Tor, Cloudflare, and Google CAPTCHAs

UPDATE: A solution is available; see the bottom of this page

Today I saw these Tweets:

I decided to test this, so I installed Tor Browser and tried to view my own site.

Indeed, I was confronted with an endless series of incomprehensible CAPTCHAs. It took me eight or nine attempts to get through. If anyone can understand what the right answer is to the CAPTCHA below, my hat's off to you. I can make logical arguments for selecting numbers from zero to eleven of those squares.

The "Report a problem" link is useless, because it vanishes when I attempt to solve the CAPTCHA--I'm not sure there is a problem until that link is gone.

Here are some CAPTCHAs I found trying to access my own site. As you can see, they are very frustrating. I even lowered the Cloudflare protection to "Low" and the CAPTCHAs still appear. I cannot have any protection without frustrating Tor users.

I think Tor enthusiasts are justified to protest Cloudflare's decision to force them to undergo this torture. Perhaps someone could convince Google to fix their CAPTCHAs, or Cloudflare could use some other CAPTCHAs. Or perhaps the CAPTCHAs are unnecessary--I don't know how many attacks come over Tor.

CAPTCHA Examples

Here my answer was judged to be incorrect. Perhaps I was supposed to flag the small sign behind the car, but is that sign on the bus? Does a sign on the bus count as a street sign?

This answer was judged correct, despite not selecting the squares on the right with portions of street signs in them.

This answer was also judged correct, so apparently the pole does not count as part of the street sign.

Here the answer seems clear, but Google decided I was incorrect. Apparently a sign without writing on it is not a sign.

This one seems identical to the last one, but now Google decided I was correct. What is that floppy thing draped over a cone? Is that a sign? I arbitrarily decided it was not.

Cloudflare Tor Whitelister

After posting this page and Tweeting about it, I got this reply from @shiromarieke (Thanks!):

That sounds like just what I need!

https://github.com/DonnchaC/cloudflare-tor-whitelister

I can whitelist Tor with just two commands:

pip install cloudflare-tor-whitelister

cloudflare-whitelist -t 'API_TOKEN' -e 'CLOUDFLARE_EMAIL'

I found my Coudflare API token after some hunting. To get it, log in to Cloudflare, at the top right of the page, click the arrow under your name, and click "My Settings".

I just ran those commands directly on my Mac:

And now Tor Browser goes right to my site without CAPTCHAs :)

It's recommended to run that job once per day to keep the list of Tor exit nodes current. I don't plan to do that, just to see what happens.

Posted 2-19-16 by Sam Bowne