Pages:
Author

Topic: Cloudflare requiring Javascript for Tor users (and others?) (Read 550 times)

full member
Activity: 305
Merit: 106
Cloudflare has a JavaScript browser check when you do a server request from a "known bad" IP. It logs weird activity from that IP (like trying to access */admin.php or */wp-admin.php and can deny access to the page. I would assume this is mostly encountered while posting (add and get functions mostly). They call it Browser Integrity Check
https://support.cloudflare.com/hc/en-us/articles/200170086-Understanding-the-Cloudflare-Browser-Integrity-Check

Maybe it's worth a slight tweak, tho not sure if it would do more harm than good.
copper member
Activity: 3948
Merit: 2201
Verified awesomeness ✔
Sometimes I'm just stuck outside and hope CF eventually lets me in.

I couldn't help but imagine you like this:


legendary
Activity: 2674
Merit: 2965
Terminated.
Bump, this issue occasionally causes problems for me as well. Sometimes I'm just stuck outside and hope CF eventually lets me in.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
The Cloudflare Javascript cavity-searches continue—on and off, much more “on” than “off”.  This seems to occur about as often as I get a new IP address, approximately every 10 minutes.  The “browser check” page interacts badly with multiple SMF functions, including posting and sending PMs.

Worse, about an hour ago, Cloudflare tried to CAPTCHA me when I was making a post:

Screenshot of Cloudflare CAPTCHA on bitcointalk.org

I backed up, changed Tor circuits, and pasted in my post again.  The change of circuits worked—this time.

I don’t want to keep complaining on this thread, but the situation keeps getting worse.  Moreover, I needed to leave a note somewhere—just in case:

I will not jump through “I am not a robot” hoops simply to access the site when I’m already logged in.  If I suddenly disappear, please check to see whether Cloudflare is CAPTCHAing Tor users.

To inform those who may make assumptions based on non-Tor experience:  The Google CAPTCHA (used by Cloudflare) cranks up the tedium all the way for Tor users, with multiple successive challenges which slooooowly load new images.0  It always takes more than a full minute to complete.  Worse, for the past few months, Google has been frequently refusing to serve CAPTCHAs to Tor users.  The last time I needed to do a Google CAPTCHA, the whole process of obtaining and then solving it took me about 10 minutes!  Obviously, I will NOT even consider doing that just to load a webpage.  I don’t care if the webpage be carved of solid gold.  It is outrageous in principle.

CAPTCHAs for page loads would mean an effectual ban of Tor users.  Please don’t let that happen.





0. Aside, I do not see what possible purpose the long artificial delays in challenge image loading have for stopping robots.  A robot’s time is worth nothing, and it has no feelings of mind-dulling boredom.  The only conceivable purpose of these long delays is to torment humans who use Tor.

Overall, Cloudflare’s mistreatment of Tor users has for years been a textbook example of “the nudge” method for social engineering.  Cloudflare loudly claimes to support privacy, and they say they don’t hate Tor.  But actions are louder than words; and the net effect of their actions is to consistently discourage Tor use.

With only a few exceptions such as the Bitcoin Forum, I have been boycotting Cloudflared sites for about four years now.  I do not want a man in the middle serving as a mass-decryption point to monitor my communications with a wide range of sites.  I do not want to be tormented and have chunks of my lifetime stolen as punishment for caring about my own privacy.  And I miss nothing; it’s not my loss.  There is plenty of other Internet for me.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
Well, it seems to have subsided sometime between about 18:30 and 22:30 hours (UTC).

...and, now it’s back!  This seriously impairs use of the forum for those affected.  Besides other concerns, having Javascript enabled (and running Cloudflare’s scripts) also increases memory usage to the degree that I can’t open many tabs as I am accustomed to doing.  At least in the break, I managed to do most of the searching necessary to nail a copypaste spammer (will post results later).

