Cloudflare requiring Javascript for Tor users (and others?)

[nullius]

[Edit:  @mods, apologies for making this a new thread.  I tried to post it in the Cloudflare thread.  When Cloudflare ate my post and threw me back to a blank form as described below, I did not realize SMF’s reply info somehow got lost—thus resulting in a new thread.  Meta won’t let me delete my own topic; I just tried.]


@theymos, you’ve always been supportive of privacy and security.  Please be aware that Cloudflare is blocking those who use Tor for the former, and disable Javascript for the latter:

This is not the first time this has happened.  Last time, you posted a note in some Meta thread indicating that there was a DDoS attack.  Usually, the forced-Javascript screen has gone away if I waited an unpredictable time; however, insofar as I can gather, waiting will only work from fresh browsers without “cf_*” cookies.

I observed 5xx Cloudflare errors, earlier.  It’s not even keeping the site up!  Unreliable, incompetent DDoS protection which decrypts all user traffic and forces users to let Cloudflare run unknown, unexplained code on their machines—this is not a very good deal.


Sorry this post is convoluted.  Cloudflare is now requiring users to keep Javascript enabled; I have not seen this before on this forum!  Cloudflare almost ate my post with its “examination” page; when I first tried to post, I was redirected to a blank forum.  It is fortunate that I use an external text editor...


I used some weird ephemeral setup to get in here and post this.  Since I am not inclined to run Cloudflare cavity-search code in the dedicated browser instance I use for the Bitcoin Forum, this is problematic.

Not-yet-working suggested workaround for JS-disabling Tor users:  Try moving cookies between a “weird ephemeral setup” and your usual browser.  I got a new “cf_clearance” cookie (with expiry time just over a day), but I must have missed something else.  (...such as the fact that it’s now continuously requiring Javascript.)

[owlcatz]

I also noticed it's been switched to cloudflare as well. I thought I saw a post about how this service sucked, but IDK. Too many meta threads lately.

[nullius]

I also noticed it's been switched to cloudflare as well. I thought I saw a post about how this service sucked, but IDK. Too many meta threads lately.

theymos posted a notice about the move in on 2017-11-29:

“Moving to Cloudflare”

[suchmoon]

While I agree that Cloudflare is an abomination, I have long ago resorted to doing my Tor browsing in a VM... so at that point it doesn't really matter if there is JavaScript or not. I can restore a clean snapshot any time I get paranoid, I can run multiple instances in parallel, and the browsers are REALLY sandboxed.

[owlcatz]

While I agree that Cloudflare is an abomination, I have long ago resorted to doing my Tor browsing in a VM... so at that point it doesn't really matter if there is JavaScript or not. I can restore a clean snapshot any time I get paranoid, I can run multiple instances in parallel, and the browsers are REALLY sandboxed.

Vmware FTW?  

I love Vmware!

[nullius]

Edit to add PSA from someone who claims to know a few things about security:  Disable Javascript!

I have been disabling Javascript since the 90s.  The habit has almost certainly saved me from being elitely h4x0r3d.  The Web is almost useless, nowadays.

While I agree that Cloudflare is an abomination, I have long ago resorted to doing my Tor browsing in a VM... so at that point it doesn't really matter if there is JavaScript or not. I can restore a clean snapshot any time I get paranoid, I can run multiple instances in parallel, and the browsers are REALLY sandboxed.

Oh, I do this generally; and I did that when I first started posting here!  But I made myself a dedicated Bitcoin Forum “thing” on the day that I was forced to try seventeen (17) different Tor circuits before Google deigned to grant me a login CAPTCHA.  See “Google is locking Tor users out of Bitcointalk.org!”.  One of my Newbie rank posts!

There and somewhere in the main reCAPTCHA thread, I also think aloud about how Google forcing users to rapidly cycle through circuits may help network adversaries deanonymize users.

Now, Cloudflare + Google are hitting Tor users from both sides:  Cloudflare sometimes requires Javascript to even read the site; and Google effectually forces Tor users to try to maintain a long-term login cookie.  Ephemeral VM browser?  Nope!  Disable Javascript?  Nope!

