
Tor Users May Soon Be Able To Circumvent Endless CAPTCHAs

CAPTCHAs have effectively protected websites from harmful bots and various types of spam for years. They are an internet commonplace. For Tor users, however, the number of CAPTCHAs presented to the user becomes debilitating. Tor users have routinely voiced complaints about the number of anti-robot puzzles presented to them.

CloudFlare, however, has defended their use of CAPTCHAs, stating that 94% of requests from the Tor network are malicious. When a user browses the internet using Tor, they are assigned the IP address of the Tor exit node. Many users, and bots, use the same exit node. Differentiating between concurrent legitimate and malicious requests coming from the same IP is no easy task.

Consequently, some form of filtering is needed to protect the website being visited.


In March 2016, CloudFlare implemented a step in what some consider the right direction. Website owners using CloudFlare as a CDN were given the option to whitelist all incoming Tor traffic. However, in whitelisting all such traffic, the site essentially becomes vulnerable to everything the CAPTCHA would detect and prevent.

Some sites began to utilize this configuration. DeepDotWeb whitelisted every Tor exit node and encouraged other sites to follow suit. Unfortunately, this option did not catch on for the vast majority of websites. Many webmasters felt uncomfortable allowing every exit node the ability to bypass CAPTCHAs.


CloudFlare, being the massive CDN and anti-DDoS company that it is, may have found a solution. This potential solution comes in the form of a recent update to the challenge-bypass-specification proposal on CloudFlare’s GitHub repo. In the update, CloudFlare notably points out that Tor users do face a disproportionate number of CAPTCHAs.

CloudFlare’s acknowledgement of the difficulty CAPTCHAs present to Tor users:

While CAPTCHAs in themselves are supposed to be easily solvable for humans, Tor users are dealt a disproportionate amount of these challenges due to the regularity of Tor exit nodes being dealt with poor IP reputations. This problem has been likened to an act of censorship against Tor users as these users are the most targeted by this protection mechanism. This problem also affects users of certain VPN providers and of I2P services.

In an effort to make Tor browsing more seamless, CloudFlare is proposing a form of blind signatures. “A blind signature is a cryptographic signature in which the signer can’t see the content of the message that she’s signing,” Brave developer Yan Xu points out.

Tor users would solve a single CAPTCHA and in doing so, be granted a predefined number of access tokens. These access tokens would allow the user to visit websites without being confronted by subsequent CAPTCHAs. However, without the concept of blind signatures, this implementation would be fundamentally contradictory to the anonymity Tor provides.


The spec explains how this protocol would be implemented in a way that would not impact a user’s web footprint. “First, it moves JavaScript execution into a consistent browser plugin (for use in TBB etc.) that can be more effectively audited than a piece of ephemerally injected JavaScript,” they detail. The writers continue: “Second, it separates CAPTCHA solving from the request endpoint and eliminates linkability across domains with blind signatures.”

Tokens granted to the user following the solving of an initial CAPTCHA would not be without limitations. Every puzzle solved would provide tokens that would be useable for standard web browsing. The number of granted tokens would be too low for attacks and malicious requests. Furthermore, this would not change the “protective guarantees” that CloudFlare currently offers.
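How a blind-signed bypass token can work, as an added example (not code from the article or from CloudFlare's specification). It assumes textbook RSA blinding, a constructed toy key, and hypothetical names (`Issuer`, `blind`, `unblind`, `demo`), and shows the per-CAPTCHA token budget, single-use redemption, and that the issuer never sees the token it later accepts.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def h(token: bytes) -> int:
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token: bytes):
    """Client side: hide H(token) behind a random factor r^E before sending."""
    r = 0
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return h(token) * pow(r, E, N) % N, r

def unblind(blind_sig: int, r: int) -> int:
    return blind_sig * pow(r, -1, N) % N  # (H * r^E)^D * r^-1 = H^D

class Issuer:
    """Signs blinded values after one solved CAPTCHA, later redeems tokens."""
    def __init__(self, budget: int):
        self.budget, self.seen, self.spent = budget, [], set()

    def issue(self, blinded_values):
        batch = blinded_values[:self.budget]  # cap tokens per solved CAPTCHA
        self.seen.extend(batch)               # all the issuer learns at issuance
        return [pow(b, D, N) for b in batch]

    def redeem(self, token: bytes, sig: int) -> bool:
        if token in self.spent or pow(sig, E, N) != h(token):
            return False                      # replayed or forged token
        self.spent.add(token)
        return True

def demo():
    issuer = Issuer(budget=3)
    tokens = [secrets.token_bytes(32) for _ in range(5)]  # client asks for 5
    blinded = [blind(t) for t in tokens]
    sigs = issuer.issue([b for b, _ in blinded])
    wallet = [(t, unblind(s, r)) for t, (_, r), s in zip(tokens, blinded, sigs)]
    token, sig = wallet[0]
    first, replay = issuer.redeem(token, sig), issuer.redeem(token, sig)
    forged = issuer.redeem(b"made-up token", 12345)
    # Nothing recorded at issuance matches what is presented at redemption.
    linkable = h(token) in issuer.seen or sig in issuer.seen
    return len(wallet), first, replay, forged, linkable
```

The issuer grants only three of the five requested tokens, accepts each token once, and holds no issuance record that matches a redeemed token or signature.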

“We also leave the door open to an elevated threat response that does not offer to accept bypass tokens,” the authors explain.

Ultimately, if this proposal is implemented, Tor users would have a much smoother browsing experience. They would face fewer CAPTCHAs while maintaining the same anonymity currently provided.


  1. Why does this sound like fingerprinting individual Tor users?

    I think it’s better to avoid CloudFlare sites or at least use some web proxy to visit them so you won’t get the captcha.

  2. “First, it moves JavaScript execution into a consistent browser plugin”

    A plugin or addon would have full access to your computer’s hostname, MAC and public IP address.

  3. I always use the highest security settings within the Tor Browser, which means NO JavaScript!!

  4. Similar NAG problem

    What about that shitty flashing yellow triangle in the onion to indicate updates? That sucks really bad too. Amazing that there is no easy way to turn it off without going into about:config. Why won’t the Tor team do something about this??? Chinese Water Torture.

    • If you’re not updating your Tor Browser when you get the nag, you’re setting yourself up to get pwned. They don’t issue updates just for the fun of it; they’re patching critical vulnerabilities that could lead to deanon or worse.
