
The Trouble with CloudFlare - tshtf
https://blog.torproject.org/blog/trouble-cloudflare
======
eastdakota
Tor has acknowledged their "botnet problem" since at least 2013:

[https://research.torproject.org/techreports/botnet-tr-2013-11-20.pdf](https://research.torproject.org/techreports/botnet-tr-2013-11-20.pdf)

That same paper walks through the challenges of dealing with it and doesn't
find any satisfactory solutions.

As I wrote in our post on the topic, there's a trade-off between security,
anonymity, and convenience. CloudFlare provides security to our customers. We
believe in the importance of anonymously accessing the Internet.
Unfortunately, that means we have to sacrifice some convenience. If you
haven't read it, I encourage you to see the post I wrote on the topic:

[https://blog.cloudflare.com/the-trouble-with-tor/](https://blog.cloudflare.com/the-trouble-with-tor/)

The two long-term solutions we proposed — blinded tokens or CloudFlare
supporting .onion addresses — we believe could reduce the inconvenience, but
they'll require help from the Tor developers. While public posts like this are
discouraging in terms of coming up with a better solution, I'm encouraged by
private conversations we've had with Tor developers who acknowledge this is a
hard problem and want to find solutions.

~~~
throwaway7767
The post from the Tor project does not state anywhere that Tor is not used by
botnets or that it's used for malicious purposes. They specifically question
your specific assertion that 94% of Tor traffic is malicious. I'm not
surprised, it's quite a statement and it calls for some supporting evidence.

Surely you can see how, given the amount of outreach they do to educate
regular people about the positive uses of Tor, putting forth unfounded
statements like that might be perceived negatively.

I am glad that CloudFlare has put effort into this problem and as a Tor user I
appreciate it (though obviously, this problem goes far beyond Tor, as
mentioned in the article - your systems will have the exact same problems with
large-scale IPv4 NAT, so really it's not optional for a CDN provider).

But please, stick to facts when presenting the case.

~~~
sievebrain
The calculation must be based on their internal data. How exactly are they
supposed to show the supporting evidence without compromising their users
privacy?

You seem to be engaged in goalpost shifting. CloudFlare have no incentive to
make this figure up. They aren't going to give random people on the internet
root access to their servers to recalculate the figure themselves. By claiming
they aren't "sticking to the facts" all you do is show a closed mind.

Tor proxies tons of bad stuff. Everyone who has run a big web site knows this.
Remember you only need one or two bad guys with fast enough tools to generate
a flood of malicious traffic that completely overwhelms thousands of legit web
browsing users. It's just so trivial for a minority of bad actors to end up
dominating traffic profiles. So, I believe Cloudflare.

Tor guys love to talk about journalists, whistleblowers etc. That must be a
really tiny amount of their overall traffic compared to people who just want
to torrent, be assholes on forums etc. Just because they love to "educate"
anyone who disagrees with them doesn't mean they're right.

~~~
throwaway7767
If the calculation is based on data, they should show it. Since they did not,
the Tor project made a best-effort guess as to how they could have come up
with this (obviously ridiculous) number of 94% of traffic being malicious.

I have run a Tor exit node, so I have some intuitive idea of the amount of
malicious traffic. CloudFlare are full of shit.

The rest of your comment is engaging in the exact same goalpost shifting you
accuse me of, suggesting that because there are one or two bad guys it's
really no big issue that they block thousands of legitimate users.

Also you completely ignored the most important point of my comment, which is
that this problem is _not_ _restricted_ _to_ _tor_!

If you wish to further the conversation, please actually respond to my points.
Thank you.

------
scurvy
Maybe I'm a cranky, old-school network operator, but this is a very cut and
dry problem. Tor runs a network that is rife with abuse and fraud. Tor needs
to clean up and police its network. If it doesn't, it will be put on
blacklists and customers will take active measures to block traffic from it.

This is no different than a network or AS that is spammer friendly, botnet
friendly, carder friendly, etc. All of those networks eventually end up on
blacklists or Spamhaus lists and their efficacy goes down. Eventually, the
network dies out and the criminals move somewhere else. Yes, it's a game of
whack-a-mole, but it's proven to work well.

I know Tor doesn't want to be in the network regulation business, but they
need to be if they want their product to thrive. Otherwise, good bye Tor.

~~~
AnthonyMouse
The main point of Tor is that nobody knows where the traffic comes from.
Realize you're asking them to break their own service.

Your premise seems to be that you can't be bothered to protect your networks
so you want to put that responsibility on someone else. It's called
intermediary liability and it's terrible because the intermediary has all the
wrong incentives.

You demand that the intermediary eliminate malicious traffic but they suffer
much less than individual users if they also eliminate non-malicious traffic,
so they set up a system with a high rate of false positives and harm many
honest people. YouTube does this with Content ID. Spam registries do this with
innocent small mail servers. CloudFlare does this with Tor.

What you're doing is called externalizing costs. It's generally recognized as
antisocial behavior. So if you're going to claim benefits to yourself at the
expense of other people, at least recognize that you're doing it.

~~~
nucleardog
> What you're doing is called externalizing costs. It's generally recognized
> as antisocial behavior. So if you're going to claim benefits to yourself at
> the expense of other people, at least recognize that you're doing it.

Remember his preface - cranky old-school network operator.

Let's say you have a hundred networks all connected together into some sort of
"inter-net" system. If one AS starts sending out malicious traffic, what makes
more sense:

1. That AS starts policing their users.

2. The other 99 ASs have to deal with the malicious traffic.

You're expecting the other 99 groups that are being targeted by the one group
to bear the cost of dealing with that group's malicious users. Who exactly is
externalizing costs here?

In a system without any real rules or authority, I think "those adversely
affected choosing to block the bad actor" is a fairly democratic solution to
the problem. You either play nice or you get voted off of the island.

~~~
AnthonyMouse
> In a system without any real rules or authority, I think "those adversely
> affected choosing to block the bad actor" is a fairly democratic solution to
> the problem.

That's the part which is adverse to the rest of your argument. You're not
voting off the bad actor, you're voting off everyone in the bad actor's
country.

We know how to deal with this problem. You go to a website, you sign up for an
account, it can be pseudonymous but to get it you have to put up some
collateral. Money/Bitcoin, proof of work, vouching by an existing member,
whatever you like. Then if your account misbehaves you forfeit your
collateral.

But this isn't a CloudFlare-level problem. They're trying to solve it at the
wrong layer of abstraction. Identity isn't a global invariant, it's a
relationship between individuals. Endpoints identify each other with
persistent pseudonyms. The middle of the network should have nothing to do
with it.

~~~
nucleardog
> That's the part which is adverse to the rest of your argument. You're not
> voting off the bad actor, you're voting off everyone in the bad actor's
> country.

The bad actor is the organization or person responsible for administering the
network where the abuse is originating.

When I'm being attacked by someone's VPS, I report them to their host. After
the fourth time I report them only to have their host pass along my report but
take no further action, the host becomes, maybe not a bad actor but, a "bad
citizen".

My choices are to allow them to externalize the costs of their lack of
enforcement (or decision not to enforce) and attempt to find a way to block
the specific actor under their purview, or just to block that host and accept
whatever collateral damage that occurs. (And yes, sometimes that "bad citizen"
may end up being most of a country - it doesn't change the equation for me.)

It's the only method I have to exert any pressure on the host to act
responsibly. If enough people agree with me, then it quickly becomes "their
problem" rather than "my problem" as they get blackholed from everywhere on
the internet.

~~~
AnthonyMouse
> The bad actor is the organization or person responsible for administering
> the network where the abuse is originating.

The bad actor is the individual who acts bad. The Post Office is not a bad
actor for delivering letters.

> allow them to externalize the costs of their lack of enforcement

Tor is not an enforcement agency. Neither is CloudFlare. The costs of bad
actors are your costs. You have the technical ability to retaliate against
common carriers for not allowing you to push those costs onto them, but that
doesn't make you right to do it in any sense other than might makes right. And
you should realize that in doing it you're knowingly hurting innocent people.

~~~
nucleardog
Of course they're not an enforcement agency, that's kind of the point - there
is no enforcement agency. We all have to contribute by being good citizens.

I subscribe to the idea that it's an ISP's responsibility to police its own
network for abuse and my responsibility to police mine.

You apparently subscribe to the idea that it's my responsibility to just
accept whatever shit you fling at me and it's my problem to deal with and yet
somehow I have a responsibility or moral obligation to still provide services
to you and your customers.

I suspect I'm never going to agree with you.

~~~
AnthonyMouse
There are two ways to deal with badness. The first is to try to identify bad
people and then stop them from doing anything whatsoever. The second is to
identify bad acts and stop anyone from doing bad acts.

The second one is the only one that works without massive collateral damage.

Identifying bad people is only an abstraction over identifying bad acts and it
leaks like a sieve. A reformed thief is entirely capable of buying an apple
without incident, because not all acts by bad people are bad acts. But a thief
has no reputation as a thief until after they steal for the first time. The
only way to stop bad things is to detect bad things.

But the true failure of reputation systems is that as soon as multiple people
share an identity they disintegrate entirely. Innocent people get blamed for
malicious acts of other people through no fault of their own and with no
ability to prevent it. The only way reputation systems can work at all is if
people can prevent other people from using their identities.

Which means that IPv4 addresses can't be identities, because we don't have
enough of them for them not to be shared.

And forcing common carriers to stop doing business with anyone who has ever
done anything bad has another problem. It imposes the death penalty for
jaywalking. You send spam once -- or get falsely accused of sending spam --
and you're blacklisted. It puts too many innocent people into the same bucket
as guilty people and then the innocent people fight you alongside the guilty.
It creates the market for these VPN services because too many servers are
wrongly using IP addresses as identities. Then the bad people also use the VPN
services and bypass your "security" because it was never security to begin
with, so you block the VPN services which destroys those and they're replaced
with others you haven't blocked. Meanwhile the real bad people also use
botnets which are unaffected, so you aren't actually blocking the bad people,
you're only blocking the one IP address that they share with the good guys.

You don't want this fight. Most of the people you're fighting are innocent.
People need to learn to detect bad acts, not "bad IP addresses."

------
breakingcups
I think Cloudflare's blog post was incredibly nuanced, well thought out and
(dare I say) pro-Tor. They implemented a way for their users to whitelist Tor
traffic (bypassing all Captcha's), without allowing their users to blacklist
Tor traffic.

This response seems a bit of a childish knee-jerk reaction from the Tor
project, which could've been worded more maturely.

~~~
aeorgnoieang
I didn't spot anything worded immaturely. What specifically do you think could
be more maturely worded?

~~~
grey-area
Instead of addressing the very real problems with usage of Tor, they try to
pick holes in the 94% figure from cloudflare (which isn't actually very
important), and go on to cite a study by cherry picking stats:
[https://news.ycombinator.com/item?id=11405101](https://news.ycombinator.com/item?id=11405101).
They don't mention that it explicitly states something which backs up
cloudflare's position:

 _Tor exit nodes were far more likely to contain malicious requests_

and even:

 _Risk averse companies may wish to block all Tor traffic_

The article then goes on to suggest that it is perfectly reasonable to use the
word 'block' to mean showing a captcha - in common usage block means _block_
- deny requests, not attempt to determine if a user is human with a captcha
or some other method - that's not blocking, it's annoying and potentially
pointless, but it's certainly not simply blocking users and it's disingenuous
to describe it as such.

All of that adds up to a response which seems to be more interested in scoring
points than finding a solution for legitimate Tor users. I'm not sure I'd
describe it as immature, but it's not a very constructive response, to an
article which went out of its way to be Tor friendly and propose solutions. It
would be much easier for cloudflare to really block Tor traffic, they would
probably suffer very little from doing so.

~~~
zzzcpan
They are being defensive.

> Tor exit nodes were far more likely to contain malicious requests

They also were far more likely to issue requests in general. This data point
has no meaning. But that's statistics for you :)

------
jgrahamc
I [I'm CloudFlare's CTO] have been engaging with the Tor folks through their
Trac interface here for about 6 weeks:
[https://trac.torproject.org/projects/tor/ticket/18361](https://trac.torproject.org/projects/tor/ticket/18361)
and been very open about how CloudFlare is addressing this.

My plan is to continue to do so through that ticket as I've made various
commitments there (some of which, like whitelisting, we've already rolled
out). It's worth reading the entire ticket to get a sense of the conversation.
We are in no way finished improving the situation.

~~~
byuu
Hello, please also consider VPN usage. Unlike Tor, we even pay for this
service, because we take it so seriously.

Despite using the most reputable VPN provider I could find with a serious
privacy policy; I've seen a steady increase in Captcha requests from
CloudFlare to simply view read-only pages. And all I can think is that the
Captcha page often requires the same amount of bandwidth as the page I was
requesting in the first place.

The net effect is that it's not saving you any CPU usage or bandwidth (if
anything, it's costing you more as we still request the actual page after the
Captcha system runs), it's making customers like me abandon your customer's
sites out of frustration, and it's eroding the last line of defense we have
against invasive tracking.

I'm sympathetic to the problem you're trying to solve, but surely there must
be a better way for simple GET requests.

This doesn't just affect people like me as a user. Having experienced this, I
would be averse to deploying or recommending CloudFlare in its current state.

~~~
jgrahamc
Which VPN are you talking about?

~~~
byuu
It's happened to me with Astrill, ExpressVPN, and vpn.ac so far. Usually I can
reconnect to get a new IP to avoid captchas again, so it seems only certain
IPs are being poisoned. And no doubt because they are doing things they
shouldn't. Hence the sympathy part.

If anything, it's been surprising to me to learn just how many sites are using
CloudFlare ;)

I don't have a site handy that's triggering it right this moment, but here's a
somewhat recent screenshot I grabbed of the captcha wall hitting my VPN:
[http://i.imgur.com/OnvK05l.png](http://i.imgur.com/OnvK05l.png) ; I received
this for simply trying to view a product page with an ordinary GET request.
Ironically, I couldn't solve the captcha, despite being human >_<

~~~
jgrahamc
Thanks. I am hopeful that the solution we come up with for Tor will be
applicable to situations like this.

~~~
byuu
Awesome news!! Thank you very much for taking the time to respond, and for
looking into a solution for Tor/VPNs. It's very much appreciated :D

------
Artemis2
That's just flawed reasoning all around. I can't even find any e-commerce-
specific data in their sources.

> A report by CloudFlare competitor Akamai found that the percentage of
> legitimate e-commerce traffic originating from Tor IP addresses is nearly
> identical to that originating from the Internet at large. (Specifically,
> Akamai found that the "conversion rate" of Tor IP addresses clicking on ads
> and performing commercial activity was "virtually equal" to that of non-Tor
> IP addresses).

Actual data from the report:

    • Comparison of Tor and non-Tor Traffic:
        Of legitimate requests, non-Tor IPs accounted for 99.96 percent of requests, while Tor exit nodes accounted for 0.04 percent
        Of malicious requests, non-Tor IPs accounted for 98.74 percent of requests, while Tor exit nodes accounted for 1.26 percent
    • Tor exit nodes were far more likely to contain malicious requests:
        1:11,500 non-Tor IPs contained malicious requests
        1:380 Tor exit nodes contained malicious requests
    • However, traffic from Tor exit nodes yielded a conversion rate virtually equal to non-Tor IPs:
        Conversion rate for non-Tor IPs was 1:834
        Conversion rate for Tor exit nodes was 1:895

Source: slide 7 of the report they link in the article –
[https://i.imgur.com/TcstnWD.jpg](https://i.imgur.com/TcstnWD.jpg)

~~~
ynniv
_[IP addresses of] Tor exit nodes were far more likely to contain malicious
requests_

 _However, traffic from Tor exit nodes yielded a conversion rate virtually
equal to non-Tor IPs_

You just described every busy IP address: if you handle more requests, you are
more likely to handle a malicious one. This is the problem with IP based
reputation.

~~~
legutierr
Yes, I think that the more revealing ratio would have been total malicious
requests to all requests for each class of IP. If each Tor exit node is
sending out 30x as much traffic, with an average of 30 unique users per IP,
then the cited ratios are meaningless.

The only thing that can be drawn from that data is that Tor makes IP-based
reputation tools ineffective. The thing is, for many people that may be enough
to justify what Cloudflare is doing.
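
A worked version of the point ynniv and legutierr make above, added here as an illustration and not taken from the Tor post, the Akamai report or Cloudflare. If every request carries the same small probability p of being malicious, an IP that relays n requests "contains" at least one malicious request with probability 1 - (1 - p)^n, so busier addresses get flagged more often by per-IP reputation even when nothing about the per-request rate differs. Feeding the two Akamai per-IP figures quoted in the thread (1:11,500 and 1:380) through that formula, under the example's own assumption that both populations share one per-request rate, gives the traffic multiplier that would explain the gap; the `requests_per_non_tor_ip` baseline is likewise the example's assumption, not a figure from the report.

```python
import math

# Akamai per-IP figures as quoted in the thread. The assumption that Tor and
# non-Tor requests share one per-request malicious rate is this example's own.
NON_TOR_IPS_FLAGGED = 1 / 11_500  # 1:11,500 non-Tor IPs contained a malicious request
TOR_EXITS_FLAGGED = 1 / 380       # 1:380 Tor exit nodes contained a malicious request


def p_any_malicious(p_request: float, n_requests: float) -> float:
    """P(an IP 'contains' >= 1 malicious request) when each of its n_requests
    is independently malicious with probability p_request."""
    return 1.0 - (1.0 - p_request) ** n_requests


def requests_needed(p_request: float, p_ip_flagged: float) -> float:
    """Inverse of p_any_malicious: requests an IP must relay before a fraction
    p_ip_flagged of such IPs carry at least one malicious request."""
    return math.log(1.0 - p_ip_flagged) / math.log(1.0 - p_request)


def implied_traffic_multiplier(non_tor_flagged: float = NON_TOR_IPS_FLAGGED,
                               tor_flagged: float = TOR_EXITS_FLAGGED,
                               requests_per_non_tor_ip: float = 1.0) -> float:
    """How many times more requests per IP a Tor exit would have to relay, at
    the SAME per-request malicious rate as everyone else, for the two per-IP
    flag rates to come out as observed."""
    # Per-request rate at which a non-Tor IP relaying the assumed number of
    # requests is flagged at the observed non-Tor rate.
    p_request = 1.0 - (1.0 - non_tor_flagged) ** (1.0 / requests_per_non_tor_ip)
    n_tor = requests_needed(p_request, tor_flagged)
    return n_tor / requests_per_non_tor_ip


if __name__ == "__main__":
    for k in (1, 10, 100):
        m = implied_traffic_multiplier(requests_per_non_tor_ip=k)
        print(f"{k:>4} requests per non-Tor IP -> a Tor exit needs ~{m:.1f}x the traffic per IP")
```

The multiplier lands near 30 whatever per-IP baseline is assumed, because in the rare-event regime the per-IP flag rate scales almost linearly with request volume. So a "1:380 versus 1:11,500" comparison of IPs says how much traffic an exit concentrates, not what fraction of that traffic is malicious; the latter is a per-request quantity and has to be measured as one.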

~~~
pfg
That's what CloudFlare did in their blog post:

> Based on data across the CloudFlare network, 94% of requests that we see
> across the Tor network are per se malicious.

~~~
legutierr
That number does not fit with the 1:380 ratio of Tor IPs that emitted
malicious requests, though. That is, unless the vast majority of all Tor
traffic is routed out of only a couple of exit nodes, which does not seem
consistent with the way that Tor works.

How can Cloudflare assert that 94% of all requests over Tor are malicious,
when Akamai seems to be saying that less than 1% of Tor IPs contain malicious
requests?

------
mootothemax
I don't know what the solution is here.

One of my sites enjoys a ridiculous number of fraudsters trying to make
purchases, many - but very much not all - from the tor network.

The easy solution is to punish everyone and ban tor exit nodes from access,
and woo, a significant reduction in my fraud rate.

The way I justify this to myself is that the site only accepts payment via
PayPal and/or credit cards, and paying with those in itself gives up a good
amount of privacy.

For sites that don't make a profit and have to use unpaid time to clean up the
mess from some tor nodes, I really don't know what the solution is.

It definitely sucks for legitimate users.

Edit: one more difficulty is that I don't know if I was targeted by one or two
lazy-yet-determined fraudsters who only use tor, and so make tor look worse
than it is with their repeated attempts. No idea even where to begin with that
one.

~~~
nothrabannosir
This is where 3D Secure truly shines; instead of completely refusing a
transaction, you can request the issuing bank (= bank of the card used to pay
with) to accept the liability in case of fraud (normally, it's the merchant
who has to give the money back). Usually the issuing bank will then request
the customer for additional challenge, e.g. a 2FA token, a code in SMS, or
just their birthday. Some don't even require anything. To you as a merchant,
though, that doesn't matter: if the person who bought your product was a
fraudster, the money is still yours. Now it's the issuing bank on the hook for
fraud, instead of the merchant.

The argument against 3DS is it kills conversion rates (meaning: lots of
legitimate customers don't complete that extra challenge, who would otherwise
have made the purchase). But for legitimate customers using TOR, I wouldn't be
surprised if that number were very different :) I know I wouldn't mind
whipping out a 2fa device every time I purchased something over TOR. I mean,
fair play, right?

3DS is available today in Europe, Asia and Africa! :'( but not ubiquitously in
the USA. Yet. It's getting there.

More info:
[https://en.wikipedia.org/wiki/3-D_Secure](https://en.wikipedia.org/wiki/3-D_Secure)

~~~
Titanous
3D Secure is a complete disaster. It encourages users to put ridiculously
sensitive information like social security numbers and bank credentials into
an iframe in the merchant site. This trains users to be phished.

~~~
floatboth
Social security numbers?! Who the hell implemented it like THAT?

3D Secure redirects to the bank's site (not in an iframe! a real window with a
visible address bar) where you enter a one-time code from SMS!

~~~
Titanous
I have worked with systems implementing 3D Secure and have multiple credit
cards that trigger it. I can assure you that the standard deployment for US-
based banks and merchants uses iframes and in the majority of cases will ask
for enough personal information to steal your identity or drain your bank
account.

~~~
the_mitsuhiko
I assume this is a US problem because in the US card fees are high enough that
banks don't need to worry too much about fraud yet. Look at European banks if
you want to see reasonable 3D Secure.

------
tlrobinson
I feel like Tor is burying their head in the sand here.

I think Tor is great, but I don't find it at all surprising or unlikely that
94% of _traffic_ (not users) is malicious (spam, vulnerability scanning,
scraping, etc) because it's likely that malicious traffic is automated while
legitimate traffic is not.

That said, I'd also like to hear more about CloudFlare's methodology.

------
nxzero
Exchanged comments with Cloudflare's CEO on the topic and in my opinion it
appears that they simply don't understand that their view of the situation is
skewed.

Here's hoping that given they truly do appear to care about TOR users that
they'll revisit the situation and find a better solution.

Here's a link to Cloudflare's blog post and the related comments on HN:

[https://news.ycombinator.com/item?id=11388560](https://news.ycombinator.com/item?id=11388560)

~~~
d_theorist
It's Cloudflare, not Cloudflair.

~~~
nxzero
Thanks, fixed the typo!

~~~
d_theorist
:)

Actually, I got it wrong as well, because it's really CloudFlare.

------
pfg
> 5) A report by CloudFlare competitor Akamai found that the percentage of
> legitimate e-commerce traffic originating from Tor IP addresses is nearly
> identical to that originating from the Internet at large. (Specifically,
> Akamai found that the "conversion rate" of Tor IP addresses clicking on ads
> and performing commercial activity was "virtually equal" to that of non-Tor
> IP addresses).

This point seems rather odd. I'm not following the connection between a large
percentage of Tor requests being malicious and the fact that Tor users have
almost the same conversion rate. Malicious requests are coming from botnets
and/or fraudsters. They're, for the most part, not in the subset of Tor users
which click ads or do anything else that would be tracked as part of a site's
conversion rate. What's funny about this is that the linked report even
confirms that requests from exit nodes are far more likely to be malicious:

    Tor exit nodes were far more likely to contain malicious requests:
      • 1:11,500 non-Tor IPs contained malicious requests
      • 1:380 Tor exit nodes contained malicious requests

I'm a huge supporter of Tor and have been running a relay node for years, but
it seems their stance on this topic is quite fundamentalist and they chose to
ignore any arguments or facts that they don't like while basically grasping at
straws in their counterarguments.

It's okay to be concerned about CloudFlare having such a huge market share.
They're a _huge_ target for nation states and others alike. Global passive¹
adversaries are a problem for things like Tor, and they might very well be
forced to become one at some point. It's essential to have more competition in
this area, and that's a fair argument to make. However, with regards to how
they're handling Tor, I don't think there's anything wrong with what they're
doing, and the explanations presented in their blog post seemed sound to me.

¹ Or, rather, possibly an active adversary too?

~~~
MBCook
Is this a wording issue?

> Akamai found that the "conversion rate" of Tor IP addresses clicking on ads
> and performing commercial activity was "virtually equal" to that of non-Tor
> IP addresses

So when seeing actual web traffic things are identical. That only measures
real web traffic. It doesn't measure all the SSH attacks, SPAM being sent,
possibly checking for vulnerabilities and unpatched software/etc.

~~~
pfg
CloudFlare doesn't do anything other than web traffic. It's basically an nginx
reverse proxy on steroids.

~~~
MBCook
Oh, right. Well you still have automated scans for vulnerable servers on HTTP
that don't try to really 'access' the website.

------
travjones
Original Cloudflare blog post that this is a response to:
[https://blog.cloudflare.com/the-trouble-with-tor/](https://blog.cloudflare.com/the-trouble-with-tor/)

~~~
mjs
That post also suggests two things that Tor could do to improve the situation
for their users:

* Support a stronger hashing algorithm to make it possible for CloudFlare to make .onion versions of all of their customers' sites.

* Implement "client-side" CAPTCHAs.

I don't know how feasible either of these are, but it seems strange (evasive?) that
Tor Project's blog post does not discuss either.

~~~
pfg
I believe Tor is working on a new version of hidden services which would
address the first concern.

------
kjsthree
This is a tough situation. I don't know about 94% of TOR traffic being
fraudulent but I'm sure it's high. But I'm one of the legit users that gets
taken out by blacklisting. I use a VPN service pretty regularly and it makes
accessing my Cloudflare account and sites using it incredibly annoying.

~~~
blakesterz
> I don't know about 94% of TOR traffic being fraudulent but I'm sure it's
> high.

I was curious and ran a quick check on my servers. 5 servers, about 300
domains, checked my logs going back 1 week. I could find just ONE legitimate
session. Everything else was something trying to break WordPress or PHPMyAdmin
or something else. I'd love to support Tor but I feel like I can't fight this
fight.

~~~
byuu
While still higher than regular ISP addresses, VPN abuse should be
significantly lower than Tor abuse on account of these services costing real
money. And nearly all of them not accepting anonymous forms of payment.

I expect my VPN use to keep me hidden amongst a crowd from various internet
companies trying to track and profile me; but I don't expect for a minute that
it offers protection against criminal activities (and I have no intention of
engaging in such things.) Any intelligent criminal would likely feel the same
way and not use a service with their real billing information to commit
crimes. Especially with Tor available.

Yet despite this, I am constantly hit by CloudFlare captchas on sites that are
very clearly not being hit by DoS traffic. Further, it seems site operators
don't even realize this is happening. When I reported the captcha issue to
Zotac's Twitter account, they had no idea CloudFlare was doing this.

Google is also a huge offender with the captchas. I'm _this close_ to
switching to Duck Duck Go. Facebook is too, but I'm fine with not ever going
there.

------
devit
The really questionable thing CloudFlare seems to be doing is that they
captcha traffic depending on the overall reputation of only the source IP
rather than whether the source IP is attacking that specific site or even
whether the site is under attack.

What they should do instead is this:

1. If the server is not overloaded, do not captcha any traffic at all

2. If the server starts being overloaded, only captcha traffic from IPs that
have been detected as attacking THAT specific site

3. If the server is still overwhelmed, only then switch to captchaing all IPs
with "bad reputation"

Most websites are probably almost never under attack, so this would make
encountering CloudFlare captcha extremely rare in the wild while still
providing DDOS protection.

They could even only do this for Tor exit nodes and other IPs that are known
to be used by lots of people.

If a site is being DDOSsed a lot and the slower start up of this technique is
a problem, then they can revert for those sites to the current behavior of
using reputation.
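
The three-tier policy devit sketches above, written out as runnable detection logic. This is an added illustration, not Cloudflare's implementation and not code from the post: the ten-second sliding window, the hit thresholds, keying per-IP counters by (site, ip) so that "attacking THAT site" is measurable, and the constructed sample addresses (198.51.100.5 standing in for a Tor exit on a reputation list) are all the example's own assumptions.

```python
from collections import defaultdict, deque

# Tuning values are hypothetical; a real deployment would set them per site.
WINDOW_SECONDS = 10.0
SITE_OVERLOAD_HITS = 100  # above this many hits per window the site is "overloaded" (tier 2)
SITE_SEVERE_HITS = 500    # above this it is "still overwhelmed" (tier 3)
IP_ATTACK_HITS = 50       # one IP sending this many hits to one site per window is attacking it


class TieredGate:
    """Per-request verdict: 'pass' or 'challenge' (serve a CAPTCHA or proof of work)."""

    def __init__(self, bad_reputation):
        self.bad_reputation = set(bad_reputation)   # e.g. Tor exits, known scanners
        self.site_hits = defaultdict(deque)          # site -> timestamps inside the window
        self.pair_hits = defaultdict(deque)          # (site, ip) -> timestamps inside the window

    @staticmethod
    def _count(timestamps, now):
        # Timestamps arrive in order, so popping from the left prunes the window.
        while timestamps and timestamps[0] <= now - WINDOW_SECONDS:
            timestamps.popleft()
        return len(timestamps)

    def decide(self, site, ip, now):
        self.site_hits[site].append(now)
        self.pair_hits[(site, ip)].append(now)
        site_load = self._count(self.site_hits[site], now)

        # Tier 1: the site is fine, so reputation is irrelevant; nobody is challenged.
        if site_load < SITE_OVERLOAD_HITS:
            return "pass"
        # Tier 2: overloaded; challenge only IPs hammering THIS site.
        if self._count(self.pair_hits[(site, ip)], now) >= IP_ATTACK_HITS:
            return "challenge"
        # Tier 3: still overwhelmed (e.g. a distributed flood where no single IP
        # crosses the per-IP line); only now fall back to global reputation.
        if site_load >= SITE_SEVERE_HITS and ip in self.bad_reputation:
            return "challenge"
        return "pass"


def flood(gate, site, ips, hits_each, now):
    """Replay hits_each requests from every IP in ips; return each IP's last verdict."""
    return {ip: [gate.decide(site, ip, now) for _ in range(hits_each)][-1] for ip in ips}


if __name__ == "__main__":
    gate = TieredGate(bad_reputation={"198.51.100.5"})  # constructed: a listed Tor exit
    print("quiet site, Tor exit:", gate.decide("shop", "198.51.100.5", 0.0))         # pass
    print("single attacker:", flood(gate, "shop", ["10.0.0.9"], 200, 1.0))            # challenge
    print("Tor exit during that attack:", gate.decide("shop", "198.51.100.5", 1.0))  # pass
    flood(gate, "shop", [f"10.0.1.{i}" for i in range(20)], 30, 2.0)                  # distributed flood
    print("Tor exit once overwhelmed:", gate.decide("shop", "198.51.100.5", 2.0))    # challenge
```

The replay shows the escalation devit describes: the listed exit passes while the site is quiet, still passes while a single address is the one flooding (that address is challenged on its own account), and is only challenged once twenty addresses each stay under the per-IP line yet push the site past the severe threshold. Because the state is a sliding window, the exit passes again once the flood stops, and a second site that is not under attack never challenges it at all.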

------
rbcgerard
I find Cloudflare's argument analogous to that of cash - i'm sure some huge
percentage of all illegal transactions are with cash, but that does not mean
the solution is to ban cash...though some would probably disagree

~~~
Klathmon
But to be fair, in Cloudflare's case they aren't "banning" access, they are
putting it behind a captcha.

Still far from ideal, but it's not banning.

~~~
CodeWriter23
When every .html resource requested is met with a captcha, access is
effectively banned.

~~~
Klathmon
Well that's another problem. When you fill out the captcha you are given a
cookie that can allow cloudflare to let you through next time.

If you are blocking that cookie for privacy reasons (which is not a bad
thing!), then cloudflare has no way to verify you again (short of doing
nefarious things). It's a bit of a self inflicted problem at that point.

That's not to say that the answer is "deal with it", but that we need to find
a better way. A way to verify that someone isn't a bad actor without having
them take a pretty significant chunk of their time to answer captchas, or give
up some of their privacy.

It's a tough problem, and i think the "proof of work" solution proposed in the
original could work, but it would need participation and collaboration from
"both sides" of the problem. And of course it won't happen overnight.

~~~
kuschku
Any proof of work concept again is just a cookie – because the proof I present
will be the same.

~~~
Klathmon
But you could possibly re-do the proof of work every page load without the
cognitive load of multiple captchas.

It still isn't ideal for mobile or low-end clients, but it's something.
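The exchange above (a proof is "just a cookie" versus re-doing the work on every page load), as an added example that is not part of the thread: a server-issued challenge is bound to the requested path, MACed with a server secret, given a short lifetime and redeemed once, so a solved proof cannot be replayed like a cookie. `SERVER_KEY`, `DIFFICULTY_BITS` and the message layout are constructed assumptions, not any CloudFlare or Tor design.

```python
"""Single-use hashcash-style proof of work (added illustration, constructed format)."""
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # per-server secret (constructed); rotates on restart
DIFFICULTY_BITS = 14          # leading zero bits required; raise under load


def issue_challenge(path, now=None):
    """Server side: a fresh nonce bound to `path`, MACed so the client can't forge it."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(8).hex()
    msg = f"{path}|{now}|{nonce}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return {"path": path, "issued": now, "nonce": nonce, "tag": tag}


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge):
    """Client side: grind a counter until sha256(challenge|counter) has enough zero bits."""
    base = f"{challenge['path']}|{challenge['issued']}|{challenge['nonce']}|".encode()
    counter = 0
    while leading_zero_bits(hashlib.sha256(base + str(counter).encode()).digest()) < DIFFICULTY_BITS:
        counter += 1
    return counter


class Verifier:
    def __init__(self, ttl=60):
        self.ttl = ttl
        self.spent = set()        # redeemed nonces: a proof is single-use, unlike a cookie

    def verify(self, challenge, counter, path, now=None):
        """Return "ok" or the reason the proof is rejected."""
        now = int(time.time()) if now is None else now
        msg = f"{challenge['path']}|{challenge['issued']}|{challenge['nonce']}".encode()
        expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, challenge["tag"]):
            return "forged"       # challenge was not issued by us
        if challenge["path"] != path:
            return "wrong-path"   # work done for one page cannot be spent on another
        if now - challenge["issued"] > self.ttl:
            return "expired"      # old proofs die even if never redeemed
        if challenge["nonce"] in self.spent:
            return "replayed"     # the "it's just a cookie" case, rejected
        if leading_zero_bits(hashlib.sha256(msg + b"|" + str(counter).encode()).digest()) < DIFFICULTY_BITS:
            return "bad-work"
        self.spent.add(challenge["nonce"])
        return "ok"
```

Each page load therefore costs the client a fresh grind (the cost Klathmon accepts for low-end clients), while the server stores only the nonces redeemed within the TTL.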

------
lazyjones
I find the 94% figure believable (for requests, not source IP addresses), Tor
is after all the obvious choice for low bandwidth DoS attacks and unwanted
scraping (i.e. a few individuals will generate a large percentage of Tor-
routed requests at any time).

The real issue with CF for me isn't the hassle with captchas, but the fact
that CloudFlare can track users across all its sites, generate profiles and
even read unencrypted traffic. It's a privacy hazard by design that makes Tor
particularly attractive. But as long as Tor is used only by a small minority,
it will be treated this way.

------
ryan-c
I would expect most of the malicious traffic coming out of Tor isn't using Tor
browser. I wonder what the attack numbers look like for Tor browser vs not Tor
browser. Cloudflare has client side checks already, which could be extended to
check whether the browser is Tor browser, and if so, don't block it.

------
ronaldo1
I understand what CloudFlare is saying but I still think that the benefits of
allowing legitimate TOR users to access websites freely (without cumbersome
captchas) outweigh the troubles malicious users might cause. Public computers
such as in libraries are also often used to do reprehensible things, but
still, we understand the benefits of having them.

It is also worrying that CloudFlare has this much power. One of the greatest
things about the internet is the openness of the platform and the
non-existence of gatekeepers.

Also, here is an annotated version of the TOR paper for those who want to read
more about it [http://fermatslibrary.com/s/tor-the-second-generation-
onion-...](http://fermatslibrary.com/s/tor-the-second-generation-onion-router)

------
r2pleasent
Payments originating from TOR IP addresses absolutely are more likely to be
fraudulent. Anyone running an online business could tell you that.

~~~
fabulist
Hassling Tor users shouldn't become the Internet's default. If you're having
trouble, consider informing Tor users checking out that you won't process the
payment without their providing additional information. This raises the cost
to carders a lot more than needing to rent a SOCKS proxy in a residential
area.

~~~
agrajag
It's not worth the development costs and extra verification costs to try to
weed a small number of legitimate purchases from a sea of illegitimate ones
though.

~~~
fabulist
It isn't that there is a sea of illegitimate traffic so much that their
methodology is incredibly flawed, and they have little financial incentive to
fix it. As a society, we have to give them that incentive, or we will lose
access to a shared resource.

We can have our Internet heavily censored or heavily censored with a ray of
sunshine. Is that worth the engineering costs?

------
hackuser
> Users are either blocked outright with CAPTCHA server failure messages, or
> prevented from reaching websites with a long (and sometimes endless) loop of
> CAPTCHAs

Is it really a loop or are users just failing to solve the CAPTCHAs? A loop
would be obnoxious: Just tell the user they are blocked; giving them more than
2 or infinite CAPTCHAs is a passive aggressive way to communicate.

~~~
pfg
My best guess is that reCAPTCHA doesn't just have two states (pass/fail), but
rather something like a confidence factor and a threshold you have to reach to
continue to the site (which might depend on your reputation).

------
BEEdwards
This is a terrible reply, it basically says "It's all your fault, we're all
good over here."

They then, either because they legitimately can't understand the problem, which
would be scary, or because they're being stubborn, fail to address the
suggestions by cloudflare to address the issues.

------
bogomipz
The trouble with Cloudflare is that they receive a disproportionate amount of
attention on Hackernews. Sometimes HN feels like an extension of their
marketing machine. I'm not so sure that every single blog post of theirs needs
to be an item on HN. Anyway that's my .02 cents.

~~~
nxzero
Do you use Tor?

------
AndyMcConachie
I have a question that I'm hoping will spur some discussion and maybe I can
learn some stuff.

"Is anonymity in Tor incompatible with low-latency?"

I ask this having read this: [http://freehaven.net/anonbib/cache/pets13-flow-
fingerprints....](http://freehaven.net/anonbib/cache/pets13-flow-
fingerprints.pdf)

I suspect that countermeasures to defeat deanonymization all have a negative
impact on latency (e.g. inserting extra packets, pausing between sends).

If the answer to my question is yes, then maybe the best thing the Tor project
can do is abandon its push for low latency, and instead focus on anonymity. If
Tor were a much higher latency network attackers would probably find it less
interesting.

------
stegosaurus
To me personally all of this just seems like fluff. I can't be the only one
that feels this way.

I don't want to 'prove I'm a human' to view your crappy site. I'll go and look
at the other bits of the Internet instead.

As an individual browsing, the only contact I have with CloudFlare is a
bouncer telling me 'no shoes no entry'.

Your entire company to me feels like a pointless gatekeeper because of these
shenanigans (on and off of Tor).

To be perfectly clear - CloudFlare, as a brand, is tainted to me, and I expect
to many others.

Fundamentally I don't think CloudFlare cares because their customers are not
the viewers of websites - and if the viewers of websites come to think of
CloudFlare as toxic - it still doesn't matter to them directly.

------
jamespo
That post doesn't really offer any solutions.

It would be interesting to find out how CF came to the 94% figure but a lot of
the other claims made are not countered and presumably valid.

I doubt CF's (paying) customers are particularly saddened by Tor users being
inconvenienced.

------
fapjacks
CloudFlare looks for ways to justify doing less. First ANY queries, then
"free" HTTPS stopping at the first CloudFlare hop, and now the stuff with Tor.
I don't trust CloudFlare _at all_ , because they say they're holding a torch
for the good of humanity, when actually, they're just making "cut costs"
business decisions. If you want to do something because it costs less, I
understand, then do that. But don't sit there and try to tell me that you're
somehow doing it to make the world a better place. That, to me, is super
scummy.

------
kristofferR
The main problem with CloudFlare is how dumb their "protection" is.

It doesn't make sense at all to block Tor users from just accessing read-only
content, like CloudFlare does today. Forms/login pages/comment boxes etc
should be protected of course, and most people wouldn't have anything against
solving a captcha for logging in, but preventing people from just reading
stuff anonymously/securely is borderline evil from a user experience point of
view.

However, it's obviously much easier from an engineering standpoint to
just block people outright.

~~~
pfg
This was addressed in CloudFlare's blog post:

> One suggestion has been that we treat GET requests for static content
> differently than we do more risky requests like POSTs. We actually already
> do treat more dangerous requests differently than less risky requests. The
> problem is Tor exit nodes often have very bad reputations due to all the
> malicious requests they send, and you can do a lot of harm just with GETs.
> Content scraping, ad click fraud, and vulnerability scanning are all threats
> our customers ask us to protect them from and all only take GET requests.

~~~
kuschku
That argument only holds true if the person operating the site has no idea at
all about the HTTP standards.

* GET requests _have_ to be idempotent.

* Security by Obscurity is not Security.

* Content Scraping is nothing you have to protect against, or should protect against – DRM just does not work.

~~~
pfg
Right, but this is about abuse and solutions for that. Obviously, blocking Tor
is not going to prevent a determined attacker from scraping your site or
trying some SQLi vectors. It might, however, prevent a large number of bots
from scraping your site for emails, scanning for vulnerabilities, or doing
click fraud. It's not a perfect solution, but those rarely exist. CloudFlare
sees a lot of malicious traffic, so they probably have a better view of what
works and what doesn't compared to everyone else.

~~~
kuschku
I see a lot of fraud on my site as well, and I can say that there are some
ISPs in Eastern Europe and Asia that are just as likely as Tor to be the
origin for a malicious attack.

I don’t block them either.

Instead, I use fail2ban with a 30min ban for the IP for all my servers, and
have the rest of the system hardened. Also, I add an additional delay that’s
just below the timeout that browsers have for each request from an IP of that
block for the next 30min.

Reduced my logs of "123.456.789.012 tried to authenticate as "root" with
invalid password" from several gigabytes a day to a few kilobytes.

________________________

Sure, I don’t host a large site, or get much traffic, but saying "Tor is the
only issue" or even "Tor is the largest issue" isn’t true.

And there are solutions for these cases. Solutions which allow legitimate
users to continue using the services.
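The per-IP, time-limited ban plus near-timeout delay described above, as an added example (not kuschku's setup or fail2ban's own code): a small jail that parses constructed sshd-style "Failed password" lines, bans an IP for 30 minutes once it fails three times inside the find window, and reports the delay to apply to that IP's requests while the ban lasts. The log lines, regex, year and the 29-second delay are constructed assumptions.

```python
"""fail2ban-style per-IP ban with a tarpit delay (added illustration, constructed log)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 31 10:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar 31 10:00:03 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar 31 10:00:04 host sshd[102]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2
Mar 31 10:00:05 host sshd[103]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Mar 31 10:00:06 host sshd[104]: Failed password for root from 198.51.100.9 port 4100 ssh2
Mar 31 10:31:00 host sshd[105]: Failed password for root from 203.0.113.5 port 4003 ssh2
"""
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) ")


class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=1800, tarpit=29.0):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.tarpit = tarpit                    # seconds: "just below the browser timeout"
        self.failures = defaultdict(deque)      # ip -> timestamps inside findtime
        self.banned = {}                        # ip -> ban expiry

    def observe(self, line):
        """Feed one log line; returns ("fail"|"ban", ip, when) or None if not a failure."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2016)  # syslog has no year
        ip = m.group(2)
        window = self.failures[ip]
        window.append(when)
        while window and (when - window[0]).total_seconds() > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry and not self.is_banned(ip, when):
            self.banned[ip] = when + timedelta(seconds=self.bantime)
            window.clear()
            return ("ban", ip, self.banned[ip])
        return ("fail", ip, when)

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        return expiry is not None and now < expiry

    def delay_for(self, ip, now):
        """Delay to add to a request from `ip`: near-timeout while banned, else none."""
        return self.tarpit if self.is_banned(ip, now) else 0.0


def run_sample():
    """Replay the constructed log through a fresh jail; returns (jail, events)."""
    jail = Jail()
    events = [e for e in (jail.observe(l) for l in SAMPLE_LOG.splitlines()) if e]
    return jail, events
```

The last line of the sample falls after the 30-minute ban has lapsed, so it counts as a fresh first failure rather than extending the ban, which is the "not eternally" behaviour contrasted with CloudFlare's later in the thread.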

~~~
jamespo
But Tor is not specifically treated differently... their exit IPs cross a
threshold and CAPTCHA's are applied, just like with your fail2ban solution.

~~~
kuschku
There is a difference: They ban each IP from _all_ their services. And
eternally, not just for 30min.

------
JDDunn9
I think CloudFlare's security measures are insane. I use a VPN and I can tell
which sites use CloudFlare because I consistently get an Error 520, where it
claims the browser and CloudFlare are working, but the website is not
responding. Yet I turn off the VPN and magically it works fine. That's
dishonest. At least own that you are the one blocking my visit.

I'm also developing with Dwolla's API, and CloudFlare blocks all HTTP requests
from my local IP, so I can't develop locally. Thanks CloudFlare.

~~~
throwaway-10439
Yeah, this is beyond just Tor - they're breaking VPN and carrier-grade NAT
traffic too. Even if Tor bowed to their demands those would stay broken, and
scammers would still fill out the captchas manually. But they seem very set on
their chosen solution!

------
yazaddaruvala
Someone with more knowledge of these thing, let me know:

Why does Tor not "charge" per request? i.e. Using some decentralized currency,
to pay for requests.

1\. Make it cheap enough such that users don't care, however, financially
disincentivizes spammers/malicious users.

2\. It would continue to be anonymous. - cycle through wallets - all
transactions would also be proxied.

3\. It would incentivize proxying and exit nodes (exit nodes would effectively
collect a bunch of virtual money to be resold to clients for USD).

~~~
nulbyte
If users don't care, spammers don't care; spammers will get a financial
return.

------
fabulist
Services like CloudFlare are responsible for more and more of the DNS. When
they are poor net citizens, they are poor net citizens at a massive scale.
Heuristics that end up being equivalent to "Tor users are guilty until proven
innocent" can't become the default mode of the Internet. As customers, Tor
users, and just people who have a stake in the Internet as a shared resource,
we need to demand that they try harder than that.

------
avip
Anonymity ("privacy") and security are conflicting requirements. Tor users
take a legit stance, and would be served an equally legit CAPTCHA (if lucky).

~~~
nulbyte
You're assuming anonymity and security belong on opposite sides. They don't.

------
greggman
How about this solution: (yes, it's only 5% serious)

From every publicly available internet do something that appears malicious
until cloudflare's servers annoy everyone. At that point they'll be forced to
find a new solution.

This only occurred to me because I get their captchas on public wifi in
Starbucks and other public wifi in Japan.

------
Laaw
I'm getting

"Attackers might be trying to steal your information from blog.torproject.org
(for example, passwords, messages, or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID"

When trying to visit this blog post.

~~~
nxzero
>> Laaw: "But I don't want end to end encryption"

Sorry, but I thought you didn't want encryption. Bit puzzled, just click
ignore error to fix the issue.

Clearly this advice is based on you not wanting end-to-end encryption; heads
up, NSA flags users that visit Tor's website, though clearly, you've done
nothing wrong.

(Yes, I'm making a point, hope it's clear.)

~~~
Laaw
Since they use HSTS, I literally can't click "ignore" or I would have. I, and
(I assume) anyone else who uses the latest version of Chrome cannot access
this content right now. Or it might just be me, but I don't know what the
solution is.

You also missed the point if you think what I said included the words "all the
time" in the other thread we were talking in.

~~~
nxzero
I'm on Tor and able to see the file, no idea why you're getting that error, or
I'd try to help.

Assume you know this, but Google has a cached version as text if you Google...

[cache:http...]

^^ where you remove the open/close brackets and insert the full URL after
"cache:"

~~~
Laaw
I'll try that, thanks.

------
ailanthus
CloudFlare uses a flawed algorithm that penalizes developing countries and
anyone who uses 1 IP address for many users. And that means that it censors
Tor users and impedes human rights.

------
merb
I dislike CloudFlare adoption. More and more I come to sites and need to wait 5
seconds, caused by their DDoS protection. Such things make the less more and
more awful.

------
throwaway-10439
The GET solution seems too lightly waved off considering that 90% of Tor
requests will be nearly identical to those from trusted IP addresses.

------
thinkMOAR
The trouble with cloudflare, the lawyers of the internet. Making money on
other people's problems but not really solving anything.

------
pharrington
Maybe I either missed this or forgot, but what percentage of overall internet
traffic handled by Cloudflare is deemed malicious?

~~~
nulbyte
In fact, I'd like to see CloudFlare segment out other populations and provide
similar statistics. With carrier-grade NAT, corporate proxies, VPNs, ...
Surely Tor is not the only segment that behaves similarly. As I see it,
CloudFlare is taking one group and applying stereotypes to justify a draconian
technique. I suspect they may be doing the same with other undeserving groups.
Seems to be the way the world goes, when money gets involved.

------
cft
We are free speech advocates, and yet we had to make a cron that downloads and
adds Tor IPs to an ipset, due to botnets.

------
das-boot
> the site only accepts payment via PayPal and/or credit cards, and paying
> with those in itself gives up a good amount of privacy.

I think both methods are actually not private and have proven not to be private
at all

------
morsmodr
lol, CloudFlare vs Tor (hope its not disappointing like BvS)

------
fleitz
Clearly cloudflare's customers prefer this behavior, it's their website, they
are free to block tor traffic if they like.

------
das-boot
> the site only accepts payment via PayPal and/or credit cards, and paying
> with those in itself gives up a good amount of privacy.

I think both methods have proven not to be private at all.

