I was shocked to see South Africa's popular Tech site myBroadband uses CloudFlare, which is poorly blacklisting legitimate traffic. I trust myBroadband is well informed about what is happening with the IP. So many times, CloudFlare denies me access to so many sites, which is worse on mobile devices. I am no longer visiting sites using CloudFlare. More people will second me on this issue; Captcha is irritating and wasting time.  

CloudFlare blogged that 94% of the requests it sees from Tor are "malicious." We find that unlikely, and we've asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as "malicious." Tor IP addresses are conduits for millions of people who are blocked from reaching websites under CloudFlare's system.

The Tor Project has yet to hear CloudFlare's explanation of how they arrived at the 94% figure and why they chose to block so much legitimate traffic, Tor traffic included. In their blog post, they mentioned obtaining data from Project Honey Pot and their own systems. While we wait to hear from CloudFlare, here's what we know:

1) CloudFlare uses an IP reputation system to assign scores to IP addresses that generate malicious traffic. Project Honey Pot has an IP reputation system that causes IP addresses to be labeled as "malicious" if they ever send spam to a select set of diagnostic machines that are generally not in use. CloudFlare has yet to describe the nature of the IP reputation systems they use.

2) External research has found that CloudFlare blocks at least 80% of Tor IP addresses, a share that has steadily increased over time.

3) That same study found that it typically took 30 days for an event to occur that caused a Tor IP address to acquire a bad reputation and become blocked. Once that happened, however, innocent users continued to be punished for it for the duration of the study.

4) That study also showed a disturbing increase over time in how many IP addresses CloudFlare blocked without removal. CloudFlare's approach to blocking abusive traffic is incurring a large number of false positives in the form of impeding regular traffic, thereby damaging the experience of many innocent Tor and non-Tor Internet users, as well as impacting the revenue streams of CloudFlare's own customers by causing frustrated or blocked users to go elsewhere.

5) A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that from the Internet (specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).
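The following is an added example, not code from the Tor Project or CloudFlare. It contrasts counting only the requests that were themselves abusive with counting every request from an IP address once it has been listed (the methodology suspected above), and shows what never removing a listing does to a shared address, as in points 3 and 4. The log, the two documentation-range addresses, the traffic volumes and the 7-day expiry are constructed assumptions; CloudFlare's actual scoring is not described here.

```python
from datetime import datetime, timedelta

SHARED_IP = "198.51.100.7"   # constructed: one exit address shared by many users
SINGLE_IP = "203.0.113.9"    # constructed: one ordinary single-user address

def build_log(days=100, abuse_day=30):
    """Constructed log of (timestamp, ip, is_abusive) tuples, sorted by time."""
    start = datetime(2016, 1, 1)
    log = []
    for day in range(days):
        for hour in range(10):                  # 10 requests/day via the shared IP
            ts = start + timedelta(days=day, hours=hour)
            log.append((ts, SHARED_IP, day == abuse_day and hour == 0))
        for hour in (12, 18):                   # 2 requests/day from the single user
            log.append((start + timedelta(days=day, hours=hour), SINGLE_IP, False))
    return sorted(log)

def label_per_request(log):
    """Count only the requests that were themselves abusive."""
    return sum(1 for _, _, abusive in log if abusive)

def label_per_ip(log, ttl=None):
    """Count requests arriving while their source IP is listed.

    An IP is listed from its first abusive request onward. With ttl=None the
    listing is never removed; otherwise it lapses ttl after the latest abuse.
    Returns (flagged_requests, flagged_but_legitimate).
    """
    listed_until = {}                           # ip -> expiry (datetime.max = never)
    flagged = false_positives = 0
    for ts, ip, abusive in log:
        if abusive:
            listed_until[ip] = datetime.max if ttl is None else ts + ttl
        if ip in listed_until and ts < listed_until[ip]:
            flagged += 1
            false_positives += not abusive      # legitimate request caught by the listing
    return flagged, false_positives

if __name__ == "__main__":
    log = build_log()
    print("total requests:", len(log))
    print("abusive requests:", label_per_request(log))
    print("per-IP, never delisted:", label_per_ip(log))
    print("per-IP, 7-day expiry:", label_per_ip(log, ttl=timedelta(days=7)))
```

One abusive request out of 1,200 leaves the shared address listed for the rest of the log when listings are never removed, so nearly everything counted as "malicious" is legitimate traffic that happened to share the address.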

CloudFlare disagrees with our use of the word "block" when describing its treatment of Tor traffic, but that's exactly what their system ultimately does in many cases. Users are either blocked outright with CAPTCHA server failure messages or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs, many of which require the user to understand English to solve correctly. For users in developing nations who pay for Internet service by the minute, the problem is even worse as the CAPTCHAs load slowly, and users may have to solve dozens each day without a guarantee of reaching a particular site. Rather than waste their limited Internet time, such users will either navigate away or choose not to use Tor and put themselves at risk.

Also, see our new fact sheet about CloudFlare and Tor: https://people.torproject.org/~lunar/20160331-CloudFlare_Fact_Sheet.pdf