br />
  21. Access Denied<br />
  22. You don't have permission to access "<a href="http://www.lowes.com/&quot" rel="nofollow">http://www.lowes.com/&quot</a>; on this server.</p>
  23. <p>Reference #18.random.string.goes.here.81n1<br />
  24. ]</p>
  25. <p>Notice the reference number. Akamai customers can use this reference number to identify why this request failed.</p>
  26. <p>If you are unable to access a web site, this may be the result of a policy configured by the site owner you are attempting to access. To make a change to this policy, the site owner (the Akamai customer) would have to change their policy. Akamai is unable to make this change without the explicit direction of the site owner. To obtain the contact information for a site owner, one avenue to explore might be via whois. Please contact the site owner directly and have them in turn contact Akamai if they believe that you should be able to access the resource.

So lookup the whois and ask them to whitelist every exit node?

I would guess auto-submitting exit nodes (which I have also run) would get black listed too.

August 05, 2016

Permalink

Is it true that cloudflare is protecting some of the most prominent members of isis the terrorist organization on its servers . If this is true then these sons of bitches want to be closed down by the government .There not above the law and should act like responsible adults not like some fucking spoilt rich kids out of some spy movie. Not sure about so called bullet proof servers or companies they seem to attract the criminal underworld more than government agencies and reputable companies .Something needs to be done

October 14, 2016

Permalink

Cloudflare redirects traffic through the USA where it can be captured by the NSA.

The Cloudflare CAPTCHA is a way to identify your computer, in spite of your use of a VPN.

October 28, 2016

Permalink

Yes, Cloudflare is so bad to hinder Tor traffic. I am going to skip sites using CF if the sites are not so irreplaceable.