And I disagree with you that a VM is good enough.  I dislike and try to avoid Javascript, even in a VM.  Do you follow the security bulletins for, say, Xen?  Ouch.  (I desire to not specify what I use, for obvious reasons.)  Moreover, a VM does nothing to protect you against fingerprinting attacks which require Javascript.  I would be amazed if Cloudflare was not somehow doing that with its forced-JS.  Of course, the objective there is not to remotely compromise your system, but rather, to link together different secret identities.

Browsers are some of the worst software on Earth; and nowadays we are all forced to either use them, or unplug from—everything.  Then, we are forced to let them run network-loaded executable code.  Not good.

(Aside, an ephemeral VM also makes it difficult to use a text editor and a local drafts directory to produce high-quality posts of the long type.  I would still do it for security; but it does make the writer miserable.)

Vmware FTW?  

I love Vmware!

Is it fully open-source?  I don’t know for certain, nowadays; I’m asking.  The last time I used VMware, it was a pile of inscrutable BLOBs; but that was a very long time ago.

[owlcatz]

No, vmware is not open source, but over my 10 years of using it (like in enterprise envs),  I have never had any issue or security problem. OFC,Nothing is completely secure in this day and age as you know I'm sure.

[suchmoon]

vmware is not open-source but there are open-source hypervisors... like linux kvm or whatever-the-fuck it's called nowadays.

I use ESXi though because I need it for work.

I don't quite get the issue with fingerprinting. You can fake nearly everything about your environment in a VM. Screen resolution, browser type/version, OS type, VPN endpoints, not sure what else is there that JavaScript could potentially disclose?

Re drafts - e.g. if I open a VM for Bitcointalk I will probably use it for a few days so good enough for me although TBH I'm not into long essays. Sometimes when I need to save it for longer I send it in a PM to myself.

[nullius]

(Actually, nothing changed.  One post got through without problems, for some reason.)  Edit:  In the time it took to write this, something seems to have changed.  I’m not yet sure; but this is my first post in some hours which was not quasi-eaten, etc.

If theymos twiddled some knobs—thank you.  If not—then for future reference, I want it somehow known that occasionally, if Cloudflare is busy valiantly stopping a DDoS attack, I might become unavailable on the forum due to denial of service.


Cloudflare is an anti-user D.o.S., Denial of Service!  It is currently making the forum unusable through Tor.  “Unusuable” meaning, to a reasonable person; I am sometimes unreasonably stubborn.

It repeatedly hits my browser with Javascript checks, re-checks, Rapiscans porno-scans, X-rays, and cavity searches which spin my CPU, eat up my RAM, and do who-knows-what else.  It does this so frequently that because I spend significant time on posts, I am regularly directed to a blank form which even forgets which thread I’m trying to reply in.  My posts would be eaten, and lost forever if I didn’t have a copy set aside outside the browser.

If I weren’t so fond of this forum and already quite invested in it, I would have given up three hours ago.

Please do something about this!  I suggest starting by immersing DDoS attackers in boiling oil.  I am fantasizing about that right now.  But really, if you’re going to get DDoSed, DoSing your users is not the solution.

No, vmware is not open source, but over my 10 years of using it (like in enterprise envs),  I have never had any issue or security problem.

How do you know that?  The type of attacks which break out of VMs are not typically used by the authors of popular widespread malware.

OFC,Nothing is completely secure in this day and age as you know I'm sure.

You may be assured, I would not allege “open source” to be a security panacea!  The magical security of open source is a pernicious and contemptible myth.  Availability of source code is only a prerequisite which facilitates auditing.  When actual people (as opposed to hypothetical eyeballs) are auditing the source, the next step is reproducible builds, as Core does.

But the availability of source code provides the potential.  Intentionally opaque blobs do not.

vmware is not open-source but there are open-source hypervisors... like linux kvm or whatever-the-fuck it's called nowadays.

