Having to solve captchas to access this site

Discuss and help improve OpenMW's infrastructure: Website, Forums, issue tracker and everything having to do with keeping the lights on with OpenMW.
Post Reply
K0kt409P
Posts: 148
Joined: 06 Aug 2013, 09:14

Having to solve captchas to access this site

Post by K0kt409P »

Ever since openmw.org started using cloudflare a couple of weeks ago, I have had to solve a captcha every time a visit. Sometimes I have to solve several captchas per hour to keep reading the site. This is because I browse via the Tor network, since I value my anonymity online. As a Tor user the cloudflare captcha page is a rather familiar and unwelcome sight. I was deeply saddened when I saw that it had infected openmw.

Now, I would like to know whether this treatment of Tor users is intentional, or if there is any chance you could turn it off?
User avatar
lgromanowski
Site Admin
Posts: 1193
Joined: 05 Aug 2011, 22:21
Location: Wroclaw, Poland
Contact:

Re: Having to solve captchas to access this site

Post by lgromanowski »

Hi,
such treatment of Tor users isn't intentional - I don't care if someone is using Tor (or other kind of onion-routing network) or not, but as far I know CloudFlare (we're using CF CDN because from time to time we had so many visitors from reddit or slashdot that the servers can't handle them without CDN) has some checks for suspicious IPs and send them captcha for verification (At this moment I have medium security level enabled).
K0kt409P
Posts: 148
Joined: 06 Aug 2013, 09:14

Re: Having to solve captchas to access this site

Post by K0kt409P »

Have you had issues with malicious traffic from Tor? If not, would you consider turning the security level down a notch?
User avatar
Ace (SWE)
Posts: 887
Joined: 15 Aug 2011, 14:56

Re: Having to solve captchas to access this site

Post by Ace (SWE) »

I would assume that CloudFlare doesn't give any specific security setting for Tor, but rather sees Tor IPs as suspicious since they can have wildly differing data being sent between one moment and the next. Not to mention sessions suddenly changing IP, and not just once either.

Such actions would probably seem extremely suspicious, since such things normally mean the IP in question has been infected and used in a botnet or similar. Not things CloudFlare would want to let onto pages without further checks.

Maybe Tor could try to work with CloudFlare concerning possible whitelists of Tor nodes?
User avatar
psi29a
Posts: 5357
Joined: 29 Sep 2011, 10:13
Location: Belgium
Gitlab profile: https://gitlab.com/psi29a/
Contact:

Re: Having to solve captchas to access this site

Post by psi29a »

Ace (SWE) wrote:Maybe Tor could try to work with CloudFlare concerning possible whitelists of Tor nodes?
That's not going to end well. There is still too much 'evil' coming out of Tor's exit-nodes to be whitelisted. Many spambots operate over Tor... I know. While I like Tor and do use it, I just consider it the "price of admission" when dealing with CF's and other CDN's filters.
User avatar
jvoisin
Posts: 303
Joined: 11 Aug 2011, 18:47
Contact:

Re: Having to solve captchas to access this site

Post by jvoisin »

That's not going to end well. There is still too much 'evil' coming out of Tor's exit-nodes to be whitelisted. Many spambots operate over Tor... I know. While I like Tor and do use it, I just consider it the "price of admission" when dealing with CF's and other CDN's filters.
I don't think that many spambots are operating over Tor, since almost every exit-node is blocking the port 25. Also, I'm quite curious about your "There is still too much 'evil' coming out of Tor's exit-nodes" statement: do you have some sources?
User avatar
psi29a
Posts: 5357
Joined: 29 Sep 2011, 10:13
Location: Belgium
Gitlab profile: https://gitlab.com/psi29a/
Contact:

Re: Having to solve captchas to access this site

Post by psi29a »

Sources? Yes, me.

Blocking port 25 only solves the SMTP side of spamming, there are other ways to go about it such as forum and blog spam. I've been on both sides of this: as an forum admin for 10 years @ http://www.evil-genius.us, longer for www.mindwerks.net, a user of CF for some projects and as a bot (not spam) programmer using Tor. I've also had the pleasure of hosting an exit-node and sniffing all the traffic that comes out of there... some things you just want to un-see. ;)

It is incredibly easy to use Tor (effectively is another question altogether), so from my point of view... solving captchas every 5 minutes is the "price of admission".

From CF's side of things, it is it pretty cut-and-dry: they get reports from people using specific IPs or ranges of IPs and as a result get ranked higher for possible abuse. This could be because of any number of reasons, however the fact that it happens more often than not with Tor users would suggest that users of Tor are causing the up-tick in captchas and other security measures. No one is blaming Tor, just the bad eggs using Tor which is making life hard for the rest.
Post Reply