Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Cloud Censorship Communications Encryption Networking The Internet

Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Traffic (softpedia.com) 116

An anonymous reader writes: Tensions are rising between Tor Project administrators and CloudFlare, a CDN and DDoS mitigation service that's apparently making the life of Tor users a living hell. Tor administrators are saying that CloudFlare is making Tor users enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies. Additionally, a study by some UK and US researchers found that are 1.3 million websites blocking access to Tor users, 3.67% being Alexa Top 1000 sites.
This discussion has been archived. No new comments can be posted.

Tor Project Accuses CloudFlare of Mass Surveillance, Sabotaging Traffic

Comments Filter:
  • Well (Score:5, Interesting)

    by Anonymous Coward on Friday February 26, 2016 @01:29PM (#51592785)

    Although I am for an anonymous internet, all serious attempts to enter our systems have come from Russian, Chinese, Korean and Tor ips. And an ignorable part of traffic from those IPs is legitimate.

    How do you stop Tor from being abusive?

    • by mspohr ( 589790 )

      How do you stop the Internet from being abusive?

      • by Anonymous Coward

        Block it.

      • IP blocklists. Thats kind of the point. I flat out block large portions of the addressable space from my web server as 99.999% of those requests appear malicious. A few users get dragged into the net, but the internet hitting my site is as the discussion has defined it, "less abusive"

    • Re: (Score:3, Insightful)

      by phorm ( 591458 )

      Yeah, this seems to be a result of one of these factors:
      a) Tor lets good people do good things anonymously so as to avoid persecution
      b) Tor lets bad people do bad things anonymously so as to avoid persecution

      In this case, a lot of site would either legitimately block Tor or add extra hoops to stop (b). The same thing that lets some dude avoid censorship in his country also lets another dude attack somebody's site while obscuring his origin.

      • a) Tor lets good people do good things anonymously so as to avoid persecution

        b) Tor lets bad people do bad things anonymously so as to avoid persecution

        but also...

        c) Tor lets everyone search out their curiosities online without having that curiosity permanently attached to their profile.

        I think far too many people quote extreme examples of who might want to use tor. When in reality, the anonymous features of tor is useful for the average citizen living in a "free" country. We all know that everything is being collected on mass and often sold to 3rd parties or used by authorities to profile and monitor their citizens. Tor is for the masses. It is unreason

    • Re:Well (Score:5, Interesting)

      by Aighearach ( 97333 ) on Friday February 26, 2016 @03:42PM (#51593963)

      What I would do is to increase the presence of US law enforcement on Tor.

      Tor was created by the US government, not for privacy but for freedom of political and cultural speech under oppressive regimes. The whole premise of Tor was that a citizen of a repressive regime would be able to access the internet as if they were in a free nation; they would appear on the internet as being from there, and the only people who would have enough network access to identify them would be the people on the western side.

      Those people are the "legitimate" traffic. The reason why libraries sign up as Tor nodes is to grant people under repressive regimes to view the world as it is viewed from a western library.

      It is hilarious the people who think Tor would be some sort of "privacy" service that would shield their browsing from the US Government. The whole premise was to create a safe space for communication that was locally banned, but legal in the US and like-minded States. In my opinion, if people want to prevent Tor from being banned as a source of abuse, all they have to do is limit its use to the intended use. If they want it to be broadly used for other things, eventually it will be blocked from accessing almost anything, because DoS attacks are a thing.

      • Re:Well (Score:4, Insightful)

        by Kjella ( 173770 ) on Friday February 26, 2016 @07:23PM (#51595795) Homepage

        And the Internet (ARPANET) was created because... who gives a shit, really? You talk like TOR is some kind of service like Facebook, shut it down and it's down. It's not, it's a piece of software. You can run TOR even if you ban all US nodes from touching your circuit, as long as there's someone out there willing to be your relay. That's kinda the whole point, to distribute the traffic through multiple nodes that aren't likely to collude to decrypt your traffic. So I can talk to TOR entry guard at a university in Germany that talks to a relay node in China that talks to an exit node in the US. Each link in the chain protects me against some abuse, including US abuse. Don't think the world will forgot the NSA's transgressions any time soon. Make a US panopticon if you want, but nobody will trust it.

