The Trouble with CloudFlare

620 points by tshtf, about 9 years ago

41 comments

eastdakota, about 9 years ago
Tor has acknowledged their "botnet problem" since at least 2013:

https://research.torproject.org/techreports/botnet-tr-2013-11-20.pdf

That same paper walks through the challenges of dealing with it and doesn't find any satisfactory solutions.

As I wrote in our post on the topic, there's a trade-off between security, anonymity, and convenience. CloudFlare provides security to our customers. We believe in the importance of anonymously accessing the Internet. Unfortunately, that means we have to sacrifice some convenience. If you haven't read it, I encourage you to see the post I wrote on the topic:

https://blog.cloudflare.com/the-trouble-with-tor/

The two long-term solutions we proposed — blinded tokens or CloudFlare supporting .onion addresses — we believe could reduce the inconvenience, but they'll require help from the Tor developers. While public posts like this are discouraging in terms of coming up with a better solution, I'm encouraged by private conversations we've had with Tor developers who acknowledge this is a hard problem and want to find solutions.
scurvy, about 9 years ago
Maybe I'm a cranky, old-school network operator, but this is a very cut and dry problem. Tor runs a network that is rife with abuse and fraud. Tor needs to clean up and police its network. If it doesn't, it will be put on blacklists and customers will take active measures to block traffic from it.

This is no different than a network or AS that is spammer friendly, botnet friendly, carder friendly, etc. All of those networks eventually end up on blacklists or Spamhaus lists and their efficacy goes down. Eventually, the network dies out and the criminals move somewhere else. Yes, it's a game of whack-a-mole, but it's proven to work well.

I know Tor doesn't want to be in the network regulation business, but they need to be if they want their product to thrive. Otherwise, goodbye Tor.
breakingcups, about 9 years ago
I think Cloudflare's blog post was incredibly nuanced, well thought out and (dare I say) pro-Tor. They implemented a way for their users to whitelist Tor traffic (bypassing all Captchas), without allowing their users to blacklist Tor traffic.

This response seems a bit of a childish knee-jerk reaction from the Tor project, which could've been worded more maturely.
jgrahamc, about 9 years ago
I [I'm CloudFlare's CTO] have been engaging with the Tor folks through their Trac interface here for about 6 weeks: https://trac.torproject.org/projects/tor/ticket/18361 and been very open about how CloudFlare is addressing this.

My plan is to continue to do so through that ticket as I've made various commitments there (some of which, like whitelisting, we've already rolled out). It's worth reading the entire ticket to get a sense of the conversation. We are in no way finished improving the situation.
Artemis2, about 9 years ago
That's just flawed reasoning all around. I can't even find any e-commerce-specific data in their sources.

> A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that originating from the Internet at large. (Specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).

Actual data from the report:

    • Comparison of Tor and non-Tor Traffic:
      Of legitimate requests, non-Tor IPs accounted for 99.96 percent of requests, while Tor exit nodes accounted for 0.04 percent
      Of malicious requests, non-Tor IPs accounted for 98.74 percent of requests, while Tor exit nodes accounted for 1.26 percent
    • Tor exit nodes were far more likely to contain malicious requests:
      1:11,500 non-Tor IPs contained malicious requests
      1:380 Tor exit nodes contained malicious requests
    • However, traffic from Tor exit nodes yielded a conversion rate virtually equal to non-Tor IPs:
      Conversion rate for non-Tor IPs was 1:834
      Conversion rate for Tor exit nodes was 1:895

Source: slide 7 of the report they link in the article – https://i.imgur.com/TcstnWD.jpg
mootothemax, about 9 years ago
I don't know what the solution is here.

One of my sites enjoys a ridiculous number of fraudsters trying to make purchases, many - but very much not all - from the Tor network.

The easy solution is to punish everyone and ban Tor exit nodes from access, and woo, a significant reduction in my fraud rate.

The way I justify this to myself is that the site only accepts payment via PayPal and/or credit cards, and paying with those in itself gives up a good amount of privacy.

For sites that don't make a profit and have to use unpaid time to clean up the mess from some Tor nodes, I really don't know what the solution is.

It definitely sucks for legitimate users.

Edit: one more difficulty is that I don't know if I was targeted by one or two lazy-yet-determined fraudsters who only use Tor, and so make Tor look worse than it is with their repeated attempts. No idea even where to begin with that one.
tlrobinson, about 9 years ago
I feel like Tor is burying their head in the sand here.

I think Tor is great, but I don't find it at all surprising or unlikely that 94% of *traffic* (not users) is malicious (spam, vulnerability scanning, scraping, etc) because it's likely that malicious traffic is automated while legitimate traffic is not.

That said, I'd also like to hear more about CloudFlare's methodology.
nxzero, about 9 years ago
Exchanged comments with Cloudflare's CEO on the topic and in my opinion it appears that they simply don't understand that their view of the situation is skewed.

Here's hoping that given they truly do appear to care about TOR users that they'll revisit the situation and find a better solution.

Here's a link to Cloudflare's blog post and the related comments on HN:

https://news.ycombinator.com/item?id=11388560
pfg, about 9 years ago
> 5) A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that originating from the Internet at large. (Specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).

This point seems rather odd. I'm not following the connection between a large percentage of Tor requests being malicious and the fact that Tor users have almost the same conversion rate. Malicious requests are coming from botnets and/or fraudsters. They're, for the most part, not in the subset of Tor users which click ads or do anything else that would be tracked as part of a site's conversion rate. What's funny about this is that the linked report even confirms that requests from exit nodes are far more likely to be malicious:

    Tor exit nodes were far more likely to contain malicious requests:
    • 1:11,500 non-Tor IPs contained malicious requests
    • 1:380 Tor exit nodes contained malicious requests

I'm a huge supporter of Tor and have been running a relay node for years, but it seems their stance on this topic is quite fundamentalist and they chose to ignore any arguments or facts that they don't like while basically grasping at straws in their counterarguments.

It's okay to be concerned about CloudFlare having such a huge market share. They're a *huge* target for nation states and others alike. Global passive¹ adversaries are a problem for things like Tor, and they might very well be forced to become one at some point. It's essential to have more competition in this area, and that's a fair argument to make.

However, with regards to how they're handling Tor, I don't think there's anything wrong with what they're doing, and the explanations presented in their blog post seemed sound to me.

¹ Or, rather, possibly an active adversary too?
travjones, about 9 years ago
Original Cloudflare blog post that this is a response to: https://blog.cloudflare.com/the-trouble-with-tor/
kjsthree, about 9 years ago
This is a tough situation. I don't know about 94% of TOR traffic being fraudulent but I'm sure it's high. But I'm one of the legit users that gets taken out by blacklisting. I use a VPN service pretty regularly and it makes accessing my Cloudflare account and sites using it incredibly annoying.
devit, about 9 years ago
The really questionable thing CloudFlare seems to be doing is that they captcha traffic depending on the overall reputation of only the source IP rather than whether the source IP is attacking that specific site or even whether the site is under attack.

What they should do instead is this:

1. If the server is not overloaded, do not captcha any traffic at all

2. If the server starts being overloaded, only captcha traffic from IPs that have been detected as attacking THAT specific site

3. If the server is still overwhelmed, only then switch to captchaing all IPs with "bad reputation"

Most websites are probably almost never under attack, so this would make encountering CloudFlare captcha extremely rare in the wild while still providing DDoS protection.

They could even only do this for Tor exit nodes and other IPs that are known to be used by lots of people.

If a site is being DDoSed a lot and the slower start-up of this technique is a problem, then they can revert for those sites to the current behavior of using reputation.
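The staged policy sketched in the comment above, written out as an added example (not CloudFlare's code and not the commenter's); the overload stages, thresholds, site names and IP addresses are constructed assumptions for illustration. It shows the three stages, the per-site opt-out back to reputation-only gating, and the sliding window that lets an IP recover once it stops hammering a site.

```python
"""Staged challenge policy from the comment above (added example, not CloudFlare's code).
Stage 0: origin healthy -> never challenge. Stage 1: overloaded -> challenge only IPs seen
attacking THIS site. Stage 2: still overwhelmed -> also challenge IPs with bad global
reputation. Opted-out sites keep reputation-only gating, the behaviour the comment calls current.
Thresholds, IP addresses and site names below are constructed for illustration."""
from collections import defaultdict, deque

WINDOW_S = 60       # sliding window (seconds) for per-site, per-IP request counting
ATTACK_RPW = 100    # requests per window above which an IP counts as attacking that site


class ChallengePolicy:
    def __init__(self, bad_reputation, reputation_only_sites=()):
        self.bad_reputation = set(bad_reputation)            # global IP reputation feed
        self.reputation_only_sites = set(reputation_only_sites)
        self.hits = defaultdict(deque)                        # (site, ip) -> request timestamps
        self.load = {}                                        # site -> overload stage 0/1/2

    def set_load_stage(self, site, stage):
        """Stage reported by the origin health check: 0 healthy, 1 overloaded, 2 overwhelmed."""
        self.load[site] = stage

    def _record(self, site, ip, now):
        """Append this request and return how many this IP sent to the site in the window."""
        q = self.hits[(site, ip)]
        q.append(now)
        while q and now - q[0] > WINDOW_S:
            q.popleft()
        return len(q)

    def decide(self, site, ip, now):
        """Return 'allow' or 'challenge' for a single request."""
        count = self._record(site, ip, now)
        if site in self.reputation_only_sites:               # per-site opt-out: old behaviour
            return "challenge" if ip in self.bad_reputation else "allow"
        stage = self.load.get(site, 0)
        if stage == 0:                                        # not under load: never challenge
            return "allow"
        if count > ATTACK_RPW:                                # stage >= 1: attacking this site
            return "challenge"
        if stage >= 2 and ip in self.bad_reputation:          # stage 2: fall back to reputation
            return "challenge"
        return "allow"


def demo():
    tor_exit = "198.51.100.7"   # constructed: shared exit IP carrying bad global reputation
    scraper = "203.0.113.9"     # constructed: single IP hammering one site
    policy = ChallengePolicy(bad_reputation={tor_exit}, reputation_only_sites={"target.example"})
    out = {}
    out["quiet_bad_rep"] = policy.decide("blog.example", tor_exit, now=0)        # allow
    policy.set_load_stage("shop.example", 1)
    out["stage1_bad_rep"] = policy.decide("shop.example", tor_exit, now=0)       # allow
    for i in range(ATTACK_RPW + 1):
        last = policy.decide("shop.example", scraper, now=i * 0.1)
    out["stage1_attacker"] = last                                                 # challenge
    policy.set_load_stage("shop.example", 2)
    out["stage2_bad_rep"] = policy.decide("shop.example", tor_exit, now=20)      # challenge
    out["attacker_after_window"] = policy.decide("shop.example", scraper, now=200)  # allow
    out["rep_only_site"] = policy.decide("target.example", tor_exit, now=0)      # challenge
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```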
rbcgerard, about 9 years ago
I find Cloudflare's argument analogous to that of cash - I'm sure some huge percentage of all illegal transactions are with cash, but that does not mean the solution is to ban cash... though some would probably disagree
lazyjones, about 9 years ago
I find the 94% figure believable (for requests, not source IP addresses); Tor is after all the obvious choice for low-bandwidth DoS attacks and unwanted scraping (i.e. a few individuals will generate a large percentage of Tor-routed requests at any time).

The real issue with CF for me isn't the hassle with captchas, but the fact that CloudFlare can track users across all its sites, generate profiles and even read unencrypted traffic. It's a privacy hazard by design that makes Tor particularly attractive. But as long as Tor is used only by a small minority, it will be treated this way.
ryan-c, about 9 years ago
I would expect most of the malicious traffic coming out of Tor isn't using Tor Browser. I wonder what the attack numbers look like for Tor Browser vs not Tor Browser. Cloudflare has client-side checks already, which could be extended to check whether the browser is Tor Browser, and if so, don't block it.
ronaldo1, about 9 years ago
I understand what CloudFlare is saying but I still think that the benefits of allowing legitimate TOR users to access websites freely (without cumbersome captchas) outweigh the troubles malicious users might cause. Public computers such as in libraries are also often used to do reprehensible things, but still, we understand the benefits of having them.

It is also worrying that CloudFlare has this much power. One of the greatest things about the internet is the openness of the platform and the non-existence of gatekeepers.

Also, here is an annotated version of the TOR paper for those who want to read more about it: http://fermatslibrary.com/s/tor-the-second-generation-onion-router
r2pleasent, about 9 years ago
Payments originating from TOR IP addresses absolutely are more likely to be fraudulent. Anyone running an online business could tell you that.
hackuser, about 9 years ago
> Users are either blocked outright with CAPTCHA server failure messages, or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs

Is it really a loop or are users just failing to solve the CAPTCHAs? A loop would be obnoxious: just tell the user they are blocked; giving them more than 2 or infinite CAPTCHAs is a passive-aggressive way to communicate.
BEEdwards, about 9 years ago
This is a terrible reply; it basically says "It's all your fault, we're all good over here."

They then, either because they legitimately can't understand the problem, which would be scary, or because they're being stubborn, fail to address the suggestions by Cloudflare to address the issues.
bogomipz, about 9 years ago
The trouble with Cloudflare is that they receive a disproportionate amount of attention on Hacker News. Sometimes HN feels like an extension of their marketing machine. I'm not so sure every single blog post of theirs needs to be an item on HN. Anyway, that's my .02 cents.
AndyMcConachie, about 9 years ago
I have a question that I'm hoping will spur some discussion and maybe I can learn some stuff.

"Is anonymity in Tor incompatible with low latency?"

I ask this having read this: http://freehaven.net/anonbib/cache/pets13-flow-fingerprints.pdf

I suspect that countermeasures to defeat deanonymization all have a negative impact on latency (e.g. inserting extra packets, pausing between sends).

If the answer to my question is yes, then maybe the best thing the Tor project can do is abandon its push for low latency, and instead focus on anonymity. If Tor were a much higher latency network, attackers would probably find it less interesting.
stegosaurus, about 9 years ago
To me personally all of this just seems like fluff. I can't be the only one that feels this way.

I don't want to 'prove I'm a human' to view your crappy site. I'll go and look at the other bits of the Internet instead.

As an individual browsing, the only contact I have with CloudFlare is a bouncer telling me 'no shoes, no entry'.

Your entire company to me feels like a pointless gatekeeper because of these shenanigans (on and off of Tor).

To be perfectly clear - CloudFlare, as a brand, is tainted to me, and I expect to many others.

Fundamentally I don't think CloudFlare cares because their customers are not the viewers of websites - and if the viewers of websites come to think of CloudFlare as toxic - it still doesn't matter to them directly.
jamespo, about 9 years ago
That post doesn't really offer any solutions.

It would be interesting to find out how CF came to the 94% figure, but a lot of the other claims made are not countered and presumably valid.

I doubt CF's (paying) customers are particularly saddened by Tor users being inconvenienced.
fapjacks, about 9 years ago
CloudFlare looks for ways to justify doing less. First ANY queries, then "free" HTTPS stopping at the first CloudFlare hop, and now the stuff with Tor. I don't trust CloudFlare *at all*, because they say they're holding a torch for the good of humanity, when actually, they're just making "cut costs" business decisions. If you want to do something because it costs less, I understand, then do that. But don't sit there and try to tell me that you're somehow doing it to make the world a better place. That, to me, is super scummy.
kristofferR, about 9 years ago
The main problem with CloudFlare is how dumb their "protection" is.

It doesn't make sense at all to block Tor users from just accessing read-only content, like CloudFlare does today. Forms/login pages/comment boxes etc. should be protected of course, and most people wouldn't have anything against solving a captcha for logging in, but preventing people from just reading stuff anonymously/securely is borderline evil from a user experience point of view.

However, it's obviously much easier from an engineering standpoint to just block people outright.
JDDunn9, about 9 years ago
I think CloudFlare's security measures are insane. I use a VPN and I can tell which sites use CloudFlare because I consistently get an Error 520, where it claims the browser and CloudFlare are working, but the website is not responding. Yet I turn off the VPN and magically it works fine. That's dishonest. At least own that you are the one blocking my visit.

I'm also developing with Dwolla's API, and CloudFlare blocks all HTTP requests from my local IP, so I can't develop locally. Thanks, CloudFlare.
yazaddaruvala, about 9 years ago
Someone with more knowledge of these things, let me know:

Why does Tor not "charge" per request? i.e. using some decentralized currency to pay for requests.

1. Make it cheap enough such that users don't care; however, it financially disincentivizes spammers/malicious users.

2. It would continue to be anonymous - cycle through wallets - all transactions would also be proxied.

3. It would incentivize proxying and exit nodes (exit nodes would effectively collect a bunch of virtual money to be resold to clients for USD).
fabulist, about 9 years ago
Services like CloudFlare are responsible for more and more of the DNS. When they are poor net citizens, they are poor net citizens at a massive scale. Heuristics that end up being equivalent to "Tor users are guilty until proven innocent" can't become the default mode of the Internet. As customers, Tor users, and just people who have a stake in the Internet as a shared resource, we need to demand that they try harder than that.
avip, about 9 years ago
Anonymity ("privacy") and security are conflicting requirements. Tor users take a legit stance, and would be served an equally legit CAPTCHA (if lucky).
greggman, about 9 years ago
How about this solution: (yes, it's only 5% serious)

From every publicly available internet connection do something that appears malicious until Cloudflare's servers annoy everyone. At that point they'll be forced to find a new solution.

This only occurred to me because I get their captchas on public wifi in Starbucks and other public wifi in Japan.
Laaw, about 9 years ago
I'm getting

"Attackers might be trying to steal your information from blog.torproject.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID"

when trying to visit this blog post.
ailanthus, about 9 years ago
CloudFlare uses a flawed algorithm that penalizes developing countries and anyone who uses 1 IP address for many users. And that means that it censors Tor users and impedes human rights.
merb, about 9 years ago
I dislike CloudFlare adoption. More and more I come to sites and need to wait 5 seconds, caused by their DDoS protection. Such things make the less more and more awful.
throwaway-10439, about 9 years ago
The GET solution seems too lightly waved off considering that 90% of Tor requests will be nearly identical to those from trusted IP addresses.
thinkMOAR, about 9 years ago
The trouble with Cloudflare, the lawyers of the internet: making money on other people's problems but not really solving anything.
pharrington, about 9 years ago
Maybe I either missed this or forgot, but what percentage of overall internet traffic handled by Cloudflare is deemed malicious?
cft, about 9 years ago
We are free speech advocates, and yet we had to make a cron that downloads and adds Tor IPs to an ipset, due to botnets.
das-boot, about 9 years ago
> the site only accepts payment via PayPal and/or credit cards, and paying with those in itself gives up a good amount of privacy.

I think both methods are actually not private and have proven not to be private at all.
morsmodr, about 9 years ago
lol, CloudFlare vs Tor (hope it's not disappointing like BvS)
fleitz, about 9 years ago
Clearly Cloudflare's customers prefer this behavior; it's their website, they are free to block Tor traffic if they like.
das-boot, about 9 years ago
> the site only accepts payment via PayPal and/or credit cards, and paying with those in itself gives up a good amount of privacy.

I think both methods have proven not to be private at all.