Xen: Bare-metal hypervisor, but more or less married to Linux for dom0 (last I checked)

KVM: Linux thing

Bhyve: FreeBSD thing

VirtualBox: Mostly open-source thing.

qemu: Not a VMM per se; but I feel it deserves mention here.

Am I forgetting any popular ones?

I don't quite get the issue with fingerprinting. You can fake nearly everything about your environment in a VM. Screen resolution, browser type/version, OS type, VPN endpoints, not sure what else is there that JavaScript could potentially disclose?

Zeroth of all, do you fake all these things separately each time you hit the “New Identity” button?  And how many combinations thereof could you reasonably make?  The most urgent concern is not preventing identification of your computer:  It is preventing linkability of your browsing sessions.

And first of all, some things can reveal quite hardware-specific information.  Reading from <canvas>.  webgl.  Many others, because browser makers are idiots who add stupid new features willy-nilly (or may want things this way).  Some of these are disabled or limited in Tor Browser.  But you said VPN—actually, if you use an ordinary browser with a VPN, you are pretty much toast anyway for fingerprinting.

How about CPU timing?  The Javascript language provides sufficient resolution to make this a fingerprinting issue.  (Tor Browser limits the resolution, but not enough IMO.)

How about the fact that—well, correct me if I’m wrong, but I doubt that VMware lets you conceal the fact that you are running in VMware.  It probably leaks the version, too!  ESXi, did you say?  Is my brain half-melted by the heat of Cloudflare spinning my CPU, or is ESXi some kind of server stuff which is very rare for end-users?  Ooh, 23.8 bits of suchmoon identification!

(In a related matter:  When I started searching for privacy leaks, I found some very unpleasant surprises in my kernel.  Don’t get me started.  It is astonishing how much uniquely identifying hardware info can be easily scooped up by heavily sandboxed unprivileged processes.  How do you do your Tor daemon?)

Note:  I am not even up right now on all the latest research.  I have seen some tantalizing discussions of fingerprint attacks which will turn your whole browser into a supercookie to link your sessions.

From there, the concept is simple:  suchmoon on bitcointalk.org = xyz on abc = [your so-called “real name”] who lives at [address], according to that non-Bitcoin online shopping you just did.  Oopsie!

Re drafts - e.g. if I open a VM for Bitcointalk I will probably use it for a few days so good enough for me although TBH I'm not into long essays. Sometimes when I need to save it for longer I send it in a PM to myself.

PMs here are a disaster, in my opinion.

Feature suggestion for a “crypto” forum:  An opt-in remailer, which would let me send mail to suchmoon@users.bitcointalk.org—or maybe 234771@, since usernames here can contain charcters which are problematic.  (Problematic, despite being allowed by the original RFC 822.)  Spam could be curtailed by requiring SMTP envelope FROM the registered e-mail address, and obeying SPF records, etc.

That way, I could use the very convenient PGP functionality of my mail client.  Plus its drafts box.

I should start a new Meta topic.  Watch for it.

[suchmoon]

Oh I'm sure there are ways to fuck me over even through VMs, however my gut is telling¹ me that the probability of me geting pwned or fingerprinted in a VM with JavaScript is not significantly higher than the probability of same happening in a non-VM browser with JavaScript disabled. E.g. a buffer overflow without a VM would be far more catastrophic IMO.

I doubt it's possible to detect ESXi via JavaScript but I'm not paranoid enough to start worrying about that. The choice is basically whether I dial my paranoia up to 11.5, disable JavaScript, and frustrate myself with half-broken web, or keep it at 11 and worry about the important things in life instead. YMMV

Re VPN: I use Tor over VPN mainly due to traveling thus using VPN by default.

Bottom line though: Cloudflare sucks.


¹ This could be my daily dose of brandy talking though. Take it with a truck of salt. I mean the words. Don't put salt into brandy.

[Jabba the Bit]

Yeah I don't agree with bitcointalk running cloudflare. I hate running javascript when I need to rely on security.

Fingerprinting is now a big issue like mentioned above.

Canvas, user agent, fonts, these can all tie your identity back to your facebook account or email account.

