The Trouble with CloudFlare

Wednesday, CloudFlare blogged that 94% of the requests it sees from Tor are "malicious." We find that unlikely, and we've asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as "malicious." Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare's system.

We're interested in hearing CloudFlare's explanation of how they arrived at the 94% figure and why they choose to block so much legitimate Tor traffic. While we wait to hear from CloudFlare, here's what we know:

1) CloudFlare uses an IP reputation system to assign scores to IP addresses that generate malicious traffic. In their blog post, they mentioned obtaining data from Project Honey Pot, in addition to their own systems. Project Honey Pot has an IP reputation system that causes IP addresses to be labeled as "malicious" if they ever send spam to a select set of diagnostic machines that are not normally in use. CloudFlare has not described the nature of the IP reputation systems they use in any detail.

2) External research has found that CloudFlare blocks at least 80% of Tor IP addresses, and this number has been steadily increasing over time.

3) That same study found that it typically took 30 days for an event to happen that caused a Tor IP address to acquire a bad reputation and become blocked, but once it happens, innocent users continued to be punished for it for the duration of the study.

4) That study also showed a disturbing increase over time in how many IP addresses CloudFlare blocked without removal. CloudFlare's approach to blocking abusive traffic is incurring a large amount of false positives in the form of impeding normal traffic, thereby damaging the experience of many innocent Tor and non-Tor Internet users, as well as impacting the revenue streams of CloudFlare's own customers by causing frustrated or blocked users to go elsewhere.

5) A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that originating from the Internet at large. (Specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).

CloudFlare disagrees with our use of the word "block" when describing its treatment of Tor traffic, but that's exactly what their system ultimately does in many cases. Users are either blocked outright with CAPTCHA server failure messages, or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs, many of which require the user to understand English in order to solve correctly. For users in developing nations who pay for Internet service by the minute, the problem is even worse as the CAPTCHAs load slowly and users may have to solve dozens each day with no guarantee of reaching a particular site. Rather than waste their limited Internet time, such users will either navigate away, or choose not to use Tor and put themselves at risk.

Also see our new fact sheet about CloudFlare and Tor:


April 05, 2016


Well yeah, making up you own ground truth makes lying with statistics even easier.

Go fuck yourselves, flare clowns. I can see right through your cloud screen.


April 05, 2016


Interesting excerpt from the clownflare blogpost (retrieved via web archive):

"With most browsers, we can use the reputation of the browser from other requests it’s made across our network to override the bad reputation of the IP address connecting to our network. For instance, if you visit a coffee shop that is only used by hackers, the IP of the coffee shop's WiFi may have a bad reputation. But, if we've seen your browser behave elsewhere on the Internet acting like a regular web surfer and not a hacker, then we can use your browser’s good reputation to override the bad reputation of the hacker coffee shop's IP."

putting aside the ontological difficulties with a dichotomy between "regular web surfers" (since when does regular / legitimate entail trackable) and "hackers" (understood to be unwanted persons), this seems to indicate that it would be sufficient to copy the headers from a "regular" one to access any cloudflared web page. since they claim that tor is not getting any special treatment (for better or worse), has anyone had more success using a non-TBB browser configuration through Tor?


April 05, 2016


It is disappointing that this blog post does not address the very real problem of abusive use of the Tor network. I work for a very large network in Europe and we see constant problems with Tor exit nodes.

Akamai shows that only 0.04% of real requests come from Tor It's is not surprising that people block Tor completely when so little traffic is real. Can you blame them?


April 05, 2016


When I read this article on Ars…

I saw this statement
"If it’s possible for government actors to use denial-of-service attacks to force Tor traffic over connections that are owned and operated by them, it could present privacy problems for anonymized sites used by whistle-blowers, political activists and dissidents, journalists, and others trying to avoid the eyes of oppressive regimes."

Actually this kind of guarding traffic routes is what Cloudflare can manage by blocking exitnodes and only allow traffic to a specific list of so called controlled exitnodes they were asked to do so.
If CMU was willing to assign for special activities against all Tor network users, why wouldn't Cloudflare? They seem to be in that position and nobody knows the real facts how they choose their list of blocking extinodes.


April 05, 2016


CloudFlare needs to fix this... fast! It's a nightmare being a Tor user.

why? you should be happy to avoid visiting such absolutelly insecure https sites linked through thief clowns servers as mitm! at least you can detect them as opposite to naive zombie users!
and you can try to report to the web site owner about the stolen private key of the site :)


April 05, 2016


I've seen some scraping/etc scripts that (sadly) abuse Tor: one of their features is detecting when a 403 (or similar) error is received and then requesting a new circuit from the Tor daemon.

