I fully get the pain of a "bothersome captcha" but as a website operator (who's sites are behind cloudflare), there is a balancing operation. How much of the traffic out of Tor is legitimate, and how much is spammers, attackers and other script kiddies? For me, the answer is "very little legitimate".
A better request for Cloudflare websites would be to put the CAPTCHA's just on actions that need protection. Reading a blog entry? Don't need to test. Writing a comment? CAPTCHA them to the break of dawn.
As a website operator too I don't see spammers, attackers and script kiddies from tor network with valid user agents (tor browser or mainstream up to date browsers). The worst I see in that traffic is very few people trying to post/upload something anonymously, but mostly it's just people trying to access a few pages anonymously. Bots and scrappers for some reason use fake user agents in tor network and just get 403s, but the amount of that is so tiny compared to the rest of the bots, that's it's not even worth mentioning. Tor network is sort of self-limiting in this regard, because it's too slow and too obvious for such use, it's only viable for casual browsing.
Cloudflare proved that it's both unwilling and unable to solve the problem.
If I _wanted_ to use a bot on your site, despite the captcha trying to prevent it... and you exempted tor users from the captcha... why _wouldn't_ I use tor to get around it?
I'm not sure when you last tried Tor, but it's not that slow these days. I first tried Tor several years ago, and it was so slow I couldn't understand how anyone could bear to use it - but I tried it again recently, and (to my surprise) for general browsing at least, it didn't seem to add any noticeable lag.
I wonder if Tor has finally reached critical mass and is ready for more widespread use?
Not only do I use Tor a lot and find it mostly OK, but I use OrBot to encrypt traffic from other apps on my phone and most of the time I don't notice any overhead.
Almost always. It's gotten better with the rise of password managers that generate random passwords, but otherwise, passwords are usually shared across many websites and usually less than 16 characters.
> I just can't imagine any legitimate Tor user checking that checkbox
Legitimate Tor users will click it for the same reason a large fraction of users in general will click it--it's stopping them from getting where they want to be, and they believe clicking it enable them to move on, and they believe that reading it won't speed up that process.
It's just to them more "stupid stuff the site wants me to agree to that I don't need to bother with because (1) if it is asking me to agree to some rules I don't care because I'm really nice and would never do anything they could object to anyway, and (2) if it is making me give permission to use my data or track me it doesn't matter because (I'm already tracked everywhere else | I've got ad blocking and privacy add-ons installed)".
Good point! Since my suggestion actually would not stop trolls (abusive users) anyway (they would just click it so they could then abuse the site), how about blocking all Tor traffic with this message:
"
Why we are blocking Tor users
You appear not to support dictatorship and or want to live under a dictatorship. As the operator of this site, I don't believe in freedom of speech or expression on any subject, even banal everyday subjects. For all subjects, I oppose freedom of the press, freedom of speech, and the right to read anonymously or express anonymous opinions, regardless of content. If I could, I would repeal the fourth amendment ('[t]he right of the people to be secure in their persons, houses, papers, and effects'). Come back when you are ready to be tracked by your government."
Fair compromise? It sends the message across while blocking all Tor users.
Yes, the other poster has pointed out that some legitimate Tor users might click "agree" just to be able to use the page, without really agreeing with it.
so in my sibling comment I suggested that all Tor users could be blocked, while making it clear that the operator does not support their rights.
Definitely in line with your statement, I ran a forum for years. At one point I found an iptables script that blocked all known Tor endpoints. What happened was, trolls posting gore and porn to a child oriented forum (which had persisted for 2-3 years) immediately and totally stopped. People in these threads point out that "criminals can use a VPN", but in practice it never happened to us. I never once heard from anyone that a legitimate user was impacted.
It's not about whether your personal use of VPN is legitimate. It's a numbers game. For any successful site that deals in user generated content, moderation is hard and relentless work.
If they observe that a high fraction of visitors from AWS / VPN / Tor exit IPs are attackers, they will add countermeasures.
Then in deploying those countermeasures, they should know they're creating (sometimes significant) friction in the experience those legitimate users, who have legitimate reasons for using those tools, have of their site.
