CloudFlare and Tor Have a Spat

Douglas Crawford

Douglas Crawford

April 21, 2016

CloudFlare is US company “that provides a content delivery network and distributed domain name server services, sitting between the visitor and the CloudFlare user’s hosting provider, acting as a reverse proxy for websites. Its network protects, speeds up, and improves availability for a website or mobile application with a change in DNS.”

A huge percentage of the world’s websites (it is estimated that some 25 percent of global Web visitors pass through CloudFlare’s servers each month) rely on CloudFlare to deliver their pages quickly and without problems to users, and to protect them against spam, DDoS attacks, and other malicious internet activity.

The Tor Network aims to provide its users with anonymity while accessing the internet. It does this by routing users’ internet connection through at least three different volunteer-run “nodes”, which can be located anywhere in the world.

All data is re-encrypted each time it passes through a node, and at no point can anyone know the whole path between your computer and the website you are trying to connect to (even if some nodes along the path nodes are controlled by malicious entities).

Tor is therefore a vital tool for dissidents, whistleblowers, and anyone who lives under a repressive government and requires uncensored access to data, and /or who might get into trouble for doing so.

The Trouble with Tor

Any Tor user will be all too familiar with being challenged when they visit a website, and being forced to solve an irritating CAPTCHA puzzle before being allowed to proceed. It now seems that one reason this problem is so common is that CloudFlare views Tor users as a threat…


In a recent blog post titled The Trouble with Tor, CloudFlare CEO Matthew Prince claimed that,

Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network.”

As CloudFlare’s support documentation makes clear, CloudFlare does not automatically block Tor users. If the IP address of a Tor exit node has earned a “bad reputation”, however, it receives a high “threat score”. Visitors using that exit node will then by default face a CAPTCHA challenge.

Unfortunately, since such a high percentage of requests that are coming from the Tor network are malicious, the IPs of the Tor exit nodes often have a very high threat score.”

What I find particularly creepy, however, is that Prince freely admits to tracking the behavior of ordinary internet users as they access websites across the internet, in order to determine their trustworthiness,

With most browsers, we can use the reputation of the browser from other requests it’s made across our network to override the bad reputation of the IP address connecting to our network. For instance, if you visit a coffee shop that is only used by hackers, the IP of the coffee shop’s WiFi may have a bad reputation. But, if we’ve seen your browser behave elsewhere on the Internet acting like a regular web surfer and not a hacker, then we can use your browser’s good reputation to override the bad reputation of the hacker coffee shop’s IP.

I can only presume from this that CloudFlare routinely uses browser tracking techniques such as Browser Fingerprinting and Canvas Fingerprinting –  techniques that privacy advocates condemn as being highly invasive to individuals’ privacy!

The Trouble with CloudFlare

In a snappily titled blog post called The Trouble with CloudFlare, the Tor Network has responded by questioning CloudFlare’s figures,

“We’ve asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as ‘malicious. Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare’s system. We’re interested in hearing CloudFlare’s explanation of how they arrived at the 94 per cent figure and why they choose to block so much legitimate Tor traffic.

A solution?

CloudFlare has introduced a new way of dealing with webpage requests originating from Tor exit node IPs, aimed at putting control of how to deal with such requests in the hands of website owners themselves.


ClouldFlare now allows domain owners to treat Tor as its own country. The code T1 is used for Tor

CloudFlare blocks captcha whitelist javascriptchallenge

They can then easily choose how they want to deal with such requests

Prince, however, describes this as an “imperfect” solution as, if anything, website owners are more likely to Block Tor users than Whitelist them!

While Tor users think it’s a no-brainer that sites would whitelist their traffic, if you talk actually with site owners the majority would prefer to just block Tor traffic entirely. In fact, when we looked at our customer base, we found that far more had manually entered Tor exit node IPs to block them than to whitelist them. We didn’t want to make blacklisting easier because, again, we believe there’s value in the anonymous web surfing that Tor offers.


There is an increasing trend for prejudicing against Tor users on the internet. For example CloudFlare competitor Akamai simply stonewalls Tor users with a 404 error message, and the other list of services that block Tor is getting longer.

Tor Akamai

The Fox News website uses CloudFlare rival Akamai to protect it from internet threats

Given that many vulnerable users rely on the anonymity and ability to evade censorship that Tor provides, this cannot be a good thing. I therefore strongly encourage all website to Whitelist or otherwise ensure that Tor users have unrestricted access to their websites.

Exclusive Offer
Get NordVPN for only