Re: [tor-talk] do Cloudfare captchas ever work?
On Sat, 2015-06-20 at 13:35 +0200, Lars Luthman wrote: With Javascript on you usually get easier captchas that often let you through when you get them right. With Javascript off you get the captchas that look like the names of Lovecraftian deities distorted through non-Euclidean geometries that are difficult even for us humans to solve, and even when you definitely solve them you aren't allowed through but just get presented with another captcha, and another, and another, ad infinitum. Switching to different exits helps, but you often have to switch 10 - 20 times in a row before you hit an exit relay that Cloudflare in their benevolent wisdom has deemed good enough to be allowed to view the web. And even then you usually just get a few minutes before the gate is slammed shut and you're back with the captchas. Replying to my own lamentation here - has anyone else noticed that it seems to have got a lot better in the last week? The captchas are still impenetrable without Javascript but most of the time it's enough to switch circuits one or two times to get one without captchas, and you stay captcha-free for much longer. --ll signature.asc Description: This is a digitally signed message part -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Mon, Jun 22, 2015 at 8:15 PM, Joe Btfsplk joebtfs...@gmx.com wrote: mansour moufid wrote: Sometimes I wonder if it's really Cloudflare, or some bad exit node running a CAPTCHA solving business. Mansour, to what end would they run a captcha solving business? If they were, I don't understand how they'd benefit. http://www.zdnet.com/article/inside-indias-captcha-solving-economy/ Replace poor Indians with Tor users. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Tue, Jun 23, 2015 at 2:38 PM, Joe Btfsplk joebtfs...@gmx.com wrote: OK, but how is that a business for an exit relay? Business implies profit or gaining some benefit. You're saying that some exit relay operator would form business partnerships with sites, to provide captcha services? Wouldn't that be detectable to the Tor Project - or not? Does it make sense that an operator would limit their captcha service (for sale), to sites - only if site users / customers came thru the few relays they control? Not much of a market. Isn't that like Cloudfare only offering their services to a few sites out of the entire web? The website are not part of the game at all. It's much simpler. Spammers would like to solve CAPTCHAs. They submit them to the hypothetical CAPTCHA solving service, with micropayment, and receive the solution. Outsourcing through the Tor network would make it possible in real time. It's just a thought experiment. Ever since we've been subjected to this nuissance I've had the opinion that services like Cloudflare (not to pick on them) that centralize the web are harmful. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On 6/23/2015 4:04 AM, kleft wrote: mansour moufid wrote: Sometimes I wonder if it's really Cloudflare, or some bad exit node running a CAPTCHA solving business. Mansour, to what end would they run a captcha solving business? If they were, I don't understand how they'd benefit. It's useful for automated downloads eg with an uploaded.to free-accounts. (This is the only website I remember right now, but there are many other services require the user to enter captchas to get some content.) OK, but how is that a business for an exit relay? Business implies profit or gaining some benefit. You're saying that some exit relay operator would form business partnerships with sites, to provide captcha services? Wouldn't that be detectable to the Tor Project - or not? Does it make sense that an operator would limit their captcha service (for sale), to sites - only if site users / customers came thru the few relays they control? Not much of a market. Isn't that like Cloudfare only offering their services to a few sites out of the entire web? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Mon, Jun 22, 2015 at 06:53:23PM -0400, Mansour Moufid wrote: Sometimes I wonder if it's really Cloudflare, or some bad exit node running a CAPTCHA solving business. If one doesn't use TLS that is a valid claim. Since the captcha image delivery should originate from google with https in most cases, you only need to redirect the cloudflare redirect, and since cloudflare promotes and encourages TLS itself, it depends soley on the tor user or the site participating in the cf-cdn using HSTS and CSP. If you don't use TLS you may run into problems I mentioned earlier with the privoxy filters and you are wide open to many scary injection and XSS attacks. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