The obvious inference is that Cloudflare’s incompetent system can’t handle a heavy DDoS, so they ratchet up this Javascript garbage whenever the site gets hit.  To add insult to injury, they have failed to keep the site consistently available during DDoS attacks in the past few months.

Just noticed cloudfare now as well. Similar to nullius' first post i am asked to turn on javascript and then even see the "please wait.." message before getting redirected to the forums. Its just a few seconds of waiting but its quite annoying actually. Wouldn't it be possible to have cloudfare without the "please wait..?"

Or is the "please wait" appearing only to me?

For the “please wait” message, please see Meretrix’s screenshots a few posts above yours.  Do those look familiar?

It’s more than “just a few seconds of waiting”.  What the hell is that script actually doing, when it says “checking your browser”?  I don’t know.  I do know that even against Tor Browser, there exist fingerprint attacks which could be used for deanonymization—and I don’t trust Cloudflare.

One of the great things about the Bitcoin Forum is that it’s run by a clueful admin who cares about privacy and security.  I understand the untenable position in which theymos has been placed by the large-scale attacks of Internet arsonists; but in the long term, Cloudflare can ruin the site in the manner of a cure worse than the disease.
full member
Activity: 280
Merit: 102
Just noticed cloudfare now as well. Similar to nullius' first post i am asked to turn on javascript and then even see the "please wait.." message before getting redirected to the forums. Its just a few seconds of waiting but its quite annoying actually. Wouldn't it be possible to have cloudfare without the "please wait..?"

Or is the "please wait" appearing only to me?
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
Cloudflare has effectually locked me out since sometime yesterday—both of me.  I am posting this from the account under which I first got hit with it, almost 22 hours ago.  This time, it does not stop!

Well, it seems to have subsided sometime between about 18:30 and 22:30 hours (UTC).  If theymos did anything to make Cloudflare back off, thank you.

I hope this will not happen again; though if it does, I now have shell scripts to help deal with it.  Whereas in the long term, for this and other reasons, everybody should hope a better anti-DDoS solution can be found.  Part of my own proposal would be a large mallet, applied to the heads of DDoSers.

An absolute requirement of Javascript will drive away many of the types of people whom the forum should want to attract:  Privacy and security experts, cypherpunks, people for whom the word “crypto” means something other than get-rich-quick schemes or Paypal 2.0.  For my part, it is unacceptable to me in the long term.





I have noticed an increased amount of "Try again later" errors during the repatcha solving process (where you have to select vehicles and street signs which Google seems to be obsessed with for some reason). Looks like Tor nodes are getting banned again at a higher rate.

See reference upthread; and if you have any information from your experience which may be helpful, perhaps consider documenting it for the benefit of others on the Google lockout thread.  I suggest that you check the box to stay logged in, and save your cookies.  Basic instructions are referenced on that thread; see also Meretrix’s shell script above.

...I made myself a dedicated Bitcoin Forum “thing” on the day that I was forced to try seventeen (17) different Tor circuits before Google deigned to grant me a login CAPTCHA.  See “Google is locking Tor users out of Bitcointalk.org!”.  One of my Newbie rank posts!
legendary
Activity: 1372
Merit: 1252
I have noticed an increased amount of "Try again later" errors during the repatcha solving process (where you have to select vehicles and street signs which Google seems to be obsessed with for some reason). Looks like Tor nodes are getting banned again at a higher rate.

Anyway, enabling javascript to solve the recaptcha has been the case for a while now. The Cloudfare frontend page blocking you to even browse the forum is definitely new to me, I only saw it yesterday I think. But once I log in, im able to browse the forum if I disable javascript. Im posting this right now with javascript turned off for instance (using noScript)
copper member
Activity: 23
Merit: 4
Meretrix Conceptions, Disincorporated
Cloudflare has effectually locked me out since sometime yesterday—both of me.  I am posting this from the account under which I first got hit with it, almost 22 hours ago.  This time, it does not stop!  It has caused me to avoid the forum until I worked out the mitigation given below.

