
Re: [tor-talk] Accessing Cloudflare sites on TBB




Griffin Boyce wrote:
> Virgil Griffith wrote:
>> For unrelated reasons I'm meeting with Cloudflare.  Can someone
>> enlighten me on the current state of the captcha situation?
>> Presuming they are unwilling to completely drop the captcha, what
>> would be a step in the right direction?
>> 
>> The last I heard from Cloudflare is: 
>> https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-
>>
>> What is a step they can take right now for improving Tor user experience?
>> -V
> 
> A main issue is that the captcha simply loops instead of allowing 
> access to the website.  This is intermittent, so not sure if this
> is because they are trying to fix the issue, or if the issue
> happens more often on sites that have a lot of traffic (and all the
> traffic can be assumed to come from different sources).  This is a
> pretty basic issue, which they know exists, and I hear endless
> complaints about.  If you hit the captcha-loop, you're likely not
> to be able to access the website at all.
> 
> Another is increasing the size of the user-defined whitelists.
> Right now, the list only allows 200 IPs, which is insufficient if
> a highly-technical user wants to manually whitelist Tor exits.
> This actually kept me personally from being a user -- that
> $200+/month instead goes to Amazon and Azure because I don't want
> Tor users penalized when they come to my sites.

A third is the cross-domain problem. Even if the user answers a
CAPTCHA for a site, if the site uses another domain for static
content, that content never loads. Specifically, the static content
requests themselves return a separate CAPTCHA. Since these can never
be answered in that tab, the real content can never be fetched. The
user can't e.g. open an image URL in a new tab and solve the CAPTCHA
there, because TBB by default opens a new circuit, so CloudFlare sees
it as a separate "session".

At best, the site looks rubbish. At worst, it can make the site
unusable (if it requires JS).

Ideally, CloudFlare should be more intelligent about cross-domain
content. Site admins should be able to list expected cross-links
between their CloudFlare-controlled domains. If a request comes in on
spamalot.com and shortly after multiple requests come in on
slstatic.com, it should mark those as the same session, somehow
(whether by adding a query parameter or header to the static requests,
or being more intelligent on the server side).

str4d

> 
> best, Griffin
> 
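An added sketch (not part of the original message, and not CloudFlare's implementation) of the query-parameter variant str4d suggests above: after the CAPTCHA on the primary domain is solved, static requests carry a short-lived signed token that an admin-linked static domain accepts. The key, the TTL, the token layout and the function names are assumptions; the token is deliberately not bound to a client IP, since the message notes the two requests can arrive over different circuits.

```python
import hashlib
import hmac
import time

# Constructed values: key, TTL and the link list are assumptions for this sketch.
SECRET = b"constructed-demo-key"
TTL_SECONDS = 300
# Admin-declared cross-links: primary domain -> static domains it pulls from.
LINKED = {"spamalot.com": {"slstatic.com"}}


def _mac(origin: str, expiry: int) -> str:
    """HMAC-SHA256 over the origin domain and the expiry time."""
    msg = f"{origin}|{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(origin: str, now: int) -> str:
    """Called once the CAPTCHA on `origin` is solved; value for a query parameter."""
    expiry = now + TTL_SECONDS
    return f"{origin}|{expiry}|{_mac(origin, expiry)}"


def accept_static(host: str, token: str, now: int) -> bool:
    """True if a request to `host` may skip its own CAPTCHA."""
    parts = token.split("|")
    if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
        return False  # malformed token
    origin, expiry, mac = parts[0], int(parts[1]), parts[2]
    # Compare as bytes so attacker-supplied non-ASCII input cannot raise.
    if not hmac.compare_digest(mac.encode(), _mac(origin, expiry).encode()):
        return False  # forged or tampered
    if now > expiry:
        return False  # clearance has expired
    # Only domains the admin linked to the origin inherit the clearance.
    return host in LINKED.get(origin, set())


if __name__ == "__main__":
    t0 = int(time.time())
    tok = issue_token("spamalot.com", t0)
    print(accept_static("slstatic.com", tok, t0 + 10))
    print(accept_static("unlinked.example", tok, t0 + 10))
```

A token in a query string shows up in logs and Referer headers, which is why the sketch keeps the lifetime short; the header variant str4d mentions would avoid that at the cost of needing client-side support.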