Cloudflare ends CAPTCHA challenges for Tor users

Company launches new Cloudflare Onion Service. Only Tor Browser 8 and Tor Browser for Android users will see less or no CAPTCHAs.
Written by Catalin Cimpanu, Contributor

Cloudflare launched today a new service named the "Cloudflare Onion Service" that can distinguish between bots and legitimate Tor traffic. The main advantage of this new service is that Tor users will see far less, or even no CAPTCHAs when accessing a Cloudflare-protected website via the Tor Browser.

The new Cloudflare Onion Service needed the Tor team to make "a small tweak in the Tor binary," hence it will only work with recent versions of the Tor Browser --the Tor Browser 8.0 and the new Tor Browser for Android, both launched earlier this month.

Tor users who are dead tired of seeing an endless stream of Google reCAPTCHAs when accessing a Cloudflare-protected site are advised to update to one of these two versions.

Also: Cloudflare IPFS Gateway boosts decentralized website development | Cloudflare's new DNS attracting 'gigabits per second' of rubbish | Cloudflare emerges triumphant in Blackbird patent lawsuit | Cloudflare snaps up Neumob to boost mobile app speeds

The new Cloudflare Onion Service is also free for all Cloudflare customers and can be enabled by switching on the "Onion Routing" option under the Crypto tab of the Cloudflare dashboard.


Tor users have been complaining about seeing too many CAPTCHAs when accessing a Cloudflare-protect site for years now. In February 2016, Tor Project administrators went as far as to accuse Cloudflare of "sabotaging Tor traffic" by forcing Tor users to solve CAPTCHA fields ten times or more, in some cases.

Cloudflare responded to accusations a month later, claiming the company was only showing CAPTCHAs because 94 percent of all Tor traffic was either automated bots or originating from malicious actors.

CNET: How to change your DNS and (maybe) take the internet back

Half a year later, in October 2016, Cloudflare started looking into methods of removing CAPTCHAS for Tor users. Their first foray was the Challenge Bypass Specification and a Tor Browser extension, but that project didn't go too far.

The company's engineers chose another path, building on a feature called Opportunistic Encryption, that they introduced in September 2016.

TechRepublic: How to enable DNS over TLS in Android Pie

In a blog post today, the Cloudflare team explained how they used this feature, together with a custom Proxy Protocol header, HTTP/2, and a few other tools to create the Cloudflare Onion Service, a system capable of distinguishing between good and bad Tor users, and allowing the good Tor traffic to flow to Cloudflare-protected sites without hassling users with annoying "street signs" CAPTCHA challenges.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Five computer security questions you must be able to answer right now

If you can't answer these basic questions, your security could be at risk.

Critical infrastructure will have to operate if there's malware on it or not

Retired US Air Force cyber-security expert shares his thoughts on the future of critical infrastructure security.

Ordinary Wi-Fi devices can be used to detect suspicious luggage, bombs, weapons

Researchers turn ordinary WiFi devices in rudimentary scanners that can identify potentially dangerous objects hidden inside bags or luggage.

Related stories:

Editorial standards