Well-intentioned or not, the UX sucks, and I generally bail and don't come back if I experience a second Captcha in a session. Find a better solution, or accept that you're driving away eyeballs/revenue.
As mentioned, this is a numbers game. Usually when this is deployed the cost of fighting the attackers exceeds any income the legitimate users via VPN or Tor respectively could provide.
> Find a better solution, or accept that you're driving away eyeballs/revenue.
Let's approach this from another angle for a moment - a hypothetical provider with no numbers/revenue; zero, zip.
Where should they start? Do they start by chasing every possible user out there and risk a wave of spam, etc? No, right now - the Cloudflare approach is looking rather attractive despite Cloudflare not needing to advertise these security features far and wide (unlike some VPN providers) because we're talking so much about it.
In the time that this debate will end, the buttons will be clicked, site(s) will be launched and working without problem for the majority of users it will be targeted at. For nearly everyone, this appears to be a much better solution than those that have plagued various online forums and services for years.
So who is going to find a "better" solution? Probably almost nobody. As the other commenter says, it's a numbers game. And that's just business.
It would be cool if you could set a header to Cloudflare when a user is logged in, perhaps with that user's ID. That could then trigger significantly decreased security.
1. You can use it purely as a CDN, turning security to "essentially off" and only having to deal with the website certificate being sni.cloudflaressl.com
2. Only on the enterprise plan. On Pro/Business you can only "challenge" (captcha) or JS/browser Challenge countries, not outright block them.
3. Even with all the other cool and useful features, DDOS mitigation is still one of the most valuable offerings possible.
Tor bandwidth and TTFB used to be universally very bad for me, no matter what I was doing.
Some time around ~2 years ago, though, the particular use-case of using Tor to (anonymously) access public-Internet websites got a lot better—both in bandwidth and TTFB.
Access to Tor hidden services is still slow, though.
Which makes me wonder: is the Tor network itself unilaterally faster now, and it's actually just the particular Tor hidden services which are all coincidentally bandwidth-starved?
Comparing apples to apples, DuckDuckGo's hidden-service gateway (https://3g2upl4pq6kufc4m.onion/) still seems a lot worse-off than their clear-net website (https://duckduckgo.com/). And I would bet that they would scale their Tor gateway if they could. So maybe this is a limitation in how Tor handles routing to hidden services? Does a .onion have to route to one physical Tor node, rather than being capable of load-balancing among many?
I assume you mean exit traffic. Exit traffic is anything connecting to the open internet, whereas hidden services never leaves the Tor network.
For exit traffic I don't believe there is a metric for average user speed. But, I just ran a 3 speed tests using different circuits and was getting 500-800KB/s download speeds on average.
You can see that for a 5MiB file average download time is around 12 seconds [0], which is around 425KiB/s, the main problem with Tor is latency, downloading a 50KiB file takes around 1 to 2 seconds.
Try using it. Very slow. No matter where you are. I understand that some people have no choice other than to use it. so I stopped using it to leave whatever bandwidth there is in the exit nodes to them
It wouldn't be surprising if hidden services had a lot better performance. Running a guard node is a lot less risky than an exit, so there's probably a lot more capacity available for traffic staying inside the network.
That makes a lot more sense, regarding in-Tor bandwidth.
I've also had quite a few projects in which I'm trying to normalize Tor usage. My biggest one thus to date is a Tor-ified IoT network that uses your own resources instead of nebulous "cloud" providers.
Long story short, there's a lot of promise to a .onion address, given it acts like a telephone number. Change IPs? Who cares. You retain your "number" no matter where you move :) It's also a lot less scary when talking to people about this, and how Tor is awesome in many areas.
Yes, Tor hidden services are neat technology, using them for IoT is a clever idea. Authenticated, not really scannable and you avoid the typical issue of going out to someone pre-determined to get connectivity from the outside.
You can see that for a 5MiB file, hidden services perform 2-3 times slower, I would put most of the blame on data having to travel through more hops when using hidden services.
