CloudFlare explains how it deals with Tor traffic

Mar 31, 2016 10:30 GMT

After being accused of intentionally sabotaging Tor traffic last month, CloudFlare has come forward with an official statement in which it explains why the company does what it does.

Regular Tor users are well aware of CloudFlare's practice of showing CAPTCHAs to visitors who reach its clients' websites from a Tor exit node IP.

According to CloudFlare, this measure was introduced after it repeatedly saw Tor exit IPs being used for suspicious activity.

CloudFlare shows CAPTCHAs to Tor users because it has to

"Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious," CloudFlare wrote yesterday. "That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers."

This includes a large amount of comment spam, requests from vulnerability scanners, ad click fraud, content scraping, and login scanning.

On the matter of surveillance, also raised by members of the Tor Project, CloudFlare has denied that it tracks Tor users across its infrastructure, saying it has done the opposite by deliberately not implementing a super-cookie-like system.

Nevertheless, CloudFlare admits that it does track and mark Tor exit node IP addresses and assigns them higher threat scores. Because the Tor Browser includes anti-fingerprinting protections, and because CloudFlare says it respects the project's goal of providing anonymity to its users, it has no alternative but to show CAPTCHAs to users coming from a Tor exit IP.

The decision is controversial and will likely annoy legitimate Tor users, but, to be fair, CloudFlare is a security firm, and its clients hire its services precisely to filter this kind of traffic.

Most of CloudFlare's clients would like to ban Tor traffic altogether

In fact, CloudFlare reveals that many of its clients would like to ban Tor traffic outright, and it is only because of CloudFlare that this hasn't happened yet.

The company explains that it intentionally left out of its customer backend panel any option that would let clients blacklist Tor, offering only the options to whitelist Tor addresses or to show a CAPTCHA.
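To make the mechanism described above concrete (exit node IPs are marked and given a higher threat score; each customer may choose only "whitelist" or "CAPTCHA" for Tor traffic, with no "block" option offered), here is an added example in Python. It is not CloudFlare's code and CloudFlare has published no such numbers; the penalty and threshold values, the customer names and the exit-list entries are all constructed for illustration. The input format is modelled on the TorDNSEL bulk exit list (`ExitNode` / `ExitAddress` lines), which is a real public format, but the fingerprints and addresses below are made up and use documentation IP ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed weighting and threshold; the article gives no figures for either.
TOR_EXIT_PENALTY = 50
CAPTCHA_THRESHOLD = 40

# The only two Tor settings a customer may pick. "block" is deliberately
# absent, mirroring the backend-panel behaviour the article describes.
TOR_ACTIONS = ("captcha", "whitelist")

# Constructed sample in TorDNSEL bulk exit-list style. Fingerprints are
# placeholders and the addresses come from RFC 5737 documentation ranges.
SAMPLE_EXIT_LIST = """\
ExitNode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Published 2016-03-30 22:37:35
LastStatus 2016-03-31 00:02:53
ExitAddress 192.0.2.10 2016-03-31 00:06:34
ExitNode BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Published 2016-03-30 20:18:01
LastStatus 2016-03-31 00:02:53
ExitAddress 198.51.100.7 2016-03-31 00:05:12
ExitAddress 198.51.100.8 2016-03-31 00:05:12
"""


def parse_exit_addresses(text: str) -> frozenset:
    """Collect the IPs from ExitAddress lines; other record lines are ignored."""
    ips = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            # ip_address() normalises the textual form and rejects garbage.
            ips.add(str(ip_address(parts[1])))
    return frozenset(ips)


def is_offered_tor_action(action: str) -> bool:
    """True only for actions the panel exposes; 'block' is never offered."""
    return action in TOR_ACTIONS


@dataclass
class CustomerPolicy:
    name: str
    tor_action: str = "captcha"   # default: challenge, not block

    def __post_init__(self):
        if not is_offered_tor_action(self.tor_action):
            raise ValueError(
                f"unsupported Tor action {self.tor_action!r}; "
                f"only {TOR_ACTIONS} are offered")


def threat_score(client_ip: str, exit_ips, base_score: int = 0) -> int:
    """Mark exit-node IPs with a higher score; other IPs keep their base score."""
    if str(ip_address(client_ip)) in exit_ips:
        return base_score + TOR_EXIT_PENALTY
    return base_score


def decide(client_ip: str, policy: CustomerPolicy, exit_ips,
           base_score: int = 0) -> str:
    """Return 'allow' or 'captcha' for one request.

    A Tor exit IP is either whitelisted (allowed regardless of score) or, under
    the default policy, pushed over the CAPTCHA threshold by its penalty.
    Non-Tor IPs are judged on their base score alone.
    """
    is_exit = str(ip_address(client_ip)) in exit_ips
    if is_exit and policy.tor_action == "whitelist":
        return "allow"
    if threat_score(client_ip, exit_ips, base_score) >= CAPTCHA_THRESHOLD:
        return "captcha"
    return "allow"


if __name__ == "__main__":
    exits = parse_exit_addresses(SAMPLE_EXIT_LIST)
    default_site = CustomerPolicy("site-a")
    tor_friendly_site = CustomerPolicy("site-b", tor_action="whitelist")
    for ip in ("192.0.2.10", "203.0.113.5"):
        for policy in (default_site, tor_friendly_site):
            print(f"{ip:>14} -> {policy.name}: {decide(ip, policy, exits)}")
```

The point of the design is that the decision function has no path that returns a block verdict for Tor traffic: the policy object refuses to be constructed with any action outside the offered pair, so the "no blacklist option" property the article attributes to CloudFlare's panel is enforced in the type rather than by convention.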

The decision was made because the company fears the scandal that would follow an outright blacklisting of Tor traffic. CloudFlare understands why Tor was created in the first place and that it is not the Tor Project's fault that cyber-criminals also use it.

The company has also recently started working with the Tor Project to create a client-side mechanism in the Tor Browser itself, so that CloudFlare and other security firms can distinguish legitimate Tor users from automated requests and block only the latter.

Additionally, CloudFlare wants the Tor Project to start using SHA256 for generating .onion addresses. More of its clients could then create .onion versions of their legitimate sites, redirect Tor traffic there, and spare CloudFlare from displaying its CAPTCHAs, which in recent weeks have been failing at an astonishingly high rate.