back to article Lose the onion tears, Tor fanboys: CloudFlare may consider binning CAPTCHAs, says CEO

Tor users crying over CloudFlare's CAPTCHAs will soon be able to put away their onions, rather than their .onions, the company has suggested. CloudFlare CEO Matthew Prince told The Register he would love to create a no-more-tears system allowing the anonymizing network's legitimate users to access CloudFlare-hosted websites …

  1. Tsurotu

    If only...

    ... there was some way of identifying users of a website and filtering malicious traff... oh.

    1. Shart Tank

      Re: If only...

      RFC 3514 would solve this easily for Cloudflare. Just filter all the evil packets.

      | To solve this problem, we define a security flag, known as the "evil" bit,

      | in the IPv4 [RFC791] header. Benign packets have this bit set to 0;

      | those that are used for an attack will have the bit set to 1

      1. Prst. V.Jeltz Silver badge

        Re: If only...

        " It unfortunately also provides miscreants with a valuable layer of protection from the authorities, with their use of Tor allegedly accounting for more than 90 per cent of the network's traffic."

        Clearly whats need is a list of legitimate TOR users that could be kept by a responsible party , lets say the US government, that the tor users could authenticate against. This would prevent it being used by miscreants.

    2. mi1400

      Re: If only...

      "90 per cent of Tor traffic – in voluminous terms – “is, in some way, per se abusive, and I don't mean that in terms of visiting distasteful sites, that's not our business, but is traffic that is actively trying to hurt the websites it is visiting.”"

      These new bread of MBA pass out bastard CEOs ... i guess what? republicans have started teaching Marketing and MBA in these universities !?!... Obviously the website being hurt is on the basis they are not able to identify the visitor and hence target its ads personalized for his region. If that is hurting then that website and his admins should go foook themselves, eat shit, rejoice and thank heavens! if they cant make their code advanced or spend on research and just cry fowl in very "voluminous"ly broad and "voluminous"ly vague terms...

  2. Anonymous Coward
    Anonymous Coward

    make it nearly impossible to browse to certain websites

    very accurate description

    However, how indeed, do you filter out "malicious" from the innocent onion sheep, without identifying the latter?

    And then, what exactly is "malicious"? Arguably, soon enough, "malicious" could be, easily, "those unwilling to be identified, tracked and advertised to, as they maliciously hurt our revenue".

  3. Grikath Silver badge

    walk the walk....

    get tarred with the same brush..

    Of course, the screaming ninnies could turn down their Paranoïdar a bit and simply not use TOR when approaching perfectly ordinary websites. It's not as if visiting El Reg or others of such nature will get you on the Five Eyes Illuminati Lizardmen hitlist of d00m.

    1. John Lilburne Silver badge

      Re: walk the walk....

      I've been flooded by spam and crap from some locations. Don't really care whether they are Tor exit nodes, proxy servers, or just IP locations where the owners don't give a shit what their users are doing. I block them. If the same IP range appears multiple times then I block the entire range. If multiple blocked ranges are owned ISP by the same ISP then I'll block every IP address allocated to that ISP.

      I don't give a shit whether they have legitimate users their fuckwit abusing users get the place blacklisted.

  4. Anonymous Coward
    Anonymous Coward

    "It remains a useful security mechanism"

    It remains useless security theatre


    1. Ole Juul Silver badge

      I am interested in exactly what kind of abuse comes through Tor connections. For some reason they never say.

  5. My-Handle

    Though this might be unpopular...

    I think I'm on CloudFlare's side on this one. I read through some of the comments on the trac page linked to in the article, and an awful lot of the comments from Tor's side seemed to resort to childish sarcasm, nay-saying, petty correction and name-calling. CF's CTO seems to be trying to engage in a meaningful way, but it can be very hard to have a meaningful discussion with someone who just responds with something like "yeah, right" and "do any of us believe this?". Perhaps it's just one or two mouthy sods on the forum that have spoiled my experience of it.

    I did notice that the user ioerror did seem to be engaging with some possible technical solutions, even if he/she did get sidetracked with debating the nature of censorship on occasion, and whether CF was guilty of it or not.

    Tor does sound like a very useful tool that I would definitely think about using, especially if the Google / Microsoft / NSA data slurping issues get any worse. But the fact that some of it's developers behave in this way, coupled with the likelihood that the network carries a lot of dubious traffic, do tend to influence me against it.

    1. allthecoolshortnamesweretaken Silver badge

      Re: Though this might be unpopular...

      "I read through some of the comments on the trac page linked to in the article, and an awful lot of the comments from Tor's side seemed to resort to childish sarcasm, nay-saying, petty correction and name-calling."

      Just out of interest: on a scale from 0 to El Reg, how does the comments "from Tor's side" score?

  6. Anonymous Coward
    Anonymous Coward

    VPNs too

    It's not just affecting TOR. I use a well-known and regarded internet VPN provider and, depending on which of their servers I end up coming from, I regularly get the cloudflare CAPTCHA. The most annoying bit is that I get it at least once for every single site I visit, sometimes several times a day per site.

    1. Jack of Shadows Silver badge

      Re: VPNs too

      Doesn't seem to matter as to the size of the VPN provider. I get the idea but multiple proofs per session for a logged on user is beyond the call of duty.