You're saying that some exit relay operator would form business partnerships with sites, to provide captcha services? I think the suggestion is they'd provide captcha _solving_ services. If you know where to look, you can find 'businesses' that provide just those services - workers (or users) sat solving captcha after captcha so that your scripts can go about their business unimpeded once you're able to automatically solve the captchas you're presented with. On Tue, Jun 23, 2015 at 7:38 PM, Joe Btfsplk joebtfs...@gmx.com wrote: On 6/23/2015 4:04 AM, kleft wrote: mansour moufid wrote: Sometimes I wonder if it's really Cloudflare, or some bad exit node running a CAPTCHA solving business. Mansour, to what end would they run a captcha solving business? If they were, I don't understand how they'd benefit. It's useful for automated downloads eg with an uploaded.to free-accounts. (This is the only website I remember right now, but there are many other services require the user to enter captchas to get some content.) OK, but how is that a business for an exit relay? Business implies profit or gaining some benefit. You're saying that some exit relay operator would form business partnerships with sites, to provide captcha services? Wouldn't that be detectable to the Tor Project - or not? Does it make sense that an operator would limit their captcha service (for sale), to sites - only if site users / customers came thru the few relays they control? Not much of a market. Isn't that like Cloudfare only offering their services to a few sites out of the entire web? -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- Ben Tasker https://www.bentasker.co.uk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Mon, Jun 22, 2015 at 07:15:24PM -0500, Joe Btfsplk wrote: Is that actually true? (they can track you over various exits) Is that what the design document says? Tor can't protect you, if your browser emits cookies or information about cached content back to an entity that operates global scale cdn or services: Lets make it easy: You are you (joe) and there is google (gog) and cloudflare (clo): You are ordering pizza via tor-exit1 (tex1) and watch some cats while eating that pizza on tor-exit2 (tex2). In your first session, you request content, a picture of said pizza from a cdn (clo) and with that request comes caching information and cookies from (clo) along with that picture. (clo) knows you now as an entity, you are emitting cookies back to (clo) with every use of his cdn. Lets assume the pizza service uses a website analytics service from (gog) under the premise of customer statisfaction: Your browser, requests 1x1pixel from that service, with that pixel comes another cookie, you are now knowm to (gog) as an pizza eating entity too. Every time you visit another site using (gog) analytics, you are the same pizza eating entity. Its time to go to the loo, and the pizza is delivered. The tor-client did his awesome job and has build new circuits, (joe) is know using (tex2). So, whats better than pizza? Pizza and cats: (joe) requests a embedded catmovie from some catmovie site, bad for him the catmovie is delivered via (clo) cdn, the browser adds the cookie to the request and (clo) adds that information to the record they startet about you earlier. Unfortunately catmovies uses the (gog) analytics service too (because its free, so who would mind), and (gog) gets their cookie back from earlier. Sorry to say, I am under the impression, you have watched to much VPN advertising, if it comes to your browser, your ip is no longer of interest. You really should get rid of that misconception that you are a ip address or somebody uses ip address to track people, since the inception of tor and vpn networks thats plain stupid. If you don't like to third parties from knowing that you are into the cat thing, the right thing to do would to use your browser to order pizza and using TBB to watch cats - that works. But, many Tor Browser users seem to question allowing all scripts by default - including 3rd party. That example works with plain http or https, were https is recommended while using tor. There was no active content involved. On the _latter point_, I'm not as technically advanced as many on this list, to fully understand ALL subtleties in the design document. It gets nasty and scary with active content involved, tor is only a network, it can hide your ip, but thats not always the solution. On the _latter point_, I'm not as technically advanced as many on this list, to fully understand ALL subtleties in the design document. If one only has one tool, lets say a hammer, one tends to see every problem as nail, thats what you are doing. Please consider which parts of your personal habits and needs you like to expose in which way. So order pizza with your whatever browser and do the lewd cats thing with TBB. I know, not very convenient, but privacy or anonymity aren't avaliable in a convenient way anymore. Your ip has nothing to do with that anymore. That said, it isn't impossible. I still try to convice site owners to respect visitors and not exclude, track or sell their anonymity or privacy for some funky graphs. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Tue, Jun 23, 2015 at 11:04:37AM +0200, kleft wrote: Boards with illegal content like crimenetwork.biz are using cloudflare too. Thats, why cloudflare should offer them, to distribute their content via a HS via their cdn, and that would be fun for all involved parties. Since a cdn is always part-authorative for their customers content, it is the most interesting thing they could do. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