      • by gweihir ( 88907 )

        Stop spreading FUD.

    • Re:Well (Score:4, Insightful)

      by gweihir ( 88907 ) on Friday February 26, 2016 @09:30PM (#51596347)

      You do not. You secure your systems. Do not forget that this is only the attempts you know about, i.e. amateur-level. If they represent a threat, then you are screwed anyways.

  • by Aaden42 ( 198257 ) on Friday February 26, 2016 @01:31PM (#51592795) Homepage
    The Cloudflare DDoS stuff is really annoying. You have to enable JavaScript (and it takes a few seconds) to load pages that would otherwise display fine w/ NoScript blocking just about everything. I'm at the point where I just close most pages that use it and treat them like clickbait crap on Facebook. Yeah, that headline sounds interesting but not worth the frustration and security risk.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      The javascript requirement is because that's how they de-anonymize you behind TOR. (One of several ways actually, but a key one). They're depending on people dumb enough to run arbitrary scripts from tracking agencies while somehow fooling themselves into believing they are still anonymous.

  • Exit Nodes (Score:3, Insightful)

    by Anonymous Coward on Friday February 26, 2016 @01:33PM (#51592823)

    I have my doubts that Cloudflare is doing this purposefully but what might be occurring is nefarious things occur on TOR and so a bad actor who happens to have their session exiting the same exit node as benign Tor users are setting off Cloudflare's security algorithms for all session exiting that node.

    • by SumDog ( 466607 )

      That's what I thought when I experienced this, but they do request A LOT of Captchas...like every few pages. I'm more willing to bet it's intentional.

    • You say you doubt they do it purposely, but then you go on to describe doing it purposely, for reasons.

      Yes, they likely do have reasons. It is a valuable insight that many are missing.

  • by Anonymous Coward

    With Tor, I can specifically set which country I want my exit node to be from, and I have a large selection. If I want, I can select a single exit node and stick with it until the IP is blocked.

    This is useful for scanning, brute forcing, exploitation, ex-filtrating data, or just trolling online. Anything nefarious that I don't want linked back to me easily. Malware using Tor for C&C traffic doesn't help the situation.

    Bad actors give Tor a bad rap, even if does a ton of good for countries with repressive

    • Re: (Score:2, Interesting)

      by Aighearach ( 97333 )

      One thing I've considered is maybe there should be an exit node that only accepts connections from countries that have repressive regimes, and few or no remotely-purchasable VPS hosting services. Or at least no VPS services with English or Russian sales pages. ;)

      Then you might have a safe exit node without all the American trolls and Russian criminals.

      Pre-emptive strike: No, I did not overlook that various technical changes would be required, I simply didn't go into it.

  • A living hell (Score:5, Insightful)

    by xxxJonBoyxxx ( 565205 ) on Friday February 26, 2016 @01:38PM (#51592861)

    >> making the life of Tor users a living hell: enter CAPTCHAs multiple times, tracking their Web sessions, and sharing data with other companies

    Are you sure they're not just anonymous SlashDot users?

    In any case, you have an odd definition of a "living hell" even from a first-world perspective.

    • by Anonymous Coward

      In any case, you have an odd definition of a "living hell" even from a first-world perspective.

      Right, a true first-world living hell also involves Starbucks using real cream instead of non-fat vanilla flavored soy-milk.

    • by AmiMoJo ( 196126 )

      Actually it sounds a lot like classical descriptions of hell and divine punishment. In this case it reminds me of Sisyphus, forced to enter a captcha over and over without end.

      • Yeah, what an idiot that Sisyphus was, he should have just closed the window and ignored the stone! They were sure simple-minded in the past.

    • Re: (Score:2, Funny)

      by Aighearach ( 97333 )

      In any case, you have an odd definition of a "living hell" even from a first-world perspective.

