Delivery-Date: Mon, 15 Sep 2014 17:16:22 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 835A41E0C44;
	Mon, 15 Sep 2014 17:16:21 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 16B7D244F1;
	Mon, 15 Sep 2014 21:16:18 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 24031242F5
 for <tor-talk@lists.torproject.org>; Mon, 15 Sep 2014 21:16:14 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id n_JU3kgR1SL9 for <tor-talk@lists.torproject.org>;
 Mon, 15 Sep 2014 21:16:14 +0000 (UTC)
Received: from turtles.fscked.org (turtles.fscked.org [76.73.17.194])
 by eugeni.torproject.org (Postfix) with ESMTP id E530F22335
 for <tor-talk@lists.torproject.org>; Mon, 15 Sep 2014 21:16:13 +0000 (UTC)
Date: Mon, 15 Sep 2014 14:16:06 -0700
From: Mike Perry <mikeperry@torproject.org>
To: tor-talk@lists.torproject.org
Message-ID: <20140915211606.GB4565@torproject.org>
References: <541739B5.4070103@gmx.com>
 <20140915224224.71bed7bf@meilong>
MIME-Version: 1.0
In-Reply-To: <20140915224224.71bed7bf@meilong>
Subject: Re: [tor-talk] more sites requiring captchas from Cloudfare (using
 Google API?)
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============3029305876236345054=="
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>


--===============3029305876236345054==
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="6sX45UoQRIJXqkqR"
Content-Disposition: inline


--6sX45UoQRIJXqkqR
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

=D6yvind Saether:
> > These captchas recently started appearing (more often) on all kinds
> > of sites.   By far the most common name that pops up associated with
> > this security is "Cloudfare," but also some others.
> > Aside from being forced to allow scripts in NoScript from Cloudfare
> > for the captcha to work (or which ever one it is), it also seems to
> > require allowing scripts from... Google.com.
>=20
> I too have noticed the Cloudflare annoyance on a wide variety of sites
> lately (not sure if more sites use Cloudflare or if Cloudfare has begun
> asking for a captcha in more cases).

I too find this situation unacceptable, since it seems to have been
unilaterally decided by CloudFlare and not by their customers who are
paying them. It has also proven to be buggy: I've gotten infinite
captcha loops, no captchas, and broken no-JS support (even though
ReCaptcha does support no-JS operation). I've also experienced repeated
captchas even if I'm logged into a given site, and the captcha prompting
has also caused me to lose web application state, form submissions, and
authentication status on more than one occasion.

I think the next step here is to try to gather a list of cloudflare
customers we suspect to be Tor friendly, and have them politely request
that their Tor users not be discriminated in this way, and failing that,
publicly leave Cloudflare for a competing ISP. I think pushback
=66rom actual CloudFlare customers will carry far more weight here than
pushback from the Tor Project or the EFF. It also makes zero sense for
CloudFlare to serve Tor users captchas at all if their customers are the
ones paying the hosting bills and are happy to serve Tor users.=20

For my part, I've noticed that nearly all of the Bitcoin web
infrastructure is hosted on Cloudflare. Surely some of those people
might be willing to speak up for us.=20

Has anyone else noticed Cloudflare captchas on sites that they would
otherwise expect to be run by Tor-friendly entities?

--=20
Mike Perry

--6sX45UoQRIJXqkqR
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUF1cWAAoJEEEC+JXS8eGGfBwP/jejZyBa1lYoUbnBiarjqXV4
2kyTazLN5SAGiU7jSGfVGSCbcKlattU0TXrBSwE8P+zixK7v4ALQ+9W/MMrHfyp1
ygJh8nnDm0sS0QPbHPsAfWiAKUsHtZTFk1NnCfrBl5fF9/5zbZ3UNkh8P6nIIiPn
T9xsFNdGXFGSpsiDHmbN9drvprGeM1YS85JJN+5rFHcL/qQQ/geaJAJ6SxImxpGU
bFl/LyowqT0HidfkO7u+T8BX2+6HGj0zAjOhQIshpgEoup83dQw4lQt/OtXJ+HXo
lnpqxTDNEjO1wnasLMcUeSxUxFg9YV5aEVidQCGe0j1Ub79umVHUL3b7pK2VYge6
/yt43EqoJYlmvFXoqvielrryFha5IGYtOQJaXrg/74UpuUlXnirufWHE+4BB7gOg
VtAnxT3JbKVXDx5du26ecqj4G033MsepbHFkiHyoihHTWB+ROC1ll9gDpPPVGmYB
JQpWoRpPB8ovtRKLjcA2jjOuM8cUwsMkLktECfZJJhnZ49gQh94zZJuuOUN0f5P2
xSL4NG3TIHO+4vxgBCJa5D6hZghEhM1pesgty1oYr47q5AEVG+Tn9xsj781RUvRh
XdLhD8JlCZ7rjtmeSkr24TIxz2DgpUYAuB5xTQX/gkBhlcMSh/I0tuBChuoBTq66
5wi5V7ka3QI4vaIir27A
=pWPU
-----END PGP SIGNATURE-----

--6sX45UoQRIJXqkqR--

--===============3029305876236345054==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--===============3029305876236345054==--