Loading image of Cloudflare demand to violate you...

Translation:  Bend over, and spread your cheeks.  Cloudflare wants to check if you’re human on the inside:

Loading photo of Cloudflare cavity search...
cloudflare_cavity_search.png

Moreover...

[Edit:  @mods, apologies for making this a new thread.  I tried to post it in the Cloudflare thread.  When Cloudflare ate my post and threw me back to a blank form as described below, I did not realize SMF’s reply info somehow got lost—thus resulting in a new thread.  Meta won’t let me delete my own topic; I just tried.]

This Cloudflare/SMF interaction bug persists:  Cloudflare is rerunning these checks regularly, at times unpredictable to the user.  If it collides with your hitting the “Post” button, then the Cloudflare cavity search function will throw away your post and redirect you to a blank form for starting a new topic.  That is how the current topic came to exist:  I had tried to post a reply on the main Cloudflare thread, then received a screen which looks like the following; I then just pasted in my post and hit the button again, without realizing that I was submitting a a new topic.  It is fortunate that I compose in a text editor.  Those who don’t will lose their posts.

Here is what it looks like, from when I was hit with this again while making this post:

Loading image...




Temporary mitigation:

An absolute requirement of Javascript will drive away many of the types of people whom the forum should want to attract:  Privacy and security experts, cypherpunks, people for whom the word “crypto” means something other than get-rich-quick schemes or Paypal 2.0.  For my part, it is unacceptable to me in the long term.

As an interim threat mitigation for occasional Cloudflare flare-ups, for those running ephemeral Tor Browser instances in vanishing VMs, here is a script which shows what you need to instantiate your saved login cookies and avoid being effectually locked out by the Google CAPTCHA.

No technical support will be provided by me with this script.  Figure it out.  It is provided as “documentation” of badly undocumented stuff not made by me.  I developed this by running diff(1) against prefs.js at various stages of configuration; if there exist any references, I would like to know about them.

Code:
#!/bin/sh

#
# Set this to the path containing subpath:
# "Browser/TorBrowser/Data/Browser/profile.default"
#
ffprofile="path/to/tor-browser/Browser/TorBrowser/Data/Browser/profile.default"

#
# Change this (duh).
#
case "${1}" in
nullius)
bcfuser="nullius"
;;
[Mm]eretrix)
bcfuser="meretrix"
;;
*)
echo "User not specified, or unknown user" >&2
exit 1
;;
esac

{
cat << EOF

# Turn off Tor Browser's no-disk-write mode:
pref("browser.cache.disk.enable", true);
pref("browser.download.manager.retention", 2);
pref("browser.privatebrowsing.autostart", false);
pref("permissions.memory_only", false);
pref("security.nocertdb", false);
pref("volatilePrivatePermissions", false);
pref("pref.privacy.disable_button.cookie_exceptions", false);
EOF
} >> "${ffprofile}/preferences/extension-overrides.js"

#
# permissions.sqlite could also be reconstructed with
# `sqlite3 -batch -bail -init permissions.sql -cmd .quit "${ffprofile}/permissions.sqlite"`
# using the SQL provided below.  The important cookies are
# the SMF login tokens, of course.
#

cp -p permissions.sqlite \
"${bcfuser}/cookies.sqlite" \
"${bcfuser}/cookies-tor.json" \
"${ffprofile}"

permissions.sql:

Code:
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE moz_perms ( id INTEGER PRIMARY KEY,origin TEXT,type TEXT,permission INTEGER,expireType INTEGER,expireTime INTEGER,modificationTime INTEGER);
INSERT INTO moz_perms VALUES(1,'https://bitcointalk.org','cookie',1,0,0,1521640330020);
CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY,host TEXT,type TEXT,permission INTEGER,expireType INTEGER,expireTime INTEGER,modificationTime INTEGER,appId INTEGER,isInBrowserElement INTEGER);
COMMIT;

HTH, HAND.
newbie
Activity: 14
Merit: 0
For anyone that isn't aware of what fingerprinting is, here is an example.

