Delivery-Date: Tue, 16 Sep 2014 00:51:28 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 63E941E0D13;
	Tue, 16 Sep 2014 00:51:27 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id BC4532665D;
	Tue, 16 Sep 2014 04:51:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 8218D265C1
 for <tor-talk@lists.torproject.org>; Tue, 16 Sep 2014 04:51:19 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id GZUI22g9EJBZ for <tor-talk@lists.torproject.org>;
 Tue, 16 Sep 2014 04:51:19 +0000 (UTC)
X-Greylist: delayed 1675 seconds by postgrey-1.34 at eugeni;
 Tue, 16 Sep 2014 04:51:19 UTC
Received: from gateway16.websitewelcome.com (gateway16.websitewelcome.com
 [69.93.154.24])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id 5487024542
 for <tor-talk@lists.torproject.org>; Tue, 16 Sep 2014 04:51:19 +0000 (UTC)
Received: by gateway16.websitewelcome.com (Postfix, from userid 5007)
 id 6DD163B2062A7; Mon, 15 Sep 2014 23:23:21 -0500 (CDT)
Received: from cm2.websitewelcome.com (unknown [192.185.178.13])
 by gateway16.websitewelcome.com (Postfix) with ESMTP id 64E0A3B20627E
 for <tor-talk@lists.torproject.org>; Mon, 15 Sep 2014 23:23:21 -0500 (CDT)
Received: from bravo.websitewelcome.com ([192.185.81.254])
 by cm2.websitewelcome.com with 
 id rgPL1o0085VDZZs01gPMSu; Mon, 15 Sep 2014 23:23:21 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=danielroskams.com; s=default; 
 h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID;
 bh=KNaaOFiOHkNIa14Rf9qTFHgCh358gizeT5ncggPqIXE=; 
 b=Bfm+1aB3oeIUzi3q3y1vxc1Xa4wj1XODm0FejVNnDA/JLQpvLRlvsgwaNVR4TG6GybFiUWGeHLJfXneypv8eQtnXtWgob7sG+HO0hVwu4L//nr7IHHIIOzMWYroF043Fo9Q4XES1gyjhv5TmxJ3vB1QLJluotEyVGnYtJtNaGIM=;
Received: from [77.247.181.162] (port=5645 helo=[0.0.0.0])
 by bravo.websitewelcome.com with esmtpsa (UNKNOWN:DHE-RSA-AES128-SHA:128)
 (Exim 4.82) (envelope-from <rocketpenguin@danielroskams.com>)
 id 1XTkIR-0003ZD-7B
 for tor-talk@lists.torproject.org; Mon, 15 Sep 2014 23:23:20 -0500
Message-ID: <5417BB31.2080701@danielroskams.com>
Date: Tue, 16 Sep 2014 12:23:13 +0800
From: Daniel Roskams <rocketpenguin@danielroskams.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <541739B5.4070103@gmx.com> <20140915224224.71bed7bf@meilong>
 <20140915211606.GB4565@torproject.org> <54177A0E.7030005@gmx.com>
In-Reply-To: <54177A0E.7030005@gmx.com>
OpenPGP: id=6A0E156E
X-AntiAbuse: This header was added to track abuse,
 please include it with any abuse report
X-AntiAbuse: Primary Hostname - bravo.websitewelcome.com
X-AntiAbuse: Original Domain - lists.torproject.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - danielroskams.com
X-BWhitelist: no
X-Source-IP: 77.247.181.162
X-Exim-ID: 1XTkIR-0003ZD-7B
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: ([0.0.0.0]) [77.247.181.162]:5645
X-Source-Auth: rocketpenguin@danielroskams.com
X-Email-Count: 1
X-Source-Cap: Ym9uc3Rlcjt0aW1teTticmF2by53ZWJzaXRld2VsY29tZS5jb20=
Subject: Re: [tor-talk] more sites requiring captchas from Cloudfare (using
 Google API?)
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have experienced this problem many, many times. Seems that I am not
the only one! I agree that we need to do something about it.
(complaining/persuading to Cloudflare etc.) and without JS all the
captchas are buggy and useless.