Also a VPN doesn't really do shit if you're being fingerprinted. It will hide your browsing from your ISP but wont hide your privacy from Google

[al1n]

similar problems on android opera (not even opera mini)

https://bitcointalk.org/index.php?topic=3003707.0

(I didn't notice your topic until after I created mine)

[babo]

Yeah I don't agree with bitcointalk running cloudflare. I hate running javascript when I need to rely on security.

Fingerprinting is now a big issue like mentioned above.

Canvas, user agent, fonts, these can all tie your identity back to your facebook account or email account.

Also a VPN doesn't really do shit if you're being fingerprinted. It will hide your browsing from your ISP but wont hide your privacy from Google

total agree

is security big issue for unveil people identity.. in my humble opinion, force use of javascript, is very bad
javascript is evil tecnology (i'm javascript coder)

[Jabba the Bit]

For anyone that isn't aware of what fingerprinting is, here is an example.

I rob a bank without using a disguise, showing my face and leave behind my fingerprints on the door I use to enter the building.
Nobody there knows my name and so I still remain 'anonymous'.
But then the cameras and witnesses can fingerprint me based on how I look and law enforcement can fingerprint my identity from the fingerprints I leave behind on the door and counter. So then I'm caught.

If I was to use a disguise and wear gloves, I would remain anonymous and I leave only a few fingerprints behind.

In the virtual world there are many more fingerprints that your browser leaves behind that will track you and a HUGE amount of this information is sourced with javascript.

[Meretrix]

Cloudflare has effectually locked me out since sometime yesterday—both of me.  I am posting this from the account under which I first got hit with it, almost 22 hours ago.  This time, it does not stop!  It has caused me to avoid the forum until I worked out the mitigation given below.

Translation:  Bend over, and spread your cheeks.  Cloudflare wants to check if you’re human on the inside:

cloudflare_cavity_search.png

Moreover...

[Edit:  @mods, apologies for making this a new thread.  I tried to post it in the Cloudflare thread.  When Cloudflare ate my post and threw me back to a blank form as described below, I did not realize SMF’s reply info somehow got lost—thus resulting in a new thread.  Meta won’t let me delete my own topic; I just tried.]

This Cloudflare/SMF interaction bug persists:  Cloudflare is rerunning these checks regularly, at times unpredictable to the user.  If it collides with your hitting the “Post” button, then the Cloudflare cavity search function will throw away your post and redirect you to a blank form for starting a new topic.  That is how the current topic came to exist:  I had tried to post a reply on the main Cloudflare thread, then received a screen which looks like the following; I then just pasted in my post and hit the button again, without realizing that I was submitting a a new topic.  It is fortunate that I compose in a text editor.  Those who don’t will lose their posts.

Here is what it looks like, from when I was hit with this again while making this post:

Temporary mitigation:

An absolute requirement of Javascript will drive away many of the types of people whom the forum should want to attract:  Privacy and security experts, cypherpunks, people for whom the word “crypto” means something other than get-rich-quick schemes or Paypal 2.0.  For my part, it is unacceptable to me in the long term.

As an interim threat mitigation for occasional Cloudflare flare-ups, for those running ephemeral Tor Browser instances in vanishing VMs, here is a script which shows what you need to instantiate your saved login cookies and avoid being effectually locked out by the Google CAPTCHA.

No technical support will be provided by me with this script.  Figure it out.  It is provided as “documentation” of badly undocumented stuff not made by me.  I developed this by running diff(1) against prefs.js at various stages of configuration; if there exist any references, I would like to know about them.

