Martin,
On Sep 17, 2014, at 8:18 AM, Martin Rex <mrex(_at_)sap(_dot_)com> wrote:
> Singling out TOR users and persuading them to enable Javascript adds
> a different aspect, however.
I would be quite surprised to learn that TOR users were being singled out.
At least in the past (and I’ve no reason to suspect it has changed), CloudFlare
collects data on the sources of attacks of various kinds, e.g., zombies
involved in D(D)oS attacks, attempts (typically automated) to use known
vulnerabilities like SQL injection, etc. If a connection attempt is made to a
CloudFlare customer from a source IP address used in an attack, that connection
is thrown over to a CAPTCHA.
As such, I suspect the reason TOR users get hit with the CAPTCHA is because the
TOR exit node that appears to CloudFlare’s system as the source IP address
_was_ used in an attack attempt of some kind. TOR users are not being singled
out, they’re just using an infrastructure that happens to be used by script
kiddies and others to attack other sites and suffering the consequences. I
believe the exact same thing happens to folks who have the misfortune of being
behind CGN.
> So there likely is a desire within those agencies to condition
> TOR users to enable Javascript,
Given the proliferation of Javascript on the web, “those agencies” don’t have
to do _anything_.
> and the current CloudFlare
> behaviour is not necessarily a genuine idea, but may have been
> inspired/suggested/coerced from outside.
Sorry, this last bit strikes me as tinfoil hat territory.
Regards,
-drc
(who worked for CloudFlare 3 years ago but no longer works there)