Martin,

On Sep 17, 2014, at 8:18 AM, Martin Rex <mrex@xxxxxxx> wrote:
> Singling out TOR users and persuading them to enable Javascript adds
> a different aspect, however.

I would be quite surprised to learn that TOR users were being singled out.

At least in the past (and I’ve no reason to suspect it has changed), CloudFlare collects data on the sources of attacks of various kinds, e.g., zombies involved in D(D)oS attacks, attempts (typically automated) to use known vulnerabilities like SQL injection, etc. If a connection attempt is made to a CloudFlare customer from a source IP address used in an attack, that connection is thrown over to a CAPTCHA. As such, I suspect the reason TOR users get hit with the CAPTCHA is because the TOR exit node that appears to CloudFlare’s system as the source IP address _was_ used in an attack attempt of some kind.

TOR users are not being singled out, they’re just using an infrastructure that happens to be used by script kiddies and others to attack other sites and suffering the consequences. I believe the exact same thing happens to folks who have the misfortune of being behind CGN.

> So there likely is a desire within those agencies to condition
> TOR users to enable Javascript,

Given the proliferation of Javascript on the web, “those agencies” don’t have to do _anything_.

> and the current CloudFlare
> behaviour is not necessarily a genuine idea, but may have been
> inspired/suggested/coerced from outside.

Sorry, this last bit strikes me as tinfoil hat territory.

Regards,
-drc
(who worked for CloudFlare 3 years ago but no longer works there)