  7. Anonymous Coward
    Anonymous Coward

    Another forum I use recently switched to Cloudflare DNS, then promptly turned off the captchas after complaints from a few ToR users living under abusive governments. If Cloudflare can't come up with a passive abuse-filtering system they should just give up.

    I note that a lot of Cloudflare's big paying customers are in the advertising industry. They love to track users as much as possible, and generally lack the technical resources to run secure and scalable servers, so they rely on Cloudflare's caching/filtering infrastructure. So basically Cloudflare is in the same position as Google was 10 years ago. They say they want to do the right thing, but they get all their money from doing the wrong thing.

    1. Sebby

      Even more remarkable when you consider that CloudFlare was born out of work done on Project Honey Pot, a completely voluntary service which helped webmasters in the coordinated catching of spammers and related infrastructure. Then the CEO got his MBA.

      Apparently, business really is more important than ethics.

  8. Someone

    Everyman or woman

    Some of the CAPTCHAs are unanswerable because they don’t contain any of the item you’ve been asked to select. However, almost every time you can get through to a site by answering one or two CAPTCHAs. I’ve learnt the hard way that the answer you need to give is not necessarily a good one. For a single image containing road signs, for example, I would want to select the squares with road signs in the distance, the backs of road signs and any square even slightly impinged by a sign. This isn’t the answer that’s going to get you through. Just like the word-based CAPTCHAs before, it seems your answer is going to be compared with those given by others, so your answer must be what someone with an average IQ is going to give – an everyman or woman. Choose only those squares with road signs face on to the camera that are a third or more filled by a sign. For every deviant answer you give, you’ll be made to answer two or more extra CAPTCHAs. Hence, you can easily end up with a sequence of ten or more. Appelbaum is probably suffering here because he is “a very smart guy.”

    The word-based CAPTCHA worked more consistently because it relied on common knowledge – something that was taught to you. At least CloudFlare or Google have dropped requests like “select all the salads” or “select all the soups.” What is a salad or soup is going to vary from culture to culture, and even within the same culture can cause long arguments.

    The problem with El Reg is that the images are hosted on a completely different domain, This means that even when you solve the CAPTCHA for the main Register site,, the image server can’t see your CloudFlare cookie and you’re left with a text-only page, and wondering if Ars Technica has an article covering the same story. Please, please, please change the domain name of to

    1. Anonymous Coward
      Anonymous Coward

      Re: Everyman or woman

      A similar example of a meta-meta-game where you have to play what you think is the average strategy, rather than the best strategy.

  9. ofergayer

    Lack of security measures is no excuse

    Nobody is forcing them to use outdated "IP blacklisting" based "security".

    If they lack the kind of technology to filter out bad traffic without just displaying CAPTCHAs all over the place, it's their own lame fault.

    El-Reg is more than welcomed to check better solutions.

    Disclosure: I work for Imperva Incapsula.

  10. Sam Adams

    "According to Prince, third-party figures have suggested than more than 90 per cent of Tor traffic – in voluminous terms – “is, in some way, per se abusive, and I don't mean that in terms of visiting distasteful sites, that's not our business, but is traffic that is actively trying to hurt the websites it is visiting.”

    Matthew Prince is either incredibly ignorant (unlikely) or a bald faced liar. His allegations are unsupportable and he lacks any credibility. Here's why I say this: An even much bigger problem than Cloudflare's indiscriminate blacklisting of all TOR users is their indiscriminate blacklisting of anyone who uses a shared IP address, such as VPN subscribers. Is Prince now going to argue that 90% of the millions of VPN subscribers around the world are using VPN services for "abusive" purposes? I seriously doubt he'd be willing to go that far, especially when it can be so easily shown that the vast majority of VPN customers subscribe to such services only because of concerns for privacy and security, such as to prevent being hacked (especially when traveling and using public hotspots), and to prevent government snooping.

    Worries over a tiny percentage of VPN subscribers using VPN for abusive purposes is poor justification for Cloudflare to blacklist all VPN users, and the trend shows that is clearly what they've been doing in recent months, and it's getting worse everyday. Cloudflare is using a sledgehammer-sized solution to kill a mosquito-sized problem. In so doing they only demonstrate their own technological incompetence and ineptitude.

  11. Cynic_999 Silver badge

    @Sam Adams - I think the answer will be with Prince's definition of "abusive", which could well be as all-encompassing as the NSPCC's definition of the word when claiming that 90% of children have been abused. If failing to allow javascript is deemed to be an abuse of the website, for example, then I could well believe the figure.

  12. Anonymous Coward
    Anonymous Coward

    If the CAPTCHAs are a useful security measure, I can accept that. I just think they need to implement it a bit better. I suggest the following modest goals, CAPTCHAs should:

    1. Actually be solvable by a human being.

    2. Not require scripts when the site it's protecting doesn't.

    3. Set a cookie granting access to that site for at least 8 hours.

    As an aside, I actually think the people behind CloudFlare are pretty cool. I like that they'll protect any website, whether they agree with the content or not, and even if they catch some flak about it. But I do find it vaguely worrisome how completely pervasive they are nowadays.

  13. SoloSK71

    Apparently not wanting to be tracked

    is now malicious, as I work with a large group of IT people, about 12 or so of us use Tor and go the web sites, so the 90% malicious number is bollocks

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019