[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] CloudFlare blog post

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] CloudFlare blog post
From: Philipp Winter <phw@xxxxxxxxx>
Date: Wed, 30 Mar 2016 11:01:51 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 30 Mar 2016 11:02:06 -0400
In-reply-to: <20160330132105.GA8024@xxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Mail-followup-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
References: <20160330132105.GA8024@xxxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On Wed, Mar 30, 2016 at 01:21:05PM +0000, Martijn Grooten wrote:
> CloudFlare CEO Matthew Prince just posted this blog post
> 
>   https://blog.cloudflare.com/the-trouble-with-tor/  
> 
> which I think is worth a read for people on this list.

My blog comment is still awaiting moderation, so I'll post it here too:

---
I don't see any mention of a client-side PoW scheme in the draft, which
may be good because it seems difficult to discourage attackers
sufficiently while not inconveniencing users too much.  See also:
<https://www.cl.cam.ac.uk/~rnc1/proofwork.pdf>

I am also skeptical about the sentence "Based on data across the
CloudFlare network, 94% of requests that we see across the Tor network
are per se malicious."  I would really like to hear about the method you
used to get to that number and what, exactly, you classify as
"malicious."  For example, for how long did you observe requests coming
out of the network? After all, you justify the use of CAPTCHAs with this
high number, so it would be great if we could all verify the problem.

I also wonder how effective your CAPTCHAs really are.  Deep learning
techniques suggest that bots are about to become just as good, or even
better, at solving CAPTCHAs than people.  Therefore, I wonder if a long
term solution should also center around the question if the distinction
between people and machines is still meaningful.

Still, thanks for trying to improve the situation.
---
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] CloudFlare blog post
  - From: Joe Btfsplk

References:
- [tor-talk] CloudFlare blog post
  - From: Martijn Grooten

Prev by Author: Re: [tor-talk] Extend auto-IP-switching-time in TorBrowser (and depending from time of inactivity)
Next by Author: Re: [tor-talk] cloudflare blocks connection
Previous by thread: [tor-talk] CloudFlare blog post
Next by thread: Re: [tor-talk] CloudFlare blog post
Index(es):
- Author
- Thread