Not to detract from the point but I find Cloudflare to be on the more reasonable side when it comes to blocking Tor. A lot of sites end up effectively banning all Tor IPs, Cloudflare merely requires CAPTCHA. And they do offer Privacy Pass as a sort of approach to make it a little less annoying.
I do agree that Privacy Pass is in theory a good idea, although to say that Cloudflare "merely" requires captchas to be filled out is a bit disingenuous. You're often required to complete 5-10 captchas, and sometimes even after that, you get denied. Had that happen to me multiple times.
I don’t use Tor for all of my traffic, but sometimes I do use it just because I can. And my experience lately is that I usually get hCaptcha and I usually pass it once and get in. It’s reCAPTCHA that is a serious problem.
Yeah after years of suffering from reCAPTCHA I'm somewhat thankful for hCaptcha. It is still annoying (especially Cloudflare's integration which seems barely compatible with the Tor Browser's cookie and circuit management), but at least I don't have to switch exit nodes twenty times just to have a chance of my solution being accepted (like with reCAPTCHA).
If you can't pass a CAPTCHA, you need to stop and ask yourself -- are you really a human being, or have you just been programmed to believe that you are?
If you have been trying to solve the same captcha for several hours, you need to stop and ask yourself -- are you really a human being, or have you just been programmed to believe that you are?
> And they do offer Privacy Pass as a sort of
> approach to make it a little less annoying.
The Privacy Pass extension requires, as it mentions when installing it, access to all the data on all websites that you visit. So in order to stop getting so many Captchas, one has to give this company unfettered access to all sites that one visits? Why even bother with an HTTPS connection when the browser is potentially leaking the information away with explicit user consent?
And I don't even use Tor. But every few weeks I'll have a two or three day spat where every webpage that I visit requires at least two captchas to be solved. Maybe another user from my ISP is scraping, but I'm a good citizen on the 'net.
"Some" because they seem to have internal heuristics for detecting Tor Browser users before they enable that feature for a connection, so it doesn't apply to all connections made through Tor. YMMV I guess but I haven't seen a Cloudflare CAPTCHA over Tor in a long time.
I still wonder how that detection thing works. My custom Firefox setup with requests proxied through Tor passes as the TBB, but copying the same request as a curl command somehow doesn't.
Yeah, it's pretty weird and apparently it's being updated as well. Like, a year ago or so I wrote a browser extension to trick that detection mechanism when I'm on stock Firefox. Just when writing that comment I discovered something has changed and that's not needed anymore.
Try signing up to GitLab and then signing in. It’s completely broken with Tor because of Cloudflare's crappy redirect and nobody has done anything about it. The captcha also breaks after you spend about thirty mins trying to find a relay which doesn’t trigger the redirect page protection loop.
It’s just silly to suggest this when quite simply not all IPs behave equally and the differences are not subtle. It’s annoying when “bad” IPs get reassigned and change, but that is a relatively infrequent event - and certainly Cloudflare is at least adaptive. It’s just not a principle aligned with reality.
The problem that no one seems to acknowledge: one IP doesn't necessarily mean one person or entity behind it. Residential ISPs often use a single public IP as an exit point for many subscribers simultaneously. So if one, just one, of these subscribers does something that our internet overlord Cloudflare considers nefarious, everyone else sharing this IP gets punished for doing nothing wrong.
This specific problem happens all the time. That’s the ISP's problem, not Cloudflare's. The ISP has a user negatively impacting other users; the best course of action would be to remove that user and notify Cloudflare after.
Do ISPs actually do any of this? Does any ISP ever do any of this? I don't think so. Also, no one knows what was the particular thing that pissed off Cloudflare, because it's a black box.
I'll say it again: centralizing the internet around a single company is a terrible idea. Especially so when said company terminates TLS and thus has access to unencrypted traffic.
ISPs don’t because they don’t care. Until there’s a legal or monetary reason to do so, ISP providers will do the bare minimum. My spouse worked for a large American ISP and would hear all the time that apartment complexes would not be able to access certain services because one user did something that got the IP blocked and nobody cared because it wasn’t their problem.
ISPs don't care so they don't do anything. Website operators don't care so they offload the responsibility to Cloudflare. Cloudflare doesn't care so it bans and/or humiliates unrelated people however it sees fit. Nice.
In 50 years when half the internet users will finally have access to IPv6. Or, I'm pretty sure some people, or Cloudflare, will start banning entire /32 or even bigger subnets because why not. Oh you're from Russia? Here, have a 403 for no apparent reason.
It may be important to tease out the mobile operators and VPS providers like AWS/Azure/GCP first. They have skewed the numbers a bit. Almost all VPS providers and cell providers are IPv6 now. Residential is hit-or-miss. Maybe that will change as more people use Starlink and other newer tech.
100% of the bad traffic to my servers comes from Tor. Not all IPs are equal, some aren’t playing nice. Cloudflare makes it so I don’t have to worry about it.
That's how responsibility is shifted always to the next person or institution.
You make your life simple by saying "Cloudflare makes that decision." Cloudflare says "We are merely offering a service here! You don't have to use it, if you think it's wrong." And ISPs say (or should say): "We are here to sell Internet access, not to watch what everyone does on the Internet." and may by law not be allowed to look into the traffic.
In the end the user suffers and is discriminated against and no one wants to be responsible.
I would take the position that each person who uses Cloudflare has to live with being responsible for whatever Cloudflare imposes upon users / visitors. The mass of people using Cloudflare services makes the difference. Each person using it adds a little bit to it. It is a collective responsibility.
Then what’s the alternative? If I don’t use a service like Cloudflare I have to invest a lot of time and money into making sure my servers accept the traffic I want and reject the traffic I don’t. This isn’t an ethics dilemma; bad actors wreck a lot of innocent people’s lives all the time, and it wasn’t going to stop on the internet.
No, we won't. Many of those IPs are the origins for spam, botnets, crawlers, DDoS, exploitation engines, etc. The only feasible solution even with all modern heuristics and ML is still good ol' IP scoring and/or banning.
Cloudflare doesn't "require" captchas for Tor users. By default, they treat Tor IPs like any other IP. However, since a lot of traffic comes out of a Tor IP, it looks like bot traffic