What if Tor Browser Makes Captcha Again and Again

"To make sure our team understood what a pain CAPTCHAs could be, I blacklisted all the IP addresses used in CloudFlare's office so our employees would need to pass a CAPTCHA every time they wanted to visit any of our customers' sites."

Say what you will about cloudflare, that's an impressive move.

Impressive, yes, but I'm going to hazard a guess that they didn't route all of that traffic through Tor to feel the CAPTCHA with the bandwidth constraints imposed by using an exit node.

The CAPTCHAs are (more often than not) easy to solve, but all of the ones I was presented with were "select the correct one out of nine different images" and loading the entire CAPTCHA in Tor Browser took several seconds (and many revealed a new image after clicking one of the nine). This is then repeated at least once (I received 3 on one site, I'm guessing because I didn't know if the picture was a store front or only the front of some building). After completing the challenge I was given a connection error and had to repeat the entire thing again in one case.

There are much lower bandwidth CAPTCHAs out there and those should be favored over these large image-based ones for connections originating from the block of addresses represented by Tor exit nodes.


The entire CloudFlare recaptcha page is < 100 KB, and that's including the images. If you're annoyed by the time it takes for that page to load, you won't be happy browsing any site via Tor - even Google is > 200 KB.

You're right, they're not really that big. They load extraordinarily slowly. Each load one at a time from upper left to lower right and you can watch them download -- they don't just "appear", they show up like they would on a slow dial-up connection.

Once you get onto the site, it loads more slowly than in a non-Tor connection, but a news site I hit loaded everything at about the same speed as the little reCAPTCHA form, so I'm left wondering if it's something related to reCAPTCHA.


Probably just bad luck with your circuits and their latency to the image host. Tested this with a small number of circuits and didn't notice anything loading significantly faster or slower compared to other sites.


So your excuse for doubling the time it takes to go to a website is that someone's connection is already slow? People don't use tor because it's fast but that's no reason to punish them even more.


You're putting words in my mouth. I just pointed out that the reCAPTCHA page is not in any way a bandwidth hog. Whether you think captchas are an appropriate tool to filter out abuse from Tor users is a different discussion altogether, my point is that if you're going to have any kind of captcha, then the one CloudFlare is using is probably smaller in size than most other pages you might visit.

this is a crucial point, new domains mean setting up new circuits, which is the real delay here.

It's like the http blocking load RTT problem magnified by 10.


AFAIK TBB doesn't create per-domain circuits for every subresource on a site (that would kill performance on many sites with 10s of third-party trackers, CDN hosts, etc.), but rather one circuit per "URL-bar domain". That domain doesn't change when a CloudFlare site renders reCAPTCHA.


But it is a bandwidth hog because it's purely overhead (in terms of bandwidth and latency) added to every page behind cloudflare that a TBB user visits.


Both requested with a clean cache using Tor Browser Bundle. Not certain if TBB does any caching at all anyway, seems like that would make fingerprinting easier, but I haven't checked. FWIW, the actual captcha image is ~20 KB.


Eugh, I hate the image based CAPTCHAs, they take way more mental power than the old text based ones did and often take me two or three tries to get right. Is there a way to permanently opt back to the text based ones?


I'm guessing you aren't talking about the ones displayed to Tor users before. The text-based ones presented to Tor users with Javascript disabled were virtually impossible to answer correctly. The CAPTCHAs still irritate me, but the image-based ones are far superior to what I was being given previously.


Glad that I'm not the only one who dislikes the new style. They do have one advantage - they seem to be solvable 100% of the time (at least for now). In every other aspect though I find them to be way more annoying than the old ones. They're slower to load, take longer to solve, require much more concentration, and have extremely variable difficulty. The worst are the ones which replace each image you click with a new one, requiring another 5-10 seconds for loading.

I've gotten one or two wrong before. Sometimes the questions aren't well defined for a given picture.

For example, the question was "Does this have a river in it?" with a picture of the Grand Canyon, where you couldn't quite see down to the Colorado River.


I find them easier (and thus prefer them) than the gibberish "words" CAPTCHAs Google uses that deem me a machine time and time again.


disabling javascript goes back to the older "squiggly words" mode in my experience. I have no idea if that happens with cloudflare though.

Unfortunately, it doesn't ... I wish it did.

You now get a page with images that have checkboxes next to them. When you submit the form, you get a Base64 key to paste into a text box.


Hmm, wonder if they're doing this to try to get around captcha solver services... this seems easy enough to construct into a single image with numbers that you could tell someone to enter via a solver service though.

What he didn't say was that he did it without warning and it lasted 30 days.

Imagine what that was like for the technical support and customer success teams who were helping customers with their sites.

> Imagine what that was like for the technical support and customer success teams who were helping customers with their sites.

It sucks. But that's exactly the point. Using the internet is a mission critical thing for many people and for some that means using Tor Browser or similar to get around oppressive governments. This sounds like a really effective way to make sure the things you're doing are impacting your customers minimally. I bet you guys screamed loudly and were heard more clearly than a random customer trying to use Tor day-to-day.


Dogfooding is great, if there really is a fix to the issue at hand. If the issue is "anonymous internet access gets abused a lot" then I'm not sure what a tech support guy is meant to usefully contribute to ending the dogfooding pain.

> Dogfooding is great, if there really is a fix to the issue at hand. If the issue is "anonymous internet access gets abused a lot" then I'm not sure what a tech support guy is meant to usefully contribute to ending the dogfooding pain.

The problem being solved was not "anonymous internet access gets abused a lot", it was "the machinery we use to combat abuse is too aggressive for some segments of our users and thereby denying service to actual humans, and these challenges are invisible to our engineers and employees because they don't browse on connections that trigger the system".

As the blog post shows (and this is backed up by my experience as a user of Tor) CloudFlare significantly improved its handling of this in response. So I would say this is a success. I am sure that pressure from employees, including support guys, caused this long-running issue to finally get the attention it deserved.

Others have already mentioned how Tor bandwidth/latency issues could make things substantially worse for 'real' Tor users outside of their simulation.

But the bigger issue I would wonder about is Google's reputation systems. Google does not treat all CAPTCHA requests equally.

An office full of CloudFlare employees peaceably going about their daily browsing is going to get a much easier CAPTCHA situation than a Tor IP containing a mix of automated nefarious activity and individuals peaceably browsing from informatically repressed countries.

Sounds like the "old wise sage master teaching grasshopper employees a lesson" pattern.

But has he such low opinions of his employees that he couldn't have simply told them "captchas are bad UX, try it out if you don't believe me"?

it just seems cavalier to me

I didn't see it like that at all...

It was more of a "let's really feel the pain from this and try to come up with a better solution". And at the end of it they didn't. They felt the pain of having to do it for just about everything, and still couldn't come up with a better solution other than "improve the captcha system".

And from there they gave some suggestions on how they could work with tor to give a better experience.

Just saying "captchas suck, find a better way" would have gotten nowhere because the people involved wouldn't personally know the pain points, they wouldn't know the exact problems, or what exactly about it was the most annoying. (was it the captcha itself, or the frequency you had to fill it out? Did it completely break some of their workflows, and what were the ways they ended up getting around those breakages, and can they prevent them? Perhaps they found the redirect page broke some browsers/software/extensions!)

I would kill to have a one-on-one with a typical "user" of my products. A long sit-down meeting to understand exactly what they want/need above "i want it to work better". Making your developers/staff users of your product is a great way to do that and to really internalize it.

This isn't actually a vulnerability however, as SHA-1 is only known to be vulnerable to collision attacks (where you try to find two messages with the same hash) rather than pre-image attacks (where you try to find a message with a specific hash); almost no hash functions have ever been found to be vulnerable to pre-image attacks: https://github.com/zooko/hash-function-survey/blob/master/pr... Secondly, the issue is moot because generating collisions on 80 bits takes just 2^40 work - not hard at all.

Basically what that means for Tor, is that while it'd be pretty easy for a Onion site operator to generate 2 keys corresponding to the same .onion address, an _attacker_ still has to do 2^80 work to attack a site by generating a key with the same Onion address. While that's not great - 2^128 work is considered "standard" in cryptographic work - 2^80 work is still hard enough that there are probably cheaper ways of attacking Onion sites (for reference, the cumulative total work done by all Bitcoin network miners in the entire history of Bitcoin is about 2^80 hashes).

As for the 1024bit pubkeys, I'm not sure what the status of that is; from what I hear Tor is actively working towards a Onion redesign that will fix these issues, and longer pubkeys may have already been fixed.

nitpicking but:

> This isn't actually a vulnerability however, as SHA-1 is only known to be vulnerable to collision attacks

should be:

* this isn't a vulnerability (there is no reason to believe that we might see it vulnerable to pre-image attacks one day)

* SHA-1 is thought to become vulnerable to collision attacks

> full work done by all Bitcoin network miners in the entire history of Bitcoin is about 2^80 hashes

without thinking of hashes, current cycles done per second by the bitcoin network is around 2^90

> SHA-1 is thought to become vulnerable to collision attacks

SHA-1 is actually known to be, not just thought to become, vulnerable to collision attacks at less than the full bit strength of the hash[0].

The important part is the pre-image resistance, of which there is no known attack.

[0] https://en.wikipedia.org/wiki/SHA-1#Attacks

Correct, it's more than certain now that with time we will be able to find a collision ("an estimated cost of $2.77M to break a single hash value by renting CPU power from cloud servers").

But there is a difference between the theory and actually finding a collision. And a huge difference as well on how to exploit that.
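
The collision-versus-pre-image distinction argued over in the comments above, as an added worked example that is not part of the thread: a birthday search for two inputs with the same truncated SHA-1 costs about 2^(n/2) hashes, while finding an input that hits one fixed truncated hash costs about 2^n. Tor v2 addresses keep 80 bits of SHA-1, which is why the comments arrive at 2^40 versus 2^80; the code truncates to 16 bits (an assumption chosen so both searches finish in under a second) and the `onion-owner-key` stand-in for a real public key is a constructed value.

```python
import hashlib
import itertools

# Added example, not from the thread or from Tor's code: a toy demonstration of
# why a collision attack and a pre-image attack on a truncated hash cost very
# different amounts of work. Tor v2 .onion addresses keep the first 80 bits of
# SHA-1 of the public key; here the hash is truncated to far fewer bits so the
# brute-force searches finish quickly.


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def expected_work(bits: int) -> dict:
    """Generic bounds: birthday search ~2^(n/2), pre-image search ~2^n.
    For the 80-bit .onion case this gives 2^40 and 2^80."""
    return {"collision": 2 ** (bits // 2), "preimage": 2 ** bits}


def find_collision(bits: int):
    """Birthday search: remember each truncated hash until one repeats.
    Returns (message_a, message_b, hashes_computed)."""
    seen = {}
    for i in itertools.count():
        msg = b"collide-%d" % i
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_preimage(target: int, bits: int):
    """Brute-force search for a message whose truncated hash equals `target`.
    Returns (message, hashes_computed)."""
    for i in itertools.count():
        msg = b"preimage-%d" % i
        if truncated_sha1(msg, bits) == target:
            return msg, i + 1


def demo(bits: int = 16) -> dict:
    """Run both searches at the same truncation and report the hash counts."""
    a, b, collision_cost = find_collision(bits)
    # Constructed stand-in for an onion service's public key bytes.
    target = truncated_sha1(b"onion-owner-key", bits)
    m, preimage_cost = find_preimage(target, bits)
    return {
        "bits": bits,
        "collision_pair": (a, b),
        "collision_cost": collision_cost,
        "preimage": m,
        "preimage_cost": preimage_cost,
        "expected": expected_work(bits),
    }


if __name__ == "__main__":
    r = demo()
    print(f"{r['bits']}-bit truncation: collision after {r['collision_cost']} hashes "
          f"(expected ~{r['expected']['collision']}), pre-image after "
          f"{r['preimage_cost']} hashes (expected ~{r['expected']['preimage']})")
```

The exact counts vary with the labels used for the candidate messages, but over repeated runs the collision search lands near the square root of the pre-image search, which is the whole point of the comment: a site operator who controls both keys faces the cheap problem, an outsider who must match one existing address faces the expensive one.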


I have never successfully completed a captcha served up by cloudflare (and thus Google) on Tor. They are fiendishly hard to the point I suspected the mechanism is broken.

I use the audio captcha.

Works every time.

The ones that are impossible for me are the street signs, and after that all of the cultural ones (I see US captchas and when asked to select a sandwich or a recreational vehicle I'm doomed to not complete them).

An interesting side effect of failing a captcha is that to Google this looks like proof the captcha is working, that you're likely to be a bot, and that they should definitely give you the hard captchas.

As such, if you cannot complete a captcha the chances increase that you must now complete multiple difficult captchas.

The audio captcha is delightfully simpler though it does take a moment longer to complete.

Doesn't the audio captcha work only if you have javascript enabled? If you enable javascript on TOR then you are doing it wrong.

I could be wrong though

> I have never successfully completed a captcha served up by cloudflare (and thus Google) on Tor. They are fiendishly difficult to the point I suspected the mechanism is broken.

Have you tried recently? They have gotten way better. There was a time not long ago where I would have agreed with you (the CAPTCHAs were literally impossible for a human in most cases).

CloudFlare has toned the CAPTCHAs down a lot recently, they're now presenting image classification tasks (select street signs/bodies of water/storefronts/cactuses/...), and in my experience, my success rate is close to 100% on those.

Admittedly they still make me solve 3 of them and they get tiring, but at least they're not completely cutting off access to Tor users anymore.

I have to ask! Can somebody tell me:

Am I supposed to click the tiny corners of signs in another square? If it is a sign that is not a "street sign", such as a billboard, do I click it?

::confused::


In my experience, some edges and corners count, and others don't. But what the cutoff is, I don't know. It does seem clear that signposts don't count.

I love Tor, and I like CF as a service though I'm not convinced they're a net positive for society. But wow, the non-CF guy (cypherpunks) on that ticket was really being a dick. Gotta hand it to the CF people that they kept engaging and trying to figure out some solution.

Though it seems that the idea of allowing GETs when a site isn't under load attack is probably the right solution?

I'm glad to see CloudFlare addressing Tor users and issues with CAPTCHA, as I've been victim of this myself multiple times in recent years. In particular is the issue that CloudFlare assumes javascript-enabled browsers, a condition which may well not be met. I recorded an exchange with CloudFlare support some time back in which the CloudFlare rep was apparently unaware how or why this might occur:

https://plus.google.com/104092656004159577193/posts/H2sakaRx...

I'm also aware of some tools/approaches which address the question of fair anonymity -- ensuring well-behaved clients while retaining anonymous status for the client. Best I'm aware these are very experimental. I've also forwarded the data to TK Hyponnen of F Secure, who may have some impression of the approaches.

FAUST: https://gnunet.org/node/1704 (Efficient, TTP-Free Abuse Prevention by Anonymous Whitelisting | GNUnet)

Fair Anonymity: http://arxiv.org/pdf/1412.4707v1.pdf

Assessing these is beyond my skills, but the references may be useful to CloudFlare (or others).


I previously didn't have an opinion on cloudflare until recently using the net from a network that was black listed - web surfing was reduced to constantly filling captchas. Bottom line for me is no single organization should have so much power and I have stopped using cdn's and encourage everyone else to do the same.

I'm one of Cloudflare's customers who would blacklist all Tor traffic if I could. I genuinely don't understand why so many people obviously use Tor for all their browsing, and not just for sites where remaining anonymous is desirable. Why not just switch to a normal browser for normal sites?

Some background - we run several SaaS services for schools, which are politically and socially non-sensitive. The only realistic reasons anyone would want to connect anonymously would be nefarious. Allowing Tor traffic is like a bank having a special ATM round the back with no security cameras - you're giving a free pass to attackers to try anything they want with impunity.

I'm having a hard time seeing what the compensating advantage is. How does not accepting Tor traffic to our "normal" sites lessen the anonymity of Tor traffic to sites where it is important?

Internode, in Australia. They're subject to the data retention laws, so I use HTTPS and VPNs as necessary.

When they're completely consumed by their new owners, TPG, then no, there won't be a trustworthy ISP in Australia. I have high hopes for SkyMesh, though.

If you use TOR only for "bad stuff" then it means that if you are on TOR you must be surely doing "bad stuff".

Using TOR for everything helps to build plausible deniability, if you are always on TOR then an external watcher can't determine if you are doing good or bad stuff.

Of course good and bad are relative terms, if your country doesn't have free speech obviously the "bad stuff" is just speaking freely

So allow the Tor users and watch them carefully. If you think you have a way to definitively tell that some traffic is malicious, why oh why would you interrupt your enemy while they're making a mistake? Do you think they're not going to come back at you from a clearnet IP?

Edit:

> I'm having a hard time seeing what the compensating advantage is. How does not accepting Tor traffic to our "normal" sites lessen the anonymity of Tor traffic to sites where it is important?

The anonymity of Tor depends upon diversity. The more people using Tor for more things, the harder it is to correlate any particular person's traffic.

That being said, it is your website, and if you decide to block Tor you have as much right as your users do to use Tor. But I'd ask you to think about whether you are really attaining any benefit.


CAPTCHAs are essentially a broken idea: it is easy for an attacker to forward the CAPTCHA image to another website and ask users to fulfill the CAPTCHA for a completely unrelated goal. This trick has been used in the past on certain pr0n websites (users are allowed to see a picture only after they complete the CAPTCHA). Also, one could use a mechanical turk service to circumvent CAPTCHAs.


It means the action done needs to be more profitable than the cost of a captcha, which means some activity will be deterred.

I really think that the importance of all that extra stuff is massively overstated. I do a large amount of browsing while in incognito mode without being signed in to a Google account and I have NEVER been able to pass one of the new reCAPTCHAs with just a click. I have to complete a challenge every time.

Conversely, while signed into my gmail account I get passed through immediately, regardless of whether I click the box or tab into it and hit space.


To be fair, the "I'm not a robot"-one-click-thing wasn't done to make automation harder or impossible, but rather to make things more convenient for users. It will fall back to a regular visual captcha if you're doing anything suspicious like requesting captchas at the rate necessary to do comment spam or vulnerability scanning efficiently, so that's probably not going to reduce anyone's captcha typer farm bill too much.

> and a bunch of other hocus pocus

Sounds like security by obscurity.

By the way, some people use a track pad (with a stylus), where the mouse can jump discontinuously.

They aren't taking any one thing at face value, but are combining them to get a better picture.

You might use a trackpad, so you'd "fail" that test, but your useragent is normal, you've been seen before with those cookies, and your IP is good so you are fine.

But if your IP is a known "bad actor", your useragent is something never before seen, your mouse movements are abnormal, and your keyboard inputs are instant, well all of that combined means you are getting blocked.

> But if your IP is a known "bad actor", your useragent is something never before seen,

What if I install a new computer on an IP address freshly provided to me by my Internet service provider? Or what if I just open a new incognito window? Will I get blocked?

> your mouse movements are abnormal, and your keyboard inputs are instant

It seems to me these are really easy to fake programmatically.

> What if I install a new computer on an IP address freshly provided to me by my ISP? Or what if I just open a new incognito window? Will I get blocked?

If there are enough "red flags" you'll probably get a captcha, if there are an overwhelming number of "red flags" you might just get blocked.

Again, just opening an incognito window or a new computer/ip isn't going to do it alone.

> It seems to me these are really easy to fake programmatically.

I'm sure they are, but they make the bar for "automated traffic" a little higher, and weed out some of the lower hanging fruit.


I encountered an impossible situation working on a wordpress site the client insisted needed to be fully reachable via Tor. Parts of the page loaded from a cloudflare CDN but the main site didn't. The user was never presented with the CAPTCHA of course, 3/4 of the page was just missing with no explanation. I never did find a way around that.


Probably not cdnjs -- there are lots of people who use CloudFlare for an assets domain (since it's free) -- if they are just serving images, it's a problem to display the CAPTCHA. It is probably best practice, if none of those assets are sensitive, to disable as much security as possible on that domain. It might be worth having some packages of defaults for tuning that. (One of the benefits for our enterprise customers is one of our staff works with them to tune settings.)

Something people need to understand: real anonymity is really, really hard. Your COMSEC is a fairly small portion of the attack surface, and the result of this is that staying anonymous is, BY NECESSITY, going to be very inconvenient.

From this perspective, captchas are a very minor concern. I'm as pro-privacy as anyone, but this expectation that anonymous activity is supposed to be easy or convenient will never be satisfied. Thousands of years of lessons from both military and civilian underground operations bears out the critical lesson that anonymity is, by default, very very inconvenient. Nothing is going to change that.


Agree, though pointless systems that likely extract the identity of a user, force them to work for free, etc - and fail to counter the risk they supposedly stop is abusive.

One should always be skeptical when it comes to security features that do not present the benefits in a clear way. The article for example claims that 18% of global email spam comes from harvested emails that is collected using tor, but are those 18% exclusively using tor?

Do users who publish their email address on their website that is hosted through cloudflare see a lower number of spam? It should be a fairly easy thing for cloudflare to test, while also testing vulnerability and login attempts. As an aside, it would also be interesting to see if there is a quality vs quantitative difference in the malicious activity (ie, if serious attempts are done through botnets, and script kiddie activity is done through tor).

The last and final test in order to verify a security measure that has such a high cost as this one, is to ask if it has any meaningful impact on the end result. A website with 10000 vulnerability scans per day is not going to be meaningfully improved if it was reduced to 5000 per day, even if that is a 50% reduction. If there is a known vulnerability, the site is going to get hijacked either way.

Worth noting that a surprisingly common amount of sites have other sections of their site which are not routed through Cloudflare. Look for instances of DNS records like this:

    admin.example.com

Such a record is usually not routed through Cloudflare because the last thing a webmaster wants is to solve captchas for their own website. They don't however care much for their visitors if they're subjecting (perhaps a substantial amount of them) to captcha solving nonsense.

The content in the non-cf sections of a site can still be accessed because the webmaster is lazy and didn't care to check if a visitor can do a DNS DIG on all their DNS records.

Or you can simply use TOR pluggable transports to pretend you're Googlebot, and also hide all your traffic in Google-like traffic.

I would reserve this for rare cases as there are people in censorship prone countries who really need this bandwidth :)


The pluggable transports are for connections from your Tor client into the Tor network, not connections from exit nodes to the rest of the Internet. Cloudflare (or any destination host) would still be able to detect your connection as originating via Tor.

There are innumerable ways in fact to spoof the fact you're not using TOR to a website, and you can read up on these in the TOR documentation.

Ideally you're looking to use TOR as the first hop, and then you dial into the wider Internet with a VPN, or as I mentioned: Using various Google services to camouflage traffic instead of a VPN. This is where pluggable transports come in, because Google doesn't like TOR, so you want to choose how you're connecting to Google, and get to traverse the TOR network to find an optimal route.


I don't use Tor daily (although I run a small exit node), but I do surf via a VPN. cloudflare's captchas drive me to the brink of insanity, I see at least 50 each day...

Cloudflare says:

> With most browsers, we can use the reputation of the browser from other requests it's made across our network to override the bad reputation of the IP address connecting to our network. For instance, if you visit a coffee shop that is only used by hackers, the IP of the coffee shop's WiFi may have a bad reputation. But, if we've seen your browser behave elsewhere on the Internet acting like a regular web surfer and not a hacker, then we can use your browser's good reputation to override the bad reputation of the hacker coffee shop's IP.

I occasionally use a VPN, but I've never gotten a CloudFlare captcha. Is it possible that you might be doing something else other than just using a VPN, such as blocking cookies?

> Have you considered setting up your own VPN? That would make the ip "clean" and get less captchas, right?

And would negate any anonymity offered by using a VPN.


I think you misunderstood -- I parsed it as "And using a VPN would negate any anonymity offered (by using Tor)".

In addition to CAPTCHAs, why not just have a button that runs some JavaScript that completes a proof-of-work similar to what mining bitcoins does? You could make it just take 5 seconds on a modern laptop CPU, about as long as it'd take to enter the CAPTCHA anyway, but it'd potentially be a very large road block for spammers/DDOSers.

For those on phones, you can still opt for CAPTCHA if you don't want to kill your battery.

Spending five CPU seconds to submit one comment might be significantly cheaper for a spammer than paying someone to solve the captcha for them.

Additionally, specifically with Tor users, you can expect a big chunk of the user base to have JavaScript disabled completely. You can do many things with JavaScript that could be used to build a browser fingerprint, so someone who's already using software to browse the web anonymously is very likely to disable that.

But it isn't cheaper than just mining bitcoins with that same CPU load. This wouldn't prevent spamming, it would just make it unprofitable compared to the alternatives (mining bitcoins).

The JavaScript issue can be gotten around with a browser plugin that does it too, which would be easy to bundle on the existing Tor browser. JavaScript would still be fine for all the VPN users who get stuck with these things, and the regular users who get them occasionally for whatever reason.

You're not going to make any significant profit mining bitcoin on a desktop CPU, or any "normal" CPU for that matter.

If we assume 5 seconds of CPU time per comment, that's ~17k per day or ~500k per month. The first captcha solving service I found sells 100k solved captchas for $139, so that's about $700 for 500k. As a spammer, I could probably post 5 to 10 times more comments for the same amount of money using your system. This is obviously a very rough estimate, but it should get my point across.

I did this with the comments box on my weblog. I don't retrieve information technology's technically effective, because doing proof of work in JavaScript is orders of magnitude slower than doing it natively (peculiarly with GPU acceleration). It works well enough for me, considering I'm not a large enough target, but it wouldn't be a major obstruction for someone who actually wanted to cause havoc.

It would be interesting to see how fast you could make the JavaScript code. I'm sure my version is just terribly unoptimized. The requirement to support the least common denominator will present a major problem, though.

I would look at asm.js, do some tests with major browsers and beef it up. It would make it painful under user agents that don't JIT (or compile AOT) by leveraging asm.js conventions (many do though).

If the wasm effort works out (it's looking like it will), it would hopefully alleviate the issue you present entirely and make this solution feasible in a very sane fashion.


Because that wouldn't stop them. Let's rather say instead everyone gets a fixed delay in seconds. Then the spammers will just wait out that delay and then spam. Even if the delay is on every single page visit, that doesn't harm a botnet, because they can still do delay/machine_count visits per second.

It generally will stop them. The phrase that applies is something like "you don't have to outrun the cheetah, but another gazelle". It's not about eliminating the spammers, but about making it expensive enough - in CPU, memory, bandwidth, time, human intervention, etc. - that it's not worth them attacking you.

These days a spammer could train a ConvNet to pass reCAPTCHA with > 90% accuracy and very little processing overhead if they really wanted to. The only reason it works is because the bar is "high enough" that it's cheaper to spam somewhere else that has a lower bar.


It doesn't stop them, but it raises the costs of it significantly. Instead of hundreds of requests a second, they're down to one request every 5 seconds, and they're having to run the computer at a full CPU load 100% of the time. It would be more profitable for them to just mine bitcoins at this point, meaning they wouldn't waste that CPU load on spam submissions.

You're mixing the two cases. If every page is limited then yes they have to work hard, but still get delay/machines visits per second. But a human will have to wait the full delay every time a page is visited. This is unacceptable for modern browsing.

If the delay is only once per, let's say a domain, then you don't do anything against the spammers, they simply have to wait a full delay once.


Perhaps Cloudflare could have a browser plugin that preemptively creates "tokens", or essentially just mines Cloudcoins that you then spend to bypass CAPTCHAs. That way you could make it much more expensive than five seconds of CPU and there'd be zero delay (or maybe not even the Cloudflare splash page). The use case for needing to constantly bypass CAPTCHAs is rare enough it seems reasonable to ask those people to use a browser plugin.


Love it! I hope almost all authentication will become automated. My personal client machine is much better at proving who it (I) am than a human.

> We also made a change based on the experience of having to pass CAPTCHAs ourselves that treated all Tor exit IPs as part of a cluster, so if you passed a CAPTCHA for one you wouldn't have to pass one again if your circuit changed.

I don't get how this is different than a super cookie. Anyway, I think globally that's a well balanced reaction to the TOR issue.

> I don't get how this is different than a super cookie.

The supercookie would survive or be detectable across multiple browser sessions (keep in mind that the Tor Browser automatically deletes regular cookies when you quit). The behavior that CloudFlare is describing here works within a single Tor Browser session but not across multiple sessions.

I believe the Tor Browser is willing to send some first-party session data to a site after changing circuits, so that you wouldn't be logged out of an account if you logged in over Tor and kept that session active for long enough that Tor switched over to a different circuit. This behavior is basically what should allow CloudFlare to recognize that a particular Tor user has recently passed a CloudFlare CAPTCHA (on a particular site). However, if the user quits and restarts Tor Browser, CloudFlare will no longer be able to detect that it's the same visitor (if it could, that would be the supercookie case).

The one time I used TOR the captchas were the ones with both words as squiggly letters which wouldn't work even after 20 attempts, I had to give up.

I was pleased when, recently, I found out they switched to the image based one. Sure, sometimes it still refuses to accept that I selected all the street signs but at least I don't have to give up in frustration after 30 consecutive failed attempts

Why do CAPTCHAs even exist for standard websites (as opposed to account creation, etc)?

Wouldn't something like rate limiting or proof of work achieve the same effect? If you're just allowing someone to browse, you don't really care whether a user is real or not. You care about stopping automated comments/spam.

Is this just another tentacle of the advertising industry?

It's explained in the article.

On the other hand, anonymity is also something that provides value to online attackers. Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn't mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.

Rate limiting would block legitimate users, and pow doesn't impede the malicious uses of tor.

That doesn't answer my question, though. All of those are reasons to suspect Tor exit nodes, but not reasons to place CAPTCHAs on standard article pages on a site.

The only vaguely reasonable one I can see there is 'ad click fraud', and I think that fundamentally restricting the usefulness of a site for advertising purposes is awful.


Are there any public projects that have used deep learning to defeat captchas? If not, I'm sure it's only a matter of time.


It's a true cat and mouse game, of course captchas have been defeated in the past, but captchas just keep getting increasingly complex. Currently, for anonymous requests, reCAPTCHA by Google, which is what Cloudflare uses, asks you to "choose bodies of water" or street signs from a series of images, with each click sometimes revealing more options. It's fairly complex so I guess it hasn't been broken yet. It's also a massive pain in the ass for legitimate visitors.

> If we provide a way to treat Tor differently by applying a rule to whitelist the network's IPs we couldn't think of a justifiable reason to not also provide a way to blacklist the network as well.

Yes there is: "we don't provide censorship as a service".

My problem with reCAPTCHA...

By using reCAPTCHA, mentioned in the article as a preferred solution, visitors from China are routinely blocked, as reCAPTCHA is now hosted by Google.

The problem with CAPTCHA hosting: And if you intend to do anything with China based orgs.


This wouldn't apply to Tor users (which this article is about), as reCAPTCHA can't identify users from China while they're using Tor.


Rather, The Great Firewall of China cannot identify reCAPTCHA (Google) when they are using Tor. I think it blocks Tor specifically though.


Yep, that's it. I think "normal" relays get blocked almost immediately, but bridges with OBFS work to a certain degree.


This is why people should browse a lot more over Tor, such that the relative amount of malicious traffic is reduced and thus operators will not be able to uphold the argument that Tor is mostly malicious traffic anymore.

Unfortunately, it won't work.

1. It's a charity tax; you have to convince people to incur the cost of Tor (i.e. CAPTCHAs everywhere) for activities that don't require Tor.

2. You can't neutralise a poison by diluting it.

Firstly, from the operators' POV, if there's a widespread understanding that people use Tor even though they don't need to, then they know voluntary users can be pressured not to use Tor through sheer inconvenience. Even if you wanted to boycott a service that blocked Tor, it's notoriously hard to make good on that threat unless you wield a lot of power or annoyed a very large number of people. So the consequences are small.

Secondly, the percentage of malicious Tor traffic is a red herring. What operators care about is the origins of malicious traffic. If 50% of your attacks come from one particular country (or Tor) and the cost of losing that traffic is less than the cost of that malicious traffic, there is a real incentive to block that traffic. Combined with the first point, the cost of losing voluntary Tor users is insignificant if they can easily choose not to use it.

> 1. It's a charity tax; you have to convince people to incur the cost of Tor (i.e. CAPTCHAs everywhere) for activities that don't require Tor.

Some people will (and do) do it. You're right that you won't convince everyone to run Tor all the time, but you won't need to.

Also, mozilla have been floating ideas such as integrating Tor into firefox for use in a new kind of private browsing mode. This affects things considerably.

> 2. You can't neutralise a poison by diluting it.

Yes, you can. Both in the metaphorical as well as the direct sense. At some point the solution is too dilute for the poison to cause harm.

I use Tor all the time. I know of local web shops that have rejected the idea of blocking Tor because they looked at their logs and saw that they get actual sales through it - from people like me.

> 1. It's a charity tax; you have to convince people to incur the cost of Tor (i.e. CAPTCHAs everywhere) for activities that don't require Tor.

People are willing to invest personal resources for charitable purposes. Why not here?

People are willing to fight against bigotry. Why not against discrimination of Tor users?

> 2. You can't neutralise a poison by diluting it.

There is also poisonous traffic from non-Tor addresses.

> Combined with the first point, the cost of losing voluntary Tor users is insignificant if they can easily choose not to use it.

People would strictly avoid restaurants that don't serve coloured people. Why don't they avoid services that don't serve Tor users?


How easy is it for you to know they don't serve Tor users unless you are a Tor user? This is like saying "Why don't colored people avoid restaurants that don't serve colored people?"

HN is the only place I bother solving CAPTCHAs. For everything else, Firefox (Tor Browser) has plugins to get a copy from archive.org, archive.is, or google-cache. So if the page asks me to solve a CAPTCHA, I don't visit them.

This could be a benefit for the website (lower server load) or a harm (fewer people appear to be reading their content, fewer people see their ads). Whatever the case may be, I'm caught in the crossfire between crackers and servers. I don't care about their war at all. As far as I'm concerned, I'm winning.

Cloudflare wanted me to solve a CAPTCHA to read their article. I tried to archive it, but archive.is already had a copy of it. This happens to me quite often. So, obviously, I'm not the only one who has figured out a way around their war.

> Security, Anonymity, Convenience: Pick Any Two

Nah, I usually take all three.

> I usually take all three

...

> Firefox (Tor Browser) has plugins to get a copy from archive.org, archive.is, or google-cache. So if the page asks me to solve a CAPTCHA, I don't visit them.

You don't have convenience.


Sure, but google cache/archive pages often lack some images, have broken javascript, etc. Additionally, there's a huge difference between "point and click", and "point, click, click again, look for the plugin, another click, do this for every page".

> "point, click, click again, look for the plugin, another click, do this for every page".

Honestly, I don't know how I can make the process as complicated as you described it, even if I wanted to. In reality, it is no more complicated than right-click, open in new tab.


Smart Tor users have JavaScript turned off anyway. You might be lacking the images, but lately this has been pretty good on archive.org.


Thus cementing the "no convenience" clause. I understand this is an acceptable tradeoff for some people (myself included) but you can't pretend it's convenient.


Again, I disagree. Not every website today requires JavaScript, and in fact most websites that cater to the sort of audience that includes Tor users are even less likely to. I don't think anyone sees Tor as a daily driver for general web browsing. It's not much less convenient for the use-cases it's meant to support.


Give it a try for a week. You might be amazed how fast, calm and content-rich the web can be, if you disable Javascript by default and whitelist when needed.

I'm well aware of what the web is like without JS. I know it's usable. I'm saying it's not convenient.

Whitelisting is not convenient.

If people are pretending it is, they're doing a disservice to the security community. Kind of like how people pretend GPG is usable and convenient, thus holding back progress on the security UX front.

I find SUBSCRIBE TO OUR NEWSLETTER and LIKE US ON SOCIAL MEDIAS popups and ads much more inconvenient.

Sorry for the late reply.


For users who can afford it, routing a vpn through tor solves the captcha issue with cloudflare. Also adds an extra layer of security

Can you elaborate?

I cannot imagine how Cloudflare could distinguish VPN traffic routed through Tor and standard traffic routed through Tor. The only difference is a hop on the front end, no change to what comes out the exit node.


if you setup an access point to route all of your traffic through tor, then connect to your VPN through that access point, your IP is the VPN IP, not the exit node.


What's the point of doing that over connecting directly to the VPN? Seems like the benefit granted by Tor (avoiding leaking who connected to the VPN) would be negated by the fact that there are now payment records from you to the VPN.

If you pay with BTC, prepaid gift card (paid for in cash) etc.. then there are no payment records from you to the VPN. The benefit of this is that the VPN provider doesn't know who you are because you are accessing the VPN through tor. However the VPN provides you a stable IP that won't be CAPTCHA'd like most normal tor exit nodes are.

Edit: This is good if you are trying to maintain an Internet profile (i.e. Facebook, twitter etc.) that isn't tied to your true identity.

But you are losing out on some anonymity here. The VPN provider may not know who you are but you are consistently making access with the same user ID and from the same IP. Your activity can be correlated to that account and that IP.

If that's not your aim (like you say - being signed in to the same facebook account all day suffers you the same problem) then this isn't an issue.

But this isn't what a lot of tor users want tor for.


Right, but then (1) your VPN will have a browsing profile which aggregates your otherwise ephemeral, anonymized and un-correlated browsing sessions; and (2) it would be easy for adversaries to extract that very helpful profile. If your threat model does not include (2), (1) is still bad!

anyone else concerned that the captcha's offer an ability to de-anonymize someone completely?

for example having a backend algo offer certain captcha's that show up only in certain areas of the world?

I feel like this is entirely possible and is part of the reason I will not complete any captcha's moving forward.

I played around with Tor a couple of months ago when it hit the headlines again, just to see what it was all about, and the experience was awful. As an exercise, I decided to fire up Tor browser today just to see if it's gotten any better. It's worse.

Here's what I found:

Large Image based CAPTCHA: Tor is slow. I'm on a 75/25Mbps internet connection and it loads images similar to 24k dial-up. The CAPTCHA I was presented with was the highest bandwidth CAPTCHA I've ever seen. I was given nine pictures and needed to select "Bodies of Water". Each click yielded a new square. I had to wait for 4 additional images to load before I could click "Validate". This took over a minute. Then, repeat, this time "Store Fronts", which were hard to discern (is it a blurry Apartment Building front or Store Front?). I received a connection error on one site so I had to repeat the process. With Javascript features turned off, it was a little easier, but included the extra step of having to paste a Base64 encoded string into a text box which failed twice. Every site I tried gave me this CloudFlare CAPTCHA page.

One of the sites I pulled up had no images. I set my privacy settings to the least protected, enabling JavaScript and HTML5, assuming this was the problem. Nope. They used images from another site and I had to grab the image URL and paste it into a browser to see what was going on. It was yet another CAPTCHA. A few minutes later, the previous site displayed images properly.

On to Google. Privacy settings are still at the weakest setting. Type "Google" into the search engine and I get a "wavy text in an image" CAPTCHA. This loads quickly and is easy to answer, but just results in another CAPTCHA. I gave up after 10 tries. Bing, Yandex and Yahoo all worked with Yandex only presenting a CAPTCHA once after the third search I did (simple, like Google, but worked).

This is a terrible experience for people seeking to get around oppressive governments. While I applaud CloudFlare for dogfooding their CAPTCHA system, I doubt they did it in a way that truly simulates the experience via an extraordinarily slow internet connection which is what I ended up with when using Tor Browser. I wonder how much slower things would be if my internet connection was 1Mbps or being interfered with by government infrastructure. I understand the trade-off between securing a site from "evil traffic" that is more likely to originate from a Tor exit node, but why must they use such a bandwidth intensive CAPTCHA? A browsing experience that would have taken seconds to complete took me about 5 minutes (and a lot of frustration) not including actually consuming the content I was looking for. Are the text in image based CAPTCHAs not good enough for this task? Are there other reasons I'm missing?

> They used images from another site and I had to grab the image URL and paste it into a browser to see what was going on. It was yet another CAPTCHA.

Maybe browsers shouldn't request <img> src with Accept */* and cloudflare should use that to detect whether it can really serve html?


A "whitelist" tor solution that isn't whitelisting tor by default is really lame. Approximately 0% of website operators will think to enable that so tor users are mostly still treated like garbage visiting any CF protected website.

"Problem with Cloudflare"

Treating TOR traffic the same as non-TOR traffic makes no sense; read the main link for confirmation they do.

Case in point, and for starters, Stop repetitively requiring a user from a session to keep passing "I'm not a robot" tests. Set a global cookie that's valid for the session, across all of Cloudflare's network, and honor it.

If the "I'm not a robot test" doesn't work unless it's repetitively given, then that is the problem, not TOR.

Please address this issue; thanks.


If you set a global cookie, then someone intercepting the public traffic (think NSA, GCHQ,...) can identify what the user is reading. You just killed anonymity.


Global cookie is a session, if the user wipes the cookie, resets the TOR connection, etc. that's their issue. TOR is not designed to hide sessions, nor would setting a global cookie break anonymity unless the user doesn't understand how TOR works. All exit nodes are watched and session device fingerprints are correlated with or without a global cookie.


If the same global cookie is accessible via 2 circuits, that's a problem in a product that uses TOR, not TOR; I personally go above and beyond just creating a new circuit, never open two circuits at the same time or boot, limit TOR sessions to single use, and locally compartmentalize data per session, etc. TOR is not plug and play, it takes effort and discipline, and will never be a fully automated solution.

Yes, TBB on default settings is vulnerable to associating multiple tabs (if I'm reading the link above correctly), if an adversary sets a shared cookie. That does not mean it's ok for someone to set a shared cookie.

The possibility of exploitation does not mean exploitation or making exploitation easier is fine.


Point is Cloudflare giving abusive volumes of requests is ironic, they should stop, and a global cookie won't harm anyone that knows how to use TOR and they could even give the option NOT to set the cookie. Not offering a solution because "I'm not a robot" doesn't work (happy to prove this) and users don't understand how to use TOR is not an excuse for their behavior and exploitation of users.


Requiring user to do work for free is the very definition. Google and Cloudflare are very aware that their tests don't work for stopping bots, but they're very good at extracting free labor.


Cloudflare gets no benefit from the captcha, so if they were useless as you claim, they have no incentive to keep them.


Unless you work at Cloudflare and are aware of its relation to Google, any comments on their relationship is speculation. That data is vital to Google's future and I think it being valuable to Google beyond any direct benefit is of value; I'm not aware of any company that provides more of this type of data to Google; Google would have to pay 10k+ contractors $30+ an hour to do this if it wasn't being done for free; Google [Google Search Quality Rater] if you're not aware of what I'm talking about.


Thanks, might be worth updating the blog post to reflect this, what percent of Google's reCAPTCHA data comes from Cloudflare, and why Cloudflare doesn't roll their own to ensure data is not being leaked/given to Google.


That wouldn't actually help much, because then a bot owner just needs to solve 1 CAPTCHA, receive the "I'm not a robot" cookie, then hand it over to their bot.


Disagree. They don't work if you only show one CAPTCHA. Your proposal defeats the entire purpose, because it just takes human interaction once to defeat CAPTCHA over CloudFlare's entire network. CAPTCHA isn't a silver bullet, and I don't think anyone is lauding it as the end-all be-all to stop spammers and malicious activity.


Have you used TOR and experienced what Cloudflare does? They serve 3-10 tests per page requested in some instances collecting massive amounts of training data; I'd in fact be surprised if Google doesn't place an incentive on collecting as much data as possible; likely enough to ID a user 99% of the time based on the input provided by the user. As for it not being a silver bullet, it's well known that CAPTCHAs don't stop bots, but mine data from people. There's not a single Google "I'm not a robot" that can't easily be circumvented, I just know most TOR users aren't able to and Google & Cloudflare are exploiting this.

Why is everybody obsessed with knowing whether the user is a bot or an actual person? What difference does it make? A bot is not inherently malicious, there are thousands of legitimate use cases: a bot may be downloading content as part of a script or some application, checking updates or creating a cache. Traffic generated by bots should not be blocked per se. There are certainly lots of malicious bots scanning for vulnerabilities, DDoSing sites and so on but this applies to people as well.

I think human generated traffic may have priority but blocking bots entirely is nonsense: ultimately the user agent is always a "bot" acting on behalf of an actual person: by blocking this traffic you may always break some user workflow.

> There are certainly lots of malicious bots scanning for vulnerabilities, DDoSing sites and so on but this applies to people as well.

Nah, a human isn't going to waste their time refreshing a page manually 50,000 times.


But it surely can attempt cross-site scripting, send phishing and spam messages, broken requests and look for exploits. Also TOR is mostly so slow I don't think there is even the possibility of generating enough traffic for a DOS.


It would depend on the website's resources and services. For instance, a layer 7 DoS which just queries an expensive endpoint on the website over and over may not need high traffic volume to overload the website's systems.


CAPTCHAs are useful when you want to rate limit something to an extremely low rate, like for example attempting to login with a username and password.


You could slow down the responses or rate limit the requests, with no need to completely block automatic logins.

Tor largely prevents most approaches to this. You'd need some way to provide a ticket to a given client, check for it later, and, preferably, ensure anonymity over time.

I've just posted top-level in this thread listing two projects of which I'm aware that provide this, though as experimental protocols only. I've been mildly agitating for further development of such tools. Looks as if CloudFlare are working in a similar direction, which I see as positive.

If you are a valuable enough target, this is not an option.

IPs are cheap, if you let someone try 20 times in an hour before banning an IP, there are targets that people will cycle through IPs that quickly for.


You would have to limit it per IP address if you do not want to affect all clients. So it would not be effective against someone who can use many IP addresses (eg. with Tor)

Source: https://news.ycombinator.com/item?id=11388560
