Delivery-Date: Sat, 03 Oct 2015 16:00:26 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DATE_IN_PAST_06_12,
	RCVD_IN_DNSWL_MED,T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 4601D1E042C;
	Sat,  3 Oct 2015 16:00:24 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id D332637FF6;
	Sat,  3 Oct 2015 20:00:17 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 77B7E37FE4
 for <tor-talk@lists.torproject.org>; Sat,  3 Oct 2015 20:00:14 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id LCIGIulp_wOK for <tor-talk@lists.torproject.org>;
 Sat,  3 Oct 2015 20:00:14 +0000 (UTC)
Received: from mail01.sigterm.no (mail01.sigterm.no [193.150.121.27])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.sigterm.no", Issuer "RapidSSL SHA256 CA - G3" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 1C8B437924
 for <tor-talk@lists.torproject.org>; Sat,  3 Oct 2015 20:00:14 +0000 (UTC)
X-Greylist: delayed 490 seconds by postgrey-1.34 at eugeni;
 Sat, 03 Oct 2015 20:00:14 UTC
Received: by mail01.sigterm.no (Postfix, from userid 1006)
 id 4D6032E10A6; Sat,  3 Oct 2015 21:51:59 +0200 (CEST)
Received: from smtp.postman.i2p (i2p-outproxy01.privacysolutions.no
 [193.150.121.66])
 by mail01.sigterm.no (Postfix) with ESMTP id A898B2E340D
 for <tor-talk@lists.torproject.org>; Sat,  3 Oct 2015 21:51:52 +0200 (CEST)
X-Virus-Scanned: clamav-milter 0.97 on milter.postman.i2p
To: tor-talk@lists.torproject.org
References: <CADop2NG232W9WKdu4azvr5kncqaGF5KRmd60Frq3K7JE3rkEsg@mail.gmail.com>
 <20151003062619.A8324AE4BB@smtp.postman.i2p>
X-Mailer: smtp.postman.i2p - Official I2P Mailer
From: str4d <str4d@i2pmail.org>
MIME-Version: 1.0
In-Reply-To: <20151003062619.A8324AE4BB@smtp.postman.i2p>
Message-Id: <20151003105531.52563AE4C1@smtp.postman.i2p>
Date: Sat,  3 Oct 2015 10:55:31 +0000 (UTC)
Subject: Re: [tor-talk] Accessing Cloudflare sites on TBB
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Griffin Boyce wrote:
> Virgil Griffith wrote:
>> For unrelated reasons I'm meeting with Cloudflare.  Can someone
>> enlighten me on the current state of the captcha situation?
>> Presuming they are unwilling to completely drop the captcha, what
>> would be a step in the right direction?
>> 
>> The last I heard from Cloudflare is: 
>> https://support.cloudflare.com/hc/en-us/articles/203306930-Does-Cloud
Flare-block-Tor-
>>
>>
>>
>> 
What is a step they can take right now for improving Tor user experience
?
>> -V
> 
> A main issue is that the captcha simply loops instead of allowing 
> access to the website.  This is intermittent, so not sure if this
> is because they are trying to fix the issue, or if the issue
> happens more often on sites that have a lot of traffic (and all the
> traffic can be assumed to come from different sources).  This is a
> pretty basic issue, which they know exists, and I hear endless
> complaints about.  If you hit the captcha-loop, you're likely not
> to be able to access the website at all.
> 
> Another is increasing the size of the user-defined whitelists.
> Right now, the list only allows 200 IPs, which is insufficient if
> a highly-technical user wants to manually whitelist Tor exits.
> This actually kept me personally from being a user -- that
> $200+/month instead goes to Amazon and Azure because I don't want
> Tor users penalized when they come to my sites.

A third is the cross-domain problem. Even if the user answers a
CAPTCHA for a site, if the site uses another domain for static
content, that content never loads. Specifically, the static content
requests themselves return a separate CAPTCHA. Since these can never
be answered in that tab, the real content can never be fetched. The
user can't e.g. open an image URL in a new tab and solve the CAPTCHA
there, because TBB by default opens a new circuit, so CloudFlare sees
it as a separate "session".

At best, the site looks rubbish. At worst, it can make the site
unusable (if it requires JS).

Ideally, CloudFlare should be more intelligent about cross-domain
content. Site admins should be able to list expected cross-links
between their CloudFlare-controlled domains. If a request comes in on
spamalot.com and shortly after multiple requests come in on
slstatic.com, it should mark those as the same session, somehow
(whether by adding a query parameter or header to the static requests,
or being more intelligent on the server side).

str4d

> 
> best, Griffin
> 
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWD7QHAAoJEBO17ljAn7PgT2AP/RUq9VGiYXBJUoVhXzmAr3V4
oE4QD8UNgJXykwIGWC6TABaNcg2bZKqZU362K94z1uTUMFWl6NJNk6M27ARkRtWz
lGLtlAThXMUU63X5HEj6jP7Tzw5k5u7S0vqpOTJc7lbisVsDNg0UDoMc4HzNg0cR
kKKaOPPha4eqVLHBWW/90Grqp+++6k5WO0oHYQZXBoX00ne+gDCulxPPzd6fmcSf
evJaqllSpbFHY5QsjM+HTWKwVeta7y4+oOJWWriG5KsYDn9RX8flnKcOprO28gKX
Rqk/tVSNtATDw7BUuvlEOe2air5a96oRaH5SsyNQnb5ImKXilOHJkPEz1v2Ys2i9
ezewNcRvUXwfZVBmpRvol52TaALc3KVfFi/fs+tKZfZuwD8tGu2WTRBCCriOSrLE
0SSdUhPz4SrsH3j6/gDuiWOPb+ZqCiwZiWBH1AxRpsickJdtNobDDNtnSAOBkBj+
3zVHhvClV2SOzvFJAk3hp/6OWADztVylgCHksQwvz5887Bkymba0PH1kakgc8TXV
BKQSq173XnDCGTzzapVndKRDcqFAkPXFAHnii4Y9pMV+TBpE3dZZi0+RVdr6tofo
IFtnhmpiFuFN430wPT2zJbrCAIZCTbC/SAyTlpQVQgy2uyDACA1Hha+l2GwAYXlJ
dSAKN8qaKS74n9BWLpLS
=IxrR
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