On 16/09/14 07:45, Joe Btfsplk wrote:
> =

> On 9/15/2014 4:16 PM, Mike Perry wrote:
>> =D6yvind Saether:
>>>> These captchas recently started appearing (more often) on all
>>>> kinds of sites.   By far the most common name that pops up
>>>> associated with this security is "Cloudfare," but also some
>>>> others. Aside from being forced to allow scripts in NoScript
>>>> from Cloudfare for the captcha to work (or which ever one it
>>>> is), it also seems to require allowing scripts from...
>>>> Google.com.
>>> I too have noticed the Cloudflare annoyance on a wide variety
>>> of sites lately (not sure if more sites use Cloudflare or if
>>> Cloudfare has begun asking for a captcha in more cases).
>> It has also proven to be buggy: I've gotten infinite captcha
>> loops, no captchas, and broken no-JS support (even though =

>> ReCaptcha does support no-JS operation). I've also experienced
>> repeated captchas even if I'm logged into a given site, and the
>> captcha prompting has also caused me to lose web application
>> state, form submissions, and authentication status on more than
>> one occasion.
> So far, other than more & more sites are in the "information
> gathering business," I can't imagine that most sites where I've
> seen Cloudfare captchas would be anti-Tor. Unless, information
> gathering has now become too profitable to let it slide by.  Since
> they don't get much info from Tor users, perhaps they just make the
> process irritatingly difficult. Perhaps outside forces (read:  3
> letter agencies) are putting pressure on some sites to discourage
> TBB use.
> =

> Yes, I've experienced most of the problems you mention.  Like (but
> not limited to), after I've done the captcha & successfully gained
> site access, sometimes (not always?) it'll ask me to repeat the
> captcha process. That seems to often happen when changing pages (on
> the same base domain of the site).   Even with 1st party cookies
> enabled. But it asking to repeat the captcha could also be from
> TBB's IP address changing??  Not sure.
> =

> Like oyvinds, usually as soon as I see the Cloudfare captcha page,
> I just close the tab & move on.  And that's what I'll continue to
> do. If the sites using this have that much problem w/ spam, I do
> feel for them, but I also wish them luck in not driving most users
> away. I suspect they (or 3rd parties) are getting more out of it
> than just preventing spam / bots.
> =

> I don't care if the site or captcha process is broken or not.
> Aside from seeming to also require GOOGLE (which is enough to make
> me leave immediately), the process is too time consuming & doesn't
> work consistently - even when 1st arriving at the site & necessary
> js is enabled for required parties. Sometime the captcha image is
> truly unreadable.  Sometimes refreshing the image results in
> equally unreadable ones.  Sum total:  Far too much hassle, even if
> it worked.
>> =

>> I think the next step here is to try to gather a list of
>> cloudflare customers we suspect to be Tor friendly, and have them
>> politely request that their Tor users not be discriminated in
>> this way, and failing that, publicly leave Cloudflare for a
>> competing ISP. I think pushback from actual CloudFlare customers
>> will carry far more weight here than pushback from the Tor
>> Project or the EFF. It also makes zero sense for CloudFlare to
>> serve Tor users captchas at all if their customers are the ones
>> paying the hosting bills and are happy to serve Tor users.
>> =

>> For my part, I've noticed that nearly all of the Bitcoin web =

>> infrastructure is hosted on Cloudflare. Surely some of those
>> people might be willing to speak up for us.
>> =

>> Has anyone else noticed Cloudflare captchas on sites that they
>> would otherwise expect to be run by Tor-friendly entities?
>> =

>> =

>> =

> =


- -- =

- --Daniel Roskams
0x6A0E156E (pgp)
keyserver: `keyserver.ubuntu.com`
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUF7sxAAoJEA3q/nZqDhVuBXgQAMB6fADa2d30jcqqZkkdebU4
cMG88c6miC399iwqPZ3ItcfHpO1gt1P3vpN0/lYHvloKPzpvQAUAvDqg3x9Zpndi
nD5q5UW3aHuhjCXTBRZ1Yi+d/4ffLufNOdJdajMb6XEByCn4744Hbt6Bx1qaIaSU
aoqnZIjyCh06/0TtKt/KXVft21Nr2mX2fnG/lba0VOGCOboTBQE0ihzBhSetppPn
Lbr/CixWLPBbXqDUk7adjCq/d0m+8vDeqAbAYnjth7T4iTJrdj19E8iwT7um/bhk
HmhdC4UeCcMN0h7YGjXasTmLGuThMettEzR/+p/fnCe8P9XSwGNehdzJsJRwxBm9
/8N9dYFHN4jN+/Eb8AOJP3K9gqmIyshqXfWIY33EEXNHu7OkXr9m/+M4+2zWcWw+
SjyhvMRE0hskOjiW4OnBQd//IRJzNV2Xo2j6ZTsbA4rQ8xqOrFpXNn/vIfya/TFY
m7x0at4yoaZwalA4ksH6Wg9PrWTSc9f5u9wWjDKD2bukr1zsY8lV3Dx52RcZTSWS
xL4X9s9YwQHCIC7ktSDBzUk9xYrltIkBknAlPtfoSEsy8CFNXbaDBAEG45X5v9jG
GxMTfmPdn6wLS9sv1BYbn3IZZ4jAP6IqZDKFLxd1z26JfVHf93biQuNAe+cfjHq7
lcwx1m0ZqgiZmujQbA2B
=3DTAig
-----END PGP SIGNATURE-----
-- =

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

