Opened 8 weeks ago

Closed 6 weeks ago

#27848 closed defect (fixed)

Cloudflare consistently displays captcha for TorBrowser 8.0.1 but not for 8.0.0

Reported by: cypherpunks_reply
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: mahrud
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Nick Sullivan on Twitter claims that Cloudflare detects and treats Tor users differently, so however they're detecting that may have been broken by 8.0.1.

Given the recent collaboration between Tor and Cloudflare on avoiding the captcha I hope it's OK to report this here.

I don't mean to imply the problem has anything to do with this new feature because, if you see the screenshots, neither was given the alt-svc header that is supposed to allow Tor Browser to access Cloudflare sites without the captcha.

Attachments (4)

8.0.0 - Copy.png (149.8 KB) - added by cypherpunks_reply 8 weeks ago.
8.0.0
8.0.1 - Copy.png (142.7 KB) - added by cypherpunks_reply 8 weeks ago.
8.0.1
Before_TLSv1.3 - Copy.png (79.1 KB) - added by cypherpunks_reply 7 weeks ago.
After_TLSv1.2 - Copy.png (81.4 KB) - added by cypherpunks_reply 7 weeks ago.

Change History (15)

Changed 8 weeks ago by cypherpunks_reply

Attachment: 8.0.0 - Copy.png added

8.0.0

Changed 8 weeks ago by cypherpunks_reply

Attachment: 8.0.1 - Copy.png added

8.0.1

comment:1 Changed 7 weeks ago by fuckingcf

UA changed.

comment:2 Changed 7 weeks ago by cypherpunks_reply

mitmflare does detect Tor Browser; this is not new (it has nothing to do with the mentioned alt-svc-based onion redirections), it has existed since at least Tor Browser 7.x

and it's not a trivial detection (like just the value of request headers), their fingerprint includes much more, it likely goes to the TLS level, possibly to the TCP level

if anyone knows details, I want to read them, thanks

comment:3 Changed 7 weeks ago by boklm

This might be related to the changes we did for #26146.

comment:4 Changed 7 weeks ago by cypherpunks_reply

If I go to about:config in 8.0.1 and change security.tls.version.max to 3 from 4, blog.cloudflare.com will not block me with a captcha.

See this change which mentions bug #27535.

comment:5 Changed 7 weeks ago by cypherpunks_reply

Adding screenshots of before and after the change showing the TLS version in the dev tools view.

Changed 7 weeks ago by cypherpunks_reply

Attachment: Before_TLSv1.3 - Copy.png added

Changed 7 weeks ago by cypherpunks_reply

Attachment: After_TLSv1.2 - Copy.png added

comment:6 Changed 7 weeks ago by traumschule

Cc: mahrud added
Status: new → needs_information

Cloudflare is all for TLS 1.3, so why the captcha?


A Detailed Look at RFC 8446 (a.k.a. TLS 1.3) 10 Aug 2018 by Nick Sullivan
https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

TLS 1.3 is a modern security protocol built with modern tools like formal analysis that retains its backwards compatibility. It has been tested widely and iterated upon using real world deployment data. It’s a cleaner, faster, and more secure protocol ready to become the de facto two-party encryption protocol online. Draft 28 of TLS 1.3 is enabled by default for all Cloudflare customers, and we will be rolling out the final version soon.
Publishing TLS 1.3 is a huge accomplishment. It is one of the best recent examples of how it is possible to take 20 years of deployed legacy code and change it on the fly, resulting in a better internet for everyone. TLS 1.3 has been debated and analyzed for the last three years and it’s now ready for prime time. Welcome, RFC 8446.


FIXED in Firefox 52: CloudFlare triggers unsafe negotiation warning with TLS 1.3
https://bugzilla.mozilla.org/show_bug.cgi?id=1305561

comment:7 Changed 7 weeks ago by gk

I reached out to Cloudflare to get this fixed on their end.

comment:8 Changed 6 weeks ago by fuckingcf

Captcha seems to be broken (neverending) on Safer security settings.

comment:9 in reply to:  8 Changed 6 weeks ago by gk

Replying to fuckingcf:

> Captcha seems to be broken (neverending) on Safer security settings.

Could you give an example where this happens?

comment:10 Changed 6 weeks ago by gk

I pinged Cloudflare folks again.

comment:11 Changed 6 weeks ago by boklm

Resolution: fixed
Status: needs_information → closed

According to people from Cloudflare, this should be fixed now.
