vltf

One more step

Mar 2016

This is the current page that CloudFlare serves up when they decide to block a user from accessing a web site:

Screenshot of a block page

Tor users have been seeing a lot of it recently because of how CloudFlare’s reputation system handles multiple people sharing a single IP address. If a spambot decides to use an IP address that is also being shared by humans then everyone gets punished for the bot’s behavior.

This particular block page has become notorious because of how difficult it is to get through. Often the captcha will fail to load entirely or the user will become stuck in a captcha loop, endlessly trying to satisfy CloudFlare’s unquenchable thirst for street signs. If you have disabled JavaScript then there is little hope.

Vanity block pages

I had a go at redesigning CloudFlare’s block page to use more direct wording, offer better alternatives than solving captchas and not push the user to enable JavaScript. It’s implemented as a browser extension that detects when you’re about to be blocked, then swaps in a custom error page that’s styled like a native browser error.

I tried a couple of different styles for the error page, but mimicking the browser’s own error page felt the best. It’s got that authoritative tone that says the internet is broken in a serious and fundamental way and that seemed to fit the feeling.

Browser-styled error message reading: Internet centralization error. The owner of medium.com allows ClodFlare to intercept and censor its content. Because you have taken steps to resist online mass surveillance, CloudFlare has blocked access.

First and foremost are links to archived copies of the page, but there’s also the option to solve captchas. That works by scraping the CloudFlare block page and Google’s captcha service then presenting it in a clean, easy-to-use format. Scraping means it’s super brittle to any changes to the block or captcha pages but it has the advantage that you don’t have to allow arbitrary scripts to run.

Captcha asking the user to select all images with street signs

One of the main goals of this project was to make getting through the block pages possible without being exposed to JavaScript or cookies. It wasn’t possible to do entirely without cookies, unfortunately, as cookies are what CloudFlare uses to track who has completed captchas. The extension compromises by allowing an exception for session cookies on sites where you have clicked the “Let CloudFlare track you” button. I can’t recommend it, but for completeness’ sake here’s a video of it in action:
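The session-cookie exception described above can be expressed as a header filter. This is an added sketch, not code from the extension: the function names, host names and cookie values are hypothetical, and it assumes persistent cookies on opted-in sites are downgraded to session cookies rather than dropped.

```javascript
// Added example; names and sample data are hypothetical, not from the extension.
// Hosts where the user clicked "Let CloudFlare track you" (constructed sample).
const optedInHosts = new Set(["blog.example"]);

// Remove Expires and Max-Age so the browser treats the cookie as
// session-only and discards it when the browsing session ends.
function toSessionCookie(setCookieValue) {
  return setCookieValue
    .split(";")
    .map((part) => part.trim())
    .filter((part, i) => {
      if (i === 0) return true; // the name=value pair itself
      const attr = part.split("=")[0].trim().toLowerCase();
      return attr !== "expires" && attr !== "max-age";
    })
    .join("; ");
}

// Response side: headers use the webRequest shape [{name, value}, ...].
function filterResponseHeaders(host, headers, allowed = optedInHosts) {
  const out = [];
  for (const h of headers) {
    if (h.name.toLowerCase() !== "set-cookie") {
      out.push(h);
    } else if (allowed.has(host)) {
      out.push({ name: h.name, value: toSessionCookie(h.value) });
    } // any other host: the Set-Cookie header is dropped entirely
  }
  return out;
}

// Request side: never send cookies to hosts the user has not opted in to.
function filterRequestHeaders(host, headers, allowed = optedInHosts) {
  if (allowed.has(host)) return headers;
  return headers.filter((h) => h.name.toLowerCase() !== "cookie");
}

// Constructed sample response carrying one persistent cookie.
const sampleResponse = [
  { name: "Content-Type", value: "text/html" },
  { name: "Set-Cookie",
    value: "clearance=abc123; Expires=Wed, 01 Mar 2017 00:00:00 GMT; Path=/; HttpOnly" },
];
console.log(filterResponseHeaders("blog.example", sampleResponse));
console.log(filterResponseHeaders("other.example", sampleResponse));
```

In a WebExtension these two functions would be called from header-modifying request listeners; that wiring is left out so the filter runs on its own.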

Anonymity loves company

I’m not going to offer the extension as a downloadable package though, only as source. It’s got flaws that defeat its purpose as a privacy-enhancing tool.

Namely, it alters how browsers load the block page in a way that’s detectable by CloudFlare, Google or in fact any other site that might decide to test whether the extension is installed. Currently this extension has no users so anybody that decided to install it would stand out from the crowd.

Also it doesn’t even run in Firefox or Tor Browser. I developed it using the WebExtensions API and Firefox’s implementation is currently missing some parts needed for it to work properly.

Oh well

Making this vanity block page was fun, but it doesn’t touch the bigger issue that many site owners have granted CloudFlare the power to block arbitrary users from reading their sites. If anything, this winter’s flare-up of block pages has served as a reminder of how large the proportion of web traffic flowing through CloudFlare has become.