The CloudFlare and Tor Stalemate Is Harming Users
The Tor Project and CloudFlare have yet to resolve a debate over how best to secure Tor traffic, and users wait in the balance.
Tor users are angry. Outside an after-party at digital rights conference Rightscon, a handful of protesters held placards mimicking captchas from CloudFlare, a cybersecurity company, that are often presented to Tor users when they try to access some sites.
"One more step, please complete the security check to access the party," one read. These captchas can be infuriatingly difficult to solve, significantly increasing the time it takes a user to actually get onto a website, and if the captchas don't even load, then visitors might not be able to log on at all.
Meanwhile the hashtag #DontBlockTor has gained popularity on Twitter recently, and the Tor Project, the non-profit that maintains the Tor software, has upped its own rhetoric, comparing CloudFlare's products to Chinese web censorship.
CloudFlare uses captchas to protect its clients from malicious or otherwise automated web traffic, and the company says Tor is an outsized source of that traffic. There are several potential technical solutions to this problem, some of which involve a collaborative effort between the Tor Project and CloudFlare, and others that put the onus onto websites themselves, or squarely onto just CloudFlare. But many of these have been dismissed by the Tor Project, according to Matthew Prince, CEO of CloudFlare.
"What keeps happening is angry tweets, and not constructive conversations about how we solve what is a really difficult problem," Prince told Motherboard in a phone call. It's a problem that he thinks needs to be solved collaboratively.
"What we want is for CloudFlare to stop presenting captchas in front of legitimate Tor users," Kate Krauss, a spokesperson for Tor Project, told Motherboard in a phone call. "They have degraded the experience for all Tor users, and it is their job to fix this."
As part of its website security service, CloudFlare assigns a "threat score" to IP addresses that connect to its customers' sites. If the threat score is high enough, CloudFlare may automatically ask anyone connecting to a site from such an IP to complete a captcha.
CloudFlare doesn't necessarily treat traffic from Tor any differently, but Tor exit nodes, the points at which Tor traffic joins the normal web, have built up a pretty bad reputation owing to the high number of malicious requests coming from them, Prince wrote in a March blog post.
That traffic includes comment spam, vulnerability scanners, click fraud, and web scrapers, and according to CloudFlare's figures, 94 percent of Tor traffic it sees is "per se malicious."
Krauss called this figure "propaganda," which discredits Tor users. "If you put out a huge number, under pressure, and you don't back it up, that's propaganda," she said. (CloudFlare has released the tools it used to examine the reputation of Tor nodes.)
The thing is, an IP address doesn't equal one person, and because many different people are likely all using a Tor IP at any one time, users who want to read censored material or just protect their privacy are lumped together with botnets and machines.
This can be highly consequential for, say, activists in countries using the network while on a slow connection that they may have to pay for by the minute in an internet cafe.
"These are catastrophic impediments to using Tor," Krauss said. "We are hearing from our Iranian users that they are giving up on Tor because of this," she added.
Alison Macrina from the Library Freedom Project, which advocates for setting up Tor exit nodes in public libraries, told Motherboard in an email that users are also frustrated that CloudFlare's captchas are only in English.
Prince said CloudFlare has pitched several different potential solutions to the Tor Project, but none of them have been received particularly well.
One is CloudFlare offering its customers the automatic creation of Tor hidden services, which are perhaps less likely to be targeted by automated attacks. Legitimate Tor users could then visit the hidden services, where no captcha would be waiting for them.
"You've effectively separated the legitimate Tor users, from the automated systems," Prince said.
The problem, according to Prince, is that the Tor Project made a poor decision when designing hidden services: addresses are generated with the relatively weak SHA-1 hashing algorithm, and then chopped in half. This makes it easier for an attacker to spoof sites, Prince said.
In order to change this, "we would need the cooperation of the Tor community, and so far that has simply been rejected out of hand as a solution, which is disappointing," Prince added. Mike Perry, lead developer of the Tor Browser, told Motherboard in an email that captchas would still be served to Tor users with this approach. "This wouldn't solve the problem," he wrote.
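The address scheme Prince describes, as an added Python 3 example (not code from the article or the Tor Project): the 16-character name is the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, base32-encoded. `CONSTRUCTED_KEY` is a stand-in byte string rather than a real key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac

ONION_DIGEST_BYTES = 10  # 80 of SHA-1's 160 bits survive in the address

# Constructed sample input: stands in for a DER-encoded RSA public key.
CONSTRUCTED_KEY = b"constructed stand-in for a DER-encoded RSA-1024 public key"


def address_from_digest(digest: bytes) -> str:
    """Encode the kept half of a SHA-1 digest as a 16-character .onion name."""
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("expected a 20-byte SHA-1 digest")
    kept = digest[:ONION_DIGEST_BYTES]
    return base64.b32encode(kept).decode("ascii").lower() + ".onion"


def onion_address(der_public_key: bytes) -> str:
    """Address of a service whose DER-encoded public key is given."""
    return address_from_digest(hashlib.sha1(der_public_key).digest())


def key_matches_address(der_public_key: bytes, address: str) -> bool:
    """Client-side check: does the key a service presents hash to the address?"""
    return hmac.compare_digest(onion_address(der_public_key), address.lower())


def identifying_bits(address: str) -> int:
    """Bits of the hash carried by the name (5 bits per base32 character)."""
    label = address.rsplit(".", 1)[0]
    return 5 * len(label)


if __name__ == "__main__":
    addr = onion_address(CONSTRUCTED_KEY)
    print(addr, identifying_bits(addr), "bits")
    # The discarded half of the digest has no influence on the name.
    digest = hashlib.sha1(CONSTRUCTED_KEY).digest()
    altered = digest[:ONION_DIGEST_BYTES] + bytes(10)
    print(address_from_digest(altered) == addr)
```

Two digests that agree in their first 10 bytes produce the same name, so the address binds a client to only half of the hash.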
When asked what technical solutions he would offer in general, Perry didn't provide any of his own, however.
CloudFlare could try to track users in-between Tor sessions, meaning that threat scores for individuals could be calculated. "There are things that we could probably do to try to track Tor users and break that anonymity; we choose not to because we think that it's extremely important to preserve," Prince said.
The proof-of-work problem—that is, proving that the person connecting to a site is a human and not a bot—could be carried out within the Tor Browser itself, Prince added, with the use of an anonymous, cryptographically secure token. That route would require a lot more work, and again cooperation between multiple parties. Perry said this had been discussed in meetings between Tor Project and CloudFlare, but that mitigating the captchas themselves would be better for Tor users.
Finally, CloudFlare customers could white-list Tor IP addresses. After CloudFlare told customers how to do this, 80 percent white-listed Tor, and 20 percent black-listed, Prince claimed.
"Those numbers have steadily shifted, where today it's flipped," he said. It turns out that CloudFlare customers, when given power to decide whether to allow Tor connections without a captcha, aren't interested, and would rather have that restriction themselves.
"More people black-list Tor on CloudFlare than white-list Tor, and that makes me really depressed, to be completely honest," Prince said.
When pressed on this point—that CloudFlare is responding to customer demands that they don't face attacks from the Tor network—Krauss would not directly acknowledge that crime does originate from Tor, but instead said "I think as part of the infrastructure of the internet, Tor is used for all kinds of things."
In Prince's mind, there are three things at play in any potential solution around this problem: security, as that is what CloudFlare's customers pay the company to provide; anonymity, because that is naturally the purpose of Tor; and convenience, relating to any effects on the user-side for juggling these other two.
On balance, convenience is the one to sacrifice, Prince said.
Ultimately, this is where captchas come in—they present an inconvenience to users, of varying and sometimes more extreme degrees.
But if the Tor Project and CloudFlare can't agree on solutions that would separate the good users from the bad, perhaps then captchas just need to get better.
"The best solutions for Tor users, I believe, lie in drastically reducing the captcha burden," Perry from the Tor Project added.
CloudFlare has made improvements to captchas, and in the last month steps were taken to ensure that a visitor would never be presented with more than one captcha in a row, Prince said.
When it comes to cases where captchas don't load at all, particularly in China, Prince said, "That is a problem we are working on with the Google team. One of the potential solutions is that in those regions we would use some other captcha provider."
"We use reCAPTCHA because it is the only CAPTCHA provider that we've found that meets accessibility requirements while being able to keep up with our scale," Prince continued. "We continue to evaluate other solutions but, to date, haven't found one that meets those requirements," and added that if there were any more specific suggestions on how to do this.
Clearly, these improvements aren't enough for some users, as many are still complaining of annoying captchas in general.
As for what happens now, if the Tor Project really wants legitimate users and malicious traffic to be separated, it seems that some experimentation on proposed and collaborative solutions is necessary. Otherwise, if it's just captchas that need tweaking, it may boil down to CloudFlare's continued improvements.
"I think all the parties involved share some responsibility in working on this," Prince said.