Hey there, (TL;dr) Anyway, funny is pirates are using cloudflare too... Please explain? Boards with illegal content like crimenetwork.biz are using cloudflare too. You can't really access sites with cloudflare's security-settings switched to very secure if you don't enable JavaScript. I better don't think about what Scripts they will run. mansour moufid wrote: Sometimes I wonder if it's really Cloudflare, or some bad exit node running a CAPTCHA solving business. Mansour, to what end would they run a captcha solving business? If they were, I don't understand how they'd benefit. It's useful for automated downloads eg with an uploaded.to free-accounts. (This is the only website I remember right now, but there are many other services require the user to enter captchas to get some content.) -- Best Wishes Kleft I disapprove of what you say, but I will defend to the death your right to say it Evelyn Beatrice Hall (as seen on @mrphs) On Jun 23, 2015, at 2:15 AM, Joe Btfsplk joebtfs...@gmx.com wrote: Thanks for the helpful replies. On 6/22/2015 9:36 AM, Çağıl P. Şesto wrote: A cdn like clouldflare can track you very easy over various exits, tor currently has 1115 relays that are exits, its possible to mark all of them malicious on a blacklist-providers sensor in 15-30 minutes. Is that actually true? (they can track you over various exits) Is that what the design document says? https://www.torproject.org/projects/torbrowser/design/#privacy But, many Tor Browser users seem to question allowing all scripts by default - including 3rd party. For browser / computer security, as much as anything. As I understand (roughly paraphrasing), the thinking on allowing JS is, - many sites won't work fully (or at all) without JS. Certainly, captchas won't. - if all users have JS enabled, no one stands out. - Tor Browser design protects against privacy (possibly anonymity) issues like cross domain tracking. On the _latter point_, I'm not as technically advanced as many on this list, to fully understand ALL subtleties in the design document. Anyway, funny is pirates are using cloudflare too... Please explain? mansour moufid wrote: Sometimes I wonder if it's really Cloudflare, or some bad exit node running a CAPTCHA solving business. Mansour, to what end would they run a captcha solving business? If they were, I don't understand how they'd benefit. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Tue, Jun 23, 2015 at 06:58:57PM -0500, Joe Btfsplk wrote: Thanks Çağıl, You are welcome. On certain points you made (it seems), it's absolutely trivial for Cloudfare or any entity operating on a large number of sites, to track Tor / TBB users - across domains - on every site visited, that the tracking entity also monitors? My Example should illustrate, that the amount of privacy or anonymity you get out of tor, when using a browser depends much more on you as on the software (TBB) or the anonymizing network and you should take that into account. How you operate your browser matters. That assumes and / or implies several things (in Tor Browser). 1. You allow cookies AND 3rd party cookies, on many / most sites visited. On a network layer, the cdn may be completly transpartent to your browser, only difference are headers in the response, depending on the cdn. So, the site you requesting from is a proxy on, or that cdn and no different entity. This behavior is often not taken into account. 2. You rarely clear those cookies. Depending on setting, cookies may stay arbitrary amounts of time, depending on cookie orignator and your browser settings. I prefer to nomalize them all into session cookies, they expire when I close the browser. 3. You never clear browser cache, except at shutdown. That, or even worse settings are often the default. Like cookies, cached content can, depending on your browsers history or chache settings stay arbitrary amounts of time, esp. with TBB and many open tabs over long periods of time, for example. 4. You rarely, if ever, use the TBB new identity feature, during a single session. The new identiy feature is awesome, and my observation that humans should use it more often before watching cats and not deem it inconvenient. 5. TBB allows other non-cookie tracking methods (beacons, what ever) to be set AND allows them to be read *across all domains visited.* On #4, did I misunderstand the TBB design document, and misunderstand the discussion that Mike Perry (I believe) had on this list, about cross domain tracking not being allowed? As said earlier, I can't tell specifics/interna about TBB, and I am not aware of said discussion. It depends also on plugins like Noscript and their configuration and so on, the usage of TLS and so on. My example uses a default browser and tor thats what I use at the moment. 