Tor users welcome

Another CloudFlare experiment that I'm happy to get behind.

I've whitelisted Tor for this site.

So if you happen to use Tor, you should not get challenged with a captcha everytime you visit the site.

Don't use for this site, but dear oh dear the number of captchas I have to complete for some sites is incredible.
Also they make me feel dirty as most are street numbers or is this is street sign, or highlight the commercial properties- creating valuable information for someone else.

Does that leave the site vulnerable in a any way or is the risk minimal?

I can't do the street signs captcha's at all. I give up as soon as I see one and resort to using the audio captcha... just listen for 5 numbers and type them in.

The pictorial captcha's basically require multiple correct answers if you're a Tor user using anonymous browsing... it's maddening.

Just use the accessibility route of the audio captcha, that accepts a single answer.

The risk is minimal.

Tor exit node IP addresses are pretty dirty, because people do a lot of crappy bot and spam stuff. But the biggest targets for that are either email (does not affect us) or Wordpress comment spam (does not affect us).

Given that our auth system requires a verified email address to actually do anything, and it's trivial for me to ban the email and nuke everything... it shifts the cost (create emails and get a new IP) heavily back onto the spammer.

I don't want to punish regular use of Tor, just spamming... and Stop Forum Spam and other systems I've integrated already handle that.

So I think the risk is basically not there.

That's only true for this site... were I to run Wordpress on this domain I'd say the risk was still there.

Thank you for the info, and also the audio captcha tip- never thought to use it.

Yeah, it's saved my sanity.

We (CloudFlare) internally ran our systems with captcha's enabled for every site on CloudFlare.

It's basically the "Give us the worst-case experience of being on Tor + having an untrusted browser.".

A few weeks of that and what do you know, we're starting to create things that help Tor users and our customers... such as the ability to whitelist Tor if your site is on CloudFlare.

Which is what I've just turned on for LFGSS.

We also reload the Tor IP address list more frequently to prevent new nodes triggering captchas before we include them in the virtual country that is Tor.

And we've made the captcha's auto-submit and reload the page upon completion... saving a click and some time.

But I suspect we're heading towards just turning them off. A lot of traffic to a site is legitimate bot traffic (especially if a site has APIs), and that stuff can never answer a captcha successfully.

I'm listening to an interesting podcast on Amazon's Audible at present by the tech correspondent of C4 News. It comproses ten 30 minutes episodes and purports to cover every aspect of the Dark Web.

What I haven't worked out yet is whether I, as someone who has no interest in breaking the law in any way, I simply don't want to buy illicit things, have any use for the Dark Web. Also, would downloading Tor make me any more vulnerable to attack?

These may be very naive questions and may be answered as I progress in the podcast. Any pointers would, however, be useful.