On 3/16/2016 5:49 PM, Stephen Farrell wrote:
Mike,
On 16/03/16 20:49, Michael StJohns wrote:
Fair enough - so you're asking me to take it on faith that there is a
real problem and that it affects sufficient numbers of folks that the
IETF should spend *its* money and effort to fix?
Did you miss the mail upthread where it was pointed out that
removing the restriction is a simple checkbox which I assume
costs no more money than we're giving CF already?
I didn't miss that. Did you miss that turning it off may allow
malicious traffic? That malicious traffic may have a cost? Or that
this isn't targeted specifically against TOR, but against any site with
a sufficiently bad reputation? Or that many TOR sites have a bad
reputation? My guess is that you didn't miss any of this, but I
repeated it just in case.
That said, I think your next paragraph is a reasonable way forward. But
I do think there will be a cost to turn it off because someone will
have to monitor and evaluate (and possibly remediate) if there is a
problem.
To be clear, are you arguing for turning off Captcha in in
circumstances? Or just giving TOR a pass? Can we leave it on for
anything that requires an IETF login?
If we allow Tor access and that turns out to be a source of
problems, then I do think we ought to re-evaluate, but I don't
think there's any cost here to the IETF to turn off the
restriction.
And to clarify another thing: this is not only about the captcha,
in testing today using TBB sometimes one gets access, sometimes
one gets a captcha and sometimes access is denied with no captcha.
It seems to depend on the exit node IP.
As I understand it, CF scores IP addresses based on reported "badness".
If you're on TOR and you pick (or have picked for you) an exit router
that's got a high badness score, then you get a Captcha at the IETF (and
other CF sites). My understanding is that if you come from non-Tor
sites with high badness scores you will also get a Captcha. The
specific problem (for us)/benefit (for the TOR users) is that you can't
differentiate from the good TOR connections (if any) vs the bad TOR
connections coming from the same tor exit router. Captcha is there to
try and establish there is some sort of human behind the connection and
to provide some protection against automated attacks.
What's interesting about your comment is that there is enough
differentiation in TOR output that different nodes score differently at
CF. It suggests to me that TOR may not be cleaning up its fingerprints
as well as it would like.
Later, Mike
Cheers,
S.