Delivery-Date: Mon, 15 Sep 2014 19:45:55 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	FROM_LOCAL_NOVOWEL,RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD autolearn=ham
	version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 3C9661E0B4C;
	Mon, 15 Sep 2014 19:45:54 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id BFA0C220FE;
	Mon, 15 Sep 2014 23:45:50 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 3B33221BBF
 for <tor-talk@lists.torproject.org>; Mon, 15 Sep 2014 23:45:47 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id KUJ04MesApEg for <tor-talk@lists.torproject.org>;
 Mon, 15 Sep 2014 23:45:47 +0000 (UTC)
Received: from mout.gmx.com (mout.gmx.com [74.208.4.201])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id 1A39120C4E
 for <tor-talk@lists.torproject.org>; Mon, 15 Sep 2014 23:45:47 +0000 (UTC)
Received: from [127.0.0.1] ([99.190.181.188]) by mail.gmx.com (mrgmxus002)
 with ESMTPSA (Nemesis) id 0M8lOE-1XdXJk0alw-00C9wa for
 <tor-talk@lists.torproject.org>; Tue, 16 Sep 2014 01:45:44 +0200
Message-ID: <54177A0E.7030005@gmx.com>
Date: Mon, 15 Sep 2014 18:45:18 -0500
From: Joe Btfsplk <joebtfsplk@gmx.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64;
 rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <541739B5.4070103@gmx.com> <20140915224224.71bed7bf@meilong>
 <20140915211606.GB4565@torproject.org>
In-Reply-To: <20140915211606.GB4565@torproject.org>
X-Provags-ID: V03:K0:ZGlaTjSv/6Xf3gbT7REIWF1Nb48KUbJjuVJN+xeW4oJzy6CoV+m
 mg2A9Rf0eFNhncF5GW544JnQqmg/PrVID6debcWKadKWjS6EdlV0f1d8zARd15aOh2FyhmI
 OOeNrFZ8t03mhN9IqVVicImUjdP9gj+p4+dLCWWqbjMchKMar88S2orIx9hn8Mn8jmoVONY
 LCtWS5fuPmJjhmM4rO4nQ==
X-UI-Out-Filterresults: notjunk:1;
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: Re: [tor-talk] more sites requiring captchas from Cloudfare (using
 Google API?)
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="windows-1252"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>


On 9/15/2014 4:16 PM, Mike Perry wrote:
> =D6yvind Saether:
>>> These captchas recently started appearing (more often) on all kinds
>>> of sites.   By far the most common name that pops up associated with
>>> this security is "Cloudfare," but also some others.
>>> Aside from being forced to allow scripts in NoScript from Cloudfare
>>> for the captcha to work (or which ever one it is), it also seems to
>>> require allowing scripts from... Google.com.
>> I too have noticed the Cloudflare annoyance on a wide variety of sites
>> lately (not sure if more sites use Cloudflare or if Cloudfare has begun
>> asking for a captcha in more cases).
> It has also proven to be buggy: I've gotten infinite
> captcha loops, no captchas, and broken no-JS support (even though
> ReCaptcha does support no-JS operation). I've also experienced repeated
> captchas even if I'm logged into a given site, and the captcha prompting
> has also caused me to lose web application state, form submissions, and
> authentication status on more than one occasion.
So far, other than more & more sites are in the "information gathering =

business," I can't imagine that most sites where I've seen Cloudfare =

captchas would be anti-Tor.
Unless, information gathering has now become too profitable to let it =

slide by.  Since they don't get much info from Tor users, perhaps they =

just make the process irritatingly difficult.
Perhaps outside forces (read:  3 letter agencies) are putting pressure =

on some sites to discourage TBB use.

Yes, I've experienced most of the problems you mention.  Like (but not =

limited to), after I've done the captcha & successfully gained site =

access, sometimes (not always?) it'll ask me to repeat the captcha process.
That seems to often happen when changing pages (on the same base domain =

of the site).   Even with 1st party cookies enabled.
But it asking to repeat the captcha could also be from TBB's IP address =

changing??  Not sure.

Like oyvinds, usually as soon as I see the Cloudfare captcha page, I =

just close the tab & move on.  And that's what I'll continue to do.
If the sites using this have that much problem w/ spam, I do feel for =

them, but I also wish them luck in not driving most users away.
I suspect they (or 3rd parties) are getting more out of it than just =

preventing spam / bots.

I don't care if the site or captcha process is broken or not.  Aside =

from seeming to also require GOOGLE (which is enough to make me leave =

immediately), the process is too time consuming & doesn't work =

consistently - even when 1st arriving at the site & necessary js is =

enabled for required parties.
Sometime the captcha image is truly unreadable.  Sometimes refreshing =

the image results in equally unreadable ones.  Sum total:  Far too much =

hassle, even if it worked.
>
> I think the next step here is to try to gather a list of cloudflare
> customers we suspect to be Tor friendly, and have them politely request
> that their Tor users not be discriminated in this way, and failing that,
> publicly leave Cloudflare for a competing ISP. I think pushback
> from actual CloudFlare customers will carry far more weight here than
> pushback from the Tor Project or the EFF. It also makes zero sense for
> CloudFlare to serve Tor users captchas at all if their customers are the
> ones paying the hosting bills and are happy to serve Tor users.
>
> For my part, I've noticed that nearly all of the Bitcoin web
> infrastructure is hosted on Cloudflare. Surely some of those people
> might be willing to speak up for us.
>
> Has anyone else noticed Cloudflare captchas on sites that they would
> otherwise expect to be run by Tor-friendly entities?
>
>
>

-- =

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