6. A multi site tracker (CDN, Google, NSA) can read TBB all cached content. Or, perhaps only the cached content that they set in TBB (but across all domains)? It is not a multi site tracker, its an entity or organization that runs a huge network of hosts, that delivers either content for said organisation or content of behalf of their customers (a cdn). It can't read content in your cache, it is your browser, that sends information about the state of your cookies file and your filesystem cache back to said entities, with every request you may send to them. Depending hugely on the way, how you utilize TBB. If everything you say is true (if I understand), then any major tracker can know most of the sites you've been to exactly what you did at each one (because of the cross domain tracking that TBB allows - by design)? They *only* thing they don't know (yet) may be your real IPa? It dependes soley on your browser, and the ability of said entities to access certain apis (functionalty in your browser) that may or may not be available at the moment you request data from them. media.peerconnection is disabled in TBB, which is great and they patch OCSP and PKIX code too, which I consider awesome. It sounds like you're not just saying there are *some* possible ways for cross origin tracking, but that much of the Tor Browser design document regarding this has no validity? I didn't say that, I don't doubt the TBB Devs doing a great job. I think you can't get more privacy than from TBB, but you have to understand how it works, to let it protect you. Sect. 4.5 Cross-Origin Identifier Unlinkability https://www.torproject.org/projects/torbrowser/design/#identifier-linkability subsection of 4.5, Identifier Unlinkability Defenses in the Tor Browser, that says, Here is the list that we have discovered and dealt with to date: It says (isolated) using the URL bar domain. if a cdn, is in part or fully authorative for said URL bar domain, than identifiers may be linkable. If in doubt, request a new identity via tor button. 4.7. Long-Term Unlinkability via New Identity button https://www.torproject.org/projects/torbrowser/design/#new-identity This is great, and if you use it between ordering pizza and watching lewd cats, all is well. You should read https://www.torproject.org/projects/torbrowser/design/#adversary and https://www.torproject.org/projects/torbrowser/design/#deprecate and take that information into consideration. My hourly consulting fee should be donated to the tor-project.org. TYVM :) -- tor-talk mailing list -
Re: [tor-talk] do Cloudfare captchas ever work?
Thanks Çağıl, I'll have to ponder some of your comments. On other points, some highly advanced users may have to jump in comment. On certain points you made (it seems), it's absolutely trivial for Cloudfare or any entity operating on a large number of sites, to track Tor / TBB users - across domains - on every site visited, that the tracking entity also monitors? That assumes and / or implies several things (in Tor Browser). 1. You allow cookies AND 3rd party cookies, on many / most sites visited. 2. You rarely clear those cookies. 3. You never clear browser cache, except at shutdown. 4. You rarely, if ever, use the TBB new identity feature, during a single session. 5. TBB allows other non-cookie tracking methods (beacons, what ever) to be set AND allows them to be read *across all domains visited.* On #4, did I misunderstand the TBB design document, and misunderstand the discussion that Mike Perry (I believe) had on this list, about cross domain tracking not being allowed? 6. A multi site tracker (CDN, Google, NSA) can read TBB all cached content. Or, perhaps only the cached content that they set in TBB (but across all domains)? If everything you say is true (if I understand), then any major tracker can know most of the sites you've been to exactly what you did at each one (because of the cross domain tracking that TBB allows - by design)? They *only* thing they don't know (yet) may be your real IPa? It sounds like you're not just saying there are *some* possible ways for cross origin tracking, but that much of the Tor Browser design document regarding this has no validity? Sect. 4.5 Cross-Origin Identifier Unlinkability https://www.torproject.org/projects/torbrowser/design/#identifier-linkability subsection of 4.5, Identifier Unlinkability Defenses in the Tor Browser, that says, Here is the list that we have discovered and dealt with to date: Sect 4.6 Cross-Origin Fingerprinting Unlinkability https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability 4.7. Long-Term Unlinkability via New Identity button https://www.torproject.org/projects/torbrowser/design/#new-identity On 6/23/2015 3:41 PM, Çağıl P. Şesto wrote: On Mon, Jun 22, 2015 at 07:15:24PM -0500, Joe Btfsplk wrote: Is that actually true? (they can track you over various exits) Is that what the design document says? Tor can't protect you, if your browser emits cookies or information about cached content back to an entity that operates global scale cdn or services: Lets make it easy: You are you (joe) and there is google (gog) and cloudflare (clo): You are ordering pizza via tor-exit1 (tex1) and watch some cats while eating that pizza on tor-exit2 (tex2). In your first session, you request content, a picture of said pizza from a cdn (clo) and with that request comes caching information and cookies from (clo) along with that picture. (clo) knows you now as an entity, you are emitting cookies back to (clo) with every use of his cdn. Lets assume the pizza service uses a website analytics service from (gog) under the premise of customer statisfaction: Your browser, requests 1x1pixel from that service, with that pixel comes another cookie, you are now knowm to (gog) as an pizza eating entity too. Every time you visit another site using (gog) analytics, you are the same pizza eating entity. Its time to go to the loo, and the pizza is delivered. The tor-client did his awesome job and has build new circuits, (joe) is know using (tex2). So, whats better than pizza? Pizza and cats: (joe) requests a embedded catmovie from some catmovie site, bad for him the catmovie is delivered via (clo) cdn, the browser adds the cookie to the request and (clo) adds that information to the record they startet about you earlier. Unfortunately catmovies uses the (gog) analytics service too (because its free, so who would mind), and (gog) gets their cookie back from earlier. Sorry to say, I am under the impression, you have watched to much VPN advertising, if it comes to your browser, your ip is no longer of interest. You really should get rid of that misconception that you are a ip address or somebody uses ip address to track people, since the inception of tor and vpn networks thats plain stupid. If you don't like to third parties from knowing that you are into the cat thing, the right thing to do would to use your browser to order pizza and using TBB to watch cats - that works. But, many Tor Browser users seem to question allowing all scripts by default - including 3rd party. That example works with plain http or https, were https is recommended while using tor. There was no active content involved. On the _latter point_, I'm not as technically advanced as many on this list, to fully understand ALL subtleties in the design document. It gets nasty and scary with active content involved, tor is only a network, it can hide your ip, but thats not always the solution. On the _latter point_, I'm
Re: [tor-talk] do Cloudfare captchas ever work?
Thanks for the helpful replies. On 6/22/2015 9:36 AM, Çağıl P. Şesto wrote: A cdn like clouldflare can track you very easy over various exits, tor currently has 1115 relays that are exits, its possible to mark all of them malicious on a blacklist-providers sensor in 15-30 minutes. Is that actually true? (they can track you over various exits) Is that what the design document says? https://www.torproject.org/projects/torbrowser/design/#privacy But, many Tor Browser users seem to question allowing all scripts by default - including 3rd party. For browser / computer security, as much as anything. As I understand (roughly paraphrasing), the thinking on allowing JS is, - many sites won't work fully (or at all) without JS. Certainly, captchas won't. - if all users have JS enabled, no one stands out. - Tor Browser design protects against privacy (possibly anonymity) issues like cross domain tracking. On the _latter point_, I'm not as technically advanced as many on this list, to fully understand ALL subtleties in the design document. Anyway, funny is pirates are using cloudflare too... Please explain? mansour moufid wrote: Sometimes I wonder if it's really Cloudflare, or some bad exit node running a CAPTCHA solving business. Mansour, to what end would they run a captcha solving business? If they were, I don't understand how they'd benefit. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
If these are the pirates you seek, I much prefer their hidden service, no captchas to be found: http://uj3wazyk5u4hnvtk.onion 22. Jun 2015 14:36 by secp...@abwesend.de: Anyway, funny is pirates are using cloudflare too, I consider them busy until they solve that problem. :) -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
Sometimes I wonder if it's really Cloudflare, or some bad exit node running a CAPTCHA solving business. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Sat, Jun 20, 2015 at 09:30:11PM -0500, Joe Btfsplk wrote: Just to clarify (to all that replied) - I have JS enabled. At least, when trying to get captchas to work. Then, I'm using Tor Browser's default settings for NoScript. My observations and conclusions: - two captchas, both unreadable : the tarpit for robots, you usally don't get other captchas until you turn js on. - two captchas, one readable, one unreadble : the original captcha approach as seen in recaptcha (it is considered broken since 2010). - one captcha (usally parts of google streetview): they consider you human, you usually need javascript to get those (easy to ocr). in a well behaved European country. I wouldn't count on that. Other times when Cloudfare didn't work, I didn't always think to check, to see if there's any pattern to Cloudfare not working specific exit relay countries. I don't think it helps much to change exit nodes, you may need to clear your filesystem cache and cookies too (or not). Someone who abuses exitrelays just tries one after another until he succeeds. Could be worth to automate TBB and check. Most services which try to detect abuse automatically use blacklists and/or signatures/fingerprints. If you like to understand captchas better see: https://www.google.com/recaptcha/intro/index.html There are some papers from 2005 and 2010 were captchas got ocr'd and broken. Adam Langley had some more information on his blog, some of it got lost, somehow. A cdn like clouldflare can track you very easy over various exits, tor currently has 1115 relays that are exits, its possible to mark all of them malicious on a blacklist-providers sensor in 15-30 minutes. You may also see messages like: Your IP address *.25.103.