Hi, I like your idea but have some criticism to make regarding what you consider users of the Tor network.
> That way a normal web client, normally browsing a website, would not be > impacted from end-user experience, but any automated system (the ones causing > problems to Cloudflare) Why can't people separate Tor from Tor Browser in their minds? Tor is a network transport. Not all Tor users are lusers sitting behind Tor Browser, clicking things. For example I have a system-wide Tor daemon, and I use it for a variety of different non-interactive things, like news reader updates, automatic source code fetches, web-api-related requests, and other cronjobs. I am not the only one. Shitflare also affects completely reasonable automatic non-interactive uses like that. In fact the Great Firewall of Shitflare completely fucks every hope of composability of their clients' web sites. > would get hit by a huge increase in the > computational resources required to make such massive attacks. > >[snip] > > At that stage Cloudflare, instead of using a Captcha, could also > implement an independent Javascript Proof of Work system, No. Javascript in the browsers is shit. Shit for security, shit for privacy. I consider requiring Javascript for fundamental functionality an affront. > to be applied at Application Level and run on Tor Browser, Ditto about Tor vs. Tor Browser. Though a neutral _protocol_ (a remote API) to request and submit the PoW could be workable. >[snip] > > Maybe it's a bad idea, but the key to be addressed is imho: > - reducing the automated attacks from Tor netwok by increasing it's > costs while leaving intact the end-user experience on Tor Browser Ditto, Tor != Tor Browser. Cheers. -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