Code:

#!/bin/sh

#
# Set this to the path containing subpath:
# "Browser/TorBrowser/Data/Browser/profile.default"
#
ffprofile="path/to/tor-browser/Browser/TorBrowser/Data/Browser/profile.default"

#
# Change this (duh).
#
case "${1}" in
nullius)
	bcfuser="nullius"
	;;
[Mm]eretrix)
	bcfuser="meretrix"
	;;
*)
	echo "User not specified, or unknown user" >&2
	exit 1
	;;
esac

{
cat << EOF

# Turn off Tor Browser's no-disk-write mode:
pref("browser.cache.disk.enable", true);
pref("browser.download.manager.retention", 2);
pref("browser.privatebrowsing.autostart", false);
pref("permissions.memory_only", false);
pref("security.nocertdb", false);
pref("volatilePrivatePermissions", false);
pref("pref.privacy.disable_button.cookie_exceptions", false);
EOF
} >> "${ffprofile}/preferences/extension-overrides.js"

#
# permissions.sqlite could also be reconstructed with
# `sqlite3 -batch -bail -init permissions.sql -cmd .quit "${ffprofile}/permissions.sqlite"`
# using the SQL provided below.  The important cookies are
# the SMF login tokens, of course.
#

cp -p permissions.sqlite \
	"${bcfuser}/cookies.sqlite" \
	"${bcfuser}/cookies-tor.json" \
	"${ffprofile}"

permissions.sql:

Code:

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE moz_perms ( id INTEGER PRIMARY KEY,origin TEXT,type TEXT,permission INTEGER,expireType INTEGER,expireTime INTEGER,modificationTime INTEGER);
INSERT INTO moz_perms VALUES(1,'https://bitcointalk.org','cookie',1,0,0,1521640330020);
CREATE TABLE moz_hosts ( id INTEGER PRIMARY KEY,host TEXT,type TEXT,permission INTEGER,expireType INTEGER,expireTime INTEGER,modificationTime INTEGER,appId INTEGER,isInBrowserElement INTEGER);
COMMIT;

HTH, HAND.

[cellard]

I have noticed an increased amount of "Try again later" errors during the repatcha solving process (where you have to select vehicles and street signs which Google seems to be obsessed with for some reason). Looks like Tor nodes are getting banned again at a higher rate.

Anyway, enabling javascript to solve the recaptcha has been the case for a while now. The Cloudfare frontend page blocking you to even browse the forum is definitely new to me, I only saw it yesterday I think. But once I log in, im able to browse the forum if I disable javascript. Im posting this right now with javascript turned off for instance (using noScript)

[nullius]

Cloudflare has effectually locked me out since sometime yesterday—both of me.  I am posting this from the account under which I first got hit with it, almost 22 hours ago.  This time, it does not stop!

Well, it seems to have subsided sometime between about 18:30 and 22:30 hours (UTC).  If theymos did anything to make Cloudflare back off, thank you.

I hope this will not happen again; though if it does, I now have shell scripts to help deal with it.  Whereas in the long term, for this and other reasons, everybody should hope a better anti-DDoS solution can be found.  Part of my own proposal would be a large mallet, applied to the heads of DDoSers.

An absolute requirement of Javascript will drive away many of the types of people whom the forum should want to attract:  Privacy and security experts, cypherpunks, people for whom the word “crypto” means something other than get-rich-quick schemes or Paypal 2.0.  For my part, it is unacceptable to me in the long term.

I have noticed an increased amount of "Try again later" errors during the repatcha solving process (where you have to select vehicles and street signs which Google seems to be obsessed with for some reason). Looks like Tor nodes are getting banned again at a higher rate.

See reference upthread; and if you have any information from your experience which may be helpful, perhaps consider documenting it for the benefit of others on the Google lockout thread.  I suggest that you check the box to stay logged in, and save your cookies.  Basic instructions are referenced on that thread; see also Meretrix’s shell script above.

...I made myself a dedicated Bitcoin Forum “thing” on the day that I was forced to try seventeen (17) different Tor circuits before Google deigned to grant me a login CAPTCHA.  See “Google is locking Tor users out of Bitcointalk.org!”.  One of my Newbie rank posts!

[m.vina]

Just noticed cloudfare now as well. Similar to nullius' first post i am asked to turn on javascript and then even see the "please wait.." message before getting redirected to the forums. Its just a few seconds of waiting but its quite annoying actually. Wouldn't it be possible to have cloudfare without the "please wait..?"

