
Issues with corporate censorship and mass surveillance - jackgavigan
https://trac.torproject.org/projects/tor/ticket/18361
======
Jordrok
Sites routed through CloudFlare are practically unbearable to use over Tor and
ReCaptcha 2.0 has actually made things worse. The new challenges take more
time to solve and most times you're required to complete multiple challenges
before being accepted.

I'm glad to hear that this is being worked on, but I'm pretty pessimistic that
there will be a good resolution. There seems to be a fundamental conflict of
interest between preserving anonymity and being able to identify potential
abuse. As CloudFlare grows and absorbs more and more of the Internet, the
inconvenience and potential for tracking will only increase. The problem is
really more of a structural one than a technical one - this is what happens
when one entity controls vast portions of the infrastructure of the Internet.

~~~
jgrahamc
I'm hopeful. The more we do abuse detection by intelligent means the more we
are able to spot abuse without using CAPTCHAs or other tools like that. We are
about to allow our customers to whitelist Tor so that sites that want an
immediate solution for Tor users can disable the CAPTCHA check.

------
anexprogrammer
Forget Tor, what about VPNs and shared networks? CloudFlare has a great way to
make the web unusable. The number of small blogs that seem to use it has
become infuriating.

I typically browse via a VPN, and CF present their captcha blocking on every
CF site visited. This wouldn't be too bad, but the captcha is often
infuriating and the CF page + captcha is consistently one of the slowest
loading.

Lumping every user of a VPN or shared network in with the spammers is short-
sighted, and "allowing customers (of Cloudflare presumably?) to whitelist"
rather than presenting any possible solution _for the innocent browser_ is
typical of what the internet has become.

If someone is on a large shared network - VPN or university NAT, someone
_will_ have virus, spam or other crap on their machine. There needs to be a
solution that ensures the other hundreds of people on that net can be
minimally impacted. Perhaps a way to captcha ONCE per xx hours as a browser,
rather than 5x in 5 minutes as is often the case now.

It's got so annoying I find myself wishing someone made an Adblock filter list
for CF sites.

~~~
cyphar
Why forget Tor?

~~~
anexprogrammer
OK, that was careless writing. Better would be "Of equal importance". Net
result right now is Cloudflare is equally unfriendly to both classes of users.

I'd imagine the solutions are similar, though someone on Tor would probably
care far more about using a CF cookie for a captcha bypass solution than
someone on a large NAT.

------
hackercomplex
I'll just leave this here: [https://github.com/DonnchaC/cloudflare-tor-whitelister](https://github.com/DonnchaC/cloudflare-tor-whitelister)

with a simple cron job like this ^ you can benefit from cloudflare without
blocking TOR.

btw cloudflare if you see this. I suspect you could make all of this drama
disappear in an instant by adding a convenient firewall control panel option
called "whitelist TOR". Then all of the grumbling would be redirected towards
the individual websites who neglected to apply this option.

~~~
jgrahamc
_btw cloudflare if you see this. I suspect you could make all of this drama
disappear in an instant by adding a convenient firewall control panel option
called "whitelist TOR". Then all of the grumbling would be redirected towards
the individual websites who neglected to apply this option._

You mean the thing I said we are about to do both in this thread and in TFA?
:-) We are going to allow customers to do that. Very soon.

~~~
hackercomplex
sorry for not paying attention. _high five_

one other thing since you're here: you could have a second button: whitelist
the top 20 most popular private VPN services, and college dorm NAT
environments.

I know that sounds annoying because it's not a simple task to compile and
maintain such a list, but I suspect it's the kind of work that a single
non-technical intern could have as a partial responsibility. If you left this
control in the "allow" position by default then I bet these VPN providers
would start policing their own networks as a means to win your blessing to
stay on the whitelist.

Then consumers would have a better idea about which VPN providers are
respectable at least in terms of whether or not they nix the most obvious
forms of breach attempts/scanning emanating from their nodes. That may sound
far-fetched, but I just wanted to throw it out there.

------
fweespeech
I'd like to see a better solution for CF/Tor interactions but, to be perfectly
honest, Tor is too small a portion of CF's user base for them to put serious
effort into this and the fact their solution is more of the same seems to
largely reinforce this point.

I honestly refuse to use them when I have a choice in the matter because I
don't have much faith that the dark mass of data they have access to will be
used correctly. The fact they need to be called out publicly by the TBB team
pretty much reinforces this belief.

