Connect with us

Hi, what are you looking for?


Identity & Access

Tor, CloudFlare Spar Over Malicious Traffic

Internet Firms Clash Over Malicious Traffic and Access

Tor Urges Sites to Switch CDNs After CloudFlare Says Most Traffic Is Malicious

Internet Firms Clash Over Malicious Traffic and Access

Tor Urges Sites to Switch CDNs After CloudFlare Says Most Traffic Is Malicious

Content delivery network (CDN) CloudFlare says it’s working on making it easier for Tor users to access the websites it protects, but it’s not an easy task. In the meantime, the Tor Project has advised website owners to either whitelist access over Tor or switch to a Tor-friendly service provider.

CloudFlare CEO Matthew Prince published a blog post on Wednesday detailing the “trouble with Tor.” After many individuals who use the Tor network to protect their identity complained that they are having a hard time accessing important websites due to CAPTCHAs and other restrictions, Prince attempted to provide an explanation and outline the steps being taken by his company to address the issue.

According to Prince, 94 percent of requests that CloudFlare sees across the Tor network are “per se malicious,” including vulnerability scanning, spam, ad click fraud, and content scraping. This results in very high threat scores being assigned to the IP addresses of Tor exit nodes, which in turn results in Tor users having to complete numerous CAPTCHAs before they can access websites.Tor vs CloudFlare

CloudFlare has recently started allowing customers to specify how they want to handle traffic coming from Tor by treating Tor exit nodes as a “country” of their own. Website owners can whitelist all Tor traffic, use CAPTCHAs to verify if a user is human, block all traffic, or use a JavaScript challenge that checks the user’s browser before redirecting them to the requested site.

On the long term, CloudFlare believes there are two viable methods that can be used to distinguish automated, malicious traffic from legitimate traffic coming from Tor. One solution would be for CloudFlare customers to create a .onion version of their website, which would only be accessible via Tor. Facebook launched such a website in November 2014 to make it easier for Tor users to access the social media platform.

Another solution proposed by some members of the CloudFlare team is to get the Tor Browser to make the distinction between human and automated traffic.

“The Tor browser could allow users to do a sort of proof-of-work problem and then send a cryptographically secure but anonymous token to services like CloudFlare in order to verify that the request is not coming from an automated system,” Prince explained.

Advertisement. Scroll to continue reading.

“CloudFlare is working to reduce the impact of CAPTCHAs on Tor users without in any way compromising their anonymity and without exposing our customers to additional risk. Over the coming weeks and months we will roll out changes designed to make the lives of legitimate Tor Browser users easier while keeping our customers safe,” Prince said.

Tor Project publishes CloudFlare fact sheet

After CloudFlare published its blog post, the Tor Project released a fact sheet detailing CloudFlare’s impact on Tor users. The organization behind the anonymity network says CloudFlare prevents users from reaching important websites, including the ones of Amnesty International, online activist network Avaaz, Q&A community website Stack Exchange, Planned Parenthood, and various major news sites.

These websites are often inaccessible from both the desktop and mobile versions of the Tor Browser. The Project has pointed out that the Web is often accessed from Android phones in developing countries, and many users have complained that there is a growing number of websites they cannot access due to CloudFlare.

On one hand, the problematic CAPTCHAs might get users to access websites via unsafe browsers that can reveal their location, which can represent a serious risk for human rights activists and other groups for which anonymity is crucial. On the other hand, new users might believe they are not using Tor correctly, which could lead to them abandoning Tor altogether.

“CloudFlare’s CAPTCHA system results in de facto censorship, since Tor users either cannot access a site or are deterred from using a site because of the obstacles presented by the CAPTCHAs. Tor users have complained that they can circumvent China’s Great FireWall, but not CloudFlare,” the Tor Project said.

The Tor Project says it’s displeased with the fact that CloudFlare hasn’t taken proper steps to address the problem, despite knowing about it since at least 2013. The anonymity network has advised companies that want to support Tor user access to their websites to either whitelist access over Tor, or switch to a content delivery provider that supports Tor.

While CloudFlare claims 94 percent of the Tor traffic it sees is malicious, the Tor Project has argued that the abuse is actually likely coming from a “tiny fraction of the millions of daily Tor users.”

“When a connection to a website travels over Tor, it will exit the network via one of the thousand exit relays set up by volunteers all over the world. The largest exit nodes transport more than 70,000 connections at a given moment. If a small number of these connections contains what CloudFlare qualifies as ‘malicious traffic’ (spam, typically), CloudFlare will consider any subsequent connection as ‘malicious’,” the Tor Project said. “Because exit relays are picked (usually at random) by the Tor client, a single bad guy could have all relays qualified as transporting ‘malicious traffic’.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.