Exitmap module to count CloudFlare CAPTCHAs

I wrote an exitmap module [0] that can tell us how many exit relays see a CloudFlare CAPTCHA when connecting to a given site. First, I ran the module for coreos.com because it uses CloudFlare, but the owner configured it to whitelist Tor. Indeed, only one out of 864 exit relays saw a CAPTCHA: <https://atlas.torproject.org/#details/7DD29A65C370B86B5BE706EA3B1417745714C8AF> Next, I ran the module for cloudflare.com, which does not seem to whitelist Tor. 638 (75%) exit relays saw a CAPTCHA and 211 (25%) didn't. [0] <https://gitweb.torproject.org/user/phw/exitmap.git/tree/src/modules/cloudflared.py> Cheers, Philipp

On 21 Mar 2016, at 04:00, Philipp Winter <phw@nymity.ch> wrote:
I wrote an exitmap module [0] that can tell us how many exit relays see a CloudFlare CAPTCHA when connecting to a given site.
First, I ran the module for coreos.com because it uses CloudFlare, but the owner configured it to whitelist Tor. Indeed, only one out of 864 exit relays saw a CAPTCHA: <https://atlas.torproject.org/#details/7DD29A65C370B86B5BE706EA3B1417745714C8AF>
Next, I ran the module for cloudflare.com, which does not seem to whitelist Tor. 638 (75%) exit relays saw a CAPTCHA and 211 (25%) didn't.
This looks great! Do we know if CloudFlare's blocking depend on the remote website, or the website's CloudFlare settings? Or does CloudFlare treat each Exit Relay the same regardless of which website it's accessing? Their introductory marketing / documentation would seem to indicate it's global: "Once CloudFlare identifies that there is a new attack, CloudFlare starts to block the attack for both the particular website and the entire community." [0] Can the ExitMap module also record how many sites show CloudFlare's "JavaScript Challenge" [1] ? http://www.zdziarski.com <http://www.zdziarski.com/> (yes, only HTTP, ugh) uses their JavaScript challenge. And their "Totally Block Tor" [1] option? (only available to enterprise (paying?) customers) I don't know of a CloudFlare website that blocks Tor entirely. Thanks Tim [0]: https://www.cloudflare.com/features-security/ <https://www.cloudflare.com/features-security/> (URL likely unavailable from some Tor Exits.) [1]: https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-b... <https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-> (URL likely unavailable from some Tor Exits.) Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP 968F094B teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F

On 3/20/16, Tim Wilson-Brown - teor <teor2345@gmail.com> wrote:
On 21 Mar 2016, at 04:00, Philipp Winter <phw@nymity.ch> wrote:
Next, I ran the module for cloudflare.com, which does not seem to whitelist Tor. 638 (75%) exit relays saw a CAPTCHA and 211 (25%) didn't.
This roughly match my own deprecated tools, globally.
Do we know if CloudFlare's blocking depend on the remote website, or the website's CloudFlare settings? Or does CloudFlare treat each Exit Relay the same regardless of which website it's accessing? Can the ExitMap module also record how many sites show CloudFlare's "JavaScript Challenge" [1] ? And their "Totally Block Tor" [1] option? (only available to enterprise (paying?) customers)
All these questions could be added to the module.
I don't know of a CloudFlare website that blocks Tor entirely.
Probably not possible thankfully because some exit IP's aren't readily passively / immediately identifiable as such. Censorship as policy is not winning proposition.

On 21 Mar 2016, at 08:51, grarpamp <grarpamp@gmail.com> wrote:
I don't know of a CloudFlare website that blocks Tor entirely.
Probably not possible thankfully because some exit IP's aren't readily passively / immediately identifiable as such. Censorship as policy is not winning proposition.
I meant "a website using CloudFlare that has the "Block" option selected for Tor". Tim Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP 968F094B teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
participants (3)
-
grarpamp
-
Philipp Winter
-
Tim Wilson-Brown - teor