Sun Dec 31 06:00:10 UTC 2017

#24351: Block Global Active Adversary Cloudflare
Comment (by nullius):

 General comment before I reply:  Sites which do not themselves use
 Cloudflare may embed third-party content from a Cloudflared site.  By
 analogy to the http/https divide, it is a sort of “mixed content”
 situation.  This introduces additional complexity into the design

 Replying to [comment:45 cypherpunks]:
 > > Low (default)
 > Do nothing (as default description says).
 > Cloudflared websites will greet you with a captcha, and you are not sure the
 > website is using Cloudflare or not.

 Seems the least-pessimal way.  Users who surf on “Low” are already
 privacy/security suicidal, anyway.

 I think also, the vast majority of users (unfortunately) would never see
 the effect of this change.  Whether you consider that a bug or a feature
 depends on your perspective; I think it’s a bug.  The set of users who
 actually takes two clicks to change the Security Slider is probably almost
 identical with the set of those who know what “MITM” means.

 > > Medium
 > Cloudflare websites' title and favicon are changed, so the user can
 > notice it.
 > (from add-on's settings: "Don't show warning message; just change title
 > and favicon")

 I myself would want the option to either warn or block at this level.  At
 least, I would want the option to block “mixed content” as referred to
 above; if I visit a top-level https site which itself is not Cloudflared,
 then I do not want Javascript, third-party cookies, etc. potentially
 passing unencrypted through Cloudflare.

 Perhaps a case could be made that the default should be to warn in the
 simple cases, and warn or block with error in case of “mixed content”.  If
 that last be not the default, it should be at least an option.  Though I
 am well aware that “add an option” is considered bad design, Torbutton
 does much of its Security Slider work through about:config entries,
 anyway.  It would suffice for me if those were provided, and would persist
 through changes of the slider to/from a given setting.

 > > High
 > Show a warning message on MiTMed websites.
 > User can create a whitelist, but it will be purged each time the user
 > clicks "New Identity" or restarts the Tor Browser.

 I think Cloudflare (including “mixed content” Cloudflare) should be
 unequivocally blocked on the High setting, except on explicitly
 whitelisted sites.  There could not be many complaints from this.  The
 High setting already breaks much of the Web—even including Wikipedia.[0]
 Who surfs the Web on High?  I know that I do.  Who else?

 0. Mathematical equations rendered in SVG show up as gibberish text
 fallback bizarrely formatted in ways which break up the text; and
 Wikipedia’s image fallbacks are not loaded.  Fixing this requires either
 dropping the security slider to Medium (thus enabling Javascript), or
 enabling SVG by manually twiddling an about:config setting while in High
 mode.  I can’t get the PNG fallbacks to load.  I should probably file a
 separate bug about this; but the point hereof is, if nobody noticed that
 in the past few ''years'', then very few people (including TBB devs) ever
 surf with the slider on “High”.

