Lose the onion tears, Tor fanboys: CloudFlare may consider binning CAPTCHAs, says CEO

Tor users crying over CloudFlare's CAPTCHAs will soon be able to put away their onions, rather than their .onions, the company has suggested.

CloudFlare CEO Matthew Prince told The Register he would love to create a no-more-tears system allowing the anonymizing network's legitimate users to access CloudFlare-hosted websites without being hit by buggy Turing tests – while also protecting his customers' sites from abuse.

Tor, which allows individuals to use the internet anonymously without spaffing personally identifying information to servers, is highly prized by privacy activists. It unfortunately also provides miscreants with a valuable layer of protection from the authorities, with their use of Tor allegedly accounting for more than 90 per cent of the network's traffic.

While definitive figures on the degree to which the network is used abusively are unavailable, its supporters have complained that CloudFlare – which provides CDN and/or DNS services for over a million websites – has allowed those customers to implement CAPTCHAs which are purposefully designed to hamper Tor users' anonymous access to the web.

CloudFlare has always denied this. An FAQ on its support site states that the company “does not actively block visitors who use the Tor network.” It adds, however, that “due to the behaviour of some individuals using the Tor network (spammers, distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes generally earn a bad reputation.”

As such, CloudFlare's basic protection level – which is set by customers – issues “CAPTCHA-based challenges to visitors whose IP address has a high threat score.”

Prince told The Register: “You have to acknowledge the complaints that Tor users have. It's made browsing the internet much more difficult for Tor users, and we hate that.”

The CEO is not alone in hating it. A bug tracker ticket opened yesterday by one of the Tor project's most well-known evangelists, Jacob Appelbaum, alleged that companies such as CloudFlare “are effectively now Global Active Adversaries.”

CloudFlare, according to Appelbaum, “actively make it nearly impossible to browse to certain websites, they collude with larger surveillance companies (like Google), their CAPTCHAs are awful, they block members of our community on social media rather than engaging with them and frankly, they run untrusted code in millions of browsers on the web for questionable security gains.”

Comments in the Tor Project's trac page, however, show that Appelbaum is not alone in his criticism. Vituperative members of the Tor community declared their dislike of CloudFlare in the thread, saying that it gathers metrics which "count as a kind of surveillance that is seemingly linked with a PRISM provider," as Appelbaum described CloudFlare's use of Google's CAPTCHAs.

Prince denied this to The Register, saying: “If you sat at CloudFlare and listened to how much we're supportive of communities like Tor internally, it's hard to make that same claim.”

The CEO also disagreed with another of Appelbaum's allegations – that the company isn't interested in engaging in a dialogue with the Tor project – though he stressed his respect for Appelbaum himself, whom he regards as “a very smart guy.”

“Our customers are website owners,” Prince added, “and if you survey them ask what they think about Tor, they would rather just block it in most cases. The reason why is because an enormous amount of abuse comes via Tor.”

According to Prince, third-party figures have suggested than more than 90 per cent of Tor traffic – in voluminous terms – “is, in some way, per se abusive, and I don't mean that in terms of visiting distasteful sites, that's not our business, but is traffic that is actively trying to hurt the websites it is visiting.”

CloudFlare's CTO responded to Appelbaum's “Global Active Adversary” claim, criticising it for being an “inflammatory introduction” before clarifying that CloudFlare is "not adversarial to TOR as an entity, we are trying to deal with abuse that uses the TOR network.”

Malicious traffic arriving via a Tor exit node is indistinguishable from legitimate traffic, as those using the Tor Browser Bundle share the exact same user agent and IP range. The alternative to a CAPTCHA providing a small Turing test to visitors to distinguish humans from email-address-scraping bots.

Concurring with Prince's comments about engaging with the Tor Project, the CTO asserted that the company has had “multiple contacts with people working on Tor through events like Real World Crypto and have been trying to come up with a solution that will protect web sites from malicious use of Tor while protecting the anonymity of Tor users (such as myself).”

Prince also told El Reg that his company offered "six or seven" of its 125 engineers to work with the Tor project. Among the active Tor users at the company are the CTO, and Ryan Lackey, known for previously founding the Sultanate of Kinakuta-like Sealand-based HavenCo and joining CloudFlare when his company, CryptoSeal, was acquired in 2014, as well as “at least 20 others.”

"About a month ago, I blacklisted every single IP address that was used in the CloudFlare office network, so our own team had to pass the CAPTCHAs too, so we had to feel the same pain, and it is a pain in the ass," added Prince.

There have been bugs in the CAPTCHA system too, Prince added, forcing Tor users to have to pass the CAPTCHA more than once per site. "We just see a tonne of abuse coming from those IP addresses," said Prince, "and our system says it's statistically probable that this is abusive."

CloudFlare is working on making things easier, however. The CEO told us that, "for first time, we're allowing our customers to apply their own rules to Tor exit nodes."

The company will soon allow customers to whitelist Tor exit nodes. "What I worry about," said Prince, "was that I could not think of a philosophically justifiable reason to allow the whitelisting Tor exit nodes and not the blacklising of Tor exit nodes. We are just allowing customers to whitelist them, but I think a majority of site owners would rather blacklist them."

I was at a hosting conference recently and somebody stood up and said, “I want to ask you something specifically about Tor” and somebody from the EFF stood up and said it was my question too. And then the person asked “When will you allow us to block Tor entirely?” and the EFF guy was like “Wow, I never appreciated how much malicious stuff the average website owner sees coming off of the network.”

The Tor Project does not explicitly accept that it facilitates additional abuse. Its Abuse FAQ repeatedly states variations on the theme of: "So yes, criminals could in theory use Tor, but they already have better options, and it seems unlikely that taking Tor away from the world will stop them from doing their bad things. At the same time, Tor and other privacy measures can fight identity theft, physical crimes like stalking, and so on."

Prince agreed with the principle that Tor was a legitimate service and said that the company has "tried to feel the pain of those users too. We're trying to be as empathetic as possible to those challenges. But our customers are saying something else."

"If there's a technical way to do it, we're interested," said Prince, regarding a means of enabling the legitimate use of Tor while protecting customers. He suggested moving "the proof-of-work problem to their side" might help.

“I'd love to be able to work with the Tor community to come up with one solution,” added Prince.

Potential solutions are being debated by the Tor community on the trac page. ®

Disclosure

The Register is a CloudFlare customer. Our security settings require CAPTCHAs be completed by those coming from “possibly malicious IP ranges” for the reasons stated above. While we apologise for any inconvenience this causes, it remains a useful security mechanism.