[tbb-bugs] #24321 [Applications/Tor Browser]: Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness!
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Nov 18 20:00:20 UTC 2017
#24321: Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare
captcha madness!
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: task | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by nullius):
* cc: nullius@… (added)
Comment:
Please ''don’t''. All of the following reasons are valid, and any would
be sufficient to close this bug WONTFIX:
1. The idea that Tor users should be forced to install arbitrary software
to comply with the wishes of Tor-blockers is wrong, wrong, WRONG in
principle. To do so would set a horrid precedent. What’s next, a Tor
Browser plugin which provides blinded signatures from a smartcard chip in
a government-issued “Internet Driver’s License”? Such blinding should be
done with some scheme which can be reversed by “escrowed” keys, of course.
Hey, if you have nothing to hide, that would not only stop net abuse, it
would also facilitate legitimate law enforcement! (I am scared by the
number of people who will not detect sarcasm in that statement.)
2. Privacy Pass is still experimental. Well, quote-unquote “beta”,
according to their own [https://archive.is/W2Tii FAQ]: “we regard Privacy
Pass and the protocol we use as being beta releases currently and still
under active development”. Moreover, it is their own cryptographic
construction—“[https://archive.is/RwRat developed independently]”—and a
subtly novel one. There is nothing wrong with that; all good crypto
starts that way; but it does mean, this needs to be thoroughly peer-
reviewed. Frankly, it needs to see some serious public attempts to attack
it (especially its promises of unlinkability). This is NOT ready to be
included with Tor Browser at all, let alone enabled by default.
3. The right way to “end Cloudflare captcha madness!”, per this ticket’s
title, is for Cloudflare to stop being mad—or better still, for its
customers to dump it. Not for the Tor Browser team to jump through
Cloudflare-defined hoops, or feel their users are being held as hostages.
Myself, I simply ignore most sites which demand a CAPTCHA for read-only,
no-side-effect requests. There are plenty of other sites I can go to.
Their loss is worse than mine. Really. Throwing up a Cloudflare CAPTCHA
before you deign to let me see your site is the equivalent of a Flash-
required splash page 20 years ago. It makes you look stupid. Cloudflare
“madness” is losing quality site visitors, and sites need to be told that.
(Any apparent ire in the foregoing is not directed at Privacy Pass itself.
It looks like a neat idea. It needs crypto experts to hammer on it for
awhile. Then, sane sites ''may'' have more options for filtering the
limited subset of requests which have high abuse potential. Ire ''is''
directed at Cloudflare, the Net’s single largest MITM security hole, which
needs to die in a fire. “IMO.”)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24321#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list