Re: [tor-talk] do Cloudfare captchas ever work?

[ÃaÄÄl P. Åesto <secpost@xxxxxxxxxxx>]

TL;DR: If you can, consider not using that services/sites find
alternatives and promote them.

On Sat, Jun 20, 2015 at 03:43:37PM +0200, Juan Miguel Navarro MartÃnez wrote:
> El 20/06/2015 a las 10:18, Mirimir escribiÃ:
> > Is Javascript always needed to get the number photo CAPTCHAs?
> At least for me, it does 100% of the time:
> No JS: Infinite unreadable CAPTCHA.
> JS: Either number photo or readable CAPTCHA that work at first try.

I like to confirm that, and I like to add, that to get those captchas
you are doing at least two requests not related to the site you are
visiting, one is to g**gle.com (for the captcha) and one to
ajax.clo*dflare.com. So you need Javascript and additional sites
whitelisted in noscript or your other favorite blocking tool.

If cl*udflare is involved, you may requesting data from them too.

If javascript stays enabled, your session (until cookies expire or
your filesystem cache is cleared) is very trackable by either
g**gle (analytics i.e.) and/or cl*udflare (their cdn), as long
as sites you visit use at least one of their many services like
g**gle analytics or cl*udflare cdn. In terms of cdns, turning
javascript off isn't enough (see E-tags and Cache-Control like
Modified-since).

One reason may be that the captcha process isn't working anymore.
Sopisticated adversaries break those captchas, thats the reason
you get so many of them. The idea of proving you are human is
insane, imho you are proving you are no bot and worth tracking
when you solve the easy captchas, and doing google a favor
doing OCR for their whatever-services.

Consider charging them for that. :)

If cl*udflare would care, the process would be, solve that
captcha provided by cl*udflare or use their "Darknet CDN" and
visit the site under the following onion adress. Because their
customers care about tor users etc. 

But they are busy in terms of legal compliance, certainty. :)

There are many other options - and in my experiance most 
cl*udflare customers don't know or don't understand that.

cl*udflare is cheap (in implementation and price) and solves
these problems for their customers, they consider us site-effects.

Anyway, many popular sites that have content and community
using cl*udflare, project.h*neyblock or simliar blacklists.

They are easy to implement and keep the trolls and trouble at
bay.

I've tried to reason with some sites to keep the site at least
read only or offer a hiddenservice, most to no avail.

Often, if it comes to offer a hiddenservice someone insists that tor
isn't safe enough. :)

Seems like most software hasn't such elaborate and fine grained
acls, it seems.

Site operators are frustrated and won't give tor users an inch.
If you understand that, you have solved half of the equation.

Their assumption is, that one identifies users by ip, and by using
tor you become indistinguishable from the bad bots and possible
adversaries, so you are not allowed to participate or denied usage.

Btw, that is proof enough, that tor is working very well for most of
my thread models which involve malicous or clueless siteoperators,
users that may compromise my privacy or anonymity.

I like to elaborate about the presumption of innocence, that is
reversed on tor-users: If you use tor you are presumed an adversary
or bot by those entities and have to jump through their hoops to proof
you are a good person (worth tracking).

It is usually not enough to whitelist two sites, you may need
various other cdns for liraries, g**gly fonts and apis and what not
to let these "programs" render the data in a way you can receive
them (you can't simply "view" them anymore).

This sounds like bad news, but the www is so diverse, finding
a replacement site is in most cases a matter of breaking with some
habits - usually one can migrate members to the newfound site too.

Some food for thought, since you usally provide valuable personal
information to those entities or sites, do you really think their
security, which based on the assumption earlier, is good enough to
protect your data?

In my experiance it isn't, if so, they wouldn't need such desperate 
measures and tolerate such a high rate of false positives when it comes
to tor-users.

Personlly, I find it amusing, that webdevelopers still believe I accidently
turend off javascript or I am not understanding my client well
enough, and need to be reminded to turn it on again. :)

Or try this reasonsing: Do you like to do business with, receive information, 
data, content from or participate in a community provied or hosted 
by an entity that considers you, or tor users in general bad persons or
adversaries while itself waives any responsibility for your data, your 
privacy, your anonymity?

Yes, **** ****!

Feel free to remind them, that tor users, in most cases aren't adversaries,
they are using tor to circumvent censorship, blocking or insisting on
some form of privacy or anonymity.

It is we, who have to use such desperate measures to protect our privacy
or anonymity. They could try to respect that, they are not interested.

Sorry for being so elaborate, and using the term adversary so often.

"Darknet CDN" is meant ironically, if that wasn't clear.

I can haz udp too in the future pls. :)
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk