The Trouble with CloudFlare

Wednesday, CloudFlare blogged that 94% of the requests it sees from Tor are "malicious." We find that unlikely, and we've asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as "malicious." Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare's system.

We're interested in hearing CloudFlare's explanation of how they arrived at the 94% figure and why they choose to block so much legitimate Tor traffic. While we wait to hear from CloudFlare, here's what we know:

1) CloudFlare uses an IP reputation system to assign scores to IP addresses that generate malicious traffic. In their blog post, they mentioned obtaining data from Project Honey Pot, in addition to their own systems. Project Honey Pot has an IP reputation system that causes IP addresses to be labeled as "malicious" if they ever send spam to a select set of diagnostic machines that are not normally in use. CloudFlare has not described the nature of the IP reputation systems they use in any detail.

2) External research has found that CloudFlare blocks at least 80% of Tor IP addresses, and this number has been steadily increasing over time.

3) That same study found that it typically took 30 days for an event to happen that caused a Tor IP address to acquire a bad reputation and become blocked, but once it happened, innocent users continued to be punished for it for the duration of the study.

4) That study also showed a disturbing increase over time in how many IP addresses CloudFlare blocked without removal. CloudFlare's approach to blocking abusive traffic is incurring a large number of false positives in the form of impeding normal traffic, thereby damaging the experience of many innocent Tor and non-Tor Internet users, as well as impacting the revenue streams of CloudFlare's own customers by causing frustrated or blocked users to go elsewhere.

5) A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that originating from the Internet at large. (Specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).
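The effect of the labeling rule suspected above can be measured on a small log. This is an added example, not code from this post or from CloudFlare: the log, the exit addresses (documentation range), the client names and the 7-day expiry are constructed assumptions, and the "ever flagged" rule models the suspicion stated here rather than any documented CloudFlare method.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    day: int        # day of the observation window (1-based)
    exit_ip: str    # shared exit address, the only identity the site sees
    client: str     # ground truth; not visible to a site operator
    abusive: bool   # ground truth for this single request


def build_log():
    """Constructed sample: 10 ordinary users and 1 bot share 2 exits for 30 days."""
    exits = ("192.0.2.10", "192.0.2.20")  # RFC 5737 documentation addresses
    log = []
    for day in range(1, 31):
        for ip in exits:
            for n in range(10):
                log.append(Request(day, ip, f"user{n}", False))
    # The bot sends one burst through each exit, on day 3 and on day 5.
    log += [Request(3, exits[0], "bot", True) for _ in range(50)]
    log += [Request(5, exits[1], "bot", True) for _ in range(50)]
    return log


def per_request_rate(log):
    """Share of requests that are abusive when each request is judged alone."""
    return sum(r.abusive for r in log) / len(log)


def ip_label_rate(log, ttl_days=None):
    """Share of requests counted as malicious when the label sticks to the IP.

    An exit IP is flagged from the day of an abusive request onward.
    ttl_days=None models a flag that is never removed; an integer models
    a flag that expires that many days after the abusive request.
    """
    abuse_days = defaultdict(set)
    for r in log:
        if r.abusive:
            abuse_days[r.exit_ip].add(r.day)

    def flagged(r):
        return any(
            a <= r.day and (ttl_days is None or r.day < a + ttl_days)
            for a in abuse_days.get(r.exit_ip, ())
        )

    return sum(flagged(r) for r in log) / len(log)


def abusive_client_share(log):
    """Share of distinct clients that ever sent an abusive request."""
    clients = {r.client for r in log}
    abusive = {r.client for r in log if r.abusive}
    return len(abusive) / len(clients)


if __name__ == "__main__":
    log = build_log()
    print(f"requests in log:               {len(log)}")
    print(f"abusive, judged per request:   {per_request_rate(log):.1%}")
    print(f"'malicious', sticky IP label:  {ip_label_rate(log):.1%}")
    print(f"'malicious', 7-day IP label:   {ip_label_rate(log, ttl_days=7):.1%}")
    print(f"clients that were abusive:     {abusive_client_share(log):.1%}")
```

The same traffic yields very different "malicious" percentages depending on whether the unit of measurement is the request, the client, or an IP label that never expires, which is why the methodology behind a headline figure matters.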

CloudFlare disagrees with our use of the word "block" when describing its treatment of Tor traffic, but that's exactly what their system ultimately does in many cases. Users are either blocked outright with CAPTCHA server failure messages, or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs, many of which require the user to understand English in order to solve correctly. For users in developing nations who pay for Internet service by the minute, the problem is even worse as the CAPTCHAs load slowly and users may have to solve dozens each day with no guarantee of reaching a particular site. Rather than waste their limited Internet time, such users will either navigate away, or choose not to use Tor and put themselves at risk.

Also see our new fact sheet about CloudFlare and Tor:

April 01, 2016


Can you guys help me? My school changed to CloudFlare during the Christmas break and I can't figure out how to get past it. I used to easily get past their firewalls but now I can't. Help, please?

April 01, 2016


> 5) A report by CloudFlare competitor Akamai found that the
> percentage of legitimate e-commerce traffic originating from
> Tor IP addresses is nearly identical to that originating from
> the Internet at large. (Specifically, Akamai found that the
> "conversion rate" of Tor IP addresses clicking on ads and
> performing commercial activity was "virtually equal" to that
> of non-Tor IP addresses).

A specious claim? Let's see...
Cherry picks supporting claims? Check
Quotes source deceptively? Check
Draws on points of limited relevance to make a case? Check
Relies on reputation of source for validity? Check

That report states unequivocally "Tor exit nodes were far more likely to contain malicious requests"
(I interpret this as meaning "[Traffic from] Tor exit nodes [was] far more likely to contain malicious requests" or equivalently "Tor exit nodes were far more likely to [send] malicious requests")

From the report...
Tor IPs: 1.26% of malicious traffic, 0.04% of legit traffic
Other IPs: 98.74% of malicious traffic, 99.96% of legit traffic

What was similar between Tor and non-Tor traffic, according to the report, was the distribution of attack types among the malicious traffic observed. This similarity is relative, not absolute, and does not contradict the statement "Tor exit nodes were far more likely to contain malicious requests".

The positive-sounding "conversion rate" is cherry-picked, but what does this mean? Conversions on the internet are typically low (<5%). Speculating now: Perhaps legit Tor users are actually *more* likely to convert than non-Tor legit users. If (speculating, remember) legit Tor users are twice as likely to convert, it would require half the Tor traffic to be malicious for these numbers to add up.

But who was actually talking about the conversion rate? No one. We were talking about whether bad actors as well as good use Tor, and whether there is increased risk to content providers from Tor traffic.

Is quoting a report that states "Tor exit nodes were far more likely to contain malicious requests" to support the claim that traffic Tor nodes are not more likely to send malicious requests valid? No (for all values of No).

I concede the point to those who've made it that labelling traffic legitimate or malicious has some devilish details - I hope that _that_ discussion can be considered outside the scope of my simple point: the claim to which I was responding was made without adequate attention to truth.

The moral of the story:
Sometimes the first step in dealing with a problem is admitting that you have a problem.

April 02, 2016


> 94%
Because Cloudflare declares that most exit IPs are malicious, it sees normal TBB traffic from those exits as malicious. Simply they are blind (their software is not smart enough).

Cloudflare is responsible in that it must educate its users (webmasters), so that they understand proxies, to avoid deploying not-so-smart filters.

April 02, 2016


Coming from Europe.

I would like to point out that CloudFlare violates European privacy laws by requiring me to accept cookies. So blocking me when coming from a European exit node is illegal in Europe.

Not that I care very much, because any site that uses CloudFlare is a site that I don't visit. I would like to let the owner of the site know, but unfortunately that is impossible because I can't even get their contact information.

Perhaps it would help if it was possible to notify the site owner that their site won't do anything useful for Tor users. Even a list of contact addresses would help me, because I'm quite willing to give a piece of my mind to the site owners.

April 02, 2016


Well, like all of you I find myself standing in front of locked doors all the time while browsing the web. But there is something very remarkable about this: I'm blocked when I visit media sites like or, I'm blocked from visiting blogs or sites of "general interest". But I'm never ever blocked by Cloudflare, when I'm about to spend money. Either e-commerce sites are in some wondrous way inherently immune against any threat from us malicious Tor users. Or these threats aren't that threatening at all when it comes to making money. (Not that I would buy anything using Tor, since I had to de-anonymize myself by registering or logging in.)

April 02, 2016


The Tor project has failed to address abusive use of Tor for years and years and years. The Tor project's own FAQ on abuse says: "Does Tor get much abuse? Not much, in the grand scheme of things. The network has been running since October 2003, and it's only generated a handful of complaints."

That's the Tor project publicly sticking its fingers in its ears and going 'la la la la la'. The idea that Tor has generated "a handful of complaints" is a wanton ignorance of the reality of Tor network use.

Anyone who runs a network or web site of any significant size knows that Tor traffic is a cesspool of scanning, abuse, comment spam and more. It's no surprise networks block Tor outright.

April 02, 2016


I've been 100% Tor for a while now but.. using the Internet has transformed from a wondrous experience to one of great frustration.

I think about giving up using Tor on a daily basis due to the sheer volume of CAPTCHAs I have to solve. I hate the idea of using my ISP's connection directly (they monitor and sell consumer HTTP data for profit and I'd rather my habits not be on file for eternity) and the idea of choosing a 'good' VPN leaves me with a lot of doubt and worry.

Some days I want to just give up on using the Internet. Throw all my equipment away and analogue. Thanks CloudFlare. :/

"I think about giving up using Tor on a daily basis due to the sheer volume of CAPTCHAs I have to solve."

I won't give up Tor but I will stop buying products and services from Cloudflare customers. I will not refer any client to a Cloudflare customer site either.

"I hate the idea of using my ISP's connection directly (they monitor and sell consumer HTTP data for profit)"

That's a great point which no one else has mentioned: this practice is far more common than most people realize. In most jurisdictions there are no laws which prevent the collection and sale of customer data. When that data gets stored, it's often stolen by hackers. And sometimes those hackers are inside the company. The identity theft ring that was busted at AT&T* is the tip of the iceberg. Only a few get caught.

If the ISP catches a hacker without external help, they will often risk a fine for failing to report the breach rather than tell the public their service is insecure. Politicians and potential business competitors are particularly at risk for ISP-based spying. But even some ordinary customers will get junk mail and telemarketing calls because their ISP sold their browsing history. If banks and governments cannot protect their customer records, why would your ISP be any more secure? You can never trust your ISP because you don't know who has access to what. So everyone on the internet has a valid use case for some kind of anonymous proxy until encryption is built into the internet at the protocol level.


Thanks. Now I at least know who's responsible for turning the free web into a captcha-mess.

best tool,

Thank you Tor Project for writing this. It is very important.

Cloudflare is a commercial service requiring people to use it. Simple answer tell everyone you know not to use their service. Simple marketing, don't use and force them out of business. If only people would do the same with google, oh what a lovely internet we would have.

I am happy to block Tor on my sites. Nothing ever good comes from it.

I guess the 2+ million daily Tor users are not a large enough percentage of total internet users for companies to be concerned about losing revenue from them.

Google too started to show captcha.

I don't work for Cloudflare.

The "94% of traffic" figure can come from two different measures.

The first is "the number of malicious requests", where "malicious" is defined as "attempts to identify or exploit weaknesses which could lead to unauthorized levels of access".

The second is "the raw size of traffic which is malicious". I don't know if this percentage would be as high as the number of malicious requests.

Given that most malicious requests tend to be automated at this point (mass scanners tend to scan and move on when they don't find a vulnerability), it's quite likely that there's a few people using the Tor network to provide anonymity for their probes -- and those probes are massive scans, some number for every site that they try to find vulnerabilities in. That could -easily- overpower (even by an order of magnitude) the number of legitimate, "I know what I'm doing and I'm not exploring to find any holes around what I'm doing" kinds of traffic.

Cloudflare isn't wrong, here. Insisting that Tor isn't a concentrator for malicious traffic (precisely because of its vaunted anonymity features) isn't the correct answer, here. Tor needs a means of accountability for its users to prevent them from abusing the network. This is going to be incredibly difficult to accomplish, but there are potentially ways to do it (some of which might involve authentication through multiple chains of ECDH agreements, using the output of one agreement as a private key for the next).

April 05, 2016

In reply to by Anonymous (not verified)


Now please explain why only the "I'm not exploring" kind is legitimate traffic. A scan isn't abuse. Saying that security can be outsourced like this would mean that irresponsibly buggy website design is OK as long as you think you're protected from the evil, evil internet by some NSA MitM behemoth ...

You shouldn't be prevented from viewing a website because of how you choose to access it.

re: "I don't work for Cloudflare."
I don't necessarily believe you. And you could be an investor who profits from the false claim of security benefits.

re: "the raw size of traffic which is malicious"
And therein lies the rub:

Cloudflare has declared things like content scraping and banner-ad click fraud to be "harmful" and "malicious" when it actually represents no security threat to the customer's web server. There are more efficient ways to deal with this traffic which would not require Cloudflare to break or disrupt every website under its control by default.

The statistics don't prove that most Tor users are malicious, nor do they prove that HTTP GET requests represent a security issue. What do you think web servers were made for? Even if CAPTCHAs had some security value, Cloudflare can't explain how they plan to secure millions of public WiFi access points unless they make everyone on the internet pass a Turing test for every website under Cloudflare's control. This is just nonsense. CAPTCHAs might prevent forum spam, but they do not prevent security flaws from being exploited, and you should not deploy them across your entire domain just because you can. This is the adult equivalent of a child's security blanket: it might feel good, but it serves no practical purpose in terms of security.

> There are more efficient ways to deal with this traffic which would not require Cloudflare to break or disrupt every website under its control by default.

They want to disrupt Tor. Tor supporters are an extremely small minority of people. The consensus among network professionals is that Tor should not be allowed to exist.

> The statistics don't prove that most Tor users are malicious, nor do they prove that HTTP GET requests represent a security issue.

They are not required to offer evidence of anything.

> you should not deploy them across your entire domain just because you can.

They are doing it to attack Tor users. The net is not neutral and they can block anything they want for any or no reason. An alternative to outlawing Tor outright would be for various autonomous systems to reject traffic to and from known Tor relays.

Cloudflare rates anything that might block ads, modify header, block scripts or web bugs, or anything recognised as possibly VPN IP or Tor IP blocks as MALICIOUS

Guys, just use a proxy after the tor exit node. *cheers*

Another problem with the 94% statistic is that spammers send more requests than normal users. It could be that 1000 people send 100,000 requests to a website, but it was one spammer that sent 94,000 of them. So even if 99.9% of tor users are harmless, Cloudflare can still claim "94% of tor traffic is malicious."

Another post farther up the list contains the most accurate and succinct explanation. It’s so right on point that the sentence deserves to be repeated:

“CloudFlare is selling a magical security device. The client thinks it's making their website more secure, when in reality at most it's simply reducing spam to unrelated people.”


Indeed, the majority of people with something to sell will exaggerate the value of their product or service. This is a fact of life. We encounter it every day, mentally note it where applicable, and go on about our business. But when they begin to interfere with the conversations and commerce of others, we have a right and obligation to protest. For many people who are opposing tyranny and corruption, using Tor is not a choice, it is a requirement. And Cloudflare wants to break Tor’s functionality just for the sake of profit. It always comes down to freedom or fortune:

For a company as big as Cloudflare which mirrors a significant chunk of the internet, it’s simply not credible that all of the CAPTCHA looping and the endless redirects (or failure to display after solving) could be an innocent mistake. It’s constant, it’s everywhere, and it’s all broken on purpose. But Cloudflare is pretending like they don’t know something is wrong. There is a method to the madness here:

They are just using you to train an A.I. to recognise things like street signs, house numbers and landmarks that a vehicle would encounter. At some point this A.I. product will be sold or licensed to car manufacturers for a vast profit. This is why Cloudflare keeps asking you to solve far more CAPTCHA’s than would be necessary to prove you’re not a bot. Surely you did not think that Cloudflare expected to get nothing in return for giving free service to millions of web sites. Cloudflare’s primary purpose is to exploit everyone who uses a proxy. The intercept page they display to proxy users should just say: STOP! PAY TROLL!

I think we need a dedicated site that explains all of this to the admins who get suckered into using the service without realising how they are harming defenders of human rights (and their own customer base.) They also seem to forget that many people are using Tor because someone at their ISP is doing something sinister with their traffic logs. If Cloudflare maintains this antagonistic stance towards privacy, maybe Tor should inject a special button into every Cloudflare intercept page which sends a complaint to the webmaster or domain owner explaining why they should stop using that service. Cloudflare may not be entirely evil, but it’s the next best thing.

A warrant canary is a cryptographically signed, dated, and regularly updated statement that you (or your company or organization) have never received

o an NSL or other court/government order with an "eternal gag order",
o a demand to insert a govt backdoor (a serious demand, not phrased as a "joke"),
o a demand to abuse your cryptographic signing key by signing a "specially modified" version of a legitimate software update,
o &c.

Here is an example from a critically important partner of Tails Project, a Tor Project partner:

(Note that Riseup Networks updates its canary quarterly.)

For years, some Tor users have requested Tor Project to rectify the odd omission of any warrant canary from its home page. And for years, TP has refused to explain the absence of any warrant canary.

Is the reason that TP has long since received just such a request? TP won't say, and that is worrisome.

Some people like to claim that warrant canaries are useless. I don't agree. Indeed, something horrible seems to have happened to Reddit, which until very recently *did* offer a yearly warrant canary. One reason why that should concern every Tor user is that we rely on what is almost a single point of failure, Ars Technica, a news outlet which is owned by the same company which operates Reddit:…

Reddit removes “warrant canary” from its latest transparency report
CEO is staying mum: "I've been advised not to say anything one way or the other."
Cyrus Farivar
31 Mar 2016

> Reddit has removed the warrant canary posted on its website, suggesting that the company may have been served with some sort of secret court order or document for user information.
> At the bottom of its 2014 transparency report, the company wrote: "As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed."
> That language was conspicuously missing from the 2015 transparency report that was published Thursday morning. (Disclaimer: Ars and Reddit are owned by the same parent company, Advance Publications.)

See also:
Reddit's Warrant Canary On National Security Letters... Disappears
Mike Masnick
1 Apr 2016

> On Thursday, Reddit posted its latest transparency report concerning government requests for user information or content removal. This is the second such report, following its 2014 report. As one Reddit user quickly noted, the 2014 transparency report had something of a "warrant canary" concerning National Security Letters (NSLs):

There are many so-called "services" like cloudflare or google or blogspot or webmail providers and so on that are hostile towards Tor because they are hostile against privacy and security for the individual as a principle.

This should be the incentive towards more onion-based sites like duckduckgo and hopefully in the future we will have a full parallel universe in the dark web with no need to interact with the privacy-invading clear web.

CloudFlare is the malicious part here. Other than that they are currently kind of fucking up in other areas too and their customer support is horrible.

Well, if you can call that customer support, because from my experience (working at a company that was until recently using their service) their customer support is only a sales team and talking to them about anything close to technical will result in weeks, if not months of communication even for things that are urgent, even for paid accounts.

I was really excited about CloudFlare until recently. Their blogs, their earlier responses to inquiries, their pretended wish to help to make things more pleasurable for Tor users, their open source projects, etc. all sounded like a great company, but the recent months were hugely disappointing.

Anyone up for creating a CloudFlare competitor?

It's already in development! And it does not require a huge investment either. The basic idea here is that you buy a Network Attached Storage system, then lease the disk space and some of your internet bandwidth to web site operators through a digital currency system. The software replicates portions of a web site across thousands or millions of storage devices in response to consumer demand. You could tweak the cost/bandwidth tradeoff however you like:

Depending on the level of traffic that your site gets, you could potentially have your site hosted for free on a global content delivery network in exchange for your participation as a host on that same network. Or you could just earn money being a server. We will eventually beat Cloudflare on price, performance and reliability with a distributed system that nobody owns. And no one who hosts your site can tamper with it because they only have part of it and the files are encrypted. That is better than Cloudflare in every way I can think of. Here are some links to current projects if you want to follow their progress. I don't manage these projects, I just think they represent the future of hosting for most of the internet.

or just ask insane web servers owners to get us the private keys...

Just read the abstract of the research you linked to.
Don't get me wrong. I hate CloudFlare just as much as the next Tor user, but wording the issue as mistreatment of "second-class Web citizens" made me chuckle.
Are these connotations really useful?
Should we start accusing CloudFlare of being "anonymist" now?

Why are you calling out Cloudflare when Akamai is way worse? Akamai silently blocks Tor (just try visiting with Tor) and isn't interested in any dialog, whereas CF has been working with you us. This is a dumb move.

"Access Denied
You don't have permission to access "" on this server.

Reference #18.cd041002.1460366234.c7eaace"

So, this is generated by Akamai then! This message is almost as prolific as Cloudflare's captchas!

I'm not saying you're right or wrong, but are you sure doesn't just happen to be blocking Tor exit nodes via the X-Forwarded-For (or similar) HTTP header? A lot of other comments suggest Akamai is indifferent to Tor traffic.

Because CloudFlare isn't owning up to their blocking; Akamai users must deliberately block Tor while CloudFlare requires users to deliberately whitelist it.

Lately on the Cloudflare landing page I got quite often the error "reCAPTCHA / Sorry, an error has occurred". No capture is displayed. I wonder how this is counted at Cloudflare?

Sorry for adding one to flooding comments (mostly spammy) at this blog.

The conclusion is: posting a large number of spam comments is enough to silence many useful comments to suppress free speech. Not blaming busy volunteer moderators though. Something should be done on the comment system...

Leaving doubts about methodology aside (how do they differentiate humans who were too pissed off to solve the captcha once again from bots?)…

Cloudflare does not provide free CDN and anti-abuse service. Cloudflare needs valuable user behavior & tracking data and gives the service in return.

Google does not provide free captcha service. Google needs valuable user behavior & tracking data and gives the service in return.

(By the way, I really doubt Cloudflare simply chose Recaptcha and it just worked on such a large scale. There had to be an agreement on terms of service — and on mutual benefits — between both companies.)

What Cloudflare worries about is not convenience of Tor users. What Cloudflare worries about is that their captchas for Tor clients on every served website make it painfully obvious to even an average user how widespread their tracking system is and that people might actually start to question the practice. They would really prefer to gather the data without anyone noticing it, just like internet service and hosting providers do today.

PSA: if you have to use third party services, only use them when it's necessary. If you use Recaptcha for comments, only load it when someone uses the reply form. Do not defend from potential DoS attacks in the future by selling your users now, have a hot/cold backup subdomain that is served through Cloudflare.

As an owner of multiple successful ecommerce stores I can tell you 99% of TOR traffic is fraudulent, just the way it is I suppose.

I brought it up with CloudFlare too. I'm an investigative journalist who's prosecuted by the Canadian regime for exposing the inconvenient facts about the police state. I urge all my readers to use Tor browser when accessing not only my site, but any site.

It happened a few months ago when CloudFlare updated their algorithm and virtually every request to my site from the Tor network was challenged, even though I have the security set to "Essentially Off". I wrote a ticket to CloudFlare to explain why they are doing this, but got unhelpful, cut and paste type of response.

The biggest triumph of anonymity-enhancing software to date?

No, not the Snowden leaks.

The Panama Papers.

2.6 terabytes of data.

11.5 million documents:

o 5 million emails
o 3 million database files
o 2 million PDF documents
o more.

210 thousand shell companies registered in Panama and 20 other jurisdictions.

Implicated in four decades of financial corruption and other irregularities:

o heads of state of RU, UA, IS, PK
o 600 people sanctioned by US and other governments (politicians, generals, terrorists)
o FIFA (not just Sepp Blatter, the whole shebang, even their "ethics officer")
o dozens of Russian oligarchs
o thousands of mega-rich "Western" plutocrats
o bank thieves (the non-cyber kind)
o Mafia chiefs
o military chiefs
o politicians
o banks
o lawyers

Researching the trove: 400 investigative journalists, from

o Sueddeutsche Zeitung
o International Consortium of Investigative Journalists (ICIJ)
o The Guardian
o and more

This is the biggest single leak *ever*. Take it from someone who knows about big leaks:

Edward Snowden ‏@Snowden
3 Apr 2016

> Biggest leak in the history of data journalism just went live, and it's about corruption.

And what else might yet be found in the trove? I venture to suggest:

o some of the missing trillions the USG lost in post-invasion Iraq
o LEOs
o US politicians and military leaders

About the Panama Papers
Frederik Obermaier, Bastian Obermayer, Vanessa Wormer and Wolfgang Jaschensky
3 Apr 2016

> Over a year ago, an anonymous source contacted the Süddeutsche Zeitung (SZ) and submitted encrypted internal documents from Mossack Fonseca, a Panamanian law firm that sells anonymous offshore companies around the world. These shell firms enable their owners to cover up their business dealings, no matter how shady.…

Enormous document leak exposes offshore accounts of world leaders
Rebecca Savransky
3 Apr 2016

> A massive leak of more than 11.5 million documents exposed the offshore accounts of current and former world leaders, The Center for Public Integrity reported Sunday.
> The investigation of the files, known as the Panama Papers, was published Sunday by the International Consortium of Investigative Journalists.
> The investigation "exposes a cast of characters who use offshore companies to facilitate bribery, arms deals, tax evasion, financial fraud and drug trafficking," according to the website.
> "Behind the email chains, invoices and documents that make up the Panama Papers are often unseen victims of wrongdoing enabled by this shadowy industry."
> The report exposes hidden information about how banks and lawyers hide dealings with people such as prime ministers, plutocrats and criminals.
> The documents have information about Russian President Vladimir Putin, details about England's gold heist in 1983 and information about bribery allegations regarding soccer's governing body, FIFA.
> The files include nearly 40 years of records and information about more than 210,000 companies in 21 offshore jurisdictions.…

A world of hidden wealth: why we are shining a light offshore
Huge leak reveals how the powerful exploit secretive tax regimes – and widen the gulf between rich and poor
The Panama papers
Juliette Garside
3 Apr 2016

> They are known as the CDOTs – the UK’s crown dependencies and overseas territories – island states such as the Caymans and the British Virgin Islands.
> On maps they appear no bigger than a full stop, but each year billions of dollars in capital sail into the global banking system along the warm currents of the Caribbean.
> Economists are charting an unrelenting, escalating transfer of wealth, enabled by the offshore system, often from the very poorest to the very richest nations.
> The money is sometimes spent in obvious ways – funding super-yachts, private jets, fine art auctions and, of course, property. But there is the unseen damage. It harms the ecology of vibrant cities by making them unaffordable to ordinary people.

Encourage everyone to read all about it, using Tor Browser, of course.

The world will be the better for this leak, and the world is in your debt, Tor Project!

I use Tor a lot and it's really painful to browse a website with Cloudflare. Sometimes I also get a captcha loop which is impossible to pass through (sometimes I resolve 4+ captchas and they still ask me for more captchas).
This method is certainly to discourage people from using Tor; Cloudflare shares data with intelligence agencies for sure.

For me, the captcha request is equal to a Cookie-Monster which tracks you everywhere you go. And it is even more important when it comes the first time you load Tor.
In Tor, no cookies+no java=private and anonymous.

This makes me quite mad to be honest. First of all, I think it's a shame that such a large part of the surface web is already being hosted or accessible via CloudFlare. Instead of decentralizing, people centralize again. That's a damn shame and exactly not how it (the internet) should work, goddamnit.

I experienced the same issues you stated, e.g. non-solvable captchas or captchas that don't even load. As if that's not even enough, they constantly use Google recaptcha, which also does not respect any privacy, as we all know.
And now they even start spreading FUD.

Mad. Damn mad.

Decade long, always on, Tor user here :D

Over the last three years or so, CloudFlare hosted sites become more and more annoying. Recently changed their hosting to CloudFlare, and I always got the usual "one more step..." landing page. I complained to the admin of their site via email that blocking Tor users just because of CloudFlare's default settings amuses me since as an IT news outlet they always seemed to be in favour of the free internet... Dunno if it is because of my post, but about two or three weeks later I got a different kind of landing page. It reads: "Please turn JavaScript on and reload the page. DDoS protection by CloudFlare Ray ID: XXXXX". If you do turn on JavaScript and reload the page you will get full access to the site without the need of performing a CAPTCHA or anything. In other words, there might be alternative and more unobtrusive ways to deal with DDoS protection and Tor users, and these are even possibly provided by CloudFlare!

Another really annoying problem are site owners that only host their multimedia content on CloudFlare but not their entire domain. For example, if only the images are hosted on CloudFlare you will see a rendered page but without images. Because the html request of your torified client results into fetching the CAPTCHA landing page (i.e. web content) instead of the anticipated image content, your browser might just silently ignore the "image" - due to wrong content type - and neither display free space nor anything to remind you of the missing image content...

What is also interesting is the behavior of Amazon regarding Tor. During the last six or twelve months CAPTCHAs are becoming more common here. Interestingly, after I've got a CAPTCHA at (the German site) I can often access immediately thereafter without problems (I suspect that I am using the same Tor exit node with both and Also, sometimes I will get a CAPTCHA directly when trying to access their homepage, and at other times I can view their homepage without problems but when doing a product search through their search field I will see their CAPTCHA (dunno if the Tor exit node changed between those two page loads, but since this happened quite a few times I do suspect that the exit node did not change). Again, CAPTCHAs are much more common on their *.de site but very rare with their *.com domain.

For me, a very effective trick to circumvent CloudFlare (and Amazon) CAPTCHAs is to use another web proxy through the Tor browser.

What's the deal w/ Romania?
Recently had noted "repeated Romania exit node sequences" on some sessions.
It goes like: one Romania exit node, ask for a new exit, comes a second Romania exit node... had seen 4 sequences.
Not that I'm segregating Romania, but the behaviour is odd!

Bull shits cloudflare protect this client only for you don't have uniques IP and this is the problem many client of this company have torrent tracker of not but. But this client don't like tor network because I like to control the network with the IP. Tor network permit you to have any ip and I have anonymously. This provider write a lot of bullshit and this it a bullshit ban this provider and the client behind.