Cloudflare consistently displays captcha for TorBrowser 8.0.1 but not for 8.0.0

Nick Sullivan on twitter claims that Cloudflare detects and treats Tor users differently so however they're detecting that may have been broken by 8.0.1.

Given the recent collaboration between Tor and Cloudflare on avoiding the captcha I hope it's OK to report this here.

I don't mean to imply the problem has anything to do with this new feature because if you see the screenshots, neither was given the alt-svc header that is supposed to allow Torbrowser to access Cloudflare sites without the captcha.

Trac:
Username: cypherpunks_reply

added component::applications/tor browser owner::tbb-team priority::medium reporter::cypherpunks_reply resolution::fixed severity::normal status::closed type::defect labels

Trac:
Username: cypherpunks_reply

8.0.0

Trac:
Username: cypherpunks_reply

Trac:
Username: cypherpunks_reply

8.0.1

Trac:
Username: cypherpunks_reply

UA changed.

Trac:
Username: fuckingcf

mitmflare does detect tor browser, this is not new (it has nothing to do with the mentioned alt-svc-based onion redirections), it exists since at least tor browser 7.x

and it's not a trivial detection (like just the value of request headers), their fingerprint includes much more, it likely goes to the tls level, possibly to the tcp level

if anyone knows details, I want to read them, thanks

Trac:
Username: cypherpunks_reply

This might be related with the changes we did for #26146 (moved).

If I go to about:config in 8.0.1 and change security.tls.version.max to 3 from 4, blog.cloudflare.com will not block me with a captcha.

See this change which mentions bug #27535 (moved).

Trac:
Username: cypherpunks_reply

Adding screenshots of before and after the change showing the TLS version in the dev tools view.

Trac:
Username: cypherpunks_reply

Trac:
Username: cypherpunks_reply

Trac:
Username: cypherpunks_reply

Trac:
Username: cypherpunks_reply

Trac:
Username: cypherpunks_reply

Cloudflare is all for TLS 1.3, so why the captcha?

A Detailed Look at RFC 8446 (a.k.a. TLS 1.3) 10 Aug 2018 by Nick Sullivan https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

TLS 1.3 is a modern security protocol built with modern tools like formal analysis that retains its backwards compatibility. It has been tested widely and iterated upon using real world deployment data. It’s a cleaner, faster, and more secure protocol ready to become the de facto two-party encryption protocol online. Draft 28 of TLS 1.3 is enabled by default for all Cloudflare customers, and we will be rolling out the final version soon. Publishing TLS 1.3 is a huge accomplishment. It is one the best recent examples of how it is possible to take 20 years of deployed legacy code and change it on the fly, resulting in a better internet for everyone. TLS 1.3 has been debated and analyzed for the last three years and it’s now ready for prime time. Welcome, RFC 8446.

---

FIXED in Firefox 52: CloudFlare triggers unsafe negotiation warning with TLS 1.3 https://bugzilla.mozilla.org/show_bug.cgi?id=1305561

Trac:
Cc: N/A to mahrud
Status: new to needs_information

I reached out to Cloudflare to get this fixed on their end.

Captcha seems to be broken (neverending) on Safer security settings.

Trac:
Username: fuckingcf

Replying to fuckingcf:

Captcha seems to be broken (neverending) on Safer security settings.

Could you give an example where this happens?

I pinged Cloudflare folks again.

According to people from Cloudflare, this should be fixed now.

Trac:
Resolution: N/A to fixed
Status: needs_information to closed

closed

moved to tpo/applications/tor-browser#27848 (closed)