      Stop oppressing me by tracking me when I'm pretending I'm anonymous! lololol

      Once upon a time, Tor was a shining beacon of light that caused me to think fond thoughts of oppressed Persians being able to access their own cultural history via the West. These days, they have phone apps for that in their own language, and Tor is just a joke that never stops giving.

  • by Anonymous Coward

    3.67% of 1000 is 36.7 websites. I question whoever came up with those stats.

    • But that's not what the summary says! It says 3.67% of the 1.3 million are Alexa Top 1000 sites, so 47,710 of those 1000 sites are blocking Tor users. Hmm. Not much better.

      • That's not what the article says. Oh, wait, it is. The summary ripped that numerically impossible line verbatim from the article, and no one noticed.

  • CloudFlare is not targeting Tor users. They aren't doing anything not considered best practices in general and practised all over the net. Showing a CAPTCHA to a Tor user is used in many places, including Google and Yahoo, who employ this method without irking people. The issue is that the technology CloudFlare is using to accomplish this is malfunctioning, and not that they are targeting Tor users.

    So far, the Tor project hasn't accused them of surveillance publicly. That would be overkill. Adding a cookie

    • Adding a cookie to a web browsing session (which I presume is so that session is not subjected to such measures in the future) is hardly mass surveillance.

      Not any more than any ad and analytics shit is mass surveillance ... you know, tracking people on a large scale.

      You're right, it likely has nothing specific to do with Tor, but let's not pretend the assholes who are tacking everybody on the internet aren't essentially doing mass surveillance.

      • Adding a cookie to a web browsing session (which I presume is so that session is not subjected to such measures in the future) is hardly mass surveillance.

        Not any more than any ad and analytics shit is mass surveillance ... you know, tracking people on a large scale.

        You're right, it likely has nothing specific to do with Tor, but let's not pretend the assholes who are tacking everybody on the internet aren't essentially doing mass surveillance.

        It worth remembering that these "assholes" are not going around hacking websites and forcing their tags onto them, website owners are adding third party tracking websites and ad networks to their site to cover the cost of running a website. Instead of bitching about ad networks, just stop using ad supported sites.

        Running a website costs money, like everything else in this world.

    • So what if CloudFlare is carrying out surveillance, isnt Tor supposed to be immune to that? No one granted Tor users the unmitigated right to browse the internet and be treated the same as everyone else, especially if they can be picked out from the crowd...

    • Is it still a "malfunction" if some percent of Tor users are in fact treating the hosts they connect to with mal-intent? And what if frequent captchas are believed to reduce specific forms of malicious behavior?

      It may simply be a feature that is unpopular with some small subset of users.

  • It has to be able to blend in better, or it's not doing its job.

  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Friday February 26, 2016 @02:10PM (#51593093) Homepage Journal

    I've been using Cloudflare for a few years, and they've helped me handle traffic and abuse from my one-server site and have never been a problem or expensive. Nor have they been malicious. I also have some Open Source projects like FreeDV.org going through Cloudflare.

    One of the things they do is protect me from web attacks. It's an unfortunate fact that Tor really is used for web attacks.

    Obviously, if there is a problem with their capcha, they need to fix it. I think it's perfectly fair for someone who is approaching the site through a known attack vector to have to pass a capcha once.

    Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions, so that you can have logins and dispense privileges where appropriate. One would expect that Tor users understand how to deal with cookies, and with less civil attempts to nail down their identity.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      > Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions [...]

      This is simply not true.

      • How about you show us how it is not true, rather than making a blatantly false statement you can't back up?

        Oh, sorry, answered my own question. carry on, then.
      • Grasshopper, it is the time to learn the art of argument. One submits facts to make their argument, not simply contradiction. In this case, a discussion of the HTTP protocol would be appropriate.
        • HTTP protocol: the Hypertext Transfer Protocol protocol. Text is transmitted in a hyper, super active state that is stateful and aware of itself. Sessions are irrelevant.

          Right?

    • by Anonymous Coward

      Giving up the freedom of other people appears to be the convenient option.

      • Giving up the freedom of other people appears to be the convenient option.

        No, not particularly. I had never heard of a Tor interaction until today, one reason is that I don't use Tor.

