Despite routing a whopping 10 percent of all Internet traffic, CloudFlare is probably better known to Tor users for its annoying CAPTCHAs, which often delay them for minutes before letting them access a website.
The Tor Project hasn’t been shy about pointing the finger at CloudFlare publicly. Back in February, Tor Project members accused CloudFlare of intentionally sabotaging Tor traffic via its CAPTCHAs and of using special cookies to track Tor users across the Web.
CloudFlare responded a month later by denying the accusations. The company said that only IP addresses with a bad reputation see the CAPTCHAs, and that these are a self-defense measure for the sites CloudFlare is hired to protect.
The company said that 94 percent of all Tor traffic is malicious and most likely generated by automated attacks. Because every Tor user shares the same small pool of exit-node IP addresses, a bad reputation earned by that automated traffic is attached to the exit IP, which is why regular Tor users see the CAPTCHAs too. CloudFlare was adamant that it had nothing against the Tor Project or its users.
Since actions speak louder than words, CloudFlare is now researching a new system to protect its clients from malicious Tor traffic, but without bombarding Tor users with endless CAPTCHAs.
Called the “Challenge Bypass Specification,” the draft was published on GitHub two weeks ago.
According to this specification, CloudFlare is working on a Tor Browser extension that generates single-use authentication tokens, effectively nonces.
Whenever a Tor user accesses a CloudFlare-protected site, they would have to solve one initial CAPTCHA. In exchange, the browser obtains CloudFlare’s signature on the tokens it generated, and on later requests it redeems one signed token per challenge instead of the user having to deal with any more CAPTCHAs.
Since malicious traffic is automated with various CLI tools that never solve a CAPTCHA, attackers would hold no valid tokens, and the firewall would do its job as intended. Because each token is single-use, solving one CAPTCHA buys only a bounded number of bypasses rather than indefinite access.
Currently, the draft specification uses RSA blind signatures, a variant of plain RSA signing in which the signer never sees the message it signs, to produce these tokens. Blinding is what keeps the scheme from becoming a tracking cookie: CloudFlare cannot link a token it signed at CAPTCHA time to the request that later redeems it.
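The issue-and-redeem flow described above, as an added example rather than code from CloudFlare or the specification: a toy RSA blind-signature token scheme with a browser-side `TorClient` that mints and blinds tokens, an `Edge` that signs them only after a CAPTCHA and accepts each signed token once, and a check that the values the edge saw at issuance never reappear at redemption. The key sizes, the SHA-256 hash-to-integer step, the batch size and all class and function names are assumptions made for illustration; the draft’s real parameters are not reproduced here.

```python
"""Toy RSA blind-signature token flow in the style of the Challenge Bypass draft.

Added example, not code from CloudFlare or the specification. Parameter sizes,
the hash-to-integer step and the class names are assumptions for illustration.
"""
import hashlib
import secrets
from math import gcd

# Toy RSA key from two fixed Mersenne primes so the example runs offline.
# Far too small for real use: a production signer would use a 2048-bit+ key.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent (edge-side secret)


def hash_to_int(token: bytes) -> int:
    """Map a token to an integer mod N (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class TorClient:
    """Browser-extension side: mints random tokens, blinds them, redeems them."""

    def __init__(self) -> None:
        self.wallet = []  # (token, signature) pairs ready to redeem

    def prepare(self, count: int):
        """Create `count` fresh tokens and a blinded form of each for signing."""
        batch = []
        for _ in range(count):
            token = secrets.token_bytes(32)
            while True:
                r = secrets.randbelow(N - 2) + 2  # blinding factor, must be invertible mod N
                if gcd(r, N) == 1:
                    break
            blinded = (hash_to_int(token) * pow(r, E, N)) % N  # H(t) * r^e
            batch.append((token, r, blinded))
        return batch

    def store(self, batch, blind_sigs) -> None:
        """Unblind each signature (divide out r) and keep the (token, sig) pair."""
        for (token, r, _), bs in zip(batch, blind_sigs):
            sig = (bs * pow(r, -1, N)) % N
            assert pow(sig, E, N) == hash_to_int(token), "edge returned a bad signature"
            self.wallet.append((token, sig))


class Edge:
    """CloudFlare-like edge: signs blinded tokens after one CAPTCHA, redeems later."""

    def __init__(self) -> None:
        self.seen_blinded = set()  # everything the signer learns at issuance
        self.spent = set()         # single-use enforcement

    def issue(self, blinded_values, captcha_solved: bool):
        """Blindly sign a batch; the edge never sees the underlying tokens."""
        if not captcha_solved:
            raise PermissionError("solve the CAPTCHA first")
        self.seen_blinded.update(blinded_values)
        return [pow(b, D, N) for b in blinded_values]  # (H(t) * r^e)^d = H(t)^d * r

    def redeem(self, token: bytes, sig: int) -> bool:
        """Accept a token once if its signature verifies under the public key."""
        if token in self.spent or pow(sig, E, N) != hash_to_int(token):
            return False
        self.spent.add(token)
        return True


def run_flow(tokens: int = 3) -> dict:
    """One CAPTCHA solve, then redeem, replay, forge, and check unlinkability."""
    client, edge = TorClient(), Edge()
    batch = client.prepare(tokens)
    blind_sigs = edge.issue([b for _, _, b in batch], captcha_solved=True)
    client.store(batch, blind_sigs)

    token, sig = client.wallet[0]
    first = edge.redeem(token, sig)    # fresh, valid token: accepted
    replay = edge.redeem(token, sig)   # same token again: rejected as spent
    forged = edge.redeem(secrets.token_bytes(32), secrets.randbelow(N))  # no signature: rejected
    # Sanity check on unlinkability (not a proof): nothing the edge recorded at
    # issuance equals the hash or the signature it sees at redemption.
    linkable = hash_to_int(token) in edge.seen_blinded or sig in edge.seen_blinded
    return {"first": first, "replay": replay, "forged": forged,
            "linkable": linkable, "remaining": len(client.wallet) - 1}


if __name__ == "__main__":
    print(run_flow())
```

The edge keeps only a set of spent tokens, not per-user state, so a redeemed token proves "someone solved a CAPTCHA" without saying who; the blinding factor `r` is what separates the value signed at CAPTCHA time from the value later redeemed.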
CloudFlare also explains that this system is not specifically tailored to its network. The entire system is modular and other edge providers can deploy it to handle Tor traffic in the same way.
Furthermore, the initial one-time CAPTCHA is not mandatory: each edge provider could use its own method of establishing that a user is human, and then issue tokens for subsequent authentication.