[tor-talk] do Cloudfare captchas ever work?
Çağıl P. Şesto
secpost at abwesend.de
Mon Jun 22 14:36:19 UTC 2015
On Sat, Jun 20, 2015 at 09:30:11PM -0500, Joe Btfsplk wrote:
> Just to clarify (to all that replied) - I have JS enabled. At least,
> when trying to get captchas to work.
> Then, I'm using Tor Browser's default settings for NoScript.
My observations and conclusions:
- two captchas, both unreadable : the tarpit for robots, you usally
don't get other captchas until you turn js on.
- two captchas, one readable, one unreadble : the original captcha
approach as seen in recaptcha (it is considered broken since 2010).
- one captcha (usally parts of google streetview): they consider you
> in a "well behaved" European country.
I wouldn't count on that.
> Other times when Cloudfare didn't work, I didn't always think to check,
> to see if there's any pattern to Cloudfare not working & specific exit
> relay countries.
I don't think it helps much to change exit nodes, you may need to clear your
filesystem cache and cookies too (or not). Someone who abuses exitrelays just
tries one after another until he succeeds. Could be worth to automate
TBB and check. Most services which try to detect abuse automatically use
blacklists and/or signatures/fingerprints.
If you like to understand captchas better see:
There are some papers from 2005 and 2010 were captchas got ocr'd and
broken. Adam Langley had some more information on his blog, some of
it got lost, somehow.
A cdn like clouldflare can track you very easy over various exits, tor
currently has 1115 relays that are exits, its possible to mark all of them
"malicious" on a blacklist-providers sensor in 15-30 minutes.
You may also see messages like:
Your IP address *.25.103.* has been flagged as a scanner. Scanners
are not permitted. If you are seeing this message in error, please
And that says it all:
- its not my ip :)
- you can't flag an ip :)
- I am not a scanner :)
- I won't contact them - BTDT :)
Even if I would contact them, all I can tell them, its not my ip and
their assumptions are all false and their service is prone to false
As said earlier, if the site you are visiting is one of a kind, it may
be worth your time to talk to them and about cloudflare, usually they
are not interested.
Reddit gives a good example, how to treat tor-users.
CC;DR - Cloudflare captcha, didn't read.
Anyway, funny is pirates are using cloudflare too, I consider them busy
until they solve that problem. :)
More information about the tor-talk