[tor-talk] more sites requiring captchas from Cloudflare (using Google API?)

Daniel Roskams rocketpenguin at danielroskams.com
Tue Sep 16 04:23:13 UTC 2014


I have experienced this problem many, many times. Seems that I am not
the only one! I agree that we need to do something about it
(complaining/persuading to Cloudflare etc.), and without JS all the
captchas are buggy and useless.

On 16/09/14 07:45, Joe Btfsplk wrote:
> 
> On 9/15/2014 4:16 PM, Mike Perry wrote:
>> Öyvind Saether:
>>>> These captchas recently started appearing (more often) on all
>>>> kinds of sites. By far the most common name that pops up
>>>> associated with this security is "Cloudflare," but also some
>>>> others. Aside from being forced to allow scripts in NoScript
>>>> from Cloudflare for the captcha to work (or whichever one it
>>>> is), it also seems to require allowing scripts from...
>>>> Google.com.
>>> I too have noticed the Cloudflare annoyance on a wide variety
>>> of sites lately (not sure if more sites use Cloudflare or if
>>> Cloudflare has begun asking for a captcha in more cases).
>> It has also proven to be buggy: I've gotten infinite captcha
>> loops, no captchas, and broken no-JS support (even though 
>> ReCaptcha does support no-JS operation). I've also experienced
>> repeated captchas even if I'm logged into a given site, and the
>> captcha prompting has also caused me to lose web application
>> state, form submissions, and authentication status on more than
>> one occasion.
> So far, other than more & more sites are in the "information
> gathering business," I can't imagine that most sites where I've
> seen Cloudflare captchas would be anti-Tor. Unless, information
> gathering has now become too profitable to let it slide by.  Since
> they don't get much info from Tor users, perhaps they just make the
> process irritatingly difficult. Perhaps outside forces (read:  3
> letter agencies) are putting pressure on some sites to discourage
> TBB use.
> 
> Yes, I've experienced most of the problems you mention.  Like (but
> not limited to), after I've done the captcha & successfully gained
> site access, sometimes (not always?) it'll ask me to repeat the
> captcha process. That seems to often happen when changing pages (on
> the same base domain of the site).   Even with 1st party cookies
> enabled. But it asking to repeat the captcha could also be from
> TBB's IP address changing??  Not sure.
> 
> Like oyvinds, usually as soon as I see the Cloudflare captcha page,
> I just close the tab & move on.  And that's what I'll continue to
> do. If the sites using this have that much problem w/ spam, I do
> feel for them, but I also wish them luck in not driving most users
> away. I suspect they (or 3rd parties) are getting more out of it
> than just preventing spam / bots.
> 
> I don't care if the site or captcha process is broken or not.
> Aside from seeming to also require GOOGLE (which is enough to make
> me leave immediately), the process is too time consuming & doesn't
> work consistently - even when 1st arriving at the site & necessary
> js is enabled for required parties. Sometime the captcha image is
> truly unreadable.  Sometimes refreshing the image results in
> equally unreadable ones.  Sum total:  Far too much hassle, even if
> it worked.
>> 
>> I think the next step here is to try to gather a list of
>> cloudflare customers we suspect to be Tor friendly, and have them
>> politely request that their Tor users not be discriminated in
>> this way, and failing that, publicly leave Cloudflare for a
>> competing ISP. I think pushback from actual CloudFlare customers
>> will carry far more weight here than pushback from the Tor
>> Project or the EFF. It also makes zero sense for CloudFlare to
>> serve Tor users captchas at all if their customers are the ones
>> paying the hosting bills and are happy to serve Tor users.
>> 
>> For my part, I've noticed that nearly all of the Bitcoin web 
>> infrastructure is hosted on Cloudflare. Surely some of those
>> people might be willing to speak up for us.
>> 
>> Has anyone else noticed Cloudflare captchas on sites that they
>> would otherwise expect to be run by Tor-friendly entities?
>> 
>> 
>> 
> 

-- 
--Daniel Roskams
0x6A0E156E (pgp)
keyserver: `keyserver.ubuntu.com`

