Not long ago, the content delivery provider CloudFlare claimed that a whopping 94 percent of the requests it gets from people using the Tor anonymizing network are malicious. It needs strict, Tor-specific security measures (such as demanding that visitors see CAPTCHAs) to protect its website customers against attacks, the company says. Well, the Tor team isn’t having any of it — it’s accusingCloudFlare of both mischaracterizing Tor users and blocking innocents in the name of overzealous security.
To begin with, the Tor group wants evidence. It’s asking CloudFlare how it got to that 94 percent figure, and doesn’t explain how its internet address reputation system (which gauges the trustworthiness of a given connection) works. The project also doesn’t buy CloudFlare’s argument that it’s being relatively gentle. Many Tor users get stuck in CAPTCHA loops or failures, and it’s very difficult to get off of the naughty list once you’re on it. If CloudFlare decides that a Tor connection’s internet address is shady, it frequently doesn’t lift this effective ban — many honest people are locked out, and it creates lots of false positives that give the Tor service a bad name.
At last check, the Tor project was waiting on answers before things went any further. However, CloudFlare has already said that a compromise is possible, such as a stricter cryptographic hashing algorithm (which would help CloudFlare whitelist Tor traffic) and asking users to perform a proof-of-work test to prove that they’re humans. The two outfits don’t have to be at odds, in other words — it may just be a case of finding common ground.