        If you want to talk about Freedom, let's allow users to choose not to use HTTPS instead of forcing it upon them as most sites do today. Even the browsers are starting to do it, Chrome won't run getUserMedia() over HTTP any longer. I know when I need to hide my web transactions, and resent being forced to do it the rest of the t

    • Regarding cookies, you're always going to get one on my site, whether you are using Tor or not, to support logins. HTTP isn't session-based and you need cookies to simulate sessions, so that you can have logins and dispense privileges where appropriate.

      If you hand out session IDs prior to authentication, you're vulnerable to session fixation [owasp.org]. So giving session cookies to all visitors is not required for the purpose of supporting logins, since you're going to have to give them a new session ID after logging in.

      • There are session-oriented features that don't depend on logging in, too. I'm going to hope the developers of at least two wikis and Wordpress got it right, and that Debian is keeping an eye on them for me :-)

  • They also do this to VPN services.

    • by Gondola ( 189182 )

      Yep. I use a VPN on one system and I am getting inundated with the CloudFlare CAPTCHAs, and they don't work right. It keeps coming up over and over.

  • by GuB-42 ( 2483988 ) on Friday February 26, 2016 @03:29PM (#51593839)

    There are many script-kiddies who launch attacks using the TOR network so it isn't very surprising.
    I rented a small server hosted by OVH that I used as a web proxy to make up for the poor peering of my ISP. I noticed the same thing : captcha, etc... That's because cheap servers like mine are popular for attackers and many are infected by botnets.

  • by Mal-2 ( 675116 ) on Friday February 26, 2016 @06:57PM (#51595649) Homepage Journal

    Sites that accept Tor connections find themselves subjected to many problems. Just one of them is being unable to identify the source of a connection to keep one person from setting up large numbers of accounts. This is happening on Voat, with a few certain users signing up hundreds of times then spamming the place -- while the rest of us are limited to one account per IP address. Got two people at your house who want accounts? Too fucking bad. Yet it does abs-olutely nothing to stop the Tor and proxy users. There is a very vocal contingent (I can't say how numerous they are) that insists that without the anonymity of Tor and proxies, they won't visit at all. These are not problem users, either, they're well-behaved. They might be spewing vile shit in /v/niggers or /v/FatPeopleHate, but they're not abusing the service and crossposting where nobody wants to see them. On the other hand, you have people like me, who want the crapfloods stopped. If it takes banning Tor and proxies, I'm afraid I have to say I'm for it -- though if it can be accomplished by less severe methods, that would be better. So far, management has taken the other side (doing nothing as best I can tell), so I've largely moved on. Rule #0 of any service should be "no unenforceable rules". If they can't or won't enforce the "one account per person" rule on Amalek and the Men's Rights Activists, then they shouldn't enforce them on anyone.

    4chan, vile as it was, did not allow posting from proxies the last I checked (which would be over a year ago, now) because of the inability to stop the crapfloods. 8chan makes Tor users solve CAPTCHAs every three to five posts instead of once a day. There may actually be a good balance between preserving functionality for good Tor users while preventing abuse by the bad ones, but if a site as dedicated to free speech as Voat can't find it, then sites that aren't so gung ho about free speech are just going to say "screw it, block them". Can they really be blamed?

  • I whitelist cookies and javascript as needed (my whitelist is very very short really).

    And I just now was asked to "Please complete the security check to access alpha.wallhaven.cc" when trying to go to http://alpha.wallhaven.cc/wall... [wallhaven.cc].

    Fuck em. You don't want me to look at your site. Then I simply don't. I don't give a shit.

    A fucking "security check" to look at some desktop wallpapers??!!?? For crying out loud!!

    The Open Internet is indeed getting smaller and smaller by the day.

  • Im stuck using Propel (a relic of dial-up) on my internet connection and I regularly get intercepted by Cloudfire, shopping cart subsystems, and other third-party apps thinking im trying to do something nefarious.

    Heaven help you if your browsing in a non-linear fashion (control-click) with multiple tabs set to load in the background while your browsing.

    I usually just give up and look somewhere else.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...