A better request for Cloudflare websites would be to put the CAPTCHAs just on actions that need protection. Reading a blog entry? Don't need to test. Writing a comment? CAPTCHA them to the break of dawn.
Cloudflare proved that it's both unwilling and unable to solve the problem.
I wonder if Tor has finally reached critical mass and is ready for more widespread use?
That shouldn't be an issue if the passwords have enough entropy.
Allow me to optimize your statement.
>>> if False
Legitimate Tor users will click it for the same reason a large fraction of users in general will click it--it's stopping them from getting where they want to be, and they believe clicking it will enable them to move on, and they believe that reading it won't speed up that process.
It's just to them more "stupid stuff the site wants me to agree to that I don't need to bother with because (1) if it is asking me to agree to some rules I don't care because I'm really nice and would never do anything they could object to anyway, and (2) if it is making me give permission to use my data or track me it doesn't matter because (I'm already tracked everywhere else | I've got ad blocking and privacy add-ons installed)".
Why we are blocking Tor users
You appear not to support dictatorship and/or want to live under a dictatorship. As the operator of this site, I don't believe in freedom of speech or expression on any subject, even banal everyday subjects. For all subjects, I oppose freedom of the press, freedom of speech, and the right to read anonymously or express anonymous opinions, regardless of content. If I could, I would repeal the fourth amendment ('[t]he right of the people to be secure in their persons, houses, papers, and effects'). Come back when you are ready to be tracked by your government."
Fair compromise? It sends the message across while blocking all Tor users.
so in my sibling comment I suggested that all Tor users could be blocked, while making it clear that the operator does not support their rights.
If they observe that a high fraction of visitors from AWS / VPN / Tor exit IPs are attackers, they will add countermeasures.
Well-intentioned or not, the UX sucks, and I generally bail and don't come back if I experience a second Captcha in a session. Find a better solution, or accept that you're driving away eyeballs/revenue.
Let's approach this from another angle for a moment - a hypothetical provider with no numbers/revenue; zero, zip.
Where should they start? Do they start by chasing every possible user out there and risk a wave of spam, etc? No, right now - the Cloudflare approach is looking rather attractive despite Cloudflare not needing to advertise these security features far and wide (unlike some VPN providers) because we're talking so much about it.
In the time that this debate will end, the buttons will be clicked, site(s) will be launched and working without problem for the majority of users it will be targeted at. For nearly everyone, this appears to be a much better solution than those that have plagued various online forums and services for years.
So who is going to find a "better" solution? Probably almost nobody. As the other commenter says, it's a numbers game. And that's just business.
That is interesting.
Are you using Cloudflare purely as a CDN?
Can you choose to filter access to your content from geographic regions (i.e. block all IPs from [country])?
What key services/offerings are you benefiting most from using Cloudflare?
2. Only on the enterprise plan. On Pro/Business you can only "challenge" (captcha) or JS/browser Challenge countries, not outright block them.
3. Even with all the other cool and useful features, DDOS mitigation is still one of the most valuable offerings possible.
Some time around ~2 years ago, though, the particular use-case of using Tor to (anonymously) access public-Internet websites got a lot better—both in bandwidth and TTFB.
Access to Tor hidden services is still slow, though.
Which makes me wonder: is the Tor network itself unilaterally faster now, and it's actually just the particular Tor hidden services which are all coincidentally bandwidth-starved?
Comparing apples to apples, DuckDuckGo's hidden-service gateway (https://3g2upl4pq6kufc4m.onion/) still seems a lot worse-off than their clear-net website (https://duckduckgo.com/). And I would bet that they would scale their Tor gateway if they could. So maybe this is a limitation in how Tor handles routing to hidden services? Does a .onion have to route to one physical Tor node, rather than being capable of load-balancing among many?
obviously it would vary greatly depending on where the connection is going... but wondering if there is some overarching idea of what it has..
Currently the network is processing ~125Gbit/s of traffic.
seems like a good amount?
For exit traffic I don't believe there is a metric for average user speed. But, I just ran 3 speed tests using different circuits and was getting 500-800KB/s download speeds on average.
I have octoprint set up with an IP behind a NAT, and a hidden service. When I'm not at the 'space, I use Orbot on my Android and OctoRemote.
I get reasonably good speeds and latency. I can also view my webcam on the printer. It's not 4HD by any means, but is definitely usable.
I've also had quite a few projects in which I'm trying to normalize Tor usage. My biggest one thus to date is a Tor-ified IoT network that uses your own resources instead of nebulous "cloud" providers.
Long story short, there's a lot of promise to a .onion address, given it acts like a telephone number. Change IPs? Who cares. You retain your "number" no matter where you move :) It's also a lot less scary when talking to people about this, and how Tor is awesome in many areas.
You can see that for a 5MiB file, hidden services perform 2-3 times slower, I would put most of the blame on data having to travel through more hops when using hidden services.
The old question: is a simple ping considered an attack? I still hear people talking of how their websites are attacked thousands of times every day. Pings and other simple scans are not what I would call actual attacks.
Do we have any sources regarding how that 94% number was calculated or are you guessing?
What I wanted to know was some background on the 94% figure, do we know this is how they arrived at that number?
If you are using the Tor Browser Bundle you should not see a CAPTCHA. If you do please report it to us.
In future, I'll report CAPTCHAs with Tor browser to Cloudflare. But I can imagine that other CDNs use Google CAPTCHAs, so I'll check for that first.
Tails doesn't work for this.
Tor Browser Bundle does.
Let's pretend for the minute the support article is accurate, and let's pretend CloudFlare's security checks are useful. (I don't have any opinions/knowledge myself if they are true/false, so let's assume they are true - as most CF customers will).
Why should I turn off the security CloudFlare is providing me? The appeal doesn't give me anything I can use to justify turning this off. Given the percentage of Tor users vs not-Tor users, I can't really call the "it bothers Tor users" statement justification for turning this off.
I know it shouldn't be needed, I know anonymous browsing should be taken for granted, however - reality is - it's not. For an appeal like this to succeed, or even make a measurable dent, you'll need more.
I do hope you find more, anonymous browsing should be the norm, not the exception - but I don't believe this appeal will make a dent.
Seems like Google could alleviate this if they checked the value of certain cookies before making people repeatedly solve captchas.
They have been in this dispute with each other for a long time.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
Now that I think about it, people using it should probably donate more to the project. Although this very same gov. can always see it as "supporting the terrorists".
I'm not involved in politics enough for it to be something very dangerous for me -- it's just nonsense things I want to see that I cannot because of silly regulators wanting to look important. But at the same time, trying to browse around via Tor to bypass these restrictions makes it impossible at times to access information that Роскомнадзор has decided Russians shouldn't be allowed to access.
But a lot of things that agencies like Роскомнадзор do are simply because it made someone a quick buck somewhere down the line. Many of my friends/colleagues work for businesses run by old men who are more interested in 10,000 rubles now than 100,000 rubles in a week. The decisions that Роскомнадзор and other government entities make rarely have much more of a thought process beyond a simple "well, we wanted X". When the Telegram ban came into effect and folks outside of Russia were flabbergasted by Russia's choice to just block major parts of AWS, people came up with the most outrageous of theories as to what was happening. The simple and more accurate truth was probably that whoever made the decision at Роскомнадзор to do the blocks neither thought about the implications of such a decision nor had the technical knowledge to really understand it, and those underneath this person likely didn't have the will or inspiration to care, hence why the block is so trivial to bypass (like all the other blocks).
Like with many countries, a lot of old political methodology has to die off before Russia can really step forward, and while that is happening, it's why projects like Tor are essential for providing unmitigated access, whether it is a malicious block (Telegram) or a senseless one. That so many US companies just have a straight up IP block on all things Russia doesn't help to advance the situation past this stage at all.
Someone gets banned from bad behavior, they create a new account. So you IP ban them. Then they switch over to Tor and keep making new accounts from anonymized IPs and start disrupting the forum by spamming it with slurs. The only solution is to ban Tor.
The easiest solution is to ban Tor, but it's far from the only solution.
I can think of plenty of cool, robust systems I can build as well, but I do not have unlimited
This whole Tor vs clearnet distinction is way overblown. Sure people will do more crap if they're anonymous, but if you block Tor, criminals will just use something else.
... if Tor proves ineffective. If not, then they'll definitely use Tor.
Tor is a common CnC and exfiltration vector. Nothing good will ever originate from a pseudoanonymous network developed for spycraft. We have enough problems with it that we shoot it on sight.
The bigger problem is becoming abuse of cheap VPS and seedbox services (and anon VPNs) to launch attacks. $5 gets you a non-attributable box managed by an overseas entity with a gigabit link and an IP strategically located near your target to thwart geoip-based blocking. With that price point and features, why fuck around with botnets or Tor?
Cloudflare have the solution for that. You can ban by AS number and by country code.
Sure, attackers can find an alternative. It just won’t be Tor. :)
Gitlab does a great job of accommodating people who want access to raw text while also accommodating people who want to be able to do basic layout. And the approach of sites like this has significantly encouraged devs to use markdown more - if this was a static site, or something exported out from Org-mode, or even just a rendered Markdown file, you wouldn't have access to the original raw text version.
The only reason you have access to the raw text is because the uploader chose to serve the raw text and then handle rendering clientside instead of serverside. If you want to be able to read more content in Markdown form, Gitlab is your friend, not your enemy.
