[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Request for feedback/victims: cfc

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Request for feedback/victims: cfc
From: David Fifield <david@xxxxxxxxxxxxxxx>
Date: Wed, 23 Mar 2016 09:19:04 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 23 Mar 2016 12:19:25 -0400
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bamsoftware.com; s=mail; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date; bh=s+C7IpQU4+jsSnulm5Yp1B8FStOGmD05I8plUtxUO68=; b=rxZEjcbepLsE11lzV5gsQWih/vkavwgzXr2F/4mJA/F5b9ShLJp6Dv2tE3bh5a5bke543YkLUguHZsTe1Nm8icr2Pppz9EweV53RLmv+F7Anb2eq5t3imDwbq3ic9QS30MbiN3AKo5xjMaB/ny2vwOWMQp3w0mBZAFmWho99NZw=;
In-reply-to: <20160323110029.1c3ce6ed@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Mail-followup-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
References: <20160323091536.3b8e093b@xxxxxxxxxxxxxxx> <20160323110029.1c3ce6ed@xxxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.24 (2015-08-30)

During the OONI survey to find instances of server-side Tor blocking, we
found a few variations on CloudFlare captcha pages. They don't all say
"Attention Required!". Apparently there is an option to customize the
page, but few sites make use of it. Here are the regexes we used
(excerpted from https://www.bamsoftware.com/git/ooni-tor-blocks.git):
    if status == 403:
        if server == "cloudflare-nginx" and re.search("<title>Attention Required! \\| CloudFlare</title>|One more step to access", body):
            return True, "403-CLOUDFLARE"
        if server == "cloudflare-nginx" and re.search("<noscript id=\"cf-captcha-bookmark\" class=\"cf-captcha-info\">|<button type=\"submit\" class=\"cf-captcha-submit\">", body):
            # A customized captcha page.
            return True, "403-CLOUDFLARE"
        if server == "cloudflare-nginx" and re.search("<title>Access denied \\| [^ ]* used CloudFlare to restrict access</title>", body):
            # With this one you don't get a captcha. May be controlled by the
            # site operator.
            return True, "403-CLOUDFLARE"
    if status == 503:
        if re.search("<div class=\"cf-browser-verification cf-im-under-attack\">", body):
            return True, "503-CLOUDFLARE"
I now think the 'server == "cloudflare-nginx"' tests are unnecessary.
The last two patterns above don't even give you a captcha to solve, just
deny access. You might want to limit your detection to 403 and 503
responses (or maybe exempt 200-series and 300-series responses).

These are a couple of sites that used customized CloudFlare:
	https://4chan.org/ ("Verification Required")
	https://yelp.com/ ("You're not barking up the wrong tree...")
yelp.com only started using CloudFlare a little while ago. It's a funny
case, because they *also* implement a hard Tor blacklist. Once you get
through the CloudFlare captcha 403, you get a 503 from a different
system.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Request for feedback/victims: cfc
  - From: Yawning Angel
- Re: [tor-dev] Request for feedback/victims: cfc
  - From: Yawning Angel

Prev by Author: Re: [tor-dev] GSoC'16 proposal: the Torprinter project (a Panopticlick-like website)
Next by Author: [tor-dev] Using Let's Encrypt for meek bridges
Previous by thread: Re: [tor-dev] Request for feedback/victims: cfc
Next by thread: Re: [tor-dev] Request for feedback/victims: cfc
Index(es):
- Author
- Thread