CloudFlare wants Tor to change or risk roadblocks

TheWindBringeth · Mar 31, 2016

https://thestack.com/security/2016/03/31/cloudflare-wants-tor-to-change-or-risk-roadblocks/

Content delivery network provider CloudFlare has asked to work with the Tor Project to implement solutions that will allow users of the anonymity-providing web browser to avoid blocks, CAPTCHAs and a growing list of other impediments which seem to be signalling a war between Tor users and regular network traffic.
Click to expand...

CloudFlare co-founder Matthew Prince writes that 94% of the requests that CloudFlare logs across the Tor network are ‘per se malicious’.
...
The offer of compromise comes in the wake of a heated comments-section debate in the last five weeks in an already inflammatory post at the Tor Project entitled ‘Issues with corporate censorship and mass surveillance’.
Click to expand...

CloudFlare have proposed a considerable number of solutions to the CAPTCHA blockades, but all of them require the degrading either of the Tor service (such as full 160-bit SSL hashes, likely to slow the service to a crawl) or the anonymity it provides (such as a plug-in that makes special communication to CloudFlare in cases where a CAPTCHA might otherwise be encountered.
Click to expand...

Palancar · Mar 31, 2016

Well I can vouch for seeing a good number of captcha's daily. They are not fun, but degrading security to eliminate them is not the way to go either.

mirimir · Mar 31, 2016

There are good arguments in that ticket for serving CAPTCHAs more selectively. Also, as I understand it, CloudFlare will be giving its customers more flexibility in choosing how to handle Tor users.

TheWindBringeth · Oct 1, 2016

https://motherboard.vice.com/read/tor-captchas

a new repository on CloudFlare’s Github page shows that the company is developing an alternative method for anonymous users to access sites without having to repeatedly solve annoying CAPTCHA puzzles
Click to expand...

As Brave developer Yan Xu points out, the spec is based around the concept of “blind signatures,” originally proposed in 1983 by cryptographer David Chaum.
Click to expand...

“In essence, the protocol allows a user to solve a single CAPTCHA and in return learn a specified number of tokens that are blindly signed that can be used for redemption instead of witnessing CAPTCHA challenges in the future,” the CloudFlare authors write. “By issuing a number of tokens per CAPTCHA solution that is suitable for ordinary browsing but too low for attacks, we maintain similar protective guarantees to those of CloudFlare's current system. We also leave the door open to an elevated threat response that does not offer to accept bypass tokens.”
Click to expand...

https://github.com/cloudflare/challenge-bypass-specification
https://github.com/cloudflare/chall...on/blob/master/captcha-bypass-formal-spec.txt

mirimir · Oct 2, 2016

That seems reasonable. As long as those signatures are truly unlinkable. Which seems like a lot to accept on trust. I mean, how would someone demonstrate that they are linkable, or not?

Log in or Sign up

CloudFlare wants Tor to change or risk roadblocks

TheWindBringeth Registered Member

Palancar Registered Member

mirimir Registered Member

TheWindBringeth Registered Member

mirimir Registered Member

Log in or Sign up

CloudFlare wants Tor to change or risk roadblocks

TheWindBringeth Registered Member

Palancar Registered Member

mirimir Registered Member

TheWindBringeth Registered Member

mirimir Registered Member

Useful Searches