* has been flagged as a scanner. Scanners are not permitted. If you are seeing this message in error, please contact security@*.io. And that says it all: - its not my ip :) - you can't flag an ip :) - I am not a scanner :) - I won't contact them - BTDT :) Even if I would contact them, all I can tell them, its not my ip and their assumptions are all false and their service is prone to false positives. As said earlier, if the site you are visiting is one of a kind, it may be worth your time to talk to them and about cloudflare, usually they are not interested. Reddit gives a good example, how to treat tor-users. CC;DR - Cloudflare captcha, didn't read. Anyway, funny is pirates are using cloudflare too, I consider them busy until they solve that problem. :) -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On 06/20/2015 12:31 AM, Andreas Krey wrote: On Fri, 19 Jun 2015 22:38:26 +, Joe Btfsplk wrote: ... Using default browser installation settings? I so rarely have success, that I immediately close tabs for sites presenting Cloudfare. Even when the puzzle is clearly legible (rarely), it still doesn't work. The last weeks I was usually getting the number photo captchas, and they work. Last week there were more of the hard two word captchas, but even these usually work - sometimes I just reload the page and then I often get a number captcha. If others have even partial success, what's the secret? Out-of-the-box browser. Is Javascript always needed to get the number photo CAPTCHAs? Andreas -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Fri, 2015-06-19 at 22:38 -0500, Joe Btfsplk wrote: Does anyone have any meaningful success rate with Cloudfare captchas in Tor Browser? Using default browser installation settings? I so rarely have success, that I immediately close tabs for sites presenting Cloudfare. Even when the puzzle is clearly legible (rarely), it still doesn't work. Not for me - with default TBB settings or even allowing 1st party cookies from the target site. If others have even partial success, what's the secret? Getting a different exit relay/ exit country / exit IPa? That's the only way that ever works for me. Or turning Javascript on, but I don't want to do that for HTTP sites. With Javascript on you usually get easier captchas that often let you through when you get them right. With Javascript off you get the captchas that look like the names of Lovecraftian deities distorted through non-Euclidean geometries that are difficult even for us humans to solve, and even when you definitely solve them you aren't allowed through but just get presented with another captcha, and another, and another, ad infinitum. Switching to different exits helps, but you often have to switch 10 - 20 times in a row before you hit an exit relay that Cloudflare in their benevolent wisdom has deemed good enough to be allowed to view the web. And even then you usually just get a few minutes before the gate is slammed shut and you're back with the captchas. I suspect that the new exit-switching feature in Tor Browser has made it slightly worse by putting more load on the few exits that are allowed through at any given time, making it more likely that Cloudflare will think it's some sort of DoS attack or automated scraper and block it. Cloudflare has essentially broken the web for Tor users. For some reason web proxies like hidemyass.com never seem to be blocked by Cloudflare so one (annoying) solution is to use one of those with Tor Browser. --ll signature.asc Description: This is a digitally signed message part -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Fri, 19 Jun 2015 22:38:26 +, Joe Btfsplk wrote: ... Using default browser installation settings? I so rarely have success, that I immediately close tabs for sites presenting Cloudfare. Even when the puzzle is clearly legible (rarely), it still doesn't work. The last weeks I was usually getting the number photo captchas, and they work. Last week there were more of the hard two word captchas, but even these usually work - sometimes I just reload the page and then I often get a number captcha. If others have even partial success, what's the secret? Out-of-the-box browser. Andreas -- Totally trivial. Famous last words. From: Linus Torvalds torvalds@*.org Date: Fri, 22 Jan 2010 07:29:21 -0800 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
On Sat, 20 Jun 2015 06:43:37 -0700, Juan Miguel Navarro Martínez juanmi.3...@gmail.com wrote: El 20/06/2015 a las 10:18, Mirimir escribió: Is Javascript always needed to get the number photo CAPTCHAs? At least for me, it does 100% of the time: No JS: Infinite unreadable CAPTCHA. JS: Either number photo or readable CAPTCHA that work at first try. Same here. Cloudflare...destroying privacy one Tor user at a time Despise that company. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