Or is the "please wait" appearing only to me?

[nullius]

Well, it seems to have subsided sometime between about 18:30 and 22:30 hours (UTC).

...and, now it’s back!  This seriously impairs use of the forum for those affected.  Besides other concerns, having Javascript enabled (and running Cloudflare’s scripts) also increases memory usage to the degree that I can’t open many tabs as I am accustomed to doing.  At least in the break, I managed to do most of the searching necessary to nail a copypaste spammer (will post results later).

The obvious inference is that Cloudflare’s incompetent system can’t handle a heavy DDoS, so they ratchet up this Javascript garbage whenever the site gets hit.  To add insult to injury, they have failed to keep the site consistently available during DDoS attacks in the past few months.

Just noticed cloudfare now as well. Similar to nullius' first post i am asked to turn on javascript and then even see the "please wait.." message before getting redirected to the forums. Its just a few seconds of waiting but its quite annoying actually. Wouldn't it be possible to have cloudfare without the "please wait..?"

Or is the "please wait" appearing only to me?

For the “please wait” message, please see Meretrix’s screenshots a few posts above yours.  Do those look familiar?

It’s more than “just a few seconds of waiting”.  What the hell is that script actually doing, when it says “checking your browser”?  I don’t know.  I do know that even against Tor Browser, there exist fingerprint attacks which could be used for deanonymization—and I don’t trust Cloudflare.

One of the great things about the Bitcoin Forum is that it’s run by a clueful admin who cares about privacy and security.  I understand the untenable position in which theymos has been placed by the large-scale attacks of Internet arsonists; but in the long term, Cloudflare can ruin the site in the manner of a cure worse than the disease.

[nullius]

The Cloudflare Javascript cavity-searches continue—on and off, much more “on” than “off”.  This seems to occur about as often as I get a new IP address, approximately every 10 minutes.  The “browser check” page interacts badly with multiple SMF functions, including posting and sending PMs.

Worse, about an hour ago, Cloudflare tried to CAPTCHA me when I was making a post:

I backed up, changed Tor circuits, and pasted in my post again.  The change of circuits worked—this time.

I don’t want to keep complaining on this thread, but the situation keeps getting worse.  Moreover, I needed to leave a note somewhere—just in case:

I will not jump through “I am not a robot” hoops simply to access the site when I’m already logged in.  If I suddenly disappear, please check to see whether Cloudflare is CAPTCHAing Tor users.

To inform those who may make assumptions based on non-Tor experience:  The Google CAPTCHA (used by Cloudflare) cranks up the tedium all the way for Tor users, with multiple successive challenges which slooooowly load new images.⁰  It always takes more than a full minute to complete.  Worse, for the past few months, Google has been frequently refusing to serve CAPTCHAs to Tor users.  The last time I needed to do a Google CAPTCHA, the whole process of obtaining and then solving it took me about 10 minutes!  Obviously, I will NOT even consider doing that just to load a webpage.  I don’t care if the webpage be carved of solid gold.  It is outrageous in principle.

CAPTCHAs for page loads would mean an effectual ban of Tor users.  Please don’t let that happen.




0. Aside, I do not see what possible purpose the long artificial delays in challenge image loading have for stopping robots.  A robot’s time is worth nothing, and it has no feelings of mind-dulling boredom.  The only conceivable purpose of these long delays is to torment humans who use Tor.

Overall, Cloudflare’s mistreatment of Tor users has for years been a textbook example of “the nudge” method for social engineering.  Cloudflare loudly claimes to support privacy, and they say they don’t hate Tor.  But actions are louder than words; and the net effect of their actions is to consistently discourage Tor use.

With only a few exceptions such as the Bitcoin Forum, I have been boycotting Cloudflared sites for about four years now.  I do not want a man in the middle serving as a mass-decryption point to monitor my communications with a wide range of sites.  I do not want to be tormented and have chunks of my lifetime stolen as punishment for caring about my own privacy.  And I miss nothing; it’s not my loss.  There is plenty of other Internet for me.