CloudFlare working on a Tor Browser extension that can filter human traffic from automated and malicious bots

Oct 3, 2016 12:50 GMT

Despite routing a whopping 10 percent of all Internet traffic, CloudFlare is better known among Tor users for its annoying CAPTCHAs, which most of the time delay them for minutes before letting them access a website.

The Tor Project hasn't been shy about publicly pointing the finger at CloudFlare. Back in February, Tor Project members accused CloudFlare of intentionally sabotaging Tor traffic via its CAPTCHAs and of using special cookies to track Tor users across the Web.

CloudFlare responded a month later by denying all accusations. The company said that only IP addresses with a bad reputation see the CAPTCHAs, which are a self-defense measure for the sites CloudFlare is hired to protect.

The company said that 94 percent of all Tor traffic is malicious, and most likely used for automated attacks, and that's why regular Tor users see the CAPTCHAs. CloudFlare was adamant that they had nothing against the Tor Project, or its users.

CloudFlare working on a Tor Browser extension

Since actions speak louder than words, CloudFlare is now researching a new system to protect its clients from malicious Tor traffic, but without bombarding Tor users with endless CAPTCHAs.

The document, called the "Challenge Bypass Specification," was published on GitHub two weeks ago.

According to this specification, CloudFlare is working on a Tor Browser extension that generates one-time authentication tokens, called nonces.

Whenever a Tor user would access a CloudFlare-protected site, they'd have to solve one initial CAPTCHA. After that, the browser would supply authentication tokens to the CloudFlare firewall, and the user would not be required to deal with any more CAPTCHAs.

Since malicious traffic is automated with various CLI tools, attackers wouldn't be able to provide these tokens, and the firewall would do its job as intended.

Other edge providers can also deploy the extension to filter Tor traffic

Currently, the draft specification uses a blind-signature variant of the RSA algorithm to generate the "blind signatures" that serve as nonces.
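As an added illustration of the token flow described above (this is not code from the specification or from CloudFlare), here is the textbook RSA blind-signature exchange: the browser blinds a random token, the edge signs the blinded value once the CAPTCHA is solved, the browser unblinds the signature and later redeems the token, and the edge verifies the signature and rejects replays without being able to link the redeemed token to the signing request. The key size, the hash-to-integer step and all class and function names are toy assumptions made for this example.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key: hard-coded small primes, assumed for illustration only (far too small for real use).
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python >= 3.8)

def hash_to_int(token: bytes) -> int:
    """Map a token to a message integer modulo N (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

class Browser:
    """Tor Browser side: creates a random token and blinds it before the edge ever sees it."""
    def __init__(self):
        self.token = secrets.token_bytes(16)
        self.r = secrets.randbelow(N - 2) + 2           # blinding factor, must be invertible mod N
        while gcd(self.r, N) != 1:
            self.r = secrets.randbelow(N - 2) + 2
    def blind(self) -> int:
        return hash_to_int(self.token) * pow(self.r, E, N) % N
    def unblind(self, blind_sig: int) -> int:
        return blind_sig * pow(self.r, -1, N) % N      # RSA: (m * r^e)^d * r^-1 = m^d

class Edge:
    """Edge provider side: signs blinded values after a CAPTCHA, later verifies and spends tokens."""
    def __init__(self):
        self.spent = set()
    def sign_after_captcha(self, blinded: int) -> int:
        return pow(blinded, D, N)                       # signs without learning the token
    def redeem(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != hash_to_int(token):        # signature check
            return False
        if token in self.spent:                         # one-time use: refuse replays
            return False
        self.spent.add(token)
        return True

def run_exchange() -> dict:
    """Full flow: one CAPTCHA, one blind signature, then several redemption attempts."""
    browser, edge = Browser(), Edge()
    blinded = browser.blind()
    sig = browser.unblind(edge.sign_after_captcha(blinded))
    return {
        "first_redeem": edge.redeem(browser.token, sig),        # True: valid, unspent token
        "replay": edge.redeem(browser.token, sig),              # False: already spent
        "forged": Edge().redeem(browser.token, (sig + 1) % N),  # False: bad signature
        "unlinkable": blinded != hash_to_int(browser.token),    # edge only saw the blinded value
    }
```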

CloudFlare also explains that this system is not specifically tailored to its network. The entire system is modular and other edge providers can deploy it to handle Tor traffic in the same way.

Furthermore, the initial one-time CAPTCHA is not mandatory, and each edge provider could implement its own system to authenticate human users, and then deploy the nonces for subsequent authentication operations.