This causes them to somewhat quickly cycle through IPs (they will slightly lower the request rate to make a circuit last longer) and may be why CloudFlare is seeing a high percentage of exit IPs as 'bad': swapping to a new IP is easy to do automatically.

It could be as few as 10 bad bots but they'll quickly go through huge amounts of exit IPs.


April 05, 2016


This is a non issue..
If the site owner wants, he can put all Tor IPs as a whitelist with a click, and no more CAPTCHA will appear.…-

So, the last decision is up to the sysadmin not Cloudflare itself.

The akamai powerpoint leads to similar conclusion that cloudflare one

>1:11,500 non-Tor IPs contained malicious requests
>1:380 Tor exit nodes contained malicious requests

However the clouflare post is also misleading

>The problem is generating SSL certificates to encrypt traffic to the .onion sites.

There is no need to generate SSL certificate to encrypt traffic to an .onion site

Rather ironic that a leading technical journalism site in the UK that
hosts good reporters can no longer be read by whistleblower
contributors. ( )

The original site that spawned it does carry the story based on this

Thats how it got you broader publication.

Pretty stupid that edgy content tech news sites submit themselves to
CaaS ( Censorship as a Service ). I wont EVER provide any further
material to their journalists for the simple reason that I cannot read it
without risking CloudFlare playing social engineering games with my
willingness to relax access restrictions to my active browser.

One of the most difficult web pages to reach (CF seems to be adjustable by how hard it comes down on blocking Tor users) is a very trivial IT and Computer news web site such as
What is it a hacker or spammer could do with this webpage besides leave a comment to the articles??
I have also discovered that if I try to get directly to which naturally will be blocked by CF, then the same particular article on Ghacks wont work even through Startpage proxy, hmm... Big Brother knows where I am moving on the net despite using TBB.

CloudFlare is the "bot" guardian just like the NSA is the "NatSec" guardian against terrorism. It's not about security - it's about $$$ and control.

The ironic hypocrisy of CloudFlare: in protecting it's alleged clients from malicious "bots", CloudFlare, of course, operates like a bot.

And, of course, most of CF's alleged clients, there mostly against privacy, or anonymity of location, because they need related information to support their business models.

When I reach a site with a cloudflare captcha I simply don't use the site. They obviously don't want ad revenue or my traffic.

I also have moderators delete all cloudflare captcha wall links from my forums, some of which are high traffic. Cloudflare has cost websites we've deleted links to well over $15,000 since last week by my estimates. Cloudflare hinders tor traffic, but when I delete a link it stops both tor and non-tor traffic from my sites. As far as I'm concerned, if I can't easily check a website using tor to ensure it's not spam, then it's spam and I delete the link.

Tor isn't going away. Tor traffic is only increasing.

Website owners need to take a look at their pre-captcha traffic and ask themselves if they can really afford to use Cloudflare's traffic blocking features.

So what's our workaround for "Cloudflared" sites?

You can't make this up. I've been to a web site that opened another tab to show a third-party ad. Only this ad-service ( is behind Cloudflare and instead of an ad the "One more step" Cloudflare page was displayed. Needless to say no one will ever solve these captures. Tor and Cloudflare, the new ad-blocker combo in town.

Someone wanting to have an exit relay flagged as malicious by Cloudflare need only deliberately route "malicious traffic through that exit. That flag can last an arbitrary amount of time. One tactic could be to create a chilling effect on the amount of new exit relays. Another tactic could be to use this kind of harassment against exits that an attacker does not control.

This is an attack on the entire Tor network. To me, the next step is to create exit bridges, the risk being that those exit bridge relays would be largely unable to exonerate themselves as being part of the Tor network unless we create a technical means by which they can. Unfortunately, an attacker good at discovering exit bridges would be able to get them flagged as malicious as well, but we could take steps to mitigate that, such as requiring users to have a password in order to use them. And of course, having the exit bridges only accessible by a few users could give away their identities.

The anti-privacy forces have won the hearts and minds of the people. The vast majority do not support anonymity, and that majority is still growing. Most people believe that anything a person does online should be subject to oversight.

Some background:

Google's new CAPTCHA security login raises 'legitimate privacy concerns'. (2015)…

How to block CLOUDFLARE dot CREEPO (Akamai research project?) from ever using your Mac to grab traffic and hence con subscription fees (criminal intent).…

sudo nano /etc/hosts
[return then password, scroll down to first blank line]
[type Ctrl-O, press Return, confirm save, Ctrl-X to exit]

Why does Cloudflare need to fix anything? They are using a popular browser without BIG-OS legal protection to force suckers to play captcha. Every captcha is pennies in Akamai (oops) Cloudflare pocket. Lotts of pised off people equals lots of pennies. Billions of pennies.