~~~
jgrahamc
The problem is that there isn't an easy solution to this. We have made efforts
to make things better for Tor users (see my comments in the linked ticket
above) but at the same time there is abuse coming from Tor which we have to
deal with and we see the amount of abuse increasing.

As I said in the linked thread we are about to allow our customers to
whitelist Tor exit nodes so that Tor users do not get challenged when coming
from an exit node that's been used for a lot of abuse. That will allow any
customer to decide what's appropriate.

~~~
mike_hearn
There's no easy solution because Tor refuses to do anything that would allow
for anything that works within current technology. This is not a new problem.
If the Tor guys really want to stop being frozen out of large parts of the
internet they need to

1) Tackle abuse

2) Go work for one of the large networks for a while so they see things from
the other side, and then do a lot of research until they find a solution they
know can make everyone happy.

In fact Tor have repeatedly gone for solution 3:

3) Attempt to publicly shame employees of big networks and get them to lower
their abuse defences by implying they're idiots who hate privacy, whilst
simultaneously demonstrating little understanding of what abuse teams have to
deal with. This never works.

Tor is a trivial fraction of anonymised traffic to most major networks (VPNs
are far more popular). It can be banned entirely with ~zero impact on any
large business. Taking approach (3) just annoys the employees and makes them
less likely to want to donate free engineering time to the Tor project
(because that's effectively what they want/need). We can see this clearly
happening on the linked thread.

E.g. comments like this one:

_It's also unreasonable to maintain a "reputation" for a Tor exit node._

... just send a powerful message that Tor isn't serious. Sorry for the harsh
words, but I've been round the block on this one too. Tor want to run a
network that ignores abuse yet is openly welcomed by the world's biggest
content providers. Not gonna happen.

~~~
middleclick
I grew up in a country where the Internet was censored and I have been a Tor
user since the days of the dangerous toggle button in Firefox. So it's been
like 7-8 years? I hope I can offer a counter argument.

This is not "business" as much as it is about CloudFlare centralizing the
Internet around them. We should speak up against it and rightly so.

When I started using Tor, it was the only way I could access the free
Internet. You mention VPNs; VPNs may be popular but not everyone can pay for
them or afford them or even has a credit card in many countries. With
CloudFlare running on many websites, it has become impossible to read any
content on them because the CAPTCHAs are impossible to solve or are a nuisance
(who has figured out what a street sign is?). And while Tor gives users
access to the internet freely for zero cost, CloudFlare is helping do the
opposite of that.

