Hacker News

A global cookie is a session; if the user wipes the cookie, resets the Tor connection, etc., that's their issue. Tor is not designed to hide sessions, nor would setting a global cookie break anonymity unless the user doesn't understand how Tor works. All exit nodes are watched, and session device fingerprints are correlated with or without a global cookie.


If nobody sets a global cookie, a passive attacker cannot correlate different tabs using different circuits. See https://trac.torproject.org/projects/tor/ticket/3455 and https://www.torproject.org/projects/torbrowser/design/#ident...


If the same global cookie is accessible via two circuits, that's a bug in a product that uses Tor, not in Tor. I personally go above and beyond simply creating a new circuit: I never open two circuits at the same time or boot, limit Tor sessions to single use, locally compartmentalize data per session, etc. Tor is not plug and play; it takes effort and discipline, and will never be a fully automated solution.


Yes, TBB on default settings is vulnerable to associating multiple tabs (if I'm reading the link above right) if an adversary sets a shared cookie. That does not mean it's OK for someone to set a shared cookie.

The possibility of exploitation does not mean exploitation or making exploitation easier is fine.
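To make the linking the two comments above describe concrete, here is a toy model of it, added as an example and not code from the thread, from Tor Browser, or from Cloudflare. It assumes a hypothetical intermediary (ClearanceService) that fronts several sites and sets one clearance cookie from a fixed host (clearance.example, assumed), and that the browser already sends each tab's traffic over its own circuit (distinct exit IPs, constructed here). Server side, the cookie value is the only thing tying the two exits together, so the model compares one global cookie jar against a jar keyed on the first-party (URL bar) domain.

```python
"""Toy model of linking two Tor circuits through one shared cookie.

Added example, not code from the thread or from the Tor project. Names
(ClearanceService, the clearance.example cookie host, the exit IPs) are
assumptions made for illustration.
"""
import secrets
from collections import defaultdict


class Browser:
    """Cookie storage with an optional first-party-keyed jar.

    With first_party_isolation=True, a cookie set while site-a.example is in
    the URL bar lives in a jar separate from the one used while site-b.example
    is in the URL bar, so a third-party host reached from both sites never
    receives the same value from both tabs.
    """

    def __init__(self, first_party_isolation: bool):
        self.first_party_isolation = first_party_isolation
        self.jars = defaultdict(dict)  # jar key -> {cookie host: value}

    def _jar(self, first_party: str) -> dict:
        key = first_party if self.first_party_isolation else "global"
        return self.jars[key]

    def cookie_for(self, first_party: str, host: str):
        return self._jar(first_party).get(host)

    def set_cookie(self, first_party: str, host: str, value: str) -> None:
        self._jar(first_party)[host] = value


class ClearanceService:
    """Hypothetical intermediary fronting many sites, one clearance cookie each.

    The same cookie host is used on every fronted site, so without first-party
    isolation the cookie is effectively global across those sites.
    """

    HOST = "clearance.example"  # assumed cookie host

    def __init__(self):
        self.requests = []  # (exit_ip, first_party, cookie) as seen server side

    def handle(self, browser: Browser, first_party: str, exit_ip: str) -> str:
        cookie = browser.cookie_for(first_party, self.HOST)
        if cookie is None:
            # First contact from this jar: challenge solved, token issued.
            cookie = secrets.token_hex(8)
            browser.set_cookie(first_party, self.HOST, cookie)
        self.requests.append((exit_ip, first_party, cookie))
        return cookie

    def linked_circuits(self) -> dict:
        """Cookie values that arrived from more than one exit IP.

        Each such group ties together requests that Tor routed over
        different circuits.
        """
        seen = defaultdict(set)
        for exit_ip, _, cookie in self.requests:
            seen[cookie].add(exit_ip)
        return {c: ips for c, ips in seen.items() if len(ips) > 1}


def simulate(first_party_isolation: bool) -> dict:
    """Two tabs, two first-party sites, two circuits (distinct exit IPs)."""
    browser = Browser(first_party_isolation)
    service = ClearanceService()
    # Constructed sample traffic: each tab's stream leaves Tor via its own exit.
    service.handle(browser, "site-a.example", exit_ip="198.51.100.10")
    service.handle(browser, "site-b.example", exit_ip="203.0.113.20")
    # Revisiting a tab presents whatever cookie that tab's jar already holds.
    service.handle(browser, "site-a.example", exit_ip="198.51.100.10")
    return service.linked_circuits()


if __name__ == "__main__":
    for isolated in (False, True):
        links = simulate(isolated)
        mode = "first-party-isolated jars" if isolated else "one global jar"
        print(f"{mode}: {len(links)} cookie(s) seen from multiple exits -> {links}")
```

With one global jar, the token issued on the first site is replayed on the second, and the service sees one value from two exit IPs: the circuits are linked. With the jar keyed on the first-party domain, each tab gets its own token and no value ever spans two exits. What a given Tor Browser version does by default is not something this model decides; it only shows which property the cookie policy has to provide.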


The point is that Cloudflare giving abusive volumes of requests is ironic; they should stop, and a global cookie won't harm anyone who knows how to use Tor, and they could even give the option NOT to set the cookie. Not offering a solution because "I'm not a robot" doesn't work (happy to prove this) and users don't understand how to use Tor is not an excuse for their behavior and exploitation of users.


How are they exploiting users?


Requiring users to do work for free is the very definition. Google and Cloudflare are very aware that their tests don't work for stopping bots, but they're very good at extracting free labor.


Cloudflare gets no benefit from the captchas, so if they were useless as you claim, they have no incentive to keep them.


Unless you work at Cloudflare and are aware of its relationship with Google, any comment on their relationship is speculation. That data is vital to Google's future, and I think being valuable to Google beyond any direct benefit is of value; I'm not aware of any company that provides more of this type of data to Google; Google would have to pay 10k+ contractors $30+ an hour to do this if it wasn't being done for free; Google [Google Search Quality Rater] if you're not aware of what I'm talking about.


I work for CloudFlare. We don't get anything from Google for using reCAPTCHA.


Thanks; it might be worth updating the blog post to reflect this, what percent of Google's reCAPTCHA data comes from Cloudflare, and why Cloudflare doesn't roll its own to ensure data is not being leaked/given to Google.



