[tor-talk] more sites requiring captchas from Cloudflare (using Google API?)

Joe Btfsplk joebtfsplk at gmx.com
Tue Sep 16 16:20:53 UTC 2014


On 9/16/2014 12:13 AM, isis wrote:
> +1 However, I don't know of a competitor to Cloudflare who provides 
> *free* (as in beer) (D)DoS-protection via reverse webproxies, not to 
> mention all the other bells and whistles which Cloudflare offers. 
> It'll be hard to make the argument to switch for user-privacy reasons, 
> given the seeming lack of marketed alternatives. Can anyone recommend 
> a comparable alternative to Cloudflare?
I know nothing about Cloudflare's "business model."  But, the old saying, 
"There's no such thing as a free lunch," is still true. Unless they're a 
philanthropic org., that gets all funding from donations & grants, they 
are making money somehow.  Leaving the most likely explanation for them 
providing a "free" service (similar to):  *Cloudflare makes money from 
user data on the site(s).*

They may / may not be able to get enough data from Tor users to make it 
worthwhile.  Thus, possibly the captchas for TBB, that often don't work, 
or requiring Tor users to repeat captchas, on the same site during SAME 
session.  Even when JS & cookies are enabled.

Cloudflare's captcha process could be buggy - accounting for some of the 
issues, but
(1)  They still can't operate w/o generating income.  They're not Santa 
Claus;
(2) Captchas don't seem to be presented to Firefox users (definitely not 
EVERY time, as with TBB).
(3) They're also requiring that scripts be allowed from Google.com. And 
Google is NOT a philanthropic organization.
(4) A fact that must be accepted is, a lot of people & malicious 
"groups" do use TBB for spamming & all sorts of undesirable things.  
Which sites must protect themselves against.
(5) Comments from Cloudflare's Nick Sullivan (or heads of any company or 
LEA) are basically worthless.  These people get paid to lie to protect 
their organization's interest.  They all *regularly lie* at 
Congressional hearings & in courts of law.  That's a fact. Sometimes 
they're caught telling bald-faced lies, but usually nothing happens to 
them.

Now, if Cloudflare *changes* how their captchas work & stops requiring JS 
/ cookies from them & Google, that will actually mean something.  Until 
then, it's just a lot of hot air.
> I have considered starting an outreach effort to speak to the maintainers of
> some of these sites, with the idea that I might gather sympathy from certain
> communities who use Cloudflare.
>
> For example, as you mentioned, the Bitcoin community, which I have personally
> noticed while having discussions with some of the core bitcoin developers, who
> pointed me to various bits of Bitcoin documentation... which I was
> frustratingly unable to access due to an infinite CAPTCHA loop from
> Cloudflare. The core Bitcoin developers, from my experience, are all extremely
> well-informed about Tor and related privacy and security issues. I would guess
> that they are likely using Cloudflare primarily as a mechanism to decrease the
> attack surface of their sites, and probably are already aware (or would be
> upset to learn) that Cloudflare sometimes prevents Tor users from accessing
> the content entirely.
>
>
>> Has anyone else noticed Cloudflare captchas on sites that they would
>> otherwise expect to be run by Tor-friendly entities?
>>
> Here's the beginnings of your list. Others should feel free to amend.
>
> Possibly-Tor-sympathetic sites which use Cloudflare:
> ----------------------------------------------------
>   * [The Bitcoin Wiki](https://en.bitcoin.it)
>   * [Open Tech Fund](https://www.opentechfund.org/)
>
>
>
>