And please suggest what should an open network do about abuse and rather, why
should they be the ones doing anything about it? Not to mention, what kind of
abuse would reading an article constitute? I am not even logging in, just
reading stuff has been made impossible due to CloudFlare.

~~~
mike_hearn
I have the utmost respect for people fighting censorship, whether they're on
the inside breaking out or on the outside breaking in.

But the idea that only Tor can be used to fight censorship is a false
equivalence. If you look at the usage data for e.g. Turkey when they stepped
up censorship a few years ago, Tor usage increased a bit, but it was a tiny
amount compared to HotSpot Shield (a VPN product). Most users evading
censorship in places like China or Turkey are happy to trust the VPN provider
in return for superior performance or app compatibility, because they know
little VPN providers aren't going to snitch them out.

Yes, normally people have to pay for VPNs whereas Tor is free. I think it'd be
great if there was a collaborative network of people who donate their
bandwidth to a kind of decentralised VPN (single hop, authenticated, with
abuse checks, unlike Tor). But ultimately running these sorts of networks
takes effort and time, and most organisations don't have access to the various
grants and such that Tor has.

_> please suggest what should an open network do about abuse and rather, why
should they be the ones doing anything about it_

Keep it under control, same as all other networks are expected to do. There
are all sorts of networks that range from very closed (e.g. university
networks) to very open (e.g. open signup clouds, Google, Microsoft email
networks etc). But none of them have a get-out-of-jail-free card, not even the
biggest.

Why should they be the ones to do anything about it - because that's how the
internet works. If your network spews abuse onto the platform then it's gonna
get blocked and blacklisted. If you don't want your users to all be lumped in
the same bucket, then you have to do the differentiation yourself.

The linked thread already explains why simple GET requests can be problematic
all by themselves.

------
hartator
Just tried to browse my websites (funlabo.com, defouland.com, stratozor.com),
which have "Essentially Off" firewall settings on CloudFlare, with the TOR
browser: I was indeed greeted by a slightly annoying Google Captcha for each
domain.

That said, I am thankful for the services provided by CloudFlare, notably on
the performance side and you do have an option "Off" for this if you pay for
an Enterprise plan. I still recommend them.

~~~
makomk
So if I'm understanding this correctly, CloudFlare offer free CDN and DDoS
protection services to websites on the (unmentioned) condition that they make
those sites essentially unusable over Tor? Wow. No wonder the Tor developers
consider this an attempt to enable mass surveillance.

~~~
pfg
They're not unusable, it just becomes a bit more inconvenient to use them. In
my experience, you need to solve 2-3 captchas per site per new circuit (i.e.
every 10 minutes, IIRC, although TFA mentions this might have changed
recently).

Exit node IPs end up on a _lot_ of block lists. This is not specific to
CloudFlare. It's in the nature of a project like Tor that some of its users
use it for things like comment spam, which is one of the things CloudFlare
tries to block. This might very well be what most of their customers want - a
_lot_ of non-CloudFlare sites block exit nodes completely. They're also adding
a whitelisting feature for those who want to disable those features for Tor
users.

------
secfirstmd
Great to see this issue finally being tackled head on.

~~~
jeff_carr
Why would someone put a tor server behind cloudflare in the first place? If
you are using cloud flare, you are using it to protect yourself from abuse
(DDOS, etc). Doesn't allowing GET requests mean you can DDOS things behind
cloudflare then?

I'm skeptical that cloud flare can somehow be roped into 'corporate
censorship' -- they IMHO clearly were not founded or intended to enable some
sort of nefarious intent. Quite the opposite in fact.

TLDR: The title of this article is dubious or even trolling

~~~
cyphar
Running an onion service behind CF (apart from being basically impossible)
would lose many of the useful features of onion services. The topic being
discussed is accessing clearnet websites hosted behind CF using Tor. Speaking
personally, I've had to solve endless amounts of Captcha _every fucking day_.
It actually makes me reconsider how important the site I'm trying to view is,
because CF is trying to make it hard for me to read information anonymously.

~~~
secfirstmd
Ditto

------
ternbot
FYI - I am behind a corporate firewall and this article got blocked

~~~
cyphar
It's on the Tor project bug tracker. It's unlikely that your company would
support you downloading Tor inside your network.

------
chei0aiV
I would encourage Tor users blocked by CF to use archive.org or archive.is
save functions instead of solving captchas and teaching Google how to be more
human.

------
force_reboot
This selectively applied XKCD is relevant
[https://xkcd.com/1357/](https://xkcd.com/1357/)

------
madez
What about a proof of work when coming from tor as a method to fight DDoS?

~~~
cyphar
Tor circuits are not cheap.

------
nyan4
__It's spelled Tor, not TOR__

