9

CloudFlare's captcha screen appears more and more often during Tor browsing. First they ask for a CAPTCHA and that's ok. Then there's the copy/paste confirmation string. That should be the last obstacle, but instead I'm back again to the same screen, re-doing it in an endless loop, which is quite frustrating. I'm not alone with it; there are others with the same problem.

Not only are they invading our privacy in a much worse way than normal trackers do (certainly much more difficult to block), they also make it impossible for us to freely and flawlessly surf the web!

CloudFlare and all the similar services are the new generation of trackers: with the excuse of being protective against all kinds of DoS attacks, they are quickly conquering a very big slice of the internet! And whenever you try to visit a site that they serve, your request will go straight to them first, and is therefore logged and shared too. There is no way to block this unless you avoid visiting all the websites it serves, of which there are quite a lot actually...

I feel like the usability and user experience of Tor browsing is exponentially decreasing due to these kinds of issues. Has anyone else noticed this problem with CloudFlare? What do you think about it, and what could the solution be?

Andrew Lott
MrX

3 Answers

9

CloudFlare challenges are based on the Security Level chosen by the site owner. Higher protection levels mean more users are likely to be challenged (usually by filling in a CAPTCHA to proceed).

Site owners also get to set a Challenge Passage TTL to "specify how long a visitor is allowed access to your site after successfully completing a challenge". The shorter this TTL, the more often risky visitors will have to complete a new challenge. Unfortunately, due to Tor's automatic rotation of exit nodes, it could be the case that it's less an issue of CloudFlare's TTL than of your jumping to a new risky IP every ten minutes.

CloudFlare themselves appear to have a more hands-in-the-air-not-our-problem attitude and point users to contact the site owners if they've been blocked entirely.

You're completely right saying "whenever you try to visit a site that they serve, your request will go straight to them first". CloudFlare in particular have full control over who gets to land on one of their sites due to their setup process which requires them to control the site's DNS as well as proxying all site traffic. They're not just a CDN for static content, and in fact their T&Cs specifically forbid usage as such.

If you continue to have problems then it's probably worth contacting the site owner and letting them know that they're putting off users because of the security setting they have in place with CloudFlare. If enough users raise the visibility of Tor browsing as a legitimate avenue to their site then hopefully they'll either adjust their settings or move to a platform that will be more anonymity-friendly.

Andrew Lott
2

This is another assault on privacy and anonymity, from my perspective. It's analogous to the NSA indiscriminately collecting (everyone's) communications because there are a few bad guys they want to catch. CloudFlare is a middleman that answers only to their corporate profits at the end of the day. It's a central storage for every surfer's IP address and the sites they access. It doesn't take much imagination to see why so many consider this a far from innocuous development. Personally, as someone who regularly comments via Tor on blogs known for alternative perspectives, I feel threatened by CloudFlare and its browser fingerprinting algo-methodology. The only way site owners might be persuaded to care about the privacy of their contributors more than their own (disproportionate) desires for elusive bullet-proof security (wholesale trust in CloudFlare?) is for their loyal base to revolt by declining to enter the captcha and avoiding the site property altogether. That's my answer to the ever increasingly gated internet. In the near future, it won't be worth paying for any sort of fenced internet connection. Until then, it's resistance, not sheepish obedience.

Roya
2

To minimize the influence of such trackers:

  • Write the captcha in the search box (or elsewhere), then paste it into the CAPTCHA input. I guess in case the operator CAN record the speed of typing text to identify the user.

  • To protect against browser fingerprinting (check out Panopticlick by EFF), try this Firefox add-on: Random Agent Spoofer

    • randomizes reported screen size and depth (manual install of the add-on needed for this option)
    • randomizes browser profile, timezone, etc.
Roya
devein