[tbb-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 23 13:33:01 UTC 2016

#18361: Issues with corporate censorship and mass surveillance
 Reporter:  ioerror                       |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Tor Browser                   |        Version:
 Severity:  Critical                      |     Resolution:
 Keywords:  security, privacy, anonymity  |  Actual Points:
Parent ID:                                |         Points:
  Sponsor:                                |

Comment (by ioerror):

 Replying to [comment:89 jgrahamc]:
 > Replying to [comment:71 lhi]:
 > > I don't understand why you (or jgrahamc) bother with this discussion
 > > anyway. What's in it for you?
 > Three reasons:
 > 1. Economic. A group of users (who use our customers' web sites) are
 > having trouble accessing those web sites. In this case it's Tor users, if
 > it were "people in Brazil" or "people on BlackBerry devices" you'd likely
 > see me get involved. That's my job (partly).

 It is *also* people in Brazil, though it is unlikely to be people on
 BlackBerry devices. :-)

 > 2. Technical. Solving the spam, DoS, hacking problem for Tor is hard
 > because of anonymity. That makes it technically interesting. If we can
 > protect our clients from abuse through Tor while letting legitimate users
 > browse unhindered it's a technical win.

 What kind of DoS can you guys possibly see through Tor? The network in
 total capacity has to be less than a tiny fraction of the capacity at
 *one* of your PoPs.

 Could you please give us actual data here? I've seen some basic CF API
 data - what is exposed seems to be quite minimal. As far as I can tell -
 the main data is score data that is from project honeynet. That has a lot
 of history that is extremely problematic in my view.

 > 3. Ethical. CloudFlare has a service called Project Galileo
 > (https://www.cloudflare.com/galileo/) where we offer free protection to
 > at-risk public interest websites referred to us by partners like ACLU,
 > EFF, etc. We've deflected massive DDoS attacks keeping people online whose
 > speech is threatened.

 There is a tradeoff here which is unsaid, along with some other stuff that
 is said often. You guys are clearly doing good by keeping those folks
 online and I think it is important to help with that problem. The unsaid
 tradeoff is that you're also performing content inspection, over-blocking
 Tor users, and have effectively full surveillance of those sites. Exploit
 data can be intercepted and gathered, studied and then used. Those at-risk
 parties are not just a matter of ethics, they are a source of surveillance
 capital for CloudFlare which is useful for generating so-called "threat"
 scores as well as other data. I assume that 0days found in that process
 are submitted to CERT, the same CERT that exploited Tor Hidden Service
 users, I might add.

 In short - those at-risk services are paying for this protection with
 their user/attacker data, which is extracted with surveillance by
 CloudFlare. It may be ethical in motivation, but unless I completely
 misunderstand the monitoring by CloudFlare of its own network, it appears
 to be sustained with surveillance more than pure good will.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:93>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online