Re: [tor-talk] do Cloudfare captchas ever work?

2015-06-20 Thread Mirimir
On 06/20/2015 12:31 AM, Andreas Krey wrote:
> On Fri, 19 Jun 2015 22:38:26 +, Joe Btfsplk wrote:
> ...
>> Using default browser installation settings?
>> I so rarely have success, that I immediately close tabs for sites
>> presenting Cloudflare.
>> Even when the puzzle is clearly legible (rarely), it still doesn't work.
>
> The last weeks I was usually getting the number photo captchas,
> and they work. Last week there were more of the hard two word
> captchas, but even these usually work - sometimes I just reload
> the page and then I often get a number captcha.
>
>> If others have even partial success, what's the secret?
>
> Out-of-the-box browser.

Is Javascript always needed to get the number photo CAPTCHAs?

> Andreas

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] do Cloudfare captchas ever work?

2015-06-20 Thread Lars Luthman
On Fri, 2015-06-19 at 22:38 -0500, Joe Btfsplk wrote: 
> Does anyone have any meaningful success rate with Cloudflare captchas in
> Tor Browser?
>
> Using default browser installation settings?
> I so rarely have success, that I immediately close tabs for sites
> presenting Cloudflare.
> Even when the puzzle is clearly legible (rarely), it still doesn't work.
> Not for me - with default TBB settings or even allowing 1st party
> cookies from the target site.
>
> If others have even partial success, what's the secret?
> Getting a different exit relay/ exit country / exit IPa?

That's the only way that ever works for me. Or turning Javascript on,
but I don't want to do that for HTTP sites.

With Javascript on you usually get easier captchas that often let you
through when you get them right. With Javascript off you get the
captchas that look like the names of Lovecraftian deities distorted
through non-Euclidean geometries that are difficult even for us humans
to solve, and even when you definitely solve them you aren't allowed
through but just get presented with another captcha, and another, and
another, ad infinitum.

Switching to different exits helps, but you often have to switch 10 - 20
times in a row before you hit an exit relay that Cloudflare in their
benevolent wisdom has deemed good enough to be allowed to view the web.
And even then you usually just get a few minutes before the gate is
slammed shut and you're back with the captchas.

I suspect that the new exit-switching feature in Tor Browser has made it
slightly worse by putting more load on the few exits that are allowed
through at any given time, making it more likely that Cloudflare will
think it's some sort of DoS attack or automated scraper and block it.
Cloudflare has essentially broken the web for Tor users.

For some reason web proxies like hidemyass.com never seem to be blocked
by Cloudflare so one (annoying) solution is to use one of those with Tor
Browser.


--ll




Re: [tor-talk] do Cloudfare captchas ever work?

2015-06-20 Thread Andreas Krey
On Fri, 19 Jun 2015 22:38:26 +, Joe Btfsplk wrote:
...
> Using default browser installation settings?
> I so rarely have success, that I immediately close tabs for sites
> presenting Cloudflare.
> Even when the puzzle is clearly legible (rarely), it still doesn't work.

The last weeks I was usually getting the number photo captchas,
and they work. Last week there were more of the hard two word
captchas, but even these usually work - sometimes I just reload
the page and then I often get a number captcha.

> If others have even partial success, what's the secret?

Out-of-the-box browser.

Andreas

-- 
Totally trivial. Famous last words.
From: Linus Torvalds torvalds@*.org
Date: Fri, 22 Jan 2010 07:29:21 -0800


Re: [tor-talk] do Cloudfare captchas ever work?

2015-06-20 Thread Seth
On Sat, 20 Jun 2015 06:43:37 -0700, Juan Miguel Navarro Martínez
juanmi.3...@gmail.com wrote:

> On 20/06/2015 at 10:18, Mirimir wrote:
>> Is Javascript always needed to get the number photo CAPTCHAs?
>
> At least for me, it does 100% of the time:
>
> No JS: Infinite unreadable CAPTCHA.
> JS: Either number photo or readable CAPTCHA that work at first try.


Same here.

Cloudflare...destroying privacy one Tor user at a time

Despise that company.


Re: [tor-talk] do Cloudfare captchas ever work?

2015-06-20 Thread Çağıl P . Şesto
TL;DR: If you can, consider not using those services/sites; find
alternatives and promote them.

On Sat, Jun 20, 2015 at 03:43:37PM +0200, Juan Miguel Navarro Martínez wrote:
> On 20/06/2015 at 10:18, Mirimir wrote:
>> Is Javascript always needed to get the number photo CAPTCHAs?
> At least for me, it does 100% of the time:
> No JS: Infinite unreadable CAPTCHA.
> JS: Either number photo or readable CAPTCHA that work at first try.

I like to confirm that, and I like to add, that to get those captchas
you are doing at least two requests not related to the site you are
visiting, one is to g**gle.com (for the captcha) and one to
ajax.clo*dflare.com. So you need Javascript and additional sites
whitelisted in noscript or your other favorite blocking tool.

If cl*udflare is involved, you may be requesting data from them too.

If javascript stays enabled, your session (until cookies expire or
your filesystem cache is cleared) is very trackable by either
g**gle (analytics i.e.) and/or cl*udflare (their cdn), as long
as sites you visit use at least one of their many services like
g**gle analytics or cl*udflare cdn. In terms of cdns, turning
javascript off isn't enough (see E-tags and Cache-Control like
Modified-since).

One reason may be that the captcha process isn't working anymore.
Sophisticated adversaries break those captchas, that's the reason
you get so many of them. The idea of proving you are human is
insane, imho you are proving you are no bot and worth tracking
when you solve the easy captchas, and doing google a favor
doing OCR for their whatever-services.

Consider charging them for that. :)

If cl*udflare would care, the process would be, solve that
captcha provided by cl*udflare or use their Darknet CDN and
visit the site under the following onion address. Because their
customers care about tor users etc. 

But they are busy in terms of legal compliance, certainty. :)

There are many other options - and in my experience most
cl*udflare customers don't know or don't understand that.

cl*udflare is cheap (in implementation and price) and solves
these problems for their customers, they consider us site-effects.

Anyway, many popular sites that have content and community are
using cl*udflare, project.h*neyblock or similar blacklists.

They are easy to implement and keep the trolls and trouble at
bay.

I've tried to reason with some sites to keep the site at least
read only or offer a hiddenservice, most to no avail.

Often, if it comes to offer a hiddenservice someone insists that tor
isn't safe enough. :)

Seems like most software hasn't such elaborate and fine grained
acls, it seems.

Site operators are frustrated and won't give tor users an inch.
If you understand that, you have solved half of the equation.

Their assumption is, that one identifies users by ip, and by using
tor you become indistinguishable from the bad bots and possible
adversaries, so you are not allowed to participate or denied usage.

Btw, that is proof enough, that tor is working very well for most of
my threat models which involve malicious or clueless site operators,
users that may compromise my privacy or anonymity.

I like to elaborate about the presumption of innocence, that is
reversed on tor-users: If you use tor you are presumed an adversary
or bot by those entities and have to jump through their hoops to prove
you are a good person (worth tracking).

It is usually not enough to whitelist two sites, you may need
various other cdns for libraries, g**gly fonts and apis and what not
to let these programs render the data in a way you can receive
them (you can't simply view them anymore).

This sounds like bad news, but the www is so diverse, finding
a replacement site is in most cases a matter of breaking with some
habits - usually one can migrate members to the newfound site too.

Some food for thought, since you usually provide valuable personal
information to those entities or sites, do you really think their
security, which is based on the assumption earlier, is good enough to
protect your data?

In my experience it isn't, if so, they wouldn't need such desperate
measures and tolerate such a high rate of false positives when it comes
to tor-users.

Personally, I find it amusing, that web developers still believe I accidentally
turned off javascript or I am not understanding my client well
enough, and need to be reminded to turn it on again. :)

Or try this reasoning: Do you like to do business with, receive information,
data, content from or participate in a community provided or hosted
by an entity that considers you, or tor users in general bad persons or
adversaries while itself waives any responsibility for your data, your 
privacy, your anonymity?

Yes,  !

Feel free to remind them, that tor users, in most cases aren't adversaries,
they are using tor to circumvent censorship, blocking or insisting on
some form of privacy or anonymity.

It is we, who have to use such desperate measures to protect our privacy
or anonymity. They 

Re: [tor-talk] do Cloudfare captchas ever work?

2015-06-20 Thread Joe Btfsplk

On 06/20/2015 12:31 AM, Andreas Krey wrote:

> The last weeks I was usually getting the number photo captchas,
> and they work. Last week there were more of the hard two word
> captchas, but even these usually work - sometimes I just reload
> the page and then I often get a number captcha.

Thanks.  Yes, I've gotten the house numbers (4 digits) - many times.
They're very legible, but still don't work (TB 4.5.1 / 4.5.2 - Windows).
When I enter them, Cloudflare doesn't give any message, just a new
captcha image.

Sometimes, it shows another 4 digits - still clear.  Then another & another.
After a few times, it may switch to the letters on an acid trip.
Even when I can read all the letters, it still doesn't take.
After the 1st attempt or 2, it also may change the instructions to a non
English language.  I assume based on exit relay location.

In Firefox, I can usually get similar looking captchas to work -
especially if it's not from Cloudflare.

Which out of the box browser do you mean?  I've tried clean installs
of TB before w/ default settings.

Don't remember having any better luck w/ Cloudflare.

To get it to work, are you allowing 1st and / or 3rd party cookies - for
both the target site & whatever the URL is for the Cloudflare captcha page?

I wonder if the OS makes a difference to Cloudflare?


On 6/20/2015 3:18 AM, Mirimir wrote:
> Is Javascript always needed to get the number photo CAPTCHAs?

I think it may be (or used to be so).
IIRC, in Firefox, if NoScript wasn't set to allow all scripts (possibly
1st & 3rd party), sometimes I couldn't see all elements on the captcha page.




Re: [tor-talk] do Cloudfare captchas ever work?

2015-06-20 Thread Joe Btfsplk
Just to clarify (to all that replied) - I have JS enabled.  At least, 
when trying to get captchas to work.

Then, I'm using Tor Browser's default settings for NoScript.

I just tried a couple of sites w/ Cloudflare.
Today, it worked, but not on the 1st try - even with legible house numbers.
But today I also checked the exit relay country, when it worked.  It was
in a well behaved European country.

Other times when Cloudflare didn't work, I didn't always think to check,
to see if there's any pattern to Cloudflare not working & specific exit
relay countries.

FYI - for others, when using _vanilla Firefox_ & AdBlock Plus (or
similar), Cloudflare doesn't like it.  Even if NoScript is set to allow
all scripts.
Maybe because of blocking ads, but also maybe because ABP blocks some
scripts.  Depending on the target site, some of those may be 3rd party
scripts (for CDNs, or) that Cloudflare requires to be allowed, before
they'll allow the captcha to work.



On 6/20/2015 6:35 AM, Lars Luthman wrote:

> On Fri, 2015-06-19 at 22:38 -0500, Joe Btfsplk wrote:
>
>> Does anyone have any meaningful success rate with Cloudflare captchas in
>> Tor Browser?
>>
>> Using default browser installation settings?
>> I so rarely have success, that I immediately close tabs for sites
>> presenting Cloudflare.
>> Even when the puzzle is clearly legible (rarely), it still doesn't work.
>> Not for me - with default TBB settings or even allowing 1st party
>> cookies from the target site.
>>
>> If others have even partial success, what's the secret?
>> Getting a different exit relay/ exit country / exit IPa?
>
> That's the only way that ever works for me. Or turning Javascript on,
> but I don't want to do that for HTTP sites.
>
> With Javascript on you usually get easier captchas that often let you
> through when you get them right. With Javascript off you get the
> captchas that look like the names of Lovecraftian deities distorted
> through non-Euclidean geometries that are difficult even for us humans
> to solve, and even when you definitely solve them you aren't allowed
> through but just get presented with another captcha, and another, and
> another, ad infinitum.
>
> Switching to different exits helps, but you often have to switch 10 - 20
> times in a row before you hit an exit relay that Cloudflare in their
> benevolent wisdom has deemed good enough to be allowed to view the web.
> And even then you usually just get a few minutes before the gate is
> slammed shut and you're back with the captchas.
>
> I suspect that the new exit-switching feature in Tor Browser has made it
> slightly worse by putting more load on the few exits that are allowed
> through at any given time, making it more likely that Cloudflare will
> think it's some sort of DoS attack or automated scraper and block it.
> Cloudflare has essentially broken the web for Tor users.
>
> For some reason web proxies like hidemyass.com never seem to be blocked
> by Cloudflare so one (annoying) solution is to use one of those with Tor
> Browser.
>
>
> --ll






Re: [tor-talk] Matryoshka: Are TOR holes intentional?

2015-06-20 Thread n...@cock.li
grarpamp:
> http://shofarnexus.com/Blog-2015-01-13

Under The hole in TOR:
> If you see a 456 byte message sent from computer A and a moment later
> the same or similar size message arrive at computer B you could draw
> an obvious conclusion.

But, Tor cells are a fixed-size of 512 bytes:
https://www.torproject.org/docs/faq#CellSize

Regarding timing attacks: doesn't the natural deviation in latency
over the internet, and the size of the tor network, make correlation a
bit more difficult (for short-lived connections at least)?
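
An added illustration of the fixed-size cell point in the message above (not code from the post or from the Tor project): a Python model that packs messages into 512-byte cells and reports what an observer would count on the wire. The 3-byte cell header, the 11-byte relay header and the command numbers are assumptions of this model, and encryption is not modeled.

```python
import struct

CELL_LEN = 512   # fixed cell size cited in the message above
CELL_HDR = 3     # assumption: 2-byte circuit ID + 1-byte command
RELAY_HDR = 11   # assumption: command, recognized, stream ID, digest, length
DATA_MAX = CELL_LEN - CELL_HDR - RELAY_HDR  # 498 data bytes per cell


def to_cells(message: bytes, circ_id: int = 1, stream_id: int = 1) -> list:
    """Split a message into fixed-size cells, zero-padding the last one."""
    cells = []
    for off in range(0, max(len(message), 1), DATA_MAX):
        chunk = message[off:off + DATA_MAX]
        # Relay header: the length field says how much of the data area is real.
        relay = struct.pack("!BHHIH", 2, 0, stream_id, 0, len(chunk))
        padded = chunk.ljust(DATA_MAX, b"\x00")
        cells.append(struct.pack("!HB", circ_id, 3) + relay + padded)
    return cells


def from_cells(cells) -> bytes:
    """Receiver side: strip headers and padding using the length field."""
    out = b""
    for cell in cells:
        (length,) = struct.unpack_from("!H", cell, CELL_HDR + RELAY_HDR - 2)
        start = CELL_HDR + RELAY_HDR
        out += cell[start:start + length]
    return out


def wire_size(message: bytes) -> int:
    """Bytes an on-path observer would count for this message."""
    return sum(len(c) for c in to_cells(message))


if __name__ == "__main__":
    for n in (100, 456, 498, 499, 2000):  # constructed sample sizes
        msg = bytes(n)
        assert from_cells(to_cells(msg)) == msg
        print(f"{n:5d} payload bytes -> {wire_size(msg):5d} bytes on the wire")
```

In this model the 456-byte message is indistinguishable by size from a 100-byte one, but the number of cells still reveals the payload size in 498-byte steps.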