CloudFlare Looking Into New System That Removes CAPTCHAs for Tor Users

Exterminator

Despite routing a whopping 10 percent of all Internet traffic, CloudFlare is more likely known for its annoying CAPTCHAs that most of the time delay Tor users for minutes before letting them access a website.

The Tor Project hasn't been shy about pointing the finger at CloudFlare in a public manner. Back in February, Tor Project members accused CloudFlare of intentionally sabotaging Tor traffic via its CAPTCHAs and using special cookies to track Tor users across the Web.

CloudFlare responded a month later by denouncing all accusations. The company said that only IP addresses with a bad reputation see the CAPTCHAs, which are a self-defense measure, for the sites CloudFlare is hired to protect.

The company said that 94 percent of all Tor traffic is malicious, and most likely used for automated attacks, hence the reason why regular Tor users see the CAPTCHAs. CloudFlare was adamant that they had nothing against the Tor Project, or its users.

CloudFlare working on a Tor Browser extension
Since actions speak louder than words, CloudFlare is now researching a new system to protect its clients from malicious Tor traffic, but without bombarding Tor users with endless CAPTCHAs.
Called the "Challenge Bypass Specification," the document was published on GitHub two weeks ago.

According to this specification, CloudFlare is working on a Tor Browser extension that generates one-time authentication tokens, called nonces.

Whenever a Tor user would access a CloudFlare-protected site, he'd have to solve one initial CAPTCHA. After that, his browser would supply authentication tokens to the CloudFlare firewall, and the user would not be required to deal with any more CAPTCHAs.

Since malicious traffic is automated with various CLI-tools, attackers wouldn't be able to provide these tokens, and the firewall would do its job, as intended.

Other edge providers can also deploy the extension to filter Tor traffic
Currently, the draft specification uses a modification of the RSA encryption algorithm to generate "blind signatures" that can be used as nonces.

CloudFlare also explains that this system is not specifically tailored to its network. The entire system is modular and other edge providers can deploy it to handle Tor traffic in the same way.

Furthermore, the initial one-time CAPTCHA is not mandatory, and each edge provider could implement its own system to authenticate human users, and then deploy the nonces for subsequent authentication operations.