
But is blocking Tor a decision the site owner has to make, or is it the default and requiring you to set up custom site protection rules if you want to accept Tor traffic?


Explicit, using the special "country code" T1. However, I also noticed that natural block rates (on my non-CF servers) tend to be higher on Tor exit addresses due to (seemingly) more aggressive hacking attempts - probably the same on CF (the real anonymity of Tor is both a blessing and a curse)


You can explicitly block all TOR nodes, but by default the security setting is set to "Medium" which blocks the majority of them.

I'd also like to know Cloudflare's definition of "malicious traffic". I think the main fears are DDoS attacks (which is a nonexistent threat to the majority of site owners) and scraping email addresses for spam. Which can be addressed by informing site owners to use a contact form widget instead of putting their email on their contact page.


See my corollary comment on some of my non-CF servers and the blocking - Tor does provide important anonymity, and I understand that Cloudflare, which is bigger, can probably absorb it without much damage, but unfortunately Tor exit nodes have a much higher rate of attack and hacking attempts than regular IP addresses. In high-security applications when anonymity is already lost anyway (logging into a bank, for example) it is reasonable, due to the inherent risk, to block Tor exit nodes.


Ironically, Cloudflare's default protections are probably the largest contributor to any radical usage of TOR. It's assumed you've a subversive motive since it's impossible to navigate the open web with it.

Edit: I'm also not sure what "attacks" and "hacking attempts" mean. I'm guessing credential stuffing of admin pages? Brute-forcing the SSH password for root? These can also be prevented in myriad other ways that don't disenfranchise TOR users.


> Brute-forcing the SSH password for root?

Not in this context. Cloudflare-protected pages don't need to worry about that.

> I'm guessing credential stuffing of admin pages?

More complex than that, but you've got the point.

Funnily, there is silence on Fastly's filter - sure, it's not active until you toggle it, but even without explicit Tor block you get the same result.


Can it not be defined beyond "it's complicated"?


It's quite hard, because it's not just "use known vulnerabilities on this specific address" - you can block that easily, and there are projects (such as CRS: https://github.com/coreruleset/coreruleset) that try to emulate this. It's more a combination of specific attacks, which is amplified because if CloudFlare detected an attempt on a single high-profile site, then that IP address can be propagated to all Cloudflare-protected "properties" (as they call them). Combine that with how randomly an address is allocated in Tor (and frequent rotations), and you've got blocks without using an explicit Tor list.


> it's not just "use known vulnerabilities on this specific address"

Ok, so they're not blocking complicated attacks. Just automation of attempts to exploit known vulnerabilities. And then their IP is marked as high risk. Rinse and repeat until the majority of TOR nodes are blocked. Definitely can't see that causing issues for TOR (or VPN) users.

Edit: And to comment on this:

> Funnily, there is silence on Fastly's filter

> Cloudflare is used by 80.6% of all the websites whose reverse proxy service we know. This is 17.4% of all websites.

https://w3techs.com/technologies/details/cn-cloudflare

> Fastly is used by 5.7% of all the websites whose reverse proxy service we know. This is 1.2% of all websites.

https://w3techs.com/technologies/details/cn-fastly


> In high-security applications when anonymity is already lost anyway

There are countless sites that only serve static content and yet cannot be accessed over Tor.

Furthermore, many others provide an optional login that could be made to block Tor exit nodes, but the default settings of cloudflare still block the whole site.

Additionally, "anonymity is already lost anyway" when logging on to a banking website is incorrect. Users might want to protect their browsing from untrusted WiFi access points or nosy ISPs or country-level censorship.

> (logging into a bank, for example) it is reasonable, due to the inherent risk, to block Tor exit nodes.

How many attackers have the skills, experience and knowledge to successfully break into a bank and yet don't know how to anonymously rent a VPS or use a botnet or a compromised host or a starbucks WiFi? 0.0001%?

[Edit: silent downvotes do not help.]


I personally don't use CloudFlare but do manage a website which uses one for a job, and there's a button to mangle e-mail addresses, so I don't think this is their concern.

DDoS attacks are surprisingly negligible, comparable to ordinary IPs, so I don't think that's what they're protecting against.


> but by default the security settings is set to "Medium" which blocks the majority of them.

Citation needed, as my Enterprise zone with security level set to 'high' doesn't block my own Tor visit (and /cdn-cgi/trace does indeed show loc=T1).
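Two practical points surface in the thread: a site owner can restrict Tor exits only on the routes where anonymity is already gone (the login/account pages) instead of the whole site, and a visit is identifiable as Tor because Cloudflare geolocates it to the pseudo country code T1 (visible as loc=T1 in /cdn-cgi/trace). The following is an added example, not code from any commenter or from Cloudflare, showing both as origin-side logic. It assumes Cloudflare's IP Geolocation feature is enabled, so the origin receives a CF-IPCountry request header carrying the same code, and that the caller has already confirmed the connection arrived from Cloudflare's published ranges (otherwise the header is attacker-controlled). The trace text, the route prefixes and the header values are constructed for the example.

```python
from dataclasses import dataclass

# Cloudflare's pseudo country code for Tor exit nodes (loc=T1 in
# /cdn-cgi/trace and, with IP Geolocation enabled, in CF-IPCountry).
TOR_COUNTRY_CODE = "T1"

# Constructed sample of /cdn-cgi/trace output for a Tor visit (not a real capture).
SAMPLE_TRACE = """\
fl=12f34
h=example.com
ip=203.0.113.7
ts=1700000000.123
visit_scheme=https
uag=Mozilla/5.0
colo=AMS
http=http/2
loc=T1
tls=TLSv1.3
sni=plaintext
warp=off
"""


def parse_trace(text: str) -> dict:
    """Parse key=value lines from /cdn-cgi/trace; malformed lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_tor_visit(trace: dict) -> bool:
    """True when Cloudflare geolocated the visit to the Tor pseudo country."""
    return trace.get("loc") == TOR_COUNTRY_CODE


# Hypothetical route prefixes where the site owner chooses to refuse Tor exits
# (authenticated, sensitive paths); every other route stays reachable over Tor.
TOR_RESTRICTED_PREFIXES = ("/login", "/admin", "/account")


@dataclass
class Decision:
    allow: bool
    reason: str


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (servers differ in how they case names)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def tor_policy(path: str, headers: dict, via_cloudflare: bool = True) -> Decision:
    """Per-route Tor decision for an origin sitting behind Cloudflare.

    via_cloudflare must be derived by the caller from the connecting address
    (Cloudflare's published ranges only); when it is False the CF-IPCountry
    header is attacker-controlled and is ignored here. A real origin should
    refuse such connections outright; this only keeps the policy from acting
    on spoofed data.
    """
    if not via_cloudflare:
        return Decision(True, "CF-IPCountry ignored: request not via Cloudflare")
    country = _header(headers, "CF-IPCountry")
    if country != TOR_COUNTRY_CODE:
        return Decision(True, f"not a Tor exit (loc={country or 'unknown'})")
    if path.startswith(TOR_RESTRICTED_PREFIXES):
        return Decision(False, f"Tor exit refused on restricted route {path}")
    return Decision(True, f"Tor exit allowed on public route {path}")


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print("trace says Tor:", is_tor_visit(trace))
    for p in ("/blog/hello", "/login"):
        d = tor_policy(p, {"CF-IPCountry": trace["loc"]})
        print(p, "->", "allow" if d.allow else "deny", "|", d.reason)
```

The deny branch is the only place Tor is treated differently, and it is scoped to the routes listed in TOR_RESTRICTED_PREFIXES; static and public pages answer normally, which is the behaviour several commenters above would prefer over a zone-wide block.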