If I get a CloudFlare CAPTCHA then I click on 'New Tor Circuit for this Site' a couple times. If that doesn't work then I simply give up on the website and move on. I never try to solve the CAPTCHA because I have javascript and cookies disabled which makes solving CAPTCHA impossible.

CloudFlare strikes me as a "If it doesn't make dollars, then it doesn't make cents" type of publicly traded company. The only way they'll change their behavior towards Tor is if it starts impacting their bottom line profits.

CloudFlare has sufficiently degraded the TOR experience to extent that is has greatly altered the web activity of TOR users. The NSA couldn't be happier. Businesses are, unbeknownst the them, losing customers and advertising revenue as surfers subconsciously shift away from CloudFlare clients.

We decided to block cloudflare completely for any reach from our maintained network and only allow access to a very small selected number of cloudflare IP addresses. That's because we found out that a huge amount of trackers and addvertising sides are hidden behind unreadable cloudflare host names. Until today our blocking has no negative effect for our customers but keep out unwanded adds and user tracking. I'm only aware of a handful services worth access hosted by cloudflare.

CloudFlare is indeed an important problem, but not the most urgent one facing TP.

The published draft (available at and only 9 pages long) of the Burr-Feinstein "backdoor" bill would appear to outlaw PFS (perfect forward secrecy), unbackdoored TLS, GPG, and other essential components of Tor and Debian.

This is a very real and immediate existential threat to the continued existence of Tor.

Does TP have any comment on the Burr-Feinstein draft?

The issue here is that Cloudflare CAN control access to a large part of the Web, not that they WANT to do so. Cloudflare can deny (and modify unencrypted) traffic passing through their servers to either Tor or non-Tor users, secretly or openly. We shouldn't have trust them, we shouldn't be asking them to be nice. Website owners are ultimately responsible for this. Centralization is not good.

The solve for this is simple, contact all the web sites using cloudflare and tell them to ask cloudunfair to provide for them all the data on hits they have turned away from your fabulous web side you spent months building so you can go over the data as a HUMAN and see if those BLOCKED were really bad. Also have a unblock feature so you can quickly unblock IPs that maybe your own scripts have figured out are OK and send a browser retry or something.

Point is, give the customer the means to see that you are blocking traffic and let them decide if it's garbage or not! Also tell those webmasters at those sites that you could not get to see his site and that you don't even know what is on his site.

I bet most people would turn cloudflare off if they actually knew how many hits they are not getting.

Most host providers already supply ddos protection.

The CAPTCHA is done via GOOGLE, which means if google has flagged your IP for some reason it all fails, the least they could do is do their own CAPTCHA so the stupid system doesn't think you tried when you COULD NOT.

Cloudflare clients have made their websites unreachable if JavaScript is blocked or only run from trusted sites the captcha never displays

In this talk at the 31c3 Chaos Commication Congress in Berlin, 2015, Nick Sullivan from Cludflare promises to end blocking Tor within one year (end of 2016):…

Watch our from seconds




When I saw this, I already knews that it was a lie...

I wouldn't mind these captchas so much were they not from Google.

I prefer to access Google-controlled domains as infrequently as possible. After all, Google is some of the most surveillance-happy companies out there. I do realize it's difficult for them to track people on TOR (unless they sign into Google), but I still prefer to block Google out of my life, if only because it make me feel better to not contribute any traffic to Google.

But, I can't avoid Google because of these stupid Google captchas. If I don't do the captcha, I am locked out of whatever cloudflare-based website I'm trying to use. :(

iblocklist provides a blocklist for Cloudflare servers. My social network (which is Tor friendly) now uses this list to block all incoming traffic with a Cloudflare IP or referrer, while notifying that Cloudflare users have been blocked because Cloudflare harasses Tor users. If Cloudflare users want to access it, the HAVE to use TOR.

Ironic isnt it?

Out of curiosity I just clicked on the 'Internet Defense League' logo on the bottom of the Tor Project homepage -> One more step...

Is this a joke?
And it gets even better.
Not only is the hp of the so called 'Internet Defense League' which includes Tor Project and the EFF and that is claiming to fight for freedom of the internet behind cloudflare and thereby unreachable for tor users, if you look at 'Who's behind it?' at the bottom you'll find:
...'and a growing group of volunteers, including Cloudflare.'

