Tor can't possibly be the only signal of fraudulent activity though? It may be one that has an easy "solution" however, but one that's easily circumvented (one of the many free VPN services out there).
The signal, according to Cloudflare, isn't "TOR"; rather, the IPs that are used by TOR exit nodes get banned due to them being shared and abused enough to trigger that IP being tagged as a source of trouble. I personally don't buy this, since I know of IPs they don't block that, again, would get enough abusive traffic to merit the same treatment, but don't get the treatment TOR's IPs get.
Not sure, though given enough dialog on the topic, I believe that a better solution will be found or it'll become clear that Cloudflare is not responding to the issue.
Simple answer would be that the original analysis is flawed; they've forgotten that they wrote a script to block TOR exit IPs. TOR intentionally provides a list of these IPs to the public.
Might be worth noting that TOR users are often the target of National Security Letters, that Cloudflare, based on their own report, received National Security Letters, and as such would be unable to say if those letters impacted code on the topic.
What kind of "better solution" do you envision? Right now you seem to be insisting that there must be one, which I must say does not make a very compelling case that one actually exists or is possible.
Given Cloudflare appears to have received National Security Letters, it's possible there are no answers.
That said, based on what I know, the answer is to whitelist the TOR IPs, give TOR users a global session that the user has the option to opt into (it likely makes sense for TOR to publish what the impact of this is and for Cloudflare to link to it from that page) and always let users know a global session is set in case the user believes that using TOR they reset the session; resetting it via Cloudflare would be meaningless. General gist though is humans are not bots, don't behave as bots, and Cloudflare treats every request from an IP as the same, which is a poor way to block bots.
> That said, based on what I know, the answer is to whitelist the TOR IPs
That's an option CloudFlare is offering to their customers now.
> give TOR users a global session that the user has the option to opt into (it likely makes sense for TOR to publish what the impact of this is and for Cloudflare to link to it from that page) and always let users know a global session is set in case the user believes that using TOR they reset the session
Has this been researched or suggested by the Tor project at all? I think it's fairly dangerous to suggest CloudFlare starts offering something like this before it has been vetted.