
Dear customers of Cloudflare: an appeal regarding Tor - IngoBlechschmid
https://gitlab.com/iblech/tor-appeal/blob/master/README.md
======
ShakataGaNai
I fully get the pain of a "bothersome captcha" but as a website operator
(whose sites are behind cloudflare), there is a balancing operation. How much
of the traffic out of Tor is legitimate, and how much is spammers, attackers
and other script kiddies? For me, the answer is "very little legitimate".

A better request for Cloudflare websites would be to put the CAPTCHAs just on
actions that need protection. Reading a blog entry? Don't need to test.
Writing a comment? CAPTCHA them to the break of dawn.

~~~
Reedx
What I do is simply check if CF-IPCountry header == "T1" and block those from
being able to register accounts. T1 is Tor.

~~~
deftnerd
I run dedicated onion addresses for my sites and check the CF-IPCountry
headers and just redirect Tor users to the Onion site.
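
The two approaches above (Reedx: block account creation for the T1 pseudo country; deftnerd: redirect T1 visitors to an onion address) can live in one piece of origin-side middleware. The following is an added example, not code from either commenter or from Cloudflare. It assumes that Cloudflare sets the CF-IPCountry header to "T1" for Tor exits, as stated in the thread, and that the origin is only reachable through Cloudflare. That second assumption is the caveat a practitioner should check: any client that can reach the origin directly can set CF-IPCountry to whatever it likes, so the header is only trusted when the TCP peer is in the proxy's address range. The range used here (203.0.113.0/24, TEST-NET-3) is a constructed placeholder for Cloudflare's published list, and the onion hostname is hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Stand-in for the proxy's published edge ranges. 203.0.113.0/24 is TEST-NET-3,
# used here only as a constructed placeholder; load the real list in production.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Hypothetical onion address for this site (not a real service).
ONION_HOST = "exampleonionaddressexampleonionaddressexampleonionaddres.onion"

TOR_COUNTRY_CODE = "T1"              # pseudo country code for Tor exit nodes
PROTECTED_PATHS = {"/register", "/comment"}  # actions that need protection


@dataclass
class Decision:
    action: str          # "allow", "redirect" or "deny"
    location: str = ""   # target URL when action == "redirect"
    reason: str = ""


def _from_trusted_proxy(remote_addr):
    """True if the TCP peer is one of the proxy's edge addresses."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def route_request(method, path, headers, remote_addr):
    """Decide how to handle a request based on CF-IPCountry.

    The header is only meaningful when the peer is the proxy; a client that
    reaches the origin directly could forge it, so such requests are refused
    rather than silently treated as non-Tor traffic.
    """
    if not _from_trusted_proxy(remote_addr):
        return Decision("deny", reason="origin must be reached via the proxy")

    # HTTP header names are case-insensitive; normalise before lookup.
    country = {k.lower(): v for k, v in headers.items()}.get("cf-ipcountry", "")
    if country != TOR_COUNTRY_CODE:
        return Decision("allow")

    if method == "GET":
        # deftnerd's approach: Tor visitors are sent to the onion service.
        return Decision("redirect", location=f"http://{ONION_HOST}{path}",
                        reason="tor visitor, onion site available")
    if path in PROTECTED_PATHS:
        # Reedx's approach: Tor visitors may read but not register or comment.
        return Decision("deny", reason="tor visitor, protected action")
    return Decision("allow")
```

A real deployment would also restrict the origin firewall to the proxy ranges, so that the deny branch for untrusted peers is a defence in depth rather than the only control.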

~~~
mirimir
That is indeed the most constructive approach. I mean, Facebook has an .onion
site :)

------
jgrahamc
This shouldn’t be necessary. We changed our handling of Tor so long ago that
I’ve forgotten how long ago it was.

If you are using the Tor Browser Bundle you should not see a CAPTCHA. If you
do please report it to us.

~~~
deftnerd
I'm seeing the CAPTCHA a lot with the Brave Browser Tor Tab. You might want to
reach out to the developers to make their Tor Tab be treated the same as the
Tor Browser Bundle.

~~~
jgrahamc
OK. I don't like that. I messaged the team about this.

------
kiallmacinnes
I get the appeal, and I get it's a PITA. But, if the referenced CloudFlare
support document is to be believed, then you'll be putting yourself at
additional risk by whitelisting, or otherwise "turning down" the security
related settings for Tor users.

Let's pretend for the minute the support article is accurate, and let's
pretend CloudFlare's security checks are useful. (I don't have any
opinions/knowledge myself if they are true/false, so let's assume they are
true - as most CF customers will).

Why should I turn off the security CloudFlare is providing me? The appeal
doesn't give me anything I can use to justify turning this off. Given the
percentage of tor users vs not-tor users, I can't really call the "it bothers
Tor users" statement justification for turning this off.

I know it shouldn't be needed, I know anonymous browsing should be taken for
granted, however - reality is - it's not. For an appeal like this to succeed,
or even make a measurable dent, you'll need more.

I do hope you find more, anonymous browsing should be the norm, not the
exception - but I don't believe this appeal will make a dent.

------
mnm1
Those Google captchas are horrible. Often they do not let one through
despite giving seemingly correct answers. One is prompted with captcha after
captcha after captcha. They not only require cookies, but JavaScript turned on
and are a real affront to the whole idea of a usable, open web. On tor, I just
give up. There is nothing I want to see on the internet badly enough that I'm
willing to spend ten to fifteen minutes (this is not an exaggeration) trying
to guess what I'm supposed to click on. I do blame Cloudflare, ignorant
website creators, but most of all Google. Out of the many atrocious products
they have created, nothing is more infuriating and frustrating than these
stupid captchas. They are not logical and quite often simply unsolvable. I
support the creation of bots that can guess (because that's what the process
is, there's no solving these) these even if it comes with all the downsides of
having such bots roam freely on the internet. I hope the ai of the future is
able to deal with such nonsense to the point where Google gives up on this
atrocious technology. I'd rather have spam and ddos attacks than this.

~~~
makomk
At some point, Google started doing really aggressive increases in their
captcha difficulty based on IP trust or even outright refusing to let people
try and solve them at all. Since there's going to be a large overlap between
IPs that Cloudflare force through the captcha and IPs that Google distrust,
this means that anyone trying to access the internet through a network that
Cloudflare has put on their evil list will probably find the whole web
completely unusable. Of course, any employees testing the captcha feature will
go through the easy path and not see the problem...

------
tomschlick
Background on tor problems: [https://blog.cloudflare.com/the-trouble-with-tor/](https://blog.cloudflare.com/the-trouble-with-tor/)

~~~
edm0nd
and The Tor Project's response to that: [https://blog.torproject.org/trouble-cloudflare](https://blog.torproject.org/trouble-cloudflare)

They have been in this dispute with each other for a long time.

~~~
nerdponx
_blog.torproject.org uses an invalid security certificate._

 _This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox
may only connect to it securely. As a result, it is not possible to add an
exception for this certificate._

~~~
jcranmer
You may be behind a corporate firewall that is blocking access to the site.

~~~
mirimir
More like a corporate MitM exploit, which HSTS is detecting.

~~~
zaarn
Even a corporate proxy will work with HSTS.

------
a012
I'm not a Tor user but from IP blocks of ISP with low reputation, the
Cloudflare Captcha irritated me too much. Now I'll close the website if I see
one and look for Google cache or archive.

------
ainar-g
The Tor Project is invaluable in countries like Russia, where the gov. can
block literally millions of IPs just to get rid of one pesky messaging app.

Now that I think about it, people using it should probably donate more to the
project. Although this very same gov. can always see it as "supporting the
terrorists".

~~~
drharby
This seems less like a dialogue revolving around the post and more like a
promotion of TOR

~~~
phyzome
It's an argument for "why you should care", which is relevant to the post.

~~~
csydas
Furthermore, as an expat living in Russia at the moment, it is quite
surprising to one day be in an EU country and able to access any wide variety
of sites, and the next day get a friendly message from Роскомнадзор telling me
this website has been blocked for my protection or some other non-sense.

I'm not involved in politics enough for it to be something very dangerous for
me -- it's just non-sense things I want to see that I cannot because of silly
regulators wanting to look important. But at the same time, trying to browse
around via Tor to bypass these restrictions make it impossible at times to
access information that Роскомнадзор has decided Russians shouldn't be allowed
to access.

~~~
ainar-g
For those wondering, "Роскомнадзор" is Russia's "Censorship Agency",
Roskomnadzor[1]. If you are wondering, why is there a Censorship Agency in a
country whose Constitution explicitly bans censorship[2], well... Let's just
say it's not the first time in our history. Probably not the last.

[1] [https://en.wikipedia.org/wiki/Federal_Service_for_Supervision_of_Communications,_Information_Technology_and_Mass_Media](https://en.wikipedia.org/wiki/Federal_Service_for_Supervision_of_Communications,_Information_Technology_and_Mass_Media).

[2] [https://en.wikisource.org/wiki/Constitution_of_Russia#Article_29](https://en.wikisource.org/wiki/Constitution_of_Russia#Article_29).

~~~
csydas
To be fair, a lot of times I feel that it's more Hanlon's Razor than active
censorship. There still is a lot of Old World Russia running the show in
Russia, and stuff you could pull off when the entire populace was farmers just
doesn't really work now, and Russians are not afraid to call their leaders out
on it. The problem is that there still is an overwhelming sense of apathy in
the population, though this is steadily changing as more and more people
become active politically, even if for now there isn't an immediate effect.

But a lot of things that agencies like Роскомнадзор do are simply because it
made someone a quick buck somewhere down the line. Many of my
friends/colleagues work for businesses run by old men who are more interested
in 10,000 rubles now than 100,000 rubles in a week. The decisions that
Роскомнадзор and other government entities make rarely have much more of a
thought process beyond a simple "well, we wanted X". When the Telegram ban
came into effect and folks outside of Russia were flabbergasted by Russia's
choice to just block major parts of AWS, people came up with the most
outrageous of theories as to what was happening. The simple and more accurate
truth was probably that whoever made the decision at Роскомнадзор to do the
blocks neither thought about the implications of such a decision nor had the
technical knowledge to really understand it, and those underneath this person
likely didn't have the will or inspiration to care, hence why the block is so
trivial to bypass (like all the other blocks)

Like with many countries, a lot of old political methodology has to die off
before Russia can really step forward, and while that is happening, it's why
projects like Tor are essential for providing unmitigated access, whether it
is a malicious block (Telegram) or a senseless one. That so many US companies
just have a straight up IP block on all things Russia doesn't help to advance
the situation past this stage at all.

------
slig
I've got enough problems on my sites from Tor that I simply block T1
(Cloudflare's "country" code for Tor users) on their settings. Blocking whole
countries used to be an Enterprise only feature, but now it's available to Pro
users.

~~~
ofrzeta
What problems do you have?

~~~
amyjess
Not GP, but my guess is ban evasion.

Someone gets banned from bad behavior, they create a new account. So you IP
ban them. Then they switch over to Tor and keep making new accounts from
anonymized IPs and start disrupting the forum by spamming it with slurs. The
only solution is to ban Tor.

~~~
falcolas
Or, you know, limit the ability of newly created users to spam forums. Or put
them on "must be reviewed" lists. Or...

The easiest solution is to ban Tor, but it's far from the _only_ solution.
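
The alternative falcolas sketches (a posting budget for new accounts plus a "must be reviewed" queue) is a small amount of application logic. This is an added example, not code from any commenter: the tier thresholds and the one-day review window are assumptions chosen for illustration, and the account model is a minimal stand-in for whatever the forum actually stores. The idea is least privilege by account age: a fresh account can post only a couple of times an hour and every post is held for moderation, while an older or reviewed account gets a larger budget and posts go live immediately. Because the limit is tied to the account rather than the source address, it does not care whether the request came through Tor.

```python
from dataclasses import dataclass, field

# Assumed thresholds for illustration: (minimum account age in seconds,
# posts allowed per hour). Tune to the forum's real abuse patterns.
TRUST_TIERS = [
    (0, 2),                 # brand-new account
    (24 * 3600, 10),        # one day old
    (7 * 24 * 3600, 60),    # one week old
]
REVIEW_UNTIL_AGE = 24 * 3600   # posts from younger, unreviewed accounts are held


@dataclass
class Account:
    name: str
    created_at: int                      # unix seconds
    reviewed: bool = False               # set by a moderator after manual review
    post_times: list = field(default_factory=list)


def posts_per_hour(age_seconds):
    """Return the hourly posting budget for an account of the given age."""
    allowed = 0
    for min_age, limit in TRUST_TIERS:
        if age_seconds >= min_age:
            allowed = limit          # tiers are ascending, so the last match wins
    return allowed


def submit_post(account, now):
    """Return 'accepted', 'held' (sent to the review queue) or 'rejected'.

    'rejected' means the account is over its hourly budget; 'held' means the
    post is stored but not shown until a moderator approves it.
    """
    age = now - account.created_at
    recent = [t for t in account.post_times if now - t < 3600]
    if len(recent) >= posts_per_hour(age):
        return "rejected"
    account.post_times = recent + [now]
    if age < REVIEW_UNTIL_AGE and not account.reviewed:
        return "held"
    return "accepted"
```

A ban-evader who creates a fresh account through Tor gets two held posts per hour under these settings, which is far less reach than an unthrottled account and costs legitimate Tor readers nothing.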

~~~
wild_preference
All of those may entail much, much more work than banning Tor.

I can think of plenty of cool, robust systems I can build as well, but I do
not have unlimited resources.

------
lucb1e
Criminals will just hire a botnet, as we can see from all incoming spam email
and forum bots, etc. For the rest of us who desire to be anonymous online,
there is Tor. Whatever people can do over Tor, they can also do without Tor.
You're probably never going to find them anyway, even if you would sue in the
first place.

This whole tor vs clearnet distinction is way overblown. Sure people will do
more crap if they're anonymous, but if you block Tor criminals will just use
something else.

~~~
omginternets
>Criminals will just hire a botnet

... if Tor proves ineffective. If not, then they'll definitely use Tor.

~~~
jstarfish
Botnets are too unreliable. They're only any good for coordinating DoS attacks
and spamming, the sorts of attacks that don't require persistence of
infrastructure.

Tor is a common CnC and exfiltration vector. Nothing good will ever originate
from a pseudoanonymous network developed for spycraft. We have enough problems
with it that we shoot it on sight.

The bigger problem is becoming abuse of cheap VPS and seedbox services (and
anon VPNs) to launch attacks. $5 gets you a non-attributable box managed by an
overseas entity with a gigabit link and an IP strategically located near your
target to thwart geoip-based blocking. With that price point and features, why
fuck around with botnets or Tor?

~~~
user5994461
>>> The bigger problem is becoming abuse of cheap VPS and seedbox services
(and anon VPNs)

Cloudflare have the solution for that. You can ban by AS number and by country
code.

------
superkuh
All the author had to do with this "appeal" was present the text to be read.
Instead they put it on gitlab behind javascript. Literally nothing renders
without JS enabled, and even with it enabled in browsers more than a year or
two old it just spins forever: no text.

Text is easy guys. Here's my appeal: stop hiding all content behind
javascript. It's not required and because of it I am unable to read the
author's appeal.

~~~
danShumway
For any markdown file on Gitlab, you can look at the raw version:
[https://gitlab.com/iblech/tor-appeal/raw/master/README.md](https://gitlab.com/iblech/tor-appeal/raw/master/README.md)

That's also not a trick you need to memorize or something - if you load a
markdown page on Gitlab without Javascript, it won't render, but you can still
click on the button to view it raw, and that button is clearly labeled with
semantic HTML that will be accessible to any web browser that can handle a
link tag. You do need to be able to handle HTTPS encryption, but that's
another debate - most raw text documents are also going to be served over
HTTPS anyway.

And of course, from the Javascript side of things, the vast majority of
Gitlab's front-end is open source and all of their Javascript is served from
their own servers without any third-party trackers or ads. So no worries on
that front.

I get that people get annoyed about aggressive and unnecessary usage of
Javascript and some choose for ethical reasons not to run proprietary code. I
am all for accommodating you. But Gitlab _does_ accommodate you. There has to
be at least a little bit of effort put in on both sides here. Otherwise sites
are just going to throw up their hands and say, "well nothing pleases these
people, why should we bother?"

Gitlab does a great job of accommodating people who want access to raw text
while also accommodating people who want to be able to do basic layout. And
the approach of sites like this has significantly encouraged devs to use
markdown more - if this was a static site, or something exported out from Org-
mode, or even just a rendered Markdown file, you wouldn't have access to the
original raw text version.

The only reason you have access to the raw text is because the uploader chose
to serve the raw text and then handle rendering clientside instead of
serverside. If you want to be able to read more content in Markdown form,
Gitlab is your friend, not your enemy.

------
jpsilvashy1
Have you operated a website that gets lots of scammers? I've been responsible
for the security on several major e-commerce web applications. Often, you have
to make compromising choices. We found that the vast majority of requests over
Tor were not converting, in fact I don't think a single visitor via Tor had
bought a product (iirc, but I'd have to check to be certain). That combined
with the number of fuzzing/strange requests from users via Tor was just too
high to consider them to be meaningful traffic. We blocked Tor users outright
and it resulted in no change in revenue and a more straightforward security
landscape.

------
modzu
i've often had more luck passing these captchas randomly selecting 4 boxes
from the grid than trying to answer it intelligently. for example it often
asks to select a sign -- does the signpost count? only 50% of the time...
similarly, it might ask to select cars. does a bus count? there is no
consistency, presumably because the training data is ambiguous. does it deter
spam? yes, of course. so would a 404.

~~~
modzu
of course the real consequence of the above is that tor/incognito users are
essentially being excluded from increasing parts of the web. it's hard to
think it isn't intentional either (ie privacy is becoming illegal)

------
ryanwaggoner
The reality of systems like Tor is that they're going to be heavily abused by
bad actors. Part of the whole point of using Cloudflare is to reduce your
vulnerability to attacks from those bad actors, so I don't see how it's a good
idea to whitelist that traffic indiscriminately.

I feel for the legitimate users of Tor who are annoyed by captchas all day,
but unless someone has a foolproof way to filter out good Tor users from
malicious Tor users, I think that's just the price you pay.

Also found this interesting for more context:
[https://support.cloudflare.com/hc/en-us/articles/203306930-Does-Cloudflare-block-Tor-](https://support.cloudflare.com/hc/en-us/articles/203306930-Does-Cloudflare-block-Tor-)

------
gthtjtkt
I've been trying to use the Tor browser lately and so far it's been a mostly
futile endeavor. Between these captchas (which take 1-2 minutes to solve) and
other automated "bot" detection, most of the web is unusable. You _might_ be
able to view it, but good luck interacting with it in any way. That's when you
run into the "Sorry, something about your activity seems fishy" messages.

------
xtat
This also blocks me from scraping which in my case means you're not going to
get traffic from my aggregator. I could work around it but honestly there is
enough great stuff out there _not_ behind cloudflare so it's not a priority.

------
portobelln
If I had a dollar for every time someone behind Tor tried to screw with my
saas app...

------
lousken
Please turn JavaScript on and reload the page. DDoS protection by Cloudflare

this pisses me off even more than writing captcha

------
walrus01
From a network abuse perspective, any individual ipv4 /32 that is a TOR exit
point is an immense source of abuse, spam, shit, automated password attempts,
etc.

------
danielrhodes
Walk into a bank with a face mask on, and see how they react. Same principle
here.

~~~
rsync
You should be able to walk up to a vending machine with a face mask on. That's
a more apt analogy.

~~~
danielrhodes
The analogy still works: Let's say the vending machine companies became fed up
with being robbed all the time by people using face masks and as soon as
somebody walked up wearing a face mask the vending machine would recognize
this and turn into a locked down candy safe.

Maybe to get around this the vending machine could ask for an identity card to
confirm this person was safe.

In the same way, could Cloudflare (or anybody else) cookie people who were
deemed safe? Sure. But then that sort of defeats the purpose of Tor.

From the perspective of somebody operating these systems: they are either
damned if they do, damned if they don't. Given the relatively small number of
people using Tor, I think what has been done here is perfectly reasonable.

------
zackbloom
For people who are unaware, there is a cryptographic solution to this.
Cloudflare worked with crypto researchers to create a way for Tor users to
anonymously verify that they're not a bot. It's called Privacy Pass and it
solves this problem: [https://blog.cloudflare.com/cloudflare-supports-privacy-pass/](https://blog.cloudflare.com/cloudflare-supports-privacy-pass/)
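
The property Privacy Pass relies on is that a user can be issued tokens after one CAPTCHA and later redeem them one at a time, with the issuer unable to link a redemption back to the issuance. The block below is an added example, not Cloudflare's or the Privacy Pass project's code, and it deliberately uses a different primitive: Privacy Pass uses a verifiable oblivious PRF over an elliptic curve, whereas this example uses Chaum-style RSA blind signatures, which show the same unlinkability with less machinery. The key is a toy (two small primes) so the arithmetic stays readable; it offers no security at that size. The issuer signs a blinded value it cannot relate to the token, the client strips the blinding factor, and a redeemer checks the signature and a spent-token set. One caveat practitioners should keep in mind: every client must be served by the same signing key, because a per-client key would turn the key itself into an identifier and defeat the purpose.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for demonstration only; real deployments use 2048-bit or larger keys.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def token_hash(token):
    """Map a random token to an integer mod N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


# --- client side -------------------------------------------------------------

def blind(token):
    """Return (blinded message, blinding factor). The issuer only sees the former."""
    while True:
        r = secrets.randbelow(N - 2) + 2       # r in [2, N-1]
        if gcd(r, N) == 1:
            break
    return (token_hash(token) * pow(r, E, N)) % N, r


def unblind(blinded_sig, r):
    """Remove the blinding factor: (h * r^e)^d * r^-1 = h^d mod N."""
    return (blinded_sig * pow(r, -1, N)) % N


# --- issuer side (runs once per solved CAPTCHA) ------------------------------

def sign_blinded(blinded):
    """Sign whatever the client sent; the issuer never learns the token."""
    return pow(blinded, D, N)


# --- redeemer side (runs on every protected request) -------------------------

class Redeemer:
    def __init__(self):
        self.spent = set()

    def redeem(self, token, sig):
        if pow(sig, E, N) != token_hash(token):
            return False                       # forged or corrupted signature
        if token in self.spent:
            return False                       # tokens are single-use
        self.spent.add(token)
        return True


def issue_and_redeem_demo():
    """One full round: blind, sign, unblind, redeem twice.

    Returns (first redemption ok, second redemption ok, issuer saw an
    unrelated value). The blinded value differs from the token's hash, so the
    issuance record cannot be matched against the redemption record.
    """
    token = secrets.token_bytes(16)
    blinded, r = blind(token)
    sig = unblind(sign_blinded(blinded), r)
    redeemer = Redeemer()
    first = redeemer.redeem(token, sig)
    second = redeemer.redeem(token, sig)
    return first, second, blinded != token_hash(token)
```

Issuing a batch of tokens per CAPTCHA (each blinded with its own factor) is what makes a single challenge last across many requests; the spent set is what stops one token from being replayed.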

------
grittygrease
The main problem with whitelisting Tor is that you open the door to abuse.

Cloudflare is working on a new solution to this problem that allows us to
differentiate between abusive visitors and legitimate users without de-
anonymizing them.

If you’re a Cloudflare user and want to sign up for this feature, email onion-
beta@cloudflare.com for details.

------
joelesler
Or.... you could stop using Tor?

------
staunch
Why would a company that values their users' privacy have Cloudflare man-in-
the-middle their traffic in the first place?

Cloudflare decrypts the traffic, which in many cases includes personally
identifiable information like names, email addresses, transactions, etc. It's
hard to imagine something more anti-privacy than allowing a third-party access
to all of your users' data.

Tor users should take those CAPTCHAs as a sign that they're visiting a web
site that they can't use while maintaining their privacy.

~~~
detaro
What hosting is acceptable for your privacy wishes? Given that "a contracted
party sees plaintext" is apparently the issue, the following clearly are not
ok:

a) any SaaS

b) any of the cloud providers when their load-balancing offerings are used in
HTTP mode (e.g. Amazon ELB)

c) any traditional "shared" hosting company

Are VPSes trustworthy enough, or does it have to be dedicated hardware?
Dedicated hardware under direct control of the company only? And how many
companies run those, vs setups falling under a-c) above?

I see people make comments like this all the time when it is about Cloudflare,
but somehow very seldom if it's about Amazon AWS, Shopify, ..., despite the
same caveats applying to those, and it being widely accepted that third-party
processing is fine if for a clear purpose and under proper contracts.

~~~
staunch
Yes, options A, B, and C are technologies that shouldn't be used where user
privacy is highly valued. They violate the fundamental concept of end-to-end
encryption.

In practice, a rented VPS or dedicated server that terminates its own TLS
connections can be considered very private. It's not impossible for the
hosting company to acquire the private key but it would require real effort,
business risk, and potential liability.

Even if you're not worried about rogue employees, you have to worry about
mistakes like the infamous "Cloudbleed" bug that leaked private user traffic.

~~~
cmorgan31
So avoid using more than 75% of the web? You may be right in that these
websites value your privacy less than other things but it certainly doesn't
seem like a viable solution for most users. What's the day to day usage look
like when you take your privacy this seriously? I'm not well versed with what
tools you would use currently to achieve privacy.

------
crunchlibrarian
There is a disconnect here: I've read so many technical articles from
cloudflare about neat problems they solve while at the same time they just
boldly say fuck you to net neutrality and aggressively try to get people on
board with the tracking internet that their corporate partners desire so
strongly. I get the sense these aren't the same groups of people at the
company itself.

I've been browsing anonymously with tor and other services for about five
years now and the web just gets more and more hostile every day. So many
pages, apps, services, etc just flat out don't work anymore even if you solely
have a VPN running.

Not to throw cloudflare under the bus, Google and Apple have created way
more issues for me with their hostility to anyone who evades tracking.

~~~
ryanwaggoner
Eh, I really doubt that it's designed to punish people who aren't tracking.
Tracking makes users much more valuable, but the average legitimate user who
isn't being tracked is still probably net positive value, so it wouldn't make
sense to just block them outright.

I think the problem is that a very high percentage of malicious behavior
online comes from Tor, certain IP ranges, VPNs, scrapers that don't run
Javascript, etc, etc. You can't get rid of all of those malicious actors, but
you can probably block the vast majority of them by taking the actions you're
complaining about here, and I suspect that it doesn't actually cost you that
much. You get some cranky nerds and some legit users who are using Tor and
VPNs who won't be able to use your site, but they're a tiny minority.

~~~
phyzome
Cranky nerd here. I've tried to use Tor to access websites for legitimate
purposes and found much of the web has become unusable recently.

But perhaps you need a motivating example, since you don't think there's any
value in supporting Tor! I'll give you some.

\- Security researcher wishes to contact an organization about a security hole
in their site or product, but doesn't know if they'll be sued, so they want to
protect their identity. (source: this is me; have met other people doing this)

\- Pedophile (who doesn't _want_ to be one) seeking therapy options that don't
involve a high risk of being incarcerated or killed. (source: read an article
about this)

\- Teenager in a repressive environment trying to access LGBTQ resources;
parents have a netfilter on, or maybe have snoopware on the router. (source:
several acquaintances)

\- Chinese citizen trying to find a different view of history (source: pretty
freaking common, although Great Firewall makes it tricky)

These are people who don't have other, good options. And you'll need to be
able to withstand the sizeable quantities of malicious traffic that _don't_
come through Tor, so it's not like you really win anything. It's worth not
blocking Tor.

~~~
cmorgan31
You need to provide fiscal value or convince the operations team of legitimate
companies to not treat Tor as a bad apple. It may not be right but money is
the only motivating example that matters to companies.

~~~
phyzome
The plea also goes out to people who have their blogs running through
Cloudflare. (For some reason.)

~~~
theoctopus
A zero-configuration free CDN is a pretty good reason in my opinion.

~~~
phyzome
I guess I don't get the need for a CDN for a blog. I can run a blog off a
raspberry pi. It's text, a bit of markup, a couple images.

