
> The things that makes TOR useful for people avoiding prosecution also makes it useful for people involved in malicious and criminal activities ... Everything from spam and network attacks to trafficking people and contraband.

It is ok if someone that doesn't understand it says those sorts of things, but when an organization like cloudflare[1] jumps on the goof-troop bandwagon, it really does make a difference.

[1] https://blog.torproject.org/blog/trouble-cloudflare




I hope I can make you more skeptical of the "Cloudflare is the bad guy" trope. Cloudflare is lightyears ahead of any CDN when it comes to supporting Tor.

They specifically built controls so that web sites can remove CAPTCHAs for Tor users completely.[0]

They also do not block/CAPTCHA Tor users automatically. They treat Tor IPs like any IPs: if they detect abuse from the IP, they start giving the CAPTCHA.

Finally, Cloudflare has stated publicly[1] that they have a desire to set up .onion sites for their customers automatically. But they cannot do so until the Tor project is able to upgrade the hashing algorithm used for .onion addresses. If the two organizations could work together, this could be game-changing for online anonymity. Imagine millions of web sites automatically supporting Tor!

I can't understand why the HN crowd is so anti-Cloudflare. This Tor thing seems to be one of the major misconceptions.

Disclaimer: I'm not affiliated with either Tor or Cloudflare in any way.

[0] https://support.cloudflare.com/hc/en-us/articles/203306930-D...

[1] https://blog.cloudflare.com/the-trouble-with-tor/


I think a lot of people on HN are anti-Cloudflare because of the way they portray themselves in blog posts. Every blog post makes it sound like they are saving the internet.

In addition, their response to the memory leak issue a few months back left a bad taste in a lot of people's mouths. They attacked Google unfairly for not purging their leaked content fast enough, while trying to downplay the severity of the mistake they made.


My link was a direct response to your second link.

I do not believe cloudflare on your first link (that they treat tor ips like any ips).

I can tell you from experience that I have never connected to a cloudflare backed site with tor that didn't require multiple captchas. So every tor ip is hostile to cloudflare sites? If so, how is that practically different than just blocking tor?

I think that if you read the response at your first link again, you can see that they are implying what you are saying, but they are not saying what you are saying. I think they are blocking tor, but explaining it in a diplomatic way.


Thanks for the thoughtful reply!

> My link was a direct response to your second link.

Yes, and they only take issue with the claim that 94% of Tor requests to Cloudflare are malicious. It's a shame that Cloudflare hasn't responded with the data they requested, and it's fair to hold that against them. But I'm also not aware of a response from Tor regarding Cloudflare's desire to make automatic SSL certificate generation possible for .onion addresses.

As a huge fan of both organizations, I wish they would act like adults and work together, rather than spend so much time pointing fingers.

> If so, how is that practically different than just blocking tor?

Because Cloudflare allows their web sites to disable CAPTCHAs for Tor if they choose to.

> I think they are blocking tor, but explaining it in a diplomatic way.

We'll have to disagree on that. The Cloudflare post outlines not one, but two ways that the two organizations could work together to solve the problem.

But again, I agree it would be great if Cloudflare would release more detailed data about the attacks they see from Tor.


> So every tor ip is hostile to cloudflare sites?

OP blog post claims 96% of the traffic going to their tor hidden service is hostile. It doesn't seem unreasonable to me at all that every tor ip is hostile.


It is their definition of "hostile" that is the problem. They do not explain. I suspect it means "I can't track you, so you are hostile." Otherwise, where is the data for this?


> I can tell you from experience that I have never connected to a cloudflare backed site with tor that didn't require multiple captchas. So every tor ip is hostile to cloudflare sites? If so, how is that practically different than just blocking tor?

so you manually looked up the provider of every site you visited?

sounds like 100% of cloudflare sites that are configured to require captchas require captchas.


TOR is a source of lots of DDOSing and things like that, which happen to be the exact thing Cloudflare takes money from people to protect against. From the blog posts I have read in the past, it seems they appreciate TOR's existence but recognize that in its current state, it is a thorn in their side.

Mitigating abuse while supporting the TOR ecosystem is an open problem and they have certainly done more than any other CDN afaik to explore ways to allow legitimate TOR users past their firewall. Unfortunately, if I remember correctly the solution involves tracking IDs which can deanonymize users.

I had an idea a while back of a distributed, anonymous reputation system with rotating tokens. I still believe this is a better solution than the permanent tracking IDs currently used and maintained by other companies. It would return control to the user.


I'm not too sure what "jumping on the goof-troop bandwagon" means to you, or what difference you are referring to.

Cloudflare /did/ invest a lot of time communicating and trying to remedy the situations with the DDoS. This is evident in the amount of communication that can be found in the bugtracker.


DDoS over Tor is absurd.


Right..? Does the number of exit nodes even compare with what's possible with simple amplification attacks?



