all 46 comments

[–]magnora7 6 insightful - 2 fun6 insightful - 1 fun7 insightful - 2 fun -  (13 children)

No we can't change it, because turning down tor limitations results in tons of spam accounts and spam posts that make this site even more unusable.

Try having a fixed IP, or just turning off VPNs. VPNs are largely just honeypots anyway...

[–]BISH 3 insightful - 4 fun3 insightful - 3 fun4 insightful - 4 fun -  (0 children)

We need to get /u/socks a VPN with tor.

[–]neolib 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (6 children)

But it looks like a Cloudflare bug, not a "limitation". I mean there's no captcha, just checkbox "verify you're human" or something. You click it, and it reloads again (or on reload there is no checkbox, so you have to return to saidit proper and try clicking login again, or you look at "verifying" message for minutes), and this procedure repeats for hours (or you are lucky to get in sometimes).

There was a big HN discussion btw with Cloudflare people participating, but that guy didn't use Tor, so their fix didn't do anything for me:

https://news.ycombinator.com/item?id=35742606

[–]magnora7 4 insightful - 1 fun4 insightful - 0 fun5 insightful - 1 fun -  (5 children)

The checkbox is actually an advanced form of captcha that detects mouse movements and timing to see that they look human, it's not just a random box (even though cloudflare disguised it that way)

[–]SoCo[S] 5 insightful - 1 fun5 insightful - 0 fun6 insightful - 1 fun -  (2 children)

It is also doing a bunch of challenge request communications and funky use of cookies and webworkers.

Many of the requests and cookie uses seem to be purposely done incorrectly, such as with incorrect samesite header rules. They expressly state something to the effect of 'testing your browser's security', so I guess that would be their excuse. Yet, when a website makes certain bad requests, your browser is supposed to react in certain ways, which may help leak or fingerprint your network, browser, and/or device.

Cloudflare is notoriously unfriendly towards Tor users. They are a fingerprinting identifying service at their core and Tor is an anonymity service. They are inherent mortal enemies, by my figuring.

[–]Vulptex 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (1 child)

They don't even let you use plain old Firefox. You pretty much have to use Chrome, and only Chrome, because only it has enough tracking functionality to satisfy CloudFlare.

[–]LarrySwinger2 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

I can get through their security check in Librewolf, and that has more anti-fingerprinting than vanilla Firefox.

[–]Vulptex 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (1 child)

That explains why it's so much harder to pass with a touch screen.

[–]magnora7 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

Oh that's interesting, I didn't know that was an issue but it makes sense

[–]SoCo[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (2 children)

Turning off my VPN would be turning off my security, the most important part, which protects me from targeted network attacks.

While most VPN companies may be forced by governments to be spy, tracking, and hacking services for them, one can alternatively use Tor which (further) encrypts all of your (already https encrypted) traffic through the proxy chain.

[–]magnora7 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (1 child)

I see what you are saying, but VPNs don't actually offer that much security, and we can't make this site more vulnerable to attacks than it already is, and we know for a fact turning it lower causes a lot of problems

[–]Vulptex 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

I think it's some secret plan CloudFlare has and not site-specific settings. It wasn't giving humans any problems for a whole year, even on obvious VPN and TOR IPs. Then suddenly you couldn't even use plain Firefox, and this affected the entire web not just saidit. There was no noticeable difference in attacks here or anywhere.

If I had to guess, CloudFlare is trying to sneak data mining into its security checks. They want to force you to use Chrome so they and Google can track you easier.

[–]Vulptex 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (1 child)

Are you sure? Until recently this hadn't been a problem at all for about a year, so why is it only acting up now?

[–]magnora7 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

Probably because we're getting attacked and the attackers want us to make new holes for them to get through

[–]LarrySwinger2 4 insightful - 1 fun4 insightful - 0 fun5 insightful - 1 fun -  (0 children)

Me too /u/magnora7, this is a big problem. We should be able to use this site anonymously. Can you address it?

@OP note that you can use ctrl + shift + L repeatedly to switch the circuit for the current site until you get an exit node where the checkbox pops up right away. When that's the case, it will also let you go through immediately after clicking. But it still takes a while to find such an exit node. At least it's something. And if you trust your VPN: Librewolf has good anti-fingerprinting as well, by default even stricter than Tor browser, so you could try that.

[–]hfxB0oyA 4 insightful - 1 fun4 insightful - 0 fun5 insightful - 1 fun -  (3 children)

I know it's no Tor, but I've been using Brave and it works well. I realize it's Chrome, but at least it's not full Google spyware.

[–]SoCo[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (1 child)

I've found Brave to be a pretty cool project, although I don't use it often enough to get a good feel for it. I think it has Tor support built in, though.

[–]hfxB0oyA 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

It does on desktop, but not mobile

[–]Vulptex 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

That's because it's actually Firefox that CloudFlare doesn't like, not the fact that you're on a TOR IP. But if you're using the TOR browser it's a Firefox derivative.

CloudFlare wants to restrict users to Chrome because it makes them easier to track and mine data from.

[–]neolib 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (23 children)

I also have this problem as a fellow Tor user. It also looks quite random - sometimes you try and try and try for hours without success (I do force "tor circuit change" too dozens of times and it doesn't help), and sometimes it works like on second try.

[–]magnora7 4 insightful - 1 fun4 insightful - 0 fun5 insightful - 1 fun -  (21 children)

That's probably a function of how many tor attacks we have received in the previous couple hours, it tightens the security if there is a DDOS attempt through tor or other VPNs (which we get about 10 daily for years now, and they must be automated because they keep trying yet never succeed)

[–]SoCo[S] 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (16 children)

Do people still DDoS with Tor? It seems unlikely to ever be very good at that. To me, it looks like almost all network hacking seems to happen over common big-name cloud services now.

There are only a couple thousand Tor exit nodes I think. That seems like it would consolidate a distributed attack into only like a little over a thousand connections at once, which seems wimpy. (I assume all exit nodes wouldn't be useful against a single target, due to being geographically spread out or otherwise, using all exit nodes at once might be hard to reach).

[–]magnora7 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (15 children)

They're able to spoof IP addresses in the tor node range of IPs, is the actual problem. They're not using tor, they're just acting like they are a lot of times to make the fact their IP changes with every request look less suspicious.

[–]SoCo[S] 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (14 children)

The 'Tor node range of IPs' is regular IPv4 and IPv6......so I'm not following you. Are you saying the whole regular Internet is broken?

You can easily get a list of all the regular Internet IPs of all Tor exit nodes, they provide a list to do just that.

Changing your IP with every request would be problematic for most websites. Tor only does that when the current exit node goes out of service or the user clicks 'new circuit for this site' (usually due to the current circuit of nodes failing to load site).

If you really want unlimited obscured IPs, you get a Google, Amazon, or Microsoft cloud account. Preferably, all of the above, cycle free offers, and grab some European cloud host accounts too. You can have more than 1000 IPs then.

[–]magnora7 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (13 children)

It's worse than that, these attackers can spoof any IP. Trillions of IPs. They often choose Tor node IP ranges to spoof, it seems, to overlap with real traffic, as a means to try and get us to ban tor and to also cover up their activity. They also spoof other IP ranges, but tor is their favorite.

[–]SoCo[S] 4 insightful - 1 fun4 insightful - 0 fun5 insightful - 1 fun -  (6 children)

Since a spoofed IP cannot receive a reply, they should be just standard network noise for a HTTPS web server; they cannot perform the HTTPS handshake.

Their likely goal is to both/either:

  • stress the website forcing it to use expensive privacy invading protection services that are feasibly able to de-anonymize users across the net, even on Tor, if so inclined (Cloudflare's transparency reports give the impression of resistance, but I prefer to trust no one and no service).
  • cause a reflection attack against the spoofed IPs

When they connect to the HTTPS and the website replies to the spoofed IP, those packets make the website reply to the Tor IPs, becoming a reflection attack. For a non-valid TCP connection, these should be dropped pretty readily by the Tor node's NAT, and the HTTPS handshake packet shouldn't be too large. Yet, with enough of these, it can likely still degrade the Tor node's network.

Similar to robo callers spoofing caller IDs, this network spoofing can only exist non-locally because large network operators or backbones don't reject packets with obviously forged return addresses. A large amount of cellular and Internet backbones are filtering for this. I suspect that cloud providers have simply covered their eyes and ears, allowing their customers to freely send spoofed packets en masse. Considering how much malicious vulnerability scanning, specific attacks, and scam/malware hosting that comes from the major cloud providers, seemingly without a care or way to identify or report them, this seems a likely origin, even though not helpful.

HTTP (without the S) on the other hand, could cause lots more problems for a webserver and a much more significant reflection as well.
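Added example, not part of the comment above or of anyone's post in this thread: a request only reaches an HTTPS access log after the TCP and TLS handshakes complete, so logged sources received the server's replies and can be compared with the published Tor exit list mentioned earlier. The exit-list format (one address per line), the log format, the function names and all sample data are assumptions constructed for illustration, and the logged address is assumed to be the real peer address rather than a proxy's.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data using documentation address ranges, not real hosts.
# Assumed exit-list format: one IP address per line, '#' lines ignored.
EXIT_LIST = """\
# constructed Tor exit list
192.0.2.10
192.0.2.11
2001:db8::5
"""

# Constructed access-log lines. Each line exists only because the handshake
# finished, which a source using a forged (spoofed) address cannot do.
ACCESS_LOG = """\
192.0.2.10 - - [01/May/2023:10:00:01 +0000] "GET /login HTTP/1.1" 403 512
192.0.2.10 - - [01/May/2023:10:00:02 +0000] "POST /login HTTP/1.1" 403 512
198.51.100.7 - - [01/May/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 4096
203.0.113.99 - - [01/May/2023:10:00:03 +0000] "GET /register HTTP/1.1" 200 2048
2001:db8::5 - - [01/May/2023:10:00:04 +0000] "GET /register HTTP/1.1" 200 2048
not-an-ip - - [01/May/2023:10:00:05 +0000] "GET / HTTP/1.1" 400 0
"""

LOG_RE = re.compile(r"^(\S+) \S+ \S+ \[")


def parse_exit_list(text):
    """Return the set of exit addresses, skipping comments and bad lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # tolerate junk in the list instead of failing
    return exits


def classify_sources(log_text, exits):
    """Count completed requests per source class and per source address."""
    by_class, by_ip, malformed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            ip = None
        if ip is None:
            malformed += 1  # unparseable line or source field
            continue
        by_class["tor_exit" if ip in exits else "other"] += 1
        by_ip[ip] += 1
    return by_class, by_ip, malformed
```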

[–]magnora7 6 insightful - 1 fun6 insightful - 0 fun7 insightful - 1 fun -  (5 children)

Interesting technical analysis, I will think about that some more, thank you. They are obviously somehow able to get replies despite the IP changing with literally every request and jumping beyond any normal IP bounds of any service like tor. I don't know exactly how it works. Honestly it's beyond anything I've ever seen, it may be some gov't tech, who knows. It's quite obviously not some dumb script kiddies, there's no question about that. They know what they are doing and have lots of software specifically for this. I have also seen they have software that does automated account registration, and automated comment and post deletion after a saidit account is banned. They're quite obviously well-prepared, and a lot of this was unleashed on day 1 of saidit's launch, wherein a group on reddit literally scanned /r/conspiracy for regularly-commenting usernames and then registered all those usernames on saidit in order to frustrate the migration and scare off new users. They registered something like 5,000 accounts in under a half-day, on saidit's opening day, before we turned on a more advanced captcha system.

Saidit basically had to become a cyber-fortress just to exist, I probably personally spent over 1000 hours just on saidit cybersecurity alone. I learned how to write Cloudflare API bash scripts that send self-autogenerated IP ban lists (which I also wrote a script for) from our server to the cloudflare server, without having to use the paid service, just to save money. D3rr and I used every trick we know to get saidit as secure as it is, and he's even better with this stuff than I am.

Basically my point is, this is a very high hurdle to jump over, and it's little wonder a lot of reddit alternatives implode quickly. You have to absolutely have your stuff together from day 1, or the site will be taken down from malicious attacks that are just free-floating around the internet. Most people can't do this, and most forums fail. Especially if the forum is related to anything controversial.

This itself is a way to stifle the free speech of the masses. You literally have to be a cybersecurity expert just to run a dang forum in 2023. And that's not even mentioning the actual code of just getting the thing running in the first place. And then the critical mass problem of attracting enough users. The hurdles are too high, so it's little wonder there are so few viable reddit alternatives. It's not a good state of affairs for the internet and culture in general. And with the improving quality of automated AI posting and commenting on top of that, I worry about the future of anonymous text-based forums.

[–]Vulptex 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (4 children)

Honestly it's beyond anything I've ever seen

It might be reddit then. Reddit is somehow able to detect your alt accounts automatically, going back years, in cases where it should be literally impossible to do even manually.

[–]magnora7 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (3 children)

Could very well be, especially since this is a fork of reddit's open source, and the attackers seemed to know the software inside-out on day 1, and exactly how to exploit it. And it would make sense that reddit would want to stifle competition.

[–]Vulptex 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (5 children)

Wouldn't be surprised if it's feds doing this, or even CloudFlare and Google shills.

[–]magnora7 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (4 children)

I'm pretty sure it's the former, not the latter. Also could work for reddit, shutting down competition. Although reddit is basically fed owned at this point too, so the distinction probably doesn't matter that much. Also there are Russian and Chinese shill groups, and many more... it's quite frequent the shill groups will even fight each other. The internet is truly a different place from 20 years ago

[–]LarrySwinger2 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (3 children)

What kind of fighting are you talking about?

[–]magnora7 4 insightful - 1 fun4 insightful - 0 fun5 insightful - 1 fun -  (2 children)

I mean fighting in the sense of arguing and posting tons of comments and posts that hijack entire threads and forums. Like for example, a thread might have 90 comments, 40 are russian shills arguing the pro-russian side, 40 are US shills arguing the US side, and then 10 are actual real people. Because the different shill groups try to shut each other down they get caught in arguments with each other, and those arguments end up making up the bulk of some threads. Especially if it's a contentious MSM hot button current issue for both sides, then it goes wild and normal folk can barely get a word in edgewise.

[–][deleted] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (3 children)

Ddos would be automated and it is done explicitly for the reason of de-anonymizing users. So data brokers can collect and transmit the content of these messages, the whole of the internet went out of their control and they’ve been doing a massive cya operation by shuffling blame to the users for any mistakes.

[–]magnora7 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (2 children)

ddos has nothing to do with de-anonymizing users. What it does is eat up the bandwidth so no one can access the website. It doesn't grant any access to anything

[–][deleted] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (1 child)

I know, they are forcing your hand at blocking tor ranges (ddos) in an effort to deanonymize users via cloud flare, since with tor - it makes access more difficult.

[–]Vulptex 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

I wouldn't even be surprised if CloudFlare is actually who's doing it.

[–]SoCo[S] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

That sounds identical to my experience.

[–]iamonlyoneman 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (0 children)

3 hours trying to get into a website

touch grass, loser

Then realize nobody cares about your device or data, and use a normal browser like a normal person. u/magnora7 pls ignore these autists.

[–]GoblinJ 1 insightful - 2 fun1 insightful - 1 fun2 insightful - 2 fun -  (0 children)

I don't use any of that because I want the feds to know where I stand.

[–]Vulptex 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

CloudFlare doesn't even let you use vanilla Firefox, or any browser other than Chrome. Probably CloudFlare and Google are teaming up to force everyone to use their products only and give them their information.