94% of all traffic on the internet is malicious. It all depends on your definitions. A legitimate, human, user makes a handful of connections per minute. Someone running a scanner attempts thousands per second. So if we measure attempted connections then Tor and everything is horrible. But that true for actual bandwidth.
The old question: is a simple ping considered an attack? I still here people talking of how their websites are attacked thousands of times every day. Pings and other simple scans are not what I would call actual attacks.
Run a firewall on a server. Count every ping/scan as an attempted hack. Say you have 1000 legitimate users in a give day. You will probably see 1000 pings, scans, and other general junk per hour. (This is hard to do in places like cloudflare that filter much of this junk traffic before it hits their customers.)
I'm seeing the CAPTCHA a lot with the Brave Browser Tor Tab. You might want to reach out to the developers to make their Tor Tab be treated the same as the Tor Browser Bundle.
That's what I thought. However, using Tor browser in Whonix, I've recently faced Google CAPTCHAs that require scripting to pass. For both account creation and login.
In future, I'll report CAPTCHAs with Tor browser to Cloudflare. But I can imagine that other CDNs use Google CAPTCHAs, so I'll check for that first.
Yeah tails was so broken with CloudFare I had to give up on it. Many sites showed the annoying captcha and, if you got past that, still refused to show content because it was presumably served from a separate domain. If you looked at source and copied the urls to the images and tried to open them directly you got another CloudFare captcha.
I couldn't see it in the list of extensions there. I saw a ticket filed that said that there are various arguments against including it, one of them being that it's not the responsibility of the user to install some extension in order to get unblocked, it's the responsibility of the provider to not block users.
I get the appeal, and I get it's a PITA. But, if the referenced CloudFlare support document is to be believed, then you'll be putting yourself at additional risk by whitelisting, or otherwise "turning down" the security related settings for Tor users.
Let's pretend for the minute the support article is accurate, and let's pretend CloudFlare's security checks are useful. (I don't have any opinions/knowledge myself if there are true/false, so let's assume they are true - as most CF customers will).
Why should I turn off the security CloudFlare is providing me? The appeal doesn't give me anything I can use to justify turning this off. Given the percentage of tor users vs not-tor users, I can't really call the "it bothers Tor users" statement justification for turning this off.
I know it shouldn't be needed, I know anonymous browsing should be taken for granted, however - reality is - it's not. For an appeal like this to succeed, or even make a measurable dent, you'll need more.
I do hope you find more, anonymous browsing should be the norm, not the exception - but I don't believe this appeal will make a dent.
Those Google captchas are horrible. Often they do not let one of through despite giving seemingly correct answers. One is prompted with captcha after captcha after captcha. They not only require cookies, but JavaScript turned on and are a real affront to the whole idea of a usable, open web. On tor, I just give up. There is nothing I want to see on the internet badly enough that I'm willing to spend ten to fifteen minutes (this is not an exaggeration) trying to guess what I'm supposed to click on. I do blame cloud flare, ignorant website creators, but most of all Google. Out of the many atrocious products they have created, nothing is more infuriating and frustrating than these stupid captchas. They are not logical and quite often simply unsolvable. I support the creation of bots that can guess (because that's what the process is, there's no solving these) these even if it comes with all the downsides of having such bots roam freely on the internet. I hope the ai of the future is able to deal with such nonsense to the point where Google gives up on this atrocious technology. I'd rather have spam and ddos attacks than this.
At some point, Google started doing really aggressive increases in their captcha difficulty based on IP trust or even outright refusing to let people try and solve them at all. Since there's going to be a large overlap between IPs that Cloudflare force through the captcha and IPs that Google distrust, this means that anyone trying to access the internet through a network that Cloudflare has put on their evil list will probably find the whole web completely unusable. Of course, any employees testing the captcha feature will go though the easy path and not see the problem...
Captcha's are very overused. I cancelled my PlayStation Vue service because the website
kept bugging me with the worst of the worst Google captchas every couple days or so (not using Tor). Unreal that anyone thinks those are a good idea just to log into a service someone is paying for.
