On 9/16/2014 12:13 AM, isis wrote:
+1 However, I don't know of a competitor to Cloudflare who privides *free* (as in beer) (D)DoS-protection via reverse webproxies, not to mention all the other bells and whistles which Cloudflare offers. It'll be hard to make the argument to switch for user-privacy reasons, given the seeming lack of marketed alternatives. Can anyone recommend a comparable alternative to Cloudflare?I know nothing about Cloudfare's "business model." But, the old saying, "There's no such thing as a free lunch," is still true. Unless they're a philanthropic org., that gets all funding from donations & grants, they are making money somehow. Leaving the most likely explanation for them providing a "free" service (similar to): *Cloudfare makes money from user data on the site(s).*
They may / may not be able to get enough data from Tor users to make it worthwhile. Thus, possibly the captchas for TBB, that often don't work, or requiring Tor users to repeat captchas, on the same site during SAME session. Even when JS & cookies are enabled.
Cloudfare's captcha process could be buggy - accounting for some of the issues, but (1) They still can't operate w/o generating income. They're not Santa Clause; (2) Captchas don't seem to be presented to Firefox users (definitely not EVERY time, as with TBB). (3) They're also requiring that scripts be allowed from Google.com. And Google is NOT a philanthropic organization. (4) A fact that must be accepted is, a lot of people & malicious "groups" do use TBB for spamming & all sorts of undesirable things. Which sites must protect themselves against. (5) Comments from Cloudfare's Nick Sullivan (or heads of any company or LEA) are basically worthless. These people get paid to lie to protect their organization's interest. They all *regularly lie* at Congressional hearings & in courts of law. That's a fact. Sometimes they're caught telling bald faced lies, but usually nothing happens to them.
Now, if Cloudfare *changes* how their captchas work & stop requiring JS / cookies from them & Google, that will actually mean something. Until then, it's just a lot of hot air.
I have considered starting an outreach effort to speak to the maintainers of some of these sites, with the idea that I might gather sympathy from certain communities who use Cloudflare. For example, as you mentioned, the Bitcoin community, which I have personally noticed while having discussions with some of the core bitcoin developers, who pointed me to various bits of Bitcoin documentation... which I was frustratingly unable to access due to an infinite CAPTCHA loop from Cloudflare. The core Bitcoin developers, from my experience, are all extremely well-informed about Tor and related privacy and security issues. I would guess that they are likely using Cloudflare primarily as a mechanism to decrease the attack surface of their sites, and probably are already aware (or would be upset to learn) that Cloudflare sometimes prevents Tor users from accessing the content entirely.Has anyone else noticed Cloudflare captchas on sites that they would otherwise expect to be run by Tor-friendly entities?Here's the beginnings of your list. Others should feel free to amend. Possibly-Tor-sympathetic sites which use Cloudflare: ---------------------------------------------------- * [The Bitcoin Wiki](https://en.bitcoin.it) * [Open Tech Fund](https://www.opentechfund.org/)
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk