by jgrahamc 3757 days ago
We're making a lot of changes to how we handle Tor: https://support.cloudflare.com/hc/en-us/articles/203306930
4 comments

I missed this! This is great news and frankly deserves a mention on CF's really nice company blog so that as many site owners as possible learn about the new granularity for Tor.

As a Tor relay operator and CF customer, I've been really split on the effects of CF's power. After all, blocking heuristics is just what I need.

Part of my job is maintaining a bunch of viral WordPress sites on a small budget. In addition to the crazy bandwidth and responsiveness a CF pro subscription buys you, the service really is a small biz secops dream machine. I can actually focus on writing when I just put sites behind CF.

Maybe it's Appelbaum's fate to be the Stallman of any tech with mass surveillance potential. That's not an insult and it's good to have immutable critics of centralized infrastructure. But it's certainly a bit tiresome sometimes.

The options presented by CF seem to hit a nice balance. Making blanket Tor blocking an enterprise-only feature is a nice touch. In the spirit of that, it'd maybe make sense to also make JS challenge the default for new Cloudflare domains?

Now, if there only was some magic beyond keyless ssl to get rid of the MiTM aspect...

We are going to blog about Tor soon.
It's funny how often a real-space concept (country) which is used to model business logic ends up morphing into an abstract configuration knob.
I believe Conway's law applies here.
What's the point in restricting this to enterprise users? I can make access rules for every other country except 'T1' on the entry-level paid plan?
It's only the "country level block" bit that is limited to enterprise.

But then again, if you're using Nginx something like the following may work (gah, have not tested):

    http {
      # Cloudflare sets the CF-IPCountry header on proxied requests;
      # the pseudo-country code "T1" marks traffic that came via a Tor exit.
      map $http_cf_ipcountry $allow_country {
        default yes;
        T1      no;
      }
      server {
        # Reject anything the map marked as Tor traffic
        if ($allow_country = no) {
          return 403;
        }
      }
    }
Assumes you have enabled the GeoIP stuff, which again... I've not tested whether it sends Tor through as a country identifier... I shall ask.

Or you could do the opposite and restrict access unless someone is accessing via Tor ;)
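An added example (not from the thread) doing the same T1 check in Python, with the caveat the nginx snippet skips: CF-IPCountry is only meaningful when the request actually arrived from a Cloudflare edge, since anyone reaching the origin directly can set the header themselves. The Cloudflare address ranges below are constructed placeholders, and the "challenge" outcome stands in for whatever the site uses as its JS challenge.

```python
import ipaddress
from typing import Dict, Iterable

# Cloudflare sets CF-IPCountry on requests it proxies; the pseudo-country
# code "T1" marks traffic that arrived over a Tor exit node.
TOR_COUNTRY_CODE = "T1"

# Constructed placeholder ranges for illustration only. Cloudflare publishes
# its real edge ranges; a production deployment would substitute those.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def came_via_cloudflare(peer_ip: str,
                        ranges: Iterable = CLOUDFLARE_RANGES) -> bool:
    """True when the TCP peer is one of the configured Cloudflare ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def classify(peer_ip: str, headers: Dict[str, str],
             tor_policy: str = "challenge") -> str:
    """Decide how to treat a request at the origin.

    Returns "allow", "block", "challenge" (the configured Tor policy), or
    "untrusted" when the request bypassed Cloudflare, in which case the
    CF-IPCountry header must be ignored because it could be forged.
    """
    if tor_policy not in ("block", "challenge"):
        raise ValueError("tor_policy must be 'block' or 'challenge'")
    if not came_via_cloudflare(peer_ip):
        return "untrusted"
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    country = lowered.get("cf-ipcountry", "").strip().upper()
    if country == TOR_COUNTRY_CODE:
        return tor_policy
    return "allow"
```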

The move to the new reCAPTCHA alone has made it a lot more usable for Tor users.
No, it really hasn't. In most cases the new reCAPTCHAs actually take longer to solve than the old ones.

The old variant which makes you read street numbers is pretty quick and painless - type in 3 or 4 digits and you're done. With the new one, first you have to figure out what it wants you to identify (street signs? storefronts? lakes? mountains? food?), and then scan through a bunch of small, poorly focused images. Even if you get it right, many times it asks you to complete two or three separate challenges before it lets you through.

The only time the new version is more usable is when you run into the one old variant which is virtually unsolvable.[1] I actually wonder if some of these even have solutions. There have been countless times where it's rejected an answer I was sure was correct.

[1]https://2.bp.blogspot.com/---dJJOn8n9c/U1rZNDiWG1I/AAAAAAAAO...

Before the switch, 80% of the time I would get the unsolvable ones.