I think the number of times a captcha is presented is directly correlated with the risk associated with the IP address. But you're right, very annoying indeed.
blog.torproject.org uses an invalid security certificate.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
Who said anything about failure or difficulty? Neither the complexity of captchas nor my ability to successfully navigate them has changed appreciably.
I'm not a Tor user but from IP blocks of ISP with low reputation, the Cloudflare Captcha irritated me too much. Now I'll close the website if I see one and looking for Google cache or archive.
The Tor Project is invaluable in countries like Russia, where the gov. can block literally millions of IPs just to get rid of one pesky messaging app.
Now that I think about it, people using it should probably donate more to the project. Although this very same gov. can always see it as "supporting the terrorists".
Furthermore, as an expat living in Russia at the moment, it is quite surprising to one day be in an EU country and able to access any wide variety of sites, and the next day get a friendly message from Роскомнадзор telling me this website has been blocked for my protection or some other non-sense.
I'm not involved in politics enough for it to be something very dangerous for me -- it's just non-sense things I want to see that I cannot because of silly regulators wanting to look important. But at the same time, trying to browse around via Tor to bypass these restrictions make it impossible at times to access information that Роскомнадзор has decided Russians shouldn't be allowed to access.
For those wondering, "Роскомнадзор" is Russia's "Censorship Agency", Roskomnadzor[1]. If you are wondering, why is there a Censorship Agency in a country whose Constitution explicitly bans censorship[2], well... Let's just say it's not the first time in our history. Probably not the last.
To be fair, a lot of times I feel that it's more Hanlon's Razor than active censorship. There still is a lot of Old World Russia running the show in Russia, and stuff you could pull off when the entire populous was farmers just doesn't really work now, and Russians are not afraid to call their leaders out on it. The problem is that there still is an overwhelming sense of apathy in the population, though this is steadily changing as more and more people become active politically, even if for now there isn't an immediate effect.
But a lot of things that agencies like Роскомнадзор do are simply because it made someone a quick buck somewhere down the line. Many of my friends/colleagues work for businesses run by old men who are more interested in 10,000 rubles now than 100,000 rubles in a week. The decisions that Роскомнадзор and other government entities makes rarely have much more of a thought process beyond a simple "well, we wanted X". When the Telegram ban came into effect and folks outside of Russia were flabbergasted by Russia's choice to just block major parts of AWS, people came up with the most outrageous of theories as to what was happening. The simple and more accurate truth was probably that whoever made the decision at Роскомнадзор to do the blocks neither thought about the implications of such a decision nor had the technical knowledge to really understand it, and those underneath this person likely didn't have the will or inspiration to care, hence why the block is so trivial to bypass (like all the other blocks)
Like with many countries, a lot of old political methodology has to die off before Russia can really step forward, and while that is happening, it's why projects like Tor are essential for providing unmitigated access, whether it is a malicious block (Telegram) or a senseless one. That so many US companies just have a straight up IP block on all things Russia doesn't help to advance the situation past this stage at all.
Any society wants some level of censorship, and tends to want it strongly enough to override any Constitution or similar document that says they should have it. Once the system is in place for the kinds of censorship that the majority of society wants, it becomes far easier for someone to expand it. Censorship is so nice when you are in power getting what you want censored that people don't consider what happens when the powers that be no longer represent their interest.
I've got enough problems on my sites from Tor that I simply block T1 (Cloudflare's "country" code for Tor users) on their settings. Blocking whole countries used to be a Enterprise only feature, but now it's available to Pro users.
Somehow a crazy person decided that I was cheating on Google's SERP using "hacked routers" (?) and started to make random queries to my "/search" endpoint, dozens of "POST newsletter/add" with fake emails per second, and other really lame attempts to get on my nerve and cause downtime.
Someone gets banned from bad behavior, they create a new account. So you IP ban them. Then they switch over to Tor and keep making new accounts from anonymized IPs and start disrupting the forum by spamming it with slurs. The only solution is to ban Tor.
