[tor-talk] more sites requiring captchas from Cloudfare (using Google API?)

Mon Sep 15 23:45:18 UTC 2014

On 9/15/2014 4:16 PM, Mike Perry wrote:
> Öyvind Saether:
>>> These captchas recently started appearing (more often) on all kinds
>>> of sites.   By far the most common name that pops up associated with
>>> this security is "Cloudfare," but also some others.
>>> Aside from being forced to allow scripts in NoScript from Cloudfare
>>> for the captcha to work (or which ever one it is), it also seems to
>>> require allowing scripts from... Google.com.
>> I too have noticed the Cloudflare annoyance on a wide variety of sites
>> lately (not sure if more sites use Cloudflare or if Cloudfare has begun
>> asking for a captcha in more cases).
> It has also proven to be buggy: I've gotten infinite
> captcha loops, no captchas, and broken no-JS support (even though
> ReCaptcha does support no-JS operation). I've also experienced repeated
> captchas even if I'm logged into a given site, and the captcha prompting
> has also caused me to lose web application state, form submissions, and
> authentication status on more than one occasion.
So far, other than more & more sites are in the "information gathering 
business," I can't imagine that most sites where I've seen Cloudfare 
captchas would be anti-Tor.
Unless, information gathering has now become too profitable to let it 
slide by.  Since they don't get much info from Tor users, perhaps they 
just make the process irritatingly difficult.
Perhaps outside forces (read:  3 letter agencies) are putting pressure 
on some sites to discourage TBB use.

Yes, I've experienced most of the problems you mention.  Like (but not 
limited to), after I've done the captcha & successfully gained site 
access, sometimes (not always?) it'll ask me to repeat the captcha process.
That seems to often happen when changing pages (on the same base domain 
of the site).   Even with 1st party cookies enabled.
But it asking to repeat the captcha could also be from TBB's IP address 
changing??  Not sure.

Like oyvinds, usually as soon as I see the Cloudfare captcha page, I 
just close the tab & move on.  And that's what I'll continue to do.
If the sites using this have that much problem w/ spam, I do feel for 
them, but I also wish them luck in not driving most users away.
I suspect they (or 3rd parties) are getting more out of it than just 
preventing spam / bots.

I don't care if the site or captcha process is broken or not.  Aside 
from seeming to also require GOOGLE (which is enough to make me leave 
immediately), the process is too time consuming & doesn't work 
consistently - even when 1st arriving at the site & necessary js is 
enabled for required parties.
Sometime the captcha image is truly unreadable.  Sometimes refreshing 
the image results in equally unreadable ones.  Sum total:  Far too much 
hassle, even if it worked.
>
> I think the next step here is to try to gather a list of cloudflare
> customers we suspect to be Tor friendly, and have them politely request
> that their Tor users not be discriminated in this way, and failing that,
> publicly leave Cloudflare for a competing ISP. I think pushback
> from actual CloudFlare customers will carry far more weight here than
> pushback from the Tor Project or the EFF. It also makes zero sense for
> CloudFlare to serve Tor users captchas at all if their customers are the
> ones paying the hosting bills and are happy to serve Tor users.
>
> For my part, I've noticed that nearly all of the Bitcoin web
> infrastructure is hosted on Cloudflare. Surely some of those people
> might be willing to speak up for us.
>
> Has anyone else noticed Cloudflare captchas on sites that they would
> otherwise expect to be run by Tor-friendly entities?
>
>
>