On Cloudflare’s “The Trouble with Tor”

Last week, Cloudflare published an article headlined “The Trouble with Tor”. The post was prompted by protesters who complained about Cloudflare’s strict Tor policy.

The default setting for users’ sites is to ‘block’ Tor traffic and ask people to solve a Google Captcha. While this is not blocking access to a site in a traditional way for most people, it is indeed a complete block for many people using Tor. And that is because many people are not able to solve the Captcha. Me, for example. I use the Firefox Strict Tracking protection (powered by the awesome Disconnect tracking list). That lists Google’s CDN data as a tracking resource (because they do track people), completely preventing the Captcha from loading. And if you use the Tor browser with that setting, all Cloudflare sites are suddenly not accessible anymore.

“Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.”

When I read this statement, I immediately wondered whether that number could be true. It just seemed too high, mainly because I personally know a couple of Tor users (funnily, they’re not people working in tech, they just want their privacy ensured) who use the network as their primary Internet access point to research things.

Slide showing research results on malicious vs. non-malicious Tor traffic: The conversion rates of both are the same, leading to the result that about 50% of the traffic is legal, non-malicious traffic

Soon after, the Tor project published a blog post with questions to Cloudflare regarding those numbers. In it, they link to research by Akamai (a competitor to Cloudflare) [pptx-file] which measured that at least about 50% of Tor traffic is not malicious but valid traffic. If that were true, it would mean that Cloudflare blocks traffic for 49% of users to prevent 49% of malicious traffic. Is that a valid trade-off? I doubt it. I think Cloudflare could deal much better with that amount of malicious traffic than they do now. At least Akamai says that overall malicious traffic rates on the Tor network are not higher than on normal HTTP/S networks. And if Akamai were doing a bad job at filtering out malicious traffic, I don’t think they’d have so many big customers today. There is always a better solution than blocking specific networks.

Did you know that you can easily find out who the customers of the free Cloudflare plan are? Visit one site using it and look at the certificate. It contains many more customer domains, as they all share one certificate. While this is not per se wrong, and Cloudflare even says so when you sign up, now that Let’s Encrypt is usable they could provide a free, unique certificate even for their free customers.
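
A site owner can check what their own certificate discloses by listing its subjectAltName entries and separating the names they operate from everything else. The following is an added example, not code from this post or from Cloudflare; the function names and the sample certificate (all host names in it are made up) are assumptions for illustration.

```python
import socket
import ssl


def fetch_peercert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate of host as the dict ssl produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_sans(peercert):
    """Lower-cased DNS entries of subjectAltName, de-duplicated, order kept."""
    seen = []
    for kind, value in peercert.get("subjectAltName", ()):
        name = value.lower().rstrip(".")
        if kind == "DNS" and name not in seen:
            seen.append(name)
    return seen


def is_own(name, own_domains):
    """True if a SAN (possibly a wildcard) falls under a domain we operate."""
    base = name[2:] if name.startswith("*.") else name
    return any(base == d or base.endswith("." + d) for d in own_domains)


def shared_cert_report(peercert, own_domains):
    """Split the certificate's names into ours and those of other tenants."""
    own = {d.lower().rstrip(".") for d in own_domains}
    names = dns_sans(peercert)
    mine = [n for n in names if is_own(n, own)]
    others = [n for n in names if not is_own(n, own)]
    return {"mine": mine, "others": others, "shared": bool(others)}


# Constructed sample in the shape getpeercert() returns; all names are made up.
SAMPLE = {
    "subject": ((("commonName", "shared-edge.example"),),),
    "subjectAltName": (
        ("DNS", "shared-edge.example"),
        ("DNS", "myblog.example"), ("DNS", "*.myblog.example"),
        ("DNS", "shop.test"), ("DNS", "*.shop.test"),
        ("DNS", "notmyblog.example"),
    ),
}

if __name__ == "__main__":
    report = shared_cert_report(SAMPLE, ["myblog.example"])
    print("names that are ours:", report["mine"])
    print("other names on the same certificate:", report["others"])
```

To run it against a live site you operate, pass `fetch_peercert("your-host")` in place of `SAMPLE`.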
