[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] Accessing Cloudflare sites on TBB



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Griffin Boyce wrote:
> Virgil Griffith wrote:
>> For unrelated reasons I'm meeting with Cloudflare.  Can someone
>> enlighten me on the current state of the captcha situation?
>> Presuming they are unwilling to completely drop the captcha, what
>> would be a step in the right direction?
>> 
>> The last I heard from Cloudflare is: 
>> https://support.cloudflare.com/hc/en-us/articles/203306930-Does-Cloud
Flare-block-Tor-
>>
>>
>>
>> 
What is a step they can take right now for improving Tor user experience
?
>> -V
> 
> A main issue is that the captcha simply loops instead of allowing 
> access to the website.  This is intermittent, so not sure if this
> is because they are trying to fix the issue, or if the issue
> happens more often on sites that have a lot of traffic (and all the
> traffic can be assumed to come from different sources).  This is a
> pretty basic issue, which they know exists, and I hear endless
> complaints about.  If you hit the captcha-loop, you're likely not
> to be able to access the website at all.
> 
> Another is increasing the size of the user-defined whitelists.
> Right now, the list only allows 200 IPs, which is insufficient if
> a highly-technical user wants to manually whitelist Tor exits.
> This actually kept me personally from being a user -- that
> $200+/month instead goes to Amazon and Azure because I don't want
> Tor users penalized when they come to my sites.

A third is the cross-domain problem. Even if the user answers a
CAPTCHA for a site, if the site uses another domain for static
content, that content never loads. Specifically, the static content
requests themselves return a separate CAPTCHA. Since these can never
be answered in that tab, the real content can never be fetched. The
user can't e.g. open an image URL in a new tab and solve the CAPTCHA
there, because TBB by default opens a new circuit, so CloudFlare sees
it as a separate "session".

At best, the site looks rubbish. At worst, it can make the site
unusable (if it requires JS).

Ideally, CloudFlare should be more intelligent about cross-domain
content. Site admins should be able to list expected cross-links
between their CloudFlare-controlled domains. If a request comes in on
spamalot.com and shortly after multiple requests come in on
slstatic.com, it should mark those as the same session, somehow
(whether by adding a query parameter or header to the static requests,
or being more intelligent on the server side).

str4d

> 
> best, Griffin
> 
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWD7QHAAoJEBO17ljAn7PgT2AP/RUq9VGiYXBJUoVhXzmAr3V4
oE4QD8UNgJXykwIGWC6TABaNcg2bZKqZU362K94z1uTUMFWl6NJNk6M27ARkRtWz
lGLtlAThXMUU63X5HEj6jP7Tzw5k5u7S0vqpOTJc7lbisVsDNg0UDoMc4HzNg0cR
kKKaOPPha4eqVLHBWW/90Grqp+++6k5WO0oHYQZXBoX00ne+gDCulxPPzd6fmcSf
evJaqllSpbFHY5QsjM+HTWKwVeta7y4+oOJWWriG5KsYDn9RX8flnKcOprO28gKX
Rqk/tVSNtATDw7BUuvlEOe2air5a96oRaH5SsyNQnb5ImKXilOHJkPEz1v2Ys2i9
ezewNcRvUXwfZVBmpRvol52TaALc3KVfFi/fs+tKZfZuwD8tGu2WTRBCCriOSrLE
0SSdUhPz4SrsH3j6/gDuiWOPb+ZqCiwZiWBH1AxRpsickJdtNobDDNtnSAOBkBj+
3zVHhvClV2SOzvFJAk3hp/6OWADztVylgCHksQwvz5887Bkymba0PH1kakgc8TXV
BKQSq173XnDCGTzzapVndKRDcqFAkPXFAHnii4Y9pMV+TBpE3dZZi0+RVdr6tofo
IFtnhmpiFuFN430wPT2zJbrCAIZCTbC/SAyTlpQVQgy2uyDACA1Hha+l2GwAYXlJ
dSAKN8qaKS74n9BWLpLS
=IxrR
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk