Griffin Boyce wrote:
> Virgil Griffith wrote:
>> For unrelated reasons I'm meeting with Cloudflare. Can someone
>> enlighten me on the current state of the captcha situation?
>> Presuming they are unwilling to completely drop the captcha, what
>> would be a step in the right direction?
>>
>> The last I heard from Cloudflare is:
>> https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-
>>
>> What is a step they can take right now for improving Tor user experience?
>> -V
>
> A main issue is that the captcha simply loops instead of allowing
> access to the website. This is intermittent, so not sure if this
> is because they are trying to fix the issue, or if the issue
> happens more often on sites that have a lot of traffic (and all the
> traffic can be assumed to come from different sources). This is a
> pretty basic issue, which they know exists, and I hear endless
> complaints about. If you hit the captcha-loop, you're likely not
> to be able to access the website at all.
>
> Another is increasing the size of the user-defined whitelists.
> Right now, the list only allows 200 IPs, which is insufficient if
> a highly-technical user wants to manually whitelist Tor exits.
> This actually kept me personally from being a user -- that
> $200+/month instead goes to Amazon and Azure because I don't want
> Tor users penalized when they come to my sites.

A third is the cross-domain problem. Even if the user answers a CAPTCHA for a site, if the site uses another domain for static content, that content never loads. Specifically, the static content requests themselves return a separate CAPTCHA. Since these can never be answered in that tab, the real content can never be fetched. The user can't e.g. open an image URL in a new tab and solve the CAPTCHA there, because TBB by default opens a new circuit, so CloudFlare sees it as a separate "session". At best, the site looks rubbish. At worst, it can make the site unusable (if it requires JS). Ideally, CloudFlare should be more intelligent about cross-domain content. Site admins should be able to list expected cross-links between their CloudFlare-controlled domains. If a request comes in on spamalot.com and shortly after multiple requests come in on slstatic.com, it should mark those as the same session, somehow (whether by adding a query parameter or header to the static requests, or being more intelligent on the server side). 
str4d

>
> best,
> Griffin
>
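One way to model the cross-domain session linking str4d proposes above, as an added example that is not part of this thread or of any CloudFlare code: the admin link table, the time window, the hostnames and the log lines are all constructed for illustration. It correlates by the client address the CDN sees, which is the weakest of the options listed in the post, since many Tor users share the same exit; a per-session header or query parameter on the static requests would be needed in practice.

```python
from dataclasses import dataclass, field

# Hypothetical admin-configured link table (assumption): primary site -> static domains it loads from.
LINKED_DOMAINS = {"spamalot.com": {"slstatic.com"}}
LINK_WINDOW_SECONDS = 60  # how long after a solved challenge linked-domain requests are trusted


@dataclass
class Request:
    ts: float            # seconds since start of the constructed log
    client: str          # source address as the CDN sees it, e.g. a Tor exit
    host: str            # domain the request is for
    solved_captcha: bool = False  # True if this request carries a freshly solved challenge


@dataclass
class ChallengeGate:
    use_links: bool = True                       # False reproduces the cross-domain loop
    cleared: dict = field(default_factory=dict)  # (client, host) -> time the challenge was solved

    def should_challenge(self, req: Request) -> bool:
        key = (req.client, req.host)
        if req.solved_captcha:
            self.cleared[key] = req.ts
            return False
        if key in self.cleared:
            return False  # same client already cleared this host
        if self.use_links:
            # Cross-domain case: static host linked from a primary the client recently cleared.
            for primary, statics in LINKED_DOMAINS.items():
                if req.host in statics:
                    t = self.cleared.get((req.client, primary))
                    if t is not None and 0 <= req.ts - t <= LINK_WINDOW_SECONDS:
                        return False
        return True


# Constructed sample log: one exit clears spamalot.com, then its page pulls slstatic.com.
SAMPLE_LOG = [
    Request(0.0, "198.51.100.10", "spamalot.com", solved_captcha=True),
    Request(1.5, "198.51.100.10", "slstatic.com"),    # same circuit, linked static host
    Request(2.0, "203.0.113.7", "slstatic.com"),      # different exit: the "new tab" case
    Request(3.0, "198.51.100.10", "example.net"),     # unrelated host, no link configured
    Request(300.0, "198.51.100.10", "slstatic.com"),  # linked, but outside the window
]


def replay(log, use_links=True):
    # Return [(host, challenged), ...] for the log under the chosen policy.
    gate = ChallengeGate(use_links=use_links)
    return [(r.host, gate.should_challenge(r)) for r in log]
```

With `use_links=False` the second request (the static content fetched by an already-cleared page) is challenged again, which is the loop the post describes; with links enabled it passes, while the different-exit and stale requests are still challenged.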
