Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Traffic (softpedia.com)
An anonymous reader writes: Tensions are rising between Tor Project administrators and CloudFlare, a CDN and DDoS mitigation service that's apparently making the life of Tor users a living hell. Tor administrators are saying that CloudFlare is making Tor users enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies. Additionally, a study by some UK and US researchers found that there are 1.3 million websites blocking access to Tor users, 3.67% being Alexa Top 1000 sites.
Re: (Score:2)
Yep I noticed that as well. I thought it just had to do with so many bots or spam scripts utilizing Tor.
Re: (Score:3)
Yeah - the exit nodes that the person is using are likely also being used for DDoS or some other attack.
Re: (Score:3, Interesting)
It's not just TOR but also anyone using a VPN.
Sometimes I have to verify 3 times in succession just to visit a single website only to find that there was not much on that site.
More and more sites are using Cloudflare and it's really annoying me and if they are tracking as well then bang goes your anonymity, so you're going to have to randomise agent strings with gibberish to try and fool the software from tracking
Re: (Score:2)
Haven't you read the fucking manual on how to manipulate corporations by denying them business?
OK, there is also the possibility that they'll say, "fuck that idiot, we're going to continue using $COMPANY_OR_SERVICE$," and wave
Re: (Score:2)
I don't even use Tor and cloudflare pesters me about once a week to prove I'm human.
Re:Yeah I've noticed that... (Score:5, Interesting)
And even if it doesn't, it manages to break the 'web in all sorts of interesting ways. Javascript really shouldn't be a basic requirement just to load a page, for one.
Aside: Math fail? 0.0367 * 1.3*10^6 = 47710, those don't all fit in the alexa top 1000, or it secretly isn't a top 1000.
Re:Yeah I've noticed that... (Score:5, Funny)
.. What 0.7 of a web site?
Yahoo. That's what.
Re: (Score:2)
They probably just missed a digit. Same thing happened to Solon when he related the story of Atlantis from the Egyptian priests to Plato; for thousands of years nobody could find the buried palace at Thera because of it, too. They were looking for a whole continent, instead of an island, because the dot in the center of a circle was misplaced. I blame the Egyptians, but it might have even been Solon's mistaken translation.
Yahoo! is real, it is out there somewhere, buried under the rubble of category-based b
Re: (Score:2)
It isn't, and you already have the page if you realized that the javascript app doesn't work for you.
It is entirely up to the individual if they want to consume data from javascript apps, or only from "web pages." But if you're using a web browser, you can't generally even get the app until you have the page. If the page doesn't have content, that is easy to solve by closing it and surfing the next wave, or by finding better information sources.
Take responsibility for the pixels you consume; there are way t
Well (Score:5, Interesting)
Although I am for an anonymous internet, all serious attempts to enter our systems have come from Russian, Chinese, Korean and Tor ips. And an ignorable part of traffic from those IPs is legitimate.
How do you stop Tor from being abusive?
Re: (Score:3)
How do you stop the Internet from being abusive?
Re: Well (Score:1)
Block it.
Re: (Score:2)
I also have to block about 10% of Brazil that is still on shared IPs. Sad but true. It used to be like 25%, but as their ISPs upgrade to modern systems and give out IPs to individual users it is improving. IPv6 will mostly solve that.
Re: (Score:1)
> IPv6 will mostly solve that.
So, by about 2060 all will be good.
Re: (Score:3)
IP blocklists. That's kind of the point. I flat out block large portions of the addressable space from my web server as 99.999% of those requests appear malicious. A few users get dragged into the net, but the internet hitting my site is as the discussion has defined it, "less abusive"
Re: (Score:3, Insightful)
Yeah, this seems to be a result of one of these factors:
a) Tor lets good people do good things anonymously so as to avoid persecution
b) Tor lets bad people do bad things anonymously so as to avoid persecution
In this case, a lot of sites would either legitimately block Tor or add extra hoops to stop (b). The same thing that lets some dude avoid censorship in his country also lets another dude attack somebody's site while obscuring his origin.
Re: (Score:1)
> a) Tor lets good people do good things anonymously so as to avoid persecution
> b) Tor lets bad people do bad things anonymously so as to avoid persecution
but also...
c) Tor lets everyone search out their curiosities online without having that curiosity permanently attached to their profile.
I think far too many people quote extreme examples of who might want to use tor. When in reality, the anonymous features of tor are useful for the average citizen living in a "free" country. We all know that everything is being collected en masse and often sold to 3rd parties or used by authorities to profile and monitor their citizens. Tor is for the masses. It is unreason
Re:Well (Score:5, Interesting)
What I would do is to increase the presence of US law enforcement on Tor.
Tor was created by the US government, not for privacy but for freedom of political and cultural speech under oppressive regimes. The whole premise of Tor was that a citizen of a repressive regime would be able to access the internet as if they were in a free nation; they would appear on the internet as being from there, and the only people who would have enough network access to identify them would be the people on the western side.
Those people are the "legitimate" traffic. The reason why libraries sign up as Tor nodes is to grant people under repressive regimes to view the world as it is viewed from a western library.
It is hilarious the people who think Tor would be some sort of "privacy" service that would shield their browsing from the US Government. The whole premise was to create a safe space for communication that was locally banned, but legal in the US and like-minded States. In my opinion, if people want to prevent Tor from being banned as a source of abuse, all they have to do is limit its use to the intended use. If they want it to be broadly used for other things, eventually it will be blocked from accessing almost anything, because DoS attacks are a thing.
Re:Well (Score:4, Insightful)
And the Internet (ARPANET) was created because... who gives a shit, really? You talk like TOR is some kind of service like Facebook, shut it down and it's down. It's not, it's a piece of software. You can run TOR even if you ban all US nodes from touching your circuit, as long as there's someone out there willing to be your relay. That's kinda the whole point, to distribute the traffic through multiple nodes that aren't likely to collude to decrypt your traffic. So I can talk to TOR entry guard at a university in Germany that talks to a relay node in China that talks to an exit node in the US. Each link in the chain protects me against some abuse, including US abuse. Don't think the world will forget the NSA's transgressions any time soon. Make a US panopticon if you want, but nobody will trust it.
Re: (Score:2)
Stop spreading FUD.
Re:Well (Score:4, Insightful)
You do not. You secure your systems. Do not forget that this is only the attempts you know about, i.e. amateur-level. If they represent a threat, then you are screwed anyways.
Cloudflare is annoying (Score:5, Interesting)
Re: (Score:2, Interesting)
The javascript requirement is because that's how they de-anonymize you behind TOR. (One of several ways actually, but a key one). They're depending on people dumb enough to run arbitrary scripts from tracking agencies while somehow fooling themselves into believing they are still anonymous.
Exit Nodes (Score:3, Insightful)
I have my doubts that Cloudflare is doing this purposefully but what might be occurring is nefarious things occur on TOR and so a bad actor who happens to have their session exiting the same exit node as benign Tor users is setting off Cloudflare's security algorithms for all sessions exiting that node.
Re: (Score:3)
That's what I thought when I experienced this, but they do request A LOT of Captchas...like every few pages. I'm more willing to bet it's intentional.
Re: (Score:2)
I've been stuck in infinite CAPTCHAs when using Tor ... is pretty effing annoying.
Re: (Score:2)
You say you doubt they do it purposely, but then you go on to describe doing it purposely, for reasons.
Yes, they likely do have reasons. It is a valuable insight that many are missing.
It's easy to see why (Score:2, Insightful)
With Tor, I can specifically set which country I want my exit node to be from, and I have a large selection. If I want, I can select a single exit node and stick with it until the IP is blocked.
This is useful for scanning, brute forcing, exploitation, ex-filtrating data, or just trolling online. Anything nefarious that I don't want linked back to me easily. Malware using Tor for C&C traffic doesn't help the situation.
Bad actors give Tor a bad rap, even if it does a ton of good for countries with repressive
Re: (Score:2, Interesting)
One thing I've considered is maybe there should be an exit node that only accepts connections from countries that have repressive regimes, and few or no remotely-purchasable VPS hosting services. Or at least no VPS services with English or Russian sales pages. ;)
Then you might have a safe exit node without all the American trolls and Russian criminals.
Pre-emptive strike: No, I did not overlook that various technical changes would be required, I simply didn't go into it.
A living hell (Score:5, Insightful)
>> making the life of Tor users a living hell: enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies
Are you sure they're not just anonymous SlashDot users?
In any case, you have an odd definition of a "living hell" even from a first-world perspective.
Re: (Score:1)
> In any case, you have an odd definition of a "living hell" even from a first-world perspective.
Right, a true first-world living hell also involves Starbucks using real cream instead of non-fat vanilla flavored soy-milk.
Re: (Score:2)
Because no baby animal ever died to replace a dairy with a chemical factory!
Oh, wait...
Re: (Score:2)
Actually it sounds a lot like classical descriptions of hell and divine punishment. In this case it reminds me of Sisyphus, forced to enter a captcha over and over without end.
Re: (Score:2)
Yeah, what an idiot that Sisyphus was, he should have just closed the window and ignored the stone! They were sure simple-minded in the past.
Re: (Score:2, Funny)
> In any case, you have an odd definition of a "living hell" even from a first-world perspective.
Stop oppressing me by tracking me when I'm pretending I'm anonymous! lololol
Once upon a time, Tor was a shining beacon of light that caused me to think fond thoughts of oppressed Persians being able to access their own cultural history via the West. These days, they have phone apps for that in their own language, and Tor is just a joke that never stops giving.
3.67% of 1000? (Score:1)
3.67% of 1000 is 36.7 websites. I question whoever came up with those stats.
Re: (Score:2)
But that's not what the summary says! It says 3.67% of the 1.3 million are Alexa Top 1000 sites, so 47,710 of those 1000 sites are blocking Tor users. Hmm. Not much better.
Re: (Score:2)
That's not what the article says. Oh, wait, it is. The summary ripped that numerically impossible line verbatim from the article, and no one noticed.
Re: (Score:3)
"...a lone Anonymous Coward will find the courage to correct them! A hero will rise, and an Editor will fall. Things are about to get trollish on Slashdot, this year [and every year]. And this time, it's serious business!"
Re: (Score:3)
You mistakenly believe that they are targeting Tor directly, rather than indirectly. They don't download a list of these IPs, they have the list based on what IPs are being used in attacks. An unpublished exit node would have just as many attacks appearing to originate from it as a published exit node, and would make the blacklist in the exact same amount of time.
These are lists created by software, not lists input by humans. That is silly, there are actually lots of IPs that need blocking. Lots and lots. A
This is a technical malfunction, not surveillance. (Score:2)
CloudFlare is not targeting Tor users. They aren't doing anything not considered best practices in general and practised all over the net. Showing a CAPTCHA to a Tor user is used in many places, including Google and Yahoo, who employ this method without irking people. The issue is that the technology CloudFlare is using to accomplish this is malfunctioning, and not that they are targeting Tor users.
So far, the Tor project hasn't accused them of surveillance publicly. That would be overkill. Adding a cookie
Re: (Score:2)
Not any more than any ad and analytics shit is mass surveillance ... you know, tracking people on a large scale.
You're right, it likely has nothing specific to do with Tor, but let's not pretend the assholes who are tracking everybody on the internet aren't essentially doing mass surveillance.
Re: (Score:2)
> Not any more than any ad and analytics shit is mass surveillance ... you know, tracking people on a large scale.
> You're right, it likely has nothing specific to do with Tor, but let's not pretend the assholes who are tracking everybody on the internet aren't essentially doing mass surveillance.
It's worth remembering that these "assholes" are not going around hacking websites and forcing their tags onto them, website owners are adding third party tracking websites and ad networks to their site to cover the cost of running a website. Instead of bitching about ad networks, just stop using ad supported sites.
Running a website costs money, like everything else in this world.
Re: (Score:2)
So what if CloudFlare is carrying out surveillance, isn't Tor supposed to be immune to that? No one granted Tor users the unmitigated right to browse the internet and be treated the same as everyone else, especially if they can be picked out from the crowd...
Re: (Score:2)
Is it still a "malfunction" if some percent of Tor users are in fact treating the hosts they connect to with mal-intent? And what if frequent captchas are believed to reduce specific forms of malicious behavior?
It may simply be a feature that is unpopular with some small subset of users.
This is Tor's fault (Score:2)
It has to be able to blend in better, or it's not doing its job.
Perens.com and is on Cloudflare (Score:5, Insightful)
I've been using Cloudflare for a few years, and they've helped me handle traffic and abuse from my one-server site and have never been a problem or expensive. Nor have they been malicious. I also have some Open Source projects like FreeDV.org going through Cloudflare.
One of the things they do is protect me from web attacks. It's an unfortunate fact that Tor really is used for web attacks.
Obviously, if there is a problem with their captcha, they need to fix it. I think it's perfectly fair for someone who is approaching the site through a known attack vector to have to pass a captcha once.
Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions, so that you can have logins and dispense privileges where appropriate. One would expect that Tor users understand how to deal with cookies, and with less civil attempts to nail down their identity.
Re: (Score:1, Interesting)
> Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions [...]
This is simply not true.
Re: (Score:1)
Oh, sorry, answered my own question. carry on, then.
Re: (Score:1)
So, within the confines of basic security and usability practices, care to explain this again?
Re: (Score:2)
HTTP protocol: the Hypertext Transfer Protocol protocol. Text is transmitted in a hyper, super active state that is stateful and aware of itself. Sessions are irrelevant.
Right?
Re: (Score:2)
Put that copy of A Fire on the Deep down, before there's no hope for you.
Re: (Score:1)
Giving up the freedom of other people appears to be the convenient option.
Re: (Score:2)
No, not particularly. I had never heard of a Tor interaction until today, one reason is that I don't use Tor.
If you want to talk about Freedom, let's allow users to choose not to use HTTPS instead of forcing it upon them as most sites do today. Even the browsers are starting to do it, Chrome won't run getUserMedia() over HTTP any longer. I know when I need to hide my web transactions, and resent being forced to do it the rest of the t
Re: (Score:2)
> Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions, so that you can have logins and dispense privileges where appropriate.
If you hand out session IDs prior to authentication, you're vulnerable to session fixation [owasp.org]. So giving session cookies to all visitors is not required for the purpose of supporting logins, since you're going to have to give them a new session ID after logging in.
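The point made in the comment above (issue a new session ID at login), shown as an added example that is not part of the original thread. It is a minimal in-memory session store in Python; `SessionStore`, `login_keep_id`, `login_rotate_id` and `fixation_scenario` are hypothetical names, and the user "alice" is constructed sample data.

```python
import secrets


class SessionStore:
    """Server-side session table: session id -> session data (illustrative)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Anonymous, pre-authentication session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None

    def login_keep_id(self, sid, user):
        """Fixation-prone: the pre-login id becomes the authenticated id."""
        if sid not in self._sessions:
            sid = self.create()
        self._sessions[sid]["user"] = user
        return sid

    def login_rotate_id(self, sid, user):
        """Hardened: invalidate the pre-login id and issue a fresh one.

        Pre-login data (a cart, a language choice) is carried over, but the
        old identifier stops resolving to any session at all.
        """
        old = self._sessions.pop(sid, None) or {}
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**old, "user": user}
        return new_sid


def fixation_scenario(login):
    """Log a user in on a session id that was issued before authentication.

    Returns (user bound to the pre-login id afterwards,
             user bound to the id returned by login,
             whether the id changed at login).
    """
    store = SessionStore()
    pre_login_sid = store.create()   # id that may be known outside the browser
    post_login_sid = login(store, pre_login_sid, "alice")
    return (
        store.user_for(pre_login_sid),
        store.user_for(post_login_sid),
        post_login_sid != pre_login_sid,
    )


if __name__ == "__main__":
    print("keep id:  ", fixation_scenario(SessionStore.login_keep_id))
    print("rotate id:", fixation_scenario(SessionStore.login_rotate_id))
```

With rotation, a site can still set a cookie for anonymous visitors; what matters is that the pre-login value never becomes the authenticated one.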
Re: (Score:2)
There are session-oriented features that don't depend on logging in, too. I'm going to hope the developers of at least two wikis and Wordpress got it right, and that Debian is keeping an eye on them for me :-)
Re: (Score:2)
How do you know about anyone's character? By watching their actions. I'm really sensitive about companies, because there are a lot of self-serving ones out there who don't deserve my business.
Now, if Cloudflare doesn't fix the problem or people show me that they've been giving data on democracy and freedom advocates to totalitarian governments, then I'll re-evaluate and move my business elsewhere. But if they are collecting data on Tor users who attack their own customer's sites, and handing
Re: (Score:2)
Actually, you're not being told to prove you're a human just to read a web site. You're being told that because you approach the site through what is, unfortunately, a known attack vector. Yes, Tor was created with the best intentions, to protect people who are victims of repressive governments, but its users don't always have those intentions. Some are just plain malicious.
I am also having a little trouble understanding why anyone needs to approach Perens.com, FreeDV.org, and other quite mundane sites usin
Can confirm. (Score:2)
They also do this to VPN services.
Re: (Score:3)
Yep. I use a VPN on one system and I am getting inundated with the CloudFlare CAPTCHAs, and they don't work right. It keeps coming up over and over.
Probably because many attacks come from TOR (Score:3)
There are many script-kiddies who launch attacks using the TOR network so it isn't very surprising.
I rented a small server hosted by OVH that I used as a web proxy to make up for the poor peering of my ISP. I noticed the same thing: captcha, etc. That's because cheap servers like mine are popular for attackers and many are infected by botnets.
They're in a no-win position. (Score:3)
Sites that accept Tor connections find themselves subjected to many problems. Just one of them is being unable to identify the source of a connection to keep one person from setting up large numbers of accounts. This is happening on Voat, with a few certain users signing up hundreds of times then spamming the place -- while the rest of us are limited to one account per IP address. Got two people at your house who want accounts? Too fucking bad. Yet it does absolutely nothing to stop the Tor and proxy users. There is a very vocal contingent (I can't say how numerous they are) that insists that without the anonymity of Tor and proxies, they won't visit at all. These are not problem users, either, they're well-behaved. They might be spewing vile shit in /v/niggers or /v/FatPeopleHate, but they're not abusing the service and crossposting where nobody wants to see them. On the other hand, you have people like me, who want the crapfloods stopped. If it takes banning Tor and proxies, I'm afraid I have to say I'm for it -- though if it can be accomplished by less severe methods, that would be better. So far, management has taken the other side (doing nothing as best I can tell), so I've largely moved on. Rule #0 of any service should be "no unenforceable rules". If they can't or won't enforce the "one account per person" rule on Amalek and the Men's Rights Activists, then they shouldn't enforce them on anyone.
4chan, vile as it was, did not allow posting from proxies the last I checked (which would be over a year ago, now) because of the inability to stop the crapfloods. 8chan makes Tor users solve CAPTCHAs every three to five posts instead of once a day. There may actually be a good balance between preserving functionality for good Tor users while preventing abuse by the bad ones, but if a site as dedicated to free speech as Voat can't find it, then sites that aren't so gung ho about free speech are just going to say "screw it, block them". Can they really be blamed?
Re: (Score:2)
You know, the 8chan software has been really fucky since the whole Infinity Next debacle. I can't say what's normal. A couple days ago, the CAPTCHAs stopped showing up. We still had to do them, but there was no graphic displayed. The workaround came from /pol/, the first time I've ever found that bunch of Stormfront asswipes useful -- View Source, highlight the link to the image that wasn't showing up, and pull it up in another tab or window.
So I don't know if the .onion is just not high on Hotwheels' prior
Not just TOR users. (Score:2)
I whitelist cookies and javascript as needed (my whitelist is very very short really).
And I just now was asked to "Please complete the security check to access alpha.wallhaven.cc" when trying to go to http://alpha.wallhaven.cc/wall... [wallhaven.cc].
Fuck em. You don't want me to look at your site. Then I simply don't. I don't give a shit.
A fucking "security check" to look at some desktop wallpapers??!!?? For crying out loud!!
The Open Internet is indeed getting smaller and smaller by the day.
Same happens with Propel Accelerator (Score:1)
I'm stuck using Propel (a relic of dial-up) on my internet connection and I regularly get intercepted by Cloudflare, shopping cart subsystems, and other third-party apps thinking I'm trying to do something nefarious.
Heaven help you if you're browsing in a non-linear fashion (control-click) with multiple tabs set to load in the background while you're browsing.
I usually just give up and look somewhere else.