
You misunderstand the problem. The issue is that CloudFlare is treating Tor traffic like any other traffic. What you want is special treatment for Tor above and beyond the whitelisting feature CloudFlare already offers to site owners.



> CloudFlare is treating Tor traffic like any other traffic

I don't see this in any practical fashion. I can visit a CloudFlare hosted site from the regular internet for hours (even scrape automatically) with no problems; the first time I hit the same site through Tor, it gets a double or triple captcha.

Perhaps it should be a blacklist instead of a whitelist. Defaults matter.


Of course you can visit it for hours, because you are most likely one of very few people who are accessing the CloudFlare network from that IP. If you were to go through a public VPN, then the chance of captcha will also go up. The issue is that with higher traffic out of a single IP, there is a much higher likelihood of malicious activity.

A blacklist would do nothing to solve this, since the fundamental problem is the way Tor and VPNs work, by aggregating traffic into exit nodes at specific IPs.

Edit: And upon further thought, it most likely is a blacklist. A bunch of malicious requests go out from one IP, so that IP is blocked. Because it's an exit node, it also blocks a bunch of other legitimate people.
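The per-IP blocking mechanism this comment describes, as an added illustration that is not code from the thread or from CloudFlare (the sample request log, IP addresses, threshold and the exit-allowlist parameter are constructed assumptions):

```python
from collections import defaultdict

# Constructed sample log: (source_ip, user, is_abusive).
# 203.0.113.7 is a single-user residential address; 198.51.100.9 stands in
# for a shared exit IP carrying several unrelated users, one of them abusive.
REQUESTS = [
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "alice", False),
    ("198.51.100.9", "bob", False),
    ("198.51.100.9", "mallory", True),
    ("198.51.100.9", "mallory", True),
    ("198.51.100.9", "carol", False),
]

BLOCK_THRESHOLD = 2  # abusive hits per IP before that IP gets challenged (assumed)


def ip_reputation(requests):
    """Abusive hits per source IP: the only view a CDN has, users are invisible."""
    bad = defaultdict(int)
    for ip, _user, abusive in requests:
        if abusive:
            bad[ip] += 1
    return dict(bad)


def challenge_decision(ip, bad_counts, exit_allowlist=frozenset()):
    """True if a request from `ip` should get a CAPTCHA.

    `exit_allowlist` models the per-site whitelisting option mentioned in the
    thread: an allowlisted IP is never challenged regardless of reputation.
    """
    if ip in exit_allowlist:
        return False
    return bad_counts.get(ip, 0) >= BLOCK_THRESHOLD


def users_challenged(requests, exit_allowlist=frozenset()):
    """Users who would see a CAPTCHA; innocent users sharing a bad IP are included."""
    bad = ip_reputation(requests)
    return {user for ip, user, _ in requests
            if challenge_decision(ip, bad, exit_allowlist)}
```

Running `users_challenged(REQUESTS)` shows bob and carol challenged alongside mallory because they share the exit IP; passing the exit IP in `exit_allowlist` clears all three, which is the trade-off the whitelist feature makes.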


> A blacklist would do nothing to solve this

I mean blacklist "Tor" to give them captchas, instead of having to whitelist them to not give them captchas.


Eh. No thanks. "Default deny" is the only sane security default.


> I don't see this in any practical fashion.

You don't?

> I can visit a CloudFlare hosted site from the regular internet for hours (even scrape automatically) with no problems

Ah but this is not the same. Try doing so from an IP which is also sending malicious traffic, and you will see the same issue.


Technically, no, it's not the same thing. But, for a user, it is the same thing. Ultimately, it's the user's experience that matters, not the technical details.

Much like I don't care which bus gets me from point A to point B, or if I'm the only one on the bus or not... it's the experience of the trip between points that matters.


If you don't care which bus gets you from point A to point B, then stay off of the bus that all of the malicious packets are riding...



