CloudFlare Working on Proposal to Restrict Captchas for Tor Users

CloudFlare, which provides several internet services, is working on a way to let Tor users solve fewer captchas. CloudFlare CEO Matthew Price confirmed this to Motherboard.

Users of the anonymous Tor browser are currently seeing a lot of captchas because CloudFlare assigns these users a high risk score. This arises because a lot of traffic from the Tor network is malicious, such as traffic from spammers and bots. Motherboard discovered that a new project has been created on the CloudFlare GitHub page, which, among other things, aims to reduce the number of captchas. The solution works through a plug-in, which users can add to the Tor browser.

On the page, the plugin developers describe that many captchas rely on javascript, which is usually disabled in the Tor browser. As a result, users are faced with more complicated captchas, which have been labeled as a form of censorship in the past. In addition, after successfully solving the captcha, a cookie is set, which CloudFlare could use to identify individual users.

The plug-in should provide a solution for this by housing all javascript in a browser extension. That way, the code would be easier to research, the authors say. Tor users with the plugin should still resolve the first captcha, but subsequent tests are handled by the extension. This is done on the basis of a number of bypass tokens, which the user obtains by solving the first captcha. The number of tokens would be sufficient to visit web pages, but too low to carry out an attack, for example. The tokens are signed by means of blind signing.

According to CloudFlare, this solution must also be applicable by other ‘edge providers’. CloudFlare CEO Price told Motherboard that he cannot provide further details about the project at this time.

Captcha that a Tor user sees when visiting a site