
Re: [tor-talk] CloudFlare one site, multiple domains problem




Delton Barnes wrote:
> Hello,
> 
> There is a forum website I frequent in Tor Browser that uses two 
> CloudFlare domains. One (say "example.com") is the main website,
> and the other (say "example.org") provides static content such as
> images and JavaScript.
> 
> A CloudFlare CAPTCHA is almost always presented when accessing 
> example.com. After completing it, example.com loads fine, but all 
> requests to example.org get a 403 response (as observed in the Network
> tab of the Developer Toolbar). The result is the forum is unusable.
> Strangely, if I manually enter any of the individual example.org
> URLs that received a 403 response in the same tab, they load fine
> (200 response).
> 
> Has anyone encountered this problem? If so, is there a good
> workaround? Usually I switch Tor circuits until I get one that does
> not block example.org.

I have encountered this problem regularly, e.g. with HackerOne. The
problem is that CloudFlare does not recognize the common session
across the distinct domains, assumes that the requests to example.org
are different to those from example.com, and returns a CAPTCHA. But
you can't solve a CAPTCHA for an image URL loaded inside a page >_>

If you were actually requesting example.org, you would see the CAPTCHA
page. But because the Tor Browser Bundle uses a new circuit per domain
name (in the tab's URL bar), you can't just open example.org in a new
tab, solve the CAPTCHA, and then reload example.com, because the
example.org CAPTCHA is associated with a different Tor circuit.

I have notified the websites I have had this problem with, as well as
CloudFlare, but until they provide some way for server operators to
"link" domains together, so a request from an IP to example.com (that
has had a CAPTCHA solved) followed by a request from that IP to
example.org is recognized as the same session, then there isn't much
that can be done.

A possible workaround would be for Tor Browser to include an option
that allows users to "open all CAPTCHAs on this page". It could look
for all unique domains within a page, and open a tab (or pop-up
window) for each through the same circuit. That would allow users to
authenticate that site's Tor circuit with CloudFlare for all domains
the site uses. But this would probably need to be repeated each time
the circuit changes (like the CAPTCHAs already need to be).

str4d

> 
> Unfortunately I cannot share the website as doing so could identify
> me. Also, I have been unsuccessful getting the administrator to
> whitelist Tor (e.g., by using a recently publicized GitHub script).
> 
> Thanks, Delton
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
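
The first step of the workaround proposed in the reply above ("look for all unique domains within a page") can be sketched as follows. This is an added example, not code from the thread or from Tor Browser; the function name `subresource_hosts`, the tag and `rel` lists, and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute is fetched automatically when the page loads.
SRC_TAGS = {"script", "img", "iframe", "source", "video", "audio", "embed"}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that trigger a fetch

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.hosts = page_url, set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SRC_TAGS:
            self._add(attrs.get("src"))
        elif tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & LINK_RELS:
                self._add(attrs.get("href"))

    def _add(self, url):
        # Resolve relative and protocol-relative URLs; skip data:, javascript:, etc.
        parts = urlsplit(urljoin(self.page_url, (url or "").strip()))
        if parts.scheme in ("http", "https") and parts.hostname:
            self.hosts.add(parts.hostname)

def subresource_hosts(html, page_url):
    """Return sorted hostnames, other than the page's own, that the page loads from."""
    collector = _Collector(page_url)
    collector.feed(html)
    collector.close()
    return sorted(collector.hosts - {urlsplit(page_url).hostname})

# Constructed sample page using the thread's placeholder domains.
SAMPLE_PAGE = """
<html><head>
  <link rel="stylesheet" href="https://example.org/css/forum.css">
  <link rel="canonical" href="https://example.net/forum/">
  <script src="//example.org/js/app.js"></script>
</head><body>
  <img src="/avatars/1.png">
  <img src="https://EXAMPLE.org/img/logo.png">
  <img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
  <a href="https://example.net/elsewhere">link</a>
</body></html>
"""

if __name__ == "__main__":
    print(subresource_hosts(SAMPLE_PAGE, "https://example.com/forum/"))
```

Each hostname returned is one that would need its own CAPTCHA solved over the same circuit as the page; links the user merely navigates to (`<a href>`, `rel="canonical"`) are not counted.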