Criminals will just hire a botnet, as we can see from all incoming spam email and forum bots, etc. For the rest of us who desire to be anonymous online, there is Tor. Whatever people can do over Tor, they can also do without Tor. You're probably never going to find them anyway, even if you would sue in the first place.
This whole tor vs clearnet distinction is way overblown. Sure people will do more crap if they're anonymous, but if you block Tor criminals will just use something else.
Not true for me. All the (email) spam, brute forcing and web vulnerability scans I'm getting on my servers come from normal IP addresses. It's very rare that anyone uses a Tor IP address.
Botnets are too unreliable. They're only any good for coordinating DoS attacks and spamming, the sorts of attacks that don't require persistence of infrastructure.
Tor is a common CnC and exfiltration vector. Nothing good will ever originate from a pseudoanonymous network developed for spycraft. We have enough problems with it that we shoot it on sight.
The bigger problem is becoming abuse of cheap VPS and seedbox services (and anon VPNs) to launch attacks. $5 gets you a non-attributable box managed by an overseas entity with a gigabit link and an IP strategically located near your target to thwart geoip-based blocking. With that price point and features, why fuck around with botnets or Tor?
All the author had to do with this "appeal" was present the text to be read. Instead they put it on gitlab behind javascript. Literally nothing renders without JS enabled, and even with it enabled in browsers more than a year or two old it's just spins forever: no text.
Text is easy guys. Here's my appeal: stop hiding all content behind javascript. It's not required and because if it I am unable to read the author's appeal.
That's also not a trick you need to memorize or something - if you load a markdown page on Gitlab without Javascript, it won't render, but you can still click on the button to view it raw, and that button is clearly labeled with semantic HTML that will be accessible to any web browser that can handle a link tag. You do need to be able to handle HTTPS encryption, but that's another debate - most raw text documents are also going to be served over HTTPS anyway.
And of course, from the Javascript side of things, the vast majority of Gitlab's front-end is open source and all of their Javascript is served from their own servers without any third-party trackers or ads. So no worries on that front.
I get that people get annoyed about aggressive and unnecessary useage of Javascript and some choose for ethical reasons not to run proprietary code. I am all for accommodating you. But Gitlab does accommodate you. There has to be at least a little bit of effort put in on both sides here. Otherwise sites are just going to throw up their hands and say, "well nothing pleases these people, why should we bother?"
Gitlab does a great job of accommodating people who want access to raw text while also accommodating people who want to be able to do basic layout. And the approach of sites like this have significantly encouraged devs to use markdown more - if this was a static site, or something exported out from Org-mode, or even just a rendered Markdown file, you wouldn't have access to the original raw text version.
The only reason you have access to the raw text is because the uploader chose to serve the raw text and then handle rendering clientside instead of serverside. If you want to be able to read more content in Markdown form, Gitlab is your friend, not your enemy.
Have you operated a website that gets lots of scammers? I've been responsible for the security on several major e-commerce web applications. Often, you have to make compromising choices, we found that the vast majority of requests over Tor were not converting, in fact I don't think a single visitor via Tor had bought a product (iirc, but I'd have to check to be certain). That combined with the number of fuzzing/strange requests from users via Tor was just too high to consider them to be meaningful traffic. We blocked Tor users outright and it resulted in no change in revenue and a more straight forward security landscape.
i've often had more luck passing these captchas randomly selecting 4 boxes from the grid than trying to answer it intelligently. for example it often asks to select a sign -- does the signpost count? only 50% of the time... similarly, it might ask to select cars. does a bus count? there is no consistency, presumably because the training data is ambiguous. does it deter spam? yes, of course. so would a 404.
of course the real consequence of the above is that tor/incognito users are essentially being excluded from increasing parts of the web. it's hard to think it isn't intentional either (ie privacy is becoming illegal)
The reality of systems like Tor is that they're going to be heavily abused by bad actors. Part of the whole point of using Cloudflare is to reduce your vulnerability to attacks from those bad actors, so I don't see how it's a good idea to whitelist that traffic indiscriminately.
I feel for the legitimate users of Tor who are annoyed by captchas all day, but unless someone has a foolproof way to filter out good Tor users from malicious Tor users, I think that's just the price you pay.
I've been trying to use the Tor browser lately and so far it's been a mostly futile endeavor. Between these captchas (which take 1-2 minutes to solve) and other automated "bot" detection, most of the web is unusable. You might be able view it, but good luck interacting with it in any way. That's when you run into the "Sorry, something about your activity seems fishy" messages.
This also blocks me from scraping which in my case means you're not going to get traffic from my aggregator. I could work around it but honestly there is enough great stuff out there not behind cloudflare so it's not a priority.
From a network abuse perspective, any individual ipv4 /32 that is a TOR exit point is an immense source of abuse, spam, shit, automated password attempts, etc.
The analogy still works: Let's say the vending machine companies became fed up with being robbed all the time by people using face masks and as soon as somebody walked up wearing a face mask the vending machine would recognize this and turn into a locked down candy safe.
Maybe to get around this the vending machine could ask for an identity card to confirm this person was safe.
In the same way, could Cloudflare (or anybody else) cookie people who were deemed safe? Sure. But then that sort of defeats the purpose of Tor.
From the perspective of somebody operating these systems: they are either damned if they do, damned if they don't. Given the relatively small number of people using Tor, I think what has been done here is perfectly reasonable.
It's even worse: Tor protects only the source IP address, while leaving personally identifiable information like login, email, credit card numbers, browser configuration, screen resolution etc untouched.
An analogy? Being required to show you passport to use a vending machine.
For people who are unaware, there is a cryptographic solution to this. Cloudflare worked with crypto researchers to create a way for Tor users to anonymously verify that they're not a bot. It's called Privacy Pass and it solves this problem: https://blog.cloudflare.com/cloudflare-supports-privacy-pass...
The main problem with whitelisting Tor is that you open the door to abuse.
Cloudflare is working on a new solution to this problem that allows us to differentiate between abusive visitors and legitimate users without de-anonymizing them.
If you’re a Cloudflare user and want to sign up for this feature, email onion-beta@cloudflare.com for details.
Why would a company that values their users' privacy have Cloudflare man-in-the-middle their traffic in the first place?
Cloudflare decrypts the traffic, which in many cases includes personally identifiable information like names, email addresses, transactions, etc. It's hard to imagine something more anti-privacy than allowing a third-party access to all of your users' data.
Tor users should take those CAPTCHAs as a sign that they're visiting a web site that they can't use while maintaining their privacy.
What hosting is acceptable for your privacy wishes? Given that "a contracted party sees plaintext" is apparently the issue, the following clearly are not ok:
a) any SaaS
b) any of the cloud providers when their load-balancing offerings are used in HTTP mode (e.g. Amazon ELB)
c) any traditional "shared" hosting company
Are VPSes trustworthy enough, or does it have to be dedicated hardware? Dedicated hardware under direct control of the company only? And how many companies run those, vs setups falling under a-c) above?
I see people make comments like this all the time when it is about Cloudflare, but somehow very seldom if it's about Amazon AWS, Shopify, ..., despite the same caveats applying to those, and it being widely accepted that third-party processing is fine if for a clear purpose and under proper contracts.
Yes, options A, B, and C are technologies that shouldn't be used where user privacy is highly valued. They violate the fundamental concept of end-to-end encryption.
In practice, a rented VPS or dedicated server that terminates its own TLS connections can be considered very private. It's not impossible for the hosting company to acquire the private key but it would require real effort, business risk, and potential liability.
Even if you're not worried about rogue employees, you have to worry about mistakes like the infamous "Cloudbleed" bug that leaked private user traffic.
So avoid using more than 75% of the web? You may be right in that these websites value your privacy less than other things but it certainly doesn't seem like a viable solution for most users. What's the day to day usage look like when you take your privacy this seriously? I'm not well versed with what tools you would use currently to achieve privacy.
It's a trade-off. If you trust Cloudflare it adds additional protection against bad guys. If you don't trust them don't use them. Same with Amazon or any other place where you can rent server room.
