Re: Fsck Cloudflair
There also seems to be an assumption the tor=bad guy
Nope, if that was the case we'd have simply banned known tor exit nodes IPs, or 403'ed known tor user-agents (or both).
That doesn't mean that a lot of hurt can't come from tor connections, though!
So, forcing traffic from known-possibly-bad locations to answer a captcha in order to progress through is a kind of "acceptable middle ground" between "yup, go ahead, possible robotic connection with possibly malicious intentions" and "fuck off, tor user".
If your tor browser clears cookies every time you close it, and you tend to close it ten times per day… well, each time your browser will seem to Cloudflare to be a "new" one, and you'll have to answer the captcha.
Crudflair suggest that the targets of this hassle and levels of hassle are under the control of the customer
Yes, that's right.
The "security level" on cloudflare has been set to "medium" six months ago. As such, connections with a "threat level" > 14 are shown a captcha. A "threat level" of 10 is considered "high" by Cloudflare - so we're doing quite right in only blocking > 14.
Even with that security level system in place there's still a lot of shit traffic that goes through, though, so it's unlikely we'll want to lower it anytime soon.