The Tor user may pay the fee from a bitcoin exchange account. As far as I'm aware, exchanges do not offer their customers the option of signing messages.
The average fee users pay is below most exchanges minimum withdrawal allowed.
Single data point: This applies to me. I dont wish to discuss details publicly. I did overpay.
Any users who couldn't sign messages from an address could be given an option to associate another address with their account.
Well, then why bother with the large (and futile) effort of trying to associate a payment-from address? Delegating trust to a public key (Bitcoin or otherwise) is an ordinary key management issue; and its orthogonal to the anti-abuse payment mechanism.
And if the Tor user pays the fee from non-P2PKH addresses (e.g., segwit P2SH addresses or multisig P2SH addresses), the Tor user can't sign the message using those addresses.
Sure they can. They can sign from the private key(s) used to sign the transaction. The public key associated with the private key(s) used to sign a transaction is public information once the transaction is broadcast.
(only discusses Segwit P2WPKH-in-P2SH; generalizing a signature scheme for P2SH would be a
non sequitur.)
I recently made this mistake, much to my embarrassment.
Anyway, this whole discussion is on the wrong thread. The login CAPTCHA issue is distinct from the Cloudflare issue. theymos
added the login CAPTCHA sometime before 2017-10-19, and
moved behind Cloudflare 2017-11-29. The login CAPTCHA is not from Cloudflare.