I rob a bank without using a disguise, showing my face and leave behind my fingerprints on the door I use to enter the building.
Nobody there knows my name and so I still remain 'anonymous'.
But then the cameras and witnesses can fingerprint me based on how I look and law enforcement can fingerprint my identity from the fingerprints I leave behind on the door and counter. So then I'm caught.

If I was to use a disguise and wear gloves, I would remain anonymous and I leave only a few fingerprints behind.

In the virtual world there are many more fingerprints that your browser leaves behind that will track you and a HUGE amount of this information is sourced with javascript.
legendary
Activity: 3696
Merit: 4343
The hacker spirit breaks any spell
Yeah I don't agree with bitcointalk running cloudflare. I hate running javascript when I need to rely on security.

Fingerprinting is now a big issue like mentioned above.

Canvas, user agent, fonts, these can all tie your identity back to your facebook account or email account.

Also a VPN doesn't really do shit if you're being fingerprinted. It will hide your browsing from your ISP but wont hide your privacy from Google

total agree

is security big issue for unveil people identity.. in my humble opinion, force use of javascript, is very bad
javascript is evil tecnology (i'm javascript coder)
member
Activity: 154
Merit: 29
similar problems on android opera (not even opera mini)

https://bitcointalksearch.org/topic/bitcointalk-and-cloudflare-opera-issues-3003707

(I didn't notice your topic until after I created mine)
newbie
Activity: 14
Merit: 0
Yeah I don't agree with bitcointalk running cloudflare. I hate running javascript when I need to rely on security.

Fingerprinting is now a big issue like mentioned above.

Canvas, user agent, fonts, these can all tie your identity back to your facebook account or email account.

Also a VPN doesn't really do shit if you're being fingerprinted. It will hide your browsing from your ISP but wont hide your privacy from Google
legendary
Activity: 3654
Merit: 8909
https://bpip.org
Oh I'm sure there are ways to fuck me over even through VMs, however my gut is telling1 me that the probability of me geting pwned or fingerprinted in a VM with JavaScript is not significantly higher than the probability of same happening in a non-VM browser with JavaScript disabled. E.g. a buffer overflow without a VM would be far more catastrophic IMO.

I doubt it's possible to detect ESXi via JavaScript but I'm not paranoid enough to start worrying about that. The choice is basically whether I dial my paranoia up to 11.5, disable JavaScript, and frustrate myself with half-broken web, or keep it at 11 and worry about the important things in life instead. YMMV Smiley

Re VPN: I use Tor over VPN mainly due to traveling thus using VPN by default.

Bottom line though: Cloudflare sucks.



1 This could be my daily dose of brandy talking though. Take it with a truck of salt. I mean the words. Don't put salt into brandy.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
(Actually, nothing changed.  One post got through without problems, for some reason.)  Edit:  In the time it took to write this, something seems to have changed.  I’m not yet sure; but this is my first post in some hours which was not quasi-eaten, etc.

If theymos twiddled some knobs—thank you.  If not—then for future reference, I want it somehow known that occasionally, if Cloudflare is busy valiantly stopping a DDoS attack, I might become unavailable on the forum due to denial of service.




Cloudflare is an anti-user D.o.S., Denial of Service!  It is currently making the forum unusable through Tor.  “Unusuable” meaning, to a reasonable person; I am sometimes unreasonably stubborn.

It repeatedly hits my browser with Javascript checks, re-checks, Rapiscans porno-scans, X-rays, and cavity searches which spin my CPU, eat up my RAM, and do who-knows-what else.  It does this so frequently that because I spend significant time on posts, I am regularly directed to a blank form which even forgets which thread I’m trying to reply in.  My posts would be eaten, and lost forever if I didn’t have a copy set aside outside the browser.

If I weren’t so fond of this forum and already quite invested in it, I would have given up three hours ago.