I don't want to live on this planet anymore...

Had a hearty laugh, thanks

Cloudflare is indeed a Silicon Valley security protocol company; while maybe protecting some, instead are running protected scam-sites. In otherwords, are pretending not to be the host of some websites, when in actuality are the real host.

i would use tor a lot more if they fixed this, i get pissed off and stop using it :/

Not only do we want to have our own autonomous open/free/anonymous network we want to have full access to "their" network. Autonomy and dependency on capitalist and state structures are not on the same route. It may be possible that the time has come to choose and create our other internet, but this requires funding for servers and a "medium". We still own shortwave but at astonishingly slow speeds. Soon even wikipedia and wikileaks may become unreachable from the onion network or any anonymous user. .

A one click button to get a new tor circuit could at least mitigate the Cloudflare annoyance. Then I might be willing to try 10 new circuits before giving up instead of 2 or 3.

Google can fingerprint a tor user by how they fill in the captcha. The speed, accuracy, navigation patterns, clicking direction, and general habits while completing the sometimes lengthy puzzles can id you.


So I decided to test out CloudFlare on a disposable subdomain.
I set the firewall setting to "Essentially off" which is the least restrictive setting, pulled up Tor, and tried to connect.
Guess what? CAPTCHA!
That's right, even "Essentially off" challenges Tor. Tor has to be specifically whitelisted in the Access Rules section.

OK now that kind of pisses me off. They know that people will not specifically whitelist it. People will think it's especially dangerous and has its own section "for a reason", and if they have no reason to whitelist it, they won't.

the akamai powerpoint leads to similar conclusion that cloudflare one

1:11,500 non-Tor IPs contained malicious requests

1:380 Tor exit nodes contained malicious requests

However the clouflare post is also misleading

The problem is generating SSL certificates to encrypt traffic to the .onion sites.

There is no need to generate SSL certificate to encrypt traffic to an .onion site

The solution I see is a successful campaign like Let’sEncrypt which would be something like "Make your website an ONION". Making an ONION URL is easy, and that gets rid of CloudFlare, according to what is said in this discussion.

>The real trouble with CloudFlare and friends is of course that they are Man-in-the-Middle-as-a-service. That people find such an invasion on the integrity of the Internet acceptable is beyond my comprehension.

Couldn’t agree more.
And the Captcha sells us to Google. Very nice.

OT but even the tor bug tracker itself requires tor users to solve a captcha before allowing the user to register

If cloudflair is indeed training their AI with our futile attempts to solve unsolvable captcha's etc., intending to monetize our frustration, maybe we should poison their well by, instead of just going away when presented with a captcha etc., taking the time to click on random images a few times.

I don't know...

Did you ever try to utilize laws like the "Gesetz gegen Wettbewerbsbeschränkungen (GWB)
§ 19 Verbotenes Verhalten von marktbeherrschenden Unternehmen"?

Have you considered that fact that several site authors are threated on a daily basis with DDOS? Not every individual blogger has a multiple private datacenters and the technical expertise to block DDOS attacks. CloudFlare is the easiest way to block such attacks. If the Tor Project is willing to release their own DDOS Protection Scheme that blocks 500+GBPS DDOS Attacks on a server with a 100MBPS Port then I'm all for it. I seriously doubt though that this is possible. Due to the fact I am forced to use a reverse-proxy provider in my case CloudFlare to protect myself.

seriously ... on CloudFlare is offensive. Really

Cloudflare asegura algo que es **falso** y el motivo para hacerlo no es otro que ampliar su negocio.

Como consumidor rechazo entrar en sitios que bloqueen Tor o que usen Cloudflare.

"The design of the Tor browser intentionally makes building a reputation for an individual browser very difficult. And that's a good thing. The promise of Tor is anonymity. Tracking a browser's behavior across requests would sacrifice that anonymity.

****** So, while we could probably do things using super cookies or other techniques to try to get around Tor's anonymity protections,****** we think that would be creepy and choose not to because we believe that anonymity online is important."~Matt Prince, Cloudflare Blog.

He is saying they could break TOR with super cookies.



If true, obviously state actors are already there.

It appears that Cloudflare recaptcha greatly simplifies traffic analysis and identifying the real browser IP.

The traffic pattern timing of human clicking on the recaptcha puzzle - multiple clicks at specific points in time - can be easily observed between browser and the first node, and compared with the timing observed by Cloudflare for particular session. The match links the real IP with the exit node session. The user-side signatures can be made more unique by pacing the delivery of the additional images. Jitter introduced by onion routing cannot mask this.

Assume that recaptcha makes your IP known.