[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Accessing Cloudflare sites on TBB
-----BEGIN PGP SIGNED MESSAGE-----
Griffin Boyce wrote:
> Virgil Griffith wrote:
>> For unrelated reasons I'm meeting with Cloudflare. Can someone
>> enlighten me on the current state of the captcha situation?
>> Presuming they are unwilling to completely drop the captcha, what
>> would be a step in the right direction?
>> The last I heard from Cloudflare is:
What is a step they can take right now for improving Tor user experience
> A main issue is that the captcha simply loops instead of allowing
> access to the website. This is intermittent, so not sure if this
> is because they are trying to fix the issue, or if the issue
> happens more often on sites that have a lot of traffic (and all the
> traffic can be assumed to come from different sources). This is a
> pretty basic issue, which they know exists, and I hear endless
> complaints about. If you hit the captcha-loop, you're likely not
> to be able to access the website at all.
> Another is increasing the size of the user-defined whitelists.
> Right now, the list only allows 200 IPs, which is insufficient if
> a highly-technical user wants to manually whitelist Tor exits.
> This actually kept me personally from being a user -- that
> $200+/month instead goes to Amazon and Azure because I don't want
> Tor users penalized when they come to my sites.
A third is the cross-domain problem. Even if the user answers a
CAPTCHA for a site, if the site uses another domain for static
content, that content never loads. Specifically, the static content
requests themselves return a separate CAPTCHA. Since these can never
be answered in that tab, the real content can never be fetched. The
user can't e.g. open an image URL in a new tab and solve the CAPTCHA
there, because TBB by default opens a new circuit, so CloudFlare sees
it as a separate "session".
At best, the site looks rubbish. At worst, it can make the site
unusable (if it requires JS).
Ideally, CloudFlare should be more intelligent about cross-domain
content. Site admins should be able to list expected cross-links
between their CloudFlare-controlled domains. If a request comes in on
spamalot.com and shortly after multiple requests come in on
slstatic.com, it should mark those as the same session, somehow
(whether by adding a query parameter or header to the static requests,
or being more intelligent on the server side).
> best, Griffin
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to