(Not the OP.) I'm using Tor Browser on a desktop/laptop. I'm seeing different problems:
(1) Rate-limiting: My regular account (this is a throwaway) has thousands in karma, but after around 4 comments I still get the 'you're posting too fast' rate limiter. Perhaps HN could disable rate-limiting after the Tor user has a certain amount of karma.
(2) Comments seem penalized, starting in the middle of threads instead of at the top. This issue has come and gone a couple of times (it's happening now on my regular account). It seems to stop when I have had an interaction with the mods; I wonder if they notice and disable it. It seems to restart after I get several downvotes in a short period; perhaps that triggers some algorithm which decides that comments over Tor are shady.
(3) Registering accounts requires a captcha and is frustrating, though something I rarely have to deal with. To register this throwaway account I got a captcha, completed it, approved. HN said the username was taken, and when I entered another username the process started over - another captcha. Then the username was too long, so I started over again.
I suspect these are not related to your use of Tor. Note that jgrahamc is at Cloudflare, not HN, and was asking about the Cloudflare interactions people on Tor are having, as the CAPTCHA the OP is speaking about is implemented by Cloudflare.
I am currently rate-limited, I have been on rate-limiting before, and I've had my rate-limiting disappear. This has more to do with how happy (or unhappy, as the case is) the mods are with your commenting habits than what browser you are using. I do not know if your rate limit penalty has an expiration date or if they manually remove you, HN mods rarely if ever discuss rate limiting, but it is almost surely to curb what HN mods consider poor quality comments and ensure they don't overwhelm a discussion.
It's not so uncommon that we discuss rate limiting. We do that all the time when people email us and I've posted not infrequently about it: https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme.... People are welcome to ask questions, though as the site guidelines ask, it's better to do that by emailing us.
Being rate limited is annoying, so I appreciate the even-handedness in what you wrote.
Well, HN won't let me delete or edit the parent comment for some reason (new accounts can't edit or delete their comments?). I just realized that the parent is from Cloudflare, not HN, so my comment isn't very applicable.
Sorry. I'll copy it to its own thread. HN can blame itself for the spam (unless they block me from posting it anew, too.)
Related: I also get captcha harassed by other Cloudflare-fronted sites constantly in Chromium on Android and have simply given up on browsing sites that use it at this point. HN put me over the edge to complain.
I've had this problem as well when using a Tor proxy with Firefox. A page is displayed that says "Prove you're legit." Disabling other privacy plugins so I can accept a tracking cookie isn't my idea of a fix. Is there a threat model that includes anybody in his right mind attacking HN?
HN isn't "penalizing Tor users", but HN does use Cloudflare.
94% of the requests Cloudflare saw over Tor were malicious[1], but rather than block Tor, they implemented a couple of ways to prove you are part of the 6%, including a browser extension[2] that can get you out of the CAPTCHAs.
I wrote a little script to watch Tor traffic to my servers and way more than 94% is either clearly malicious or probably malicious. Malicious is clearly scans, bruteforcing attempts, and so on. Malicious is obvious most of the time when I look at the web logs. "Probably Malicious" is something like an odd single hit to an index page, really not quite sure what they're doing, but it's clearly not a person looking at the site. Tor traffic is almost never a person looking at a website based on what I see in my Apache logs.
Most clearly malicious traffic to my servers is not Tor, but most Tor traffic is malicious. This is what I see to my servers, you may see different traffic on your servers.
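The kind of log triage the comment above describes, as an added example (not the commenter's script): it matches Apache access-log clients against a Tor exit list and labels each client. The exit IPs, log lines, probe paths and failed-login threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data: documentation-range IPs, not real exit nodes.
TOR_EXITS = {"192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.5"}
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "-"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "-"
192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "POST /login HTTP/1.1" 401 12 "-" "-"
192.0.2.11 - - [01/Jan/2024:10:01:01 +0000] "POST /login HTTP/1.1" 401 12 "-" "-"
192.0.2.11 - - [01/Jan/2024:10:01:02 +0000] "POST /login HTTP/1.1" 401 12 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [01/Jan/2024:10:03:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:03:01 +0000] "GET /style.css HTTP/1.1" 200 900 "http://example.test/" "Mozilla/5.0"
203.0.113.99 - - [01/Jan/2024:10:04:00 +0000] "GET /.env HTTP/1.1" 404 196 "-" "-"
"""
# Client IP, method, path and status from an Apache common/combined log line.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PROBES = ("/wp-login.php", "/.env", "/phpmyadmin", "/.git/")  # assumed heuristic
FAILED_LOGINS = 3  # assumed threshold for calling it bruteforcing

def classify_tor_clients(log_text, exits):
    """Return {ip: label} for clients that appear on the exit list only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in exits:
            hits[m.group(1)].append((m.group(2), m.group(3), int(m.group(4))))
    labels = {}
    for ip, reqs in hits.items():
        probes = any(path.startswith(PROBES) for _, path, _ in reqs)
        failed = sum(1 for meth, _, st in reqs if meth == "POST" and st in (401, 403))
        if probes or failed >= FAILED_LOGINS:
            labels[ip] = "malicious"            # scan or repeated failed logins
        elif len(reqs) == 1 and reqs[0][1] == "/":
            labels[ip] = "probably malicious"   # lone index hit, no assets fetched
        else:
            labels[ip] = "looks human"          # page plus follow-up asset requests
    return labels

def summarize(labels):
    """Count clients per label."""
    return Counter(labels.values())

if __name__ == "__main__":
    labels = classify_tor_clients(SAMPLE_LOG, TOR_EXITS)
    for ip, label in sorted(labels.items()):
        print(ip, label)
    print(dict(summarize(labels)))
```

In practice the exit set would be loaded from a published exit list and refreshed regularly, since exits change over time.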
Sweeping bans of users based on shared IP addresses should never be more than a very short term stopgap solution.
There are other ways to solve these problems. As just one example you could support protocols like U2F or FIDO2 that take brute forcing off the table, and the brute forcers go away.
As another example I offer free unix shell services to the general public. Lots of people were using Tor to create accounts for cryptocurrency mining. Instead of banning Tor I blocked all outgoing traffic to all major mining pools. The mining abuse stopped.
Try to find ways to remove the incentive for bad behaviour, rather than throwing out the good with the bad.
I'm not Cloudflare, so I can't answer what they meant. Maybe eastdakota around here can, he wrote the blog post stating it. (Or jgrahamc, who responded in this thread, who is at Cloudflare and can probably be more useful to you.) I would assume it includes things like Denial of Service attack traffic, which is much of why people use Cloudflare.
Well, I think there may be too many peers using a pretty limited number of exit nodes to access HN (or any other popular site), currently 1109 hosts, source: https://www.dan.me.uk/tornodes