Please do something about this!  I suggest starting by immersing DDoS attackers in boiling oil.  I am fantasizing about that right now.  But really, if you’re going to get DDoSed, DoSing your users is not the solution.


No, vmware is not open source, but over my 10 years of using it (like in enterprise envs),  I have never had any issue or security problem.

How do you know that?  The type of attacks which break out of VMs are not typically used by the authors of popular widespread malware.

OFC,Nothing is completely secure in this day and age as you know I'm sure. Cheesy

You may be assured, I would not allege “open source” to be a security panacea!  The magical security of open source is a pernicious and contemptible myth.  Availability of source code is only a prerequisite which facilitates auditing.  When actual people (as opposed to hypothetical eyeballs) are auditing the source, the next step is reproducible builds, as Core does.

But the availability of source code provides the potential.  Intentionally opaque blobs do not.


vmware is not open-source but there are open-source hypervisors... like linux kvm or whatever-the-fuck it's called nowadays.

Xen: Bare-metal hypervisor, but more or less married to Linux for dom0 (last I checked)

KVM: Linux thing

Bhyve: FreeBSD thing

VirtualBox: Mostly open-source thing.

qemu: Not a VMM per se; but I feel it deserves mention here.

Am I forgetting any popular ones?

I don't quite get the issue with fingerprinting. You can fake nearly everything about your environment in a VM. Screen resolution, browser type/version, OS type, VPN endpoints, not sure what else is there that JavaScript could potentially disclose?

Zeroth of all, do you fake all these things separately each time you hit the “New Identity” button?  And how many combinations thereof could you reasonably make?  The most urgent concern is not preventing identification of your computer:  It is preventing linkability of your browsing sessions.

And first of all, some things can reveal quite hardware-specific information.  Reading from .  webgl.  Many others, because browser makers are idiots who add stupid new features willy-nilly (or may want things this way).  Some of these are disabled or limited in Tor Browser.  But you said VPN—actually, if you use an ordinary browser with a VPN, you are pretty much toast anyway for fingerprinting.

How about CPU timing?  The Javascript language provides sufficient resolution to make this a fingerprinting issue.  (Tor Browser limits the resolution, but not enough IMO.)

How about the fact that—well, correct me if I’m wrong, but I doubt that VMware lets you conceal the fact that you are running in VMware.  It probably leaks the version, too!  ESXi, did you say?  Is my brain half-melted by the heat of Cloudflare spinning my CPU, or is ESXi some kind of server stuff which is very rare for end-users?  Ooh, 23.8 bits of suchmoon identification!

(In a related matter:  When I started searching for privacy leaks, I found some very unpleasant surprises in my kernel.  Don’t get me started.  It is astonishing how much uniquely identifying hardware info can be easily scooped up by heavily sandboxed unprivileged processes.  How do you do your Tor daemon?)

Note:  I am not even up right now on all the latest research.  I have seen some tantalizing discussions of fingerprint attacks which will turn your whole browser into a supercookie to link your sessions.

From there, the concept is simple:  suchmoon on bitcointalk.org = xyz on abc = [your so-called “real name”] who lives at [address], according to that non-Bitcoin online shopping you just did.  Oopsie!

Re drafts - e.g. if I open a VM for Bitcointalk I will probably use it for a few days so good enough for me although TBH I'm not into long essays. Sometimes when I need to save it for longer I send it in a PM to myself.

PMs here are a disaster, in my opinion.

Feature suggestion for a “crypto” forum:  An opt-in remailer, which would let me send mail to [email protected]—or maybe 234771@, since usernames here can contain charcters which are problematic.  (Problematic, despite being allowed by the original RFC 822.)  Spam could be curtailed by requiring SMTP envelope FROM the registered e-mail address, and obeying SPF records, etc.

That way, I could use the very convenient PGP functionality of my mail client.  Plus its drafts box.