Using Cloudflare gives control for control over which part of their site can use shared cache and which is direct link.
If you don't trust anyone, run your own servers and don't hire sysadmins.
People you hire can be vetted, fired, sued, and even imprisoned for violating your users' privacy. Blindly handing over your users' data to a third-party includes none of these protections. You're simply abdicating responsibility.
But you must have them on site 24/7 to be able to respond as fast as Couldfare to any new security issues. You must pay them a lots of money because they must be expert level. You also need to have 24/7 security around your servers and all the backups and redundancy.
Very few businesses have customer information that is wroth the paranoia and investment to doing everything inhouse.
There is a disconnect here: I've read so many technical articles from cloudflare about neat problems they solve while at the same time they just boldly say fuck you to net neutrality and aggressively try to get people on board with the tracking internet that their corporate partners desire so strongly. I get the sense these aren't the same groups of people at the company itself.
I've been browsing anonymously with tor and other services for about five years now and the web just gets more and more hostile every day. So many pages, apps, services, etc just flat out don't work anymore even if you solely have a VPN running.
Not to throw cloudflare under the bus, Google and Apple have have created way more issues for me with their hostility to anyone who evades tracking.
That's not what "net neutrality" means: Cloudflare is a service the site operators choose to pay for.
An example of actually saying fuck you to net neutrality would be your ISP announcing that access to "premium web sites" will be slowed to 10kb/s unless you pay an additional fee.
Eh, I really doubt that it's designed to punish people who aren't tracking. Tracking makes users much more valuable, but the average legitimate user who isn't being tracked is still probably net positive value, so it wouldn't make sense to just block them outright.
I think the problem is that a very high percentage of malicious behavior online comes from Tor, certain IP ranges, VPNs, scrapers that don't run Javascript, etc, etc. You can't get rid of all of those malicious actors, but you can probably block the vast majority of them by taking the actions you're complaining about here, and I suspect that it doesn't actually cost you that much. You get some cranky nerds and some legit users who are using Tor and VPNs who won't be able to use your site, but they're a tiny minority.
Cranky nerd here. I've tried to use Tor to access websites for legitimate purposes and found much of the web has become unusable recently.
But perhaps you need a motivating example, since you don't think there's any value in supporting Tor! I'll give you some.
- Security researcher wishes to contact an organization about a security hole in their site or product, but doesn't know if they'll be sued, so they want to protect their identity. (source: this is me; have met other people doing this)
- Pedophile (who doesn't want to be one) seeking therapy options that don't involve a high risk of being incarcerated or killed. (source: read an article about this)
- Teenager in a repressive environment trying to access LGBTQ resources; parents have a netfilter on, or maybe have snoopware on the router. (source: several acquaintances)
- Chinese citizen trying to find a different view of history (source: pretty freaking common, although Great Firewall makes it tricky)
These are people who don't have other, good options. And you'll need to be able to withstand the sizeable quantities of malicious traffic that don't come through Tor, so it's not like you really win anything. It's worth not blocking Tor.
But perhaps you need a motivating example, since you don't think there's any value in supporting Tor!
I never said that.
I do think that the onus is on you to explain to whatever company you're railing against here why its in their best interest to welcome Tor traffic, particularly if it will make them more vulnerable. And sorry, to me you're not doing a good job of making that case. These examples seem like edge cases for the vast majority of websites. If I was blocking Tor (I'm not), I wouldn't reconsider my position from these scenarios. The cost is simply too high for too little benefit to too few people, probably none of which are my target audience.
And just to be clear, I truly understand the value of Tor and similar projects, and I hope we get more of them and they're more widely supported. But they come with real downsides too, so it's not surprising to me that many businesses and governments aren't going to out of their way to support them. That's the price you pay.
You need to provide fiscal value or convince the operations team of legitimate companies to not treat Tor as a bad apple. It may not be right but money is the only motivating example that matters to companies.
A better request for Cloudflare websites would be to put the CAPTCHA's just on actions that need protection. Reading a blog entry? Don't need to test. Writing a comment? CAPTCHA them to the break of dawn.