I feel for the legitimate users of Tor who are annoyed by captchas all day, but unless someone has a foolproof way to filter out good Tor users from malicious Tor users, I think that's just the price you pay.
Also found this interesting for more context: https://support.cloudflare.com/hc/en-us/articles/203306930-D...
this pisses me off even more than writing captcha
Maybe to get around this the vending machine could ask for an identity card to confirm this person was safe.
In the same way, could Cloudflare (or anybody else) cookie people who were deemed safe? Sure. But then that sort of defeats the purpose of Tor.
From the perspective of somebody operating these systems: they are either damned if they do, damned if they don't. Given the relatively small number of people using Tor, I think what has been done here is perfectly reasonable.
An analogy? Being required to show your passport to use a vending machine.
Cloudflare is working on a new solution to this problem that allows us to differentiate between abusive visitors and legitimate users without de-anonymizing them.
If you’re a Cloudflare user and want to sign up for this feature, email email@example.com for details.
Cloudflare decrypts the traffic, which in many cases includes personally identifiable information like names, email addresses, transactions, etc. It's hard to imagine something more anti-privacy than allowing a third-party access to all of your users' data.
Tor users should take those CAPTCHAs as a sign that they're visiting a web site that they can't use while maintaining their privacy.
a) any SaaS
b) any of the cloud providers when their load-balancing offerings are used in HTTP mode (e.g. Amazon ELB)
c) any traditional "shared" hosting company
Are VPSes trustworthy enough, or does it have to be dedicated hardware? Dedicated hardware under direct control of the company only? And how many companies run those, vs setups falling under a-c) above?
I see people make comments like this all the time when it is about Cloudflare, but somehow very seldom if it's about Amazon AWS, Shopify, ..., despite the same caveats applying to those, and it being widely accepted that third-party processing is fine if for a clear purpose and under proper contracts.
In practice, a rented VPS or dedicated server that terminates its own TLS connections can be considered very private. It's not impossible for the hosting company to acquire the private key but it would require real effort, business risk, and potential liability.
Even if you're not worried about rogue employees, you have to worry about mistakes like the infamous "Cloudbleed" bug that leaked private user traffic.
Using Cloudflare gives control over which part of their site can use shared cache and which is direct link.
If you don't trust anyone, run your own servers and don't hire sysadmins.
People you hire can be vetted, fired, sued, and even imprisoned for violating your users' privacy. Blindly handing over your users' data to a third-party includes none of these protections. You're simply abdicating responsibility.
But you must have them on site 24/7 to be able to respond as fast as Cloudflare to any new security issues. You must pay them a lot of money because they must be expert level. You also need to have 24/7 security around your servers and all the backups and redundancy.
Very few businesses have customer information that is worth the paranoia and investment of doing everything in-house.
I've been browsing anonymously with Tor and other services for about five years now and the web just gets more and more hostile every day. So many pages, apps, services, etc just flat out don't work anymore even if you solely have a VPN running.
Not to throw Cloudflare under the bus, Google and Apple have created way more issues for me with their hostility to anyone who evades tracking.
That's not what "net neutrality" means: Cloudflare is a service the site operators choose to pay for.
An example of actually saying fuck you to net neutrality would be your ISP announcing that access to "premium web sites" will be slowed to 10kb/s unless you pay an additional fee.
But perhaps you need a motivating example, since you don't think there's any value in supporting Tor! I'll give you some.
- Security researcher wishes to contact an organization about a security hole in their site or product, but doesn't know if they'll be sued, so they want to protect their identity. (source: this is me; have met other people doing this)
- Pedophile (who doesn't want to be one) seeking therapy options that don't involve a high risk of being incarcerated or killed. (source: read an article about this)
- Teenager in a repressive environment trying to access LGBTQ resources; parents have a netfilter on, or maybe have snoopware on the router. (source: several acquaintances)
- Chinese citizen trying to find a different view of history (source: pretty freaking common, although Great Firewall makes it tricky)
These are people who don't have other, good options. And you'll need to be able to withstand the sizeable quantities of malicious traffic that don't come through Tor, so it's not like you really win anything. It's worth not blocking Tor.
I never said that.
I do think that the onus is on you to explain to whatever company you're railing against here why it's in their best interest to welcome Tor traffic, particularly if it will make them more vulnerable. And sorry, to me you're not doing a good job of making that case. These examples seem like edge cases for the vast majority of websites. If I was blocking Tor (I'm not), I wouldn't reconsider my position from these scenarios. The cost is simply too high for too little benefit to too few people, probably none of which are my target audience.
And just to be clear, I truly understand the value of Tor and similar projects, and I hope we get more of them and they're more widely supported. But they come with real downsides too, so it's not surprising to me that many businesses and governments aren't going to go out of their way to support them. That's the price you pay.