I should start a new Meta topic.  Watch for it.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
vmware is not open-source but there are open-source hypervisors... like linux kvm or whatever-the-fuck it's called nowadays.

I use ESXi though because I need it for work.

I don't quite get the issue with fingerprinting. You can fake nearly everything about your environment in a VM. Screen resolution, browser type/version, OS type, VPN endpoints, not sure what else is there that JavaScript could potentially disclose?

Re drafts - e.g. if I open a VM for Bitcointalk I will probably use it for a few days so good enough for me although TBH I'm not into long essays. Sometimes when I need to save it for longer I send it in a PM to myself.
legendary
Activity: 3570
Merit: 1959
No, vmware is not open source, but over my 10 years of using it (like in enterprise envs),  I have never had any issue or security problem. OFC,Nothing is completely secure in this day and age as you know I'm sure. Cheesy
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
Edit to add PSA from someone who claims to know a few things about security:  Disable Javascript!

I have been disabling Javascript since the 90s.  The habit has almost certainly saved me from being elitely h4x0r3d.  The Web is almost useless, nowadays.


While I agree that Cloudflare is an abomination, I have long ago resorted to doing my Tor browsing in a VM... so at that point it doesn't really matter if there is JavaScript or not. I can restore a clean snapshot any time I get paranoid, I can run multiple instances in parallel, and the browsers are REALLY sandboxed.

Oh, I do this generally; and I did that when I first started posting here!  But I made myself a dedicated Bitcoin Forum “thing” on the day that I was forced to try seventeen (17) different Tor circuits before Google deigned to grant me a login CAPTCHA.  See “Google is locking Tor users out of Bitcointalk.org!”.  One of my Newbie rank posts!

There and somewhere in the main reCAPTCHA thread, I also think aloud about how Google forcing users to rapidly cycle through circuits may help network adversaries deanonymize users.

Now, Cloudflare + Google are hitting Tor users from both sides:  Cloudflare sometimes requires Javascript to even read the site; and Google effectually forces Tor users to try to maintain a long-term login cookie.  Ephemeral VM browser?  Nope!  Disable Javascript?  Nope!

And I disagree with you that a VM is good enough.  I dislike and try to avoid Javascript, even in a VM.  Do you follow the security bulletins for, say, Xen?  Ouch.  (I desire to not specify what I use, for obvious reasons.)  Moreover, a VM does nothing to protect you against fingerprinting attacks which require Javascript.  I would be amazed if Cloudflare was not somehow doing that with its forced-JS.  Of course, the objective there is not to remotely compromise your system, but rather, to link together different secret identities.

Browsers are some of the worst software on Earth; and nowadays we are all forced to either use them, or unplug from—everything.  Then, we are forced to let them run network-loaded executable code.  Not good.

(Aside, an ephemeral VM also makes it difficult to use a text editor and a local drafts directory to produce high-quality posts of the long type.  I would still do it for security; but it does make the writer miserable.)


Vmware FTW? Grin  

I love Vmware! Cheesy

Is it fully open-source?  I don’t know for certain, nowadays; I’m asking.  The last time I used VMware, it was a pile of inscrutable BLOBs; but that was a very long time ago.
legendary
Activity: 3570
Merit: 1959
While I agree that Cloudflare is an abomination, I have long ago resorted to doing my Tor browsing in a VM... so at that point it doesn't really matter if there is JavaScript or not. I can restore a clean snapshot any time I get paranoid, I can run multiple instances in parallel, and the browsers are REALLY sandboxed.

Vmware FTW? Grin 

I love Vmware! Cheesy
legendary
Activity: 3654
Merit: 8909
https://bpip.org
While I agree that Cloudflare is an abomination, I have long ago resorted to doing my Tor browsing in a VM... so at that point it doesn't really matter if there is JavaScript or not. I can restore a clean snapshot any time I get paranoid, I can run multiple instances in parallel, and the browsers are REALLY sandboxed.
Pages:
Jump to: