ietf

Re: IETF web site behind CloudFlare

2014-09-17 10:56:44
Martin,

On Sep 17, 2014, at 8:18 AM, Martin Rex <mrex(_at_)sap(_dot_)com> wrote:
> Singling out TOR users and persuading them to enable Javascript adds
> a different aspect, however.

I would be quite surprised to learn that TOR users were being singled out.

At least in the past (and I’ve no reason to suspect it has changed), CloudFlare 
collects data on the sources of attacks of various kinds, e.g., zombies 
involved in D(D)oS attacks, attempts (typically automated) to use known 
vulnerabilities like SQL injection, etc. If a connection attempt is made to a 
CloudFlare customer from a source IP address used in an attack, that connection 
is thrown over to a CAPTCHA.

As such, I suspect the reason TOR users get hit with the CAPTCHA is because the 
TOR exit node that appears to CloudFlare’s system as the source IP address 
_was_ used in an attack attempt of some kind.  TOR users are not being singled 
out, they’re just using an infrastructure that happens to be used by script 
kiddies and others to attack other sites and suffering the consequences. I 
believe the exact same thing happens to folks who have the misfortune of being 
behind CGN.

> So there likely is a desire within those agencies to condition
> TOR users to enable Javascript,

Given the proliferation of Javascript on the web, “those agencies” don’t have 
to do _anything_.

> and the current CloudFlare
> behaviour is not necessarily a genuine idea, but may have been
> inspired/suggested/coerced from outside.

Sorry, this last bit strikes me as tinfoil hat territory.

Regards,
-drc
(who worked for CloudFlare 3 years ago but no longer works there)
