They specifically built controls so that web sites can remove CAPTCHAs for Tor users completely.
They also do not block/CAPTCHA Tor users automatically. They treat Tor IPs like any IPs: if they detect abuse from the IP, they start giving the CAPTCHA.
Finally, Cloudflare has stated publicly that they have a desire to setup .onion sites for their customers automatically. But they cannot do so until the Tor project is able to upgrade the hashing algorithm used for .onion addresses. If the two organizations could work together, this could be game-changing for online anonymity. Imagine millions of web sites automatically supporting Tor!
I can't understand why the HN crowd is so anti-Cloudflare. This Tor thing seems to be one of the major misconceptions.
Disclaimer: I'm not affiliated with with either Tor or Cloudflare in any way.
In addition, their response to the memory leak issue a few months back left a bad taste in a lot of people's mouths. They attacked Google unfairly for not purging their leaked content fast enough, while trying to downplay the severity of the mistake they made.
I do not believe cloudflare on your first link (that they treat tor ips like any ips).
I can tell you from experience that I have never connected to a cloudflare backed site with tor that didn't require multiple captchas. So every tor ip is hostile to cloudflare sites? If so, how is that practically different than just blocking tor?
I think that if you read the response at your first link again, you can see that they are implying what you are saying, but that are not saying what you are saying. I think they are blocking tor, but explaining it in a diplomatic way.
> My link was a direct response to your second link.
Yes, and they only take issue with the the claim that 94% of Tor requests to Cloudflare are malicious. It's a shame that Cloudflare hasn't responded with the data they requested, and it's fair to hold that against them. But I'm also not aware of a response from Tor regarding Cloudflare's desire to make automatic SSL certificate generation possible for .onion addresses.
As a huge fan of both organizations, I wish they would act like adults and work together, rather than spend so much time pointing fingers.
> If so, how is that practically different than just blocking tor?
Because Cloudflare allows their web sites to disable CAPTCHAs for Tor if they choose to.
> I think they are blocking tor, but explaining it in a diplomatic way.
We'll have to disagree on that. The Cloudflare post outlines not one, but two ways that the two organizations could work together to solve the problem.
But again, I agree it would be great if Cloudflare would release more detailed data about the attacks they see from Tor.
OP blog post claims 96% of the traffic going to their tor hidden service is hostile. It doesn't seem unreasonable to me at all that every tor ip is hostile.
so you manually looked up the provider of every site you visited?
sounds like 100% of cloudflare sites that are configured to require captchas require captchas.
Mitigating abuse while supporting the TOR ecosystem is an open problem and they have certainly done more than any other CDN afaik to explore ways to allow legitimate TOR users past their firewall. Unfortunately, if I remember correctly the solution involves tracking IDs which can deanonymize users.
I had an idea a while back of a distributed, anonymous reputation system with rotating tokens. I still believe this is a better solution than the permanent tracking IDs currently used and maintained by other companies. It would return control to the user.