TL;DR: If you can, consider not using that services/sites find alternatives and promote them. On Sat, Jun 20, 2015 at 03:43:37PM +0200, Juan Miguel Navarro Martínez wrote: El 20/06/2015 a las 10:18, Mirimir escribió: Is Javascript always needed to get the number photo CAPTCHAs? At least for me, it does 100% of the time: No JS: Infinite unreadable CAPTCHA. JS: Either number photo or readable CAPTCHA that work at first try. I like to confirm that, and I like to add, that to get those captchas you are doing at least two requests not related to the site you are visiting, one is to g**gle.com (for the captcha) and one to ajax.clo*dflare.com. So you need Javascript and additional sites whitelisted in noscript or your other favorite blocking tool. If cl*udflare is involved, you may requesting data from them too. If javascript stays enabled, your session (until cookies expire or your filesystem cache is cleared) is very trackable by either g**gle (analytics i.e.) and/or cl*udflare (their cdn), as long as sites you visit use at least one of their many services like g**gle analytics or cl*udflare cdn. In terms of cdns, turning javascript off isn't enough (see E-tags and Cache-Control like Modified-since). One reason may be that the captcha process isn't working anymore. Sopisticated adversaries break those captchas, thats the reason you get so many of them. The idea of proving you are human is insane, imho you are proving you are no bot and worth tracking when you solve the easy captchas, and doing google a favor doing OCR for their whatever-services. Consider charging them for that. :) If cl*udflare would care, the process would be, solve that captcha provided by cl*udflare or use their Darknet CDN and visit the site under the following onion adress. Because their customers care about tor users etc. But they are busy in terms of legal compliance, certainty. :) There are many other options - and in my experiance most cl*udflare customers don't know or don't understand that. cl*udflare is cheap (in implementation and price) and solves these problems for their customers, they consider us site-effects. Anyway, many popular sites that have content and community using cl*udflare, project.h*neyblock or simliar blacklists. They are easy to implement and keep the trolls and trouble at bay. I've tried to reason with some sites to keep the site at least read only or offer a hiddenservice, most to no avail. Often, if it comes to offer a hiddenservice someone insists that tor isn't safe enough. :) Seems like most software hasn't such elaborate and fine grained acls, it seems. Site operators are frustrated and won't give tor users an inch. If you understand that, you have solved half of the equation. Their assumption is, that one identifies users by ip, and by using tor you become indistinguishable from the bad bots and possible adversaries, so you are not allowed to participate or denied usage. Btw, that is proof enough, that tor is working very well for most of my thread models which involve malicous or clueless siteoperators, users that may compromise my privacy or anonymity. I like to elaborate about the presumption of innocence, that is reversed on tor-users: If you use tor you are presumed an adversary or bot by those entities and have to jump through their hoops to proof you are a good person (worth tracking). It is usually not enough to whitelist two sites, you may need various other cdns for liraries, g**gly fonts and apis and what not to let these programs render the data in a way you can receive them (you can't simply view them anymore). This sounds like bad news, but the www is so diverse, finding a replacement site is in most cases a matter of breaking with some habits - usually one can migrate members to the newfound site too. Some food for thought, since you usally provide valuable personal information to those entities or sites, do you really think their security, which based on the assumption earlier, is good enough to protect your data? In my experiance it isn't, if so, they wouldn't need such desperate measures and tolerate such a high rate of false positives when it comes to tor-users. Personlly, I find it amusing, that webdevelopers still believe I accidently turend off javascript or I am not understanding my client well enough, and need to be reminded to turn it on again. :) Or try this reasonsing: Do you like to do business with, receive information, data, content from or participate in a community provied or hosted by an entity that considers you, or tor users in general bad persons or adversaries while itself waives any responsibility for your data, your privacy, your anonymity? Yes, ! Feel free to remind them, that tor users, in most cases aren't adversaries, they are using tor to circumvent censorship, blocking or insisting on some form of privacy or anonymity. It is we, who have to use such desperate measures to protect our privacy or anonymity. They
Re: [tor-talk] do Cloudfare captchas ever work?
