Why CloudFlare can never satisfy Tor die-hards, and shouldn't try

Analysis: Tor admins say that CloudFlare security makes the service unusable. CloudFlare said there is no way for them to placate Tor users while protecting their customers.
Written by Larry Seltzer, Contributor

About a week ago Jacob Appelbaum, an advocate, security researcher, and developer at the Tor Project, launched an angry and frustrated trouble ticket complaining about the treatment of Tor users on sites protected by networking giant and security vendor CloudFlare.

"[CloudFlare] do not appear open to working together in open dialog, they actively make it nearly impossible to browse to certain websites, they collude with larger surveillance companies (like Google), their CAPTCHAs are awful, they block members of our community on social media rather than engaging with them and, frankly, they run untrusted code in millions of browsers on the web for questionable security gains," said Appelbaum.

CloudFlare seems sympathetic, but there are few benefits in going out of its way to give Appelbaum and others a good user experience.

The basic issue here is that Tor anonymizes traffic. As with so much in security, reputation analysis is a critical part of the protection that CloudFlare provides to its customers. Tor makes reputation analysis impossible beyond the point of the Tor exit node. As a result, CloudFlare must treat even repeated interaction with a Tor node, even a simple GET request, as suspicious and possibly a bot. It handles such traffic by issuing CAPTCHA challenges. Obviously, repeated CAPTCHA challenges make for a lesser user experience.

CloudFlare CTO John Graham-Cumming and Marek Majkowski, a systems engineer, spent some time discussing these problems in the ticket thread. But the Tor users don't cut them a whole lot of slack and express little concern for the needs of CloudFlare and its customers.

Graham-Cumming rebuffed some complaints, arguing that there can be malicious traffic coming from Tor exit nodes. Sometimes it's reasonable for CloudFlare customers to block entire nodes, particularly if they are geolocated in regions where the CloudFlare customer has no legitimate clients.

And it's not just CloudFlare

A recent Akamai "State of the Internet" report contained an entire section on Tor. They looked at traffic inbound to about 3,000 Akamai customers. The key data from the report pointed to malicious traffic constituting a much higher portion of Tor traffic -- about 1 in 380 requests -- than non-Tor traffic -- about 1 in 11,500. Certainly the non-Tor traffic dwarfed the Tor traffic, so only 1.26 percent of attack requests were from Tor exit nodes, but that's a high percentage considering that only 0.04 percent of traffic was from Tor. On the other hand, and somewhat to my surprise, the conversion rates for requests to commerce sites were not all that different (1:895 for Tor, 1:834 for non-Tor), so Tor customers have value.

In the end, Akamai doesn't tell customers to do one thing or the other, but it hints that for customers with sophisticated and up-to-date web application security it makes sense to let Tor traffic through and to scrutinize it heavily, just as they do with non-Tor traffic.

For other sites, the risks of accepting any Tor traffic may well outweigh the potential benefits. This Akamai data hasn't been updated in subsequent reports, including the Q4 report released today.

This is basically CloudFlare's philosophy as well, although their default settings may be more restrictive than Akamai's. Many of these impediments to Tor users are set by the CloudFlare customer. It is their decision, not CloudFlare's, to make their service more or less accessible to Tor users. The default settings of CloudFlare services are important, but a clear consensus has developed over the years that the defaults for security products should tend to be stricter and that users should affirmatively relax restrictions, if that is what they wish. And more than its competitors, CloudFlare emphasizes security in its marketing, although CDN performance is obviously an important function.

I spoke to CloudFlare CEO Matthew Prince. A key takeaway is that he wants to accommodate Tor users as best he can, arguing strongly for the ability to be anonymous. But Tor users aren't his customers. Customers come to CloudFlare to get security for their sites, and so whatever he does he can't compromise that security, and I don't think he would want to.

One illustrative point Prince made was, as Graham-Cumming had indicated in the Tor Project thread, that they would now allow customers to whitelist specific Tor exit nodes. This elicited much enthusiasm on the Tor Project thread, but Prince says that it's not something that customers want. With rare exceptions, what they want is to blacklist Tor exit nodes.

The reason he had resisted whitelisting for so long is that he felt he couldn't enable it without also enabling blacklisting, and he resists anything that will serve to balkanize the Internet. Customers ask them to allow blacklisting of whole countries, and why not? If you're a take-out BBQ restaurant in Chicago, Internet traffic to your site from Turkey is probably not legitimate and you're better off losing the business.

The usual trade-off

As always, there's a general trade-off between convenience, or ease of use, and security. This is a phenomenon well beyond computers; it applies, for example, to controlling the access of people to a building. Prince put a second-level twist on it. He said to imagine a triangle where the three points are security, anonymity, and friction, the last being the antithesis of convenience. You can't have all three. Given that you have to have maximum security, as it's the reason customers buy the product, there will be a trade-off between anonymity and friction. The choice CloudFlare makes, to create some friction (CAPTCHAs) in order to allow anonymity, is the most logical decision to make, and the one that Facebook and Google have made in similar circumstances.

This may not satisfy Appelbaum or the rest of Tor's core users.

Prince, Graham-Cumming, and others at CloudFlare are working hard to satisfy them, and are probably working too hard.

Why should CloudFlare expend a whole lot of effort accommodating the users of a system designed to make their job as hard as possible? Certainly it would be better if Tor users could have a good experience, but I don't see how that can be done, with talk of blinded tokens notwithstanding. It's just unreasonable for Tor users to expect service providers to compromise their security for the convenience of a service that carries large amounts of malicious traffic. Prince told me that the percentage of malicious traffic they see from Tor exit nodes is far higher than what is reported by Akamai. CloudFlare would do better to direct its effort at improving overall traffic performance.

There will be a lot of sympathy for Tor among CloudFlare's engineers, but it's hard to see that CloudFlare's customers feel the same. Surely they would like to get extra business from Tor users, but at what cost? As long as CloudFlare doesn't force this sympathy for Tor on them, they probably won't care that Tor users are inconvenienced, and they too would rather CloudFlare focus on other matters.