On 06/20/2015 12:31 AM, Andreas Krey wrote: The last weeks I was usually getting the number photo captchas, and they work. Last week there were more of the hard two word captchas, but even these usually work - sometimes I just reload the page and then I often get a number captcha. Thanks. Yes, I've gotten the house numbers (4 digits) - many times. They're very legible, but still don't work (TB 4.5.1 / 4.5.2 - Windows). When I enter them, Cloudfare doesn't give any message, just a new captcha image. Sometimes, it shows another 4 digits - still clear. Then another another. After a few times, it may switch to the letters on an acid trip. Even when I can read all the letters, it still doesn't take. After the 1st attempt or 2, it also may change the instructions to a non English language. I assume based on exit relay location. In Firefox, I can usually get similar looking captchas to work - especially if it's not from Cloudfare. Which out of the box browser do you mean? I've tried clean installs of TB before w/ default settings. Don't remember having any better luck w/ Cloudfare. To get it to work, are you allowing 1st and / or 3rd party cookies - for both the target site whatever the URL is for the Cloudfare captcha page? I wonder if the OS makes a difference to Cloudfare? On 6/20/2015 3:18 AM, Mirimir wrote: Is Javascript always needed to get the number photo CAPTCHAs? I think it may be (or used to be so). IIRC, in Firefox, if NoScript wasn't set to allow all scripts (possibly 1st 3rd party), sometimes I couldn't see all elements on the captcha page. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] do Cloudfare captchas ever work?
Just to clarify (to all that replied) - I have JS enabled. At least, when trying to get captchas to work. Then, I'm using Tor Browser's default settings for NoScript. I just tried a couple of sites w/ Cloudfare. Today, it worked, but not on the 1st try - even with legible house numbers. But today I also checked the exit relay country, when it worked. It was in a well behaved European country. Other times when Cloudfare didn't work, I didn't always think to check, to see if there's any pattern to Cloudfare not working specific exit relay countries. FYI - for others, when using _vanilla Firefox_ AdBlock Plus (or similar), Cloudfare doesn't like it. Even if NoScript is set to allow all scripts. Maybe because of blocking ads, but also maybe because ABP blocks some scripts. Depending on the target site, some of those may be 3rd party scripts (for CDNs, or) that Cloudfare requires to be allowed, before they'll allow the captcha to work. On 6/20/2015 6:35 AM, Lars Luthman wrote: On Fri, 2015-06-19 at 22:38 -0500, Joe Btfsplk wrote: Does anyone have any meaningful success rate with Cloudfare captchas in Tor Browser? Using default browser installation settings? I so rarely have success, that I immediately close tabs for sites presenting Cloudfare. Even when the puzzle is clearly legible (rarely), it still doesn't work. Not for me - with default TBB settings or even allowing 1st party cookies from the target site. If others have even partial success, what's the secret? Getting a different exit relay/ exit country / exit IPa? That's the only way that ever works for me. Or turning Javascript on, but I don't want to do that for HTTP sites. With Javascript on you usually get easier captchas that often let you through when you get them right. With Javascript off you get the captchas that look like the names of Lovecraftian deities distorted through non-Euclidean geometries that are difficult even for us humans to solve, and even when you definitely solve them you aren't allowed through but just get presented with another captcha, and another, and another, ad infinitum. Switching to different exits helps, but you often have to switch 10 - 20 times in a row before you hit an exit relay that Cloudflare in their benevolent wisdom has deemed good enough to be allowed to view the web. And even then you usually just get a few minutes before the gate is slammed shut and you're back with the captchas. I suspect that the new exit-switching feature in Tor Browser has made it slightly worse by putting more load on the few exits that are allowed through at any given time, making it more likely that Cloudflare will think it's some sort of DoS attack or automated scraper and block it. Cloudflare has essentially broken the web for Tor users. For some reason web proxies like hidemyass.com never seem to be blocked by Cloudflare so one (annoying) solution is to use one of those with Tor Browser. --ll -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
