[tbb-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Nov 19 06:11:53 UTC 2017
#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
Reporter: nullius | Owner: tbb-
| team
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: security, privacy, anonymity, mitm, | Actual Points:
cloudflare |
Parent ID: #18361 | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by cypherpunks):
I'm the person who created "madness" ticket, and you, sir, well writen!
Yes, please block Cloudflare once and for all. I'm expecting some kind of
"Isecure connection" errorpage
to block further connection without user consent.
For example, when I visit "CloudflareMustDie.com",
1. TBB will show "Insecure connection" errorpage.
2. User will decide what to do - go back, try a cache, or ignore.
Here's my idea of errorpage design:
=====================================
Your connection is not secure
The owner of CloudflareMustDie.com is using Cloudflare on their website.
To protect your privacy from being attacked, Tor Browser has not connected
to this website.
(Learn More)
[Go Back] [Connect anyway]
=====================================
(Learn More) is a link, to Tor documentation or wiki, to explain the
cloudflare's MITM activity.
[Connect anyway] is a button. If the user click it, Show warning dialogue
with 3 seconds timelock:
=====================================
This connection is MITMed. Are you sure you want to do this?
[No] [Yes(3)]
=====================================
And,
> response header should immediately terminate, with an error message
given to the user
Yes, the connection to CF site *should* be terminate. We should treat them
like self-signed non-onion website
which is completely insecure.
> This can be done by detecting the non-standard CF-Ray: HTTP header.
You could also look at SSL certificate's CN.
Most of them are "^sni(.*)\.cloudflaressl\.com".
for sample:
https://www.unspam.com/ <--- cloudflare's before project company, ewww
P.S.
I use TBB everyday. I got hit by cloudflare and most of the time I go back
and search for alternative website.
And if can't, I'll just open up normal browser to browse cloudflare-
infected websites 'via VPN'.
I really hope TBB start kicking cloudflare. This will raise attention and
the website owner MIGHT, MIGHT... add "T1" to whitelist.
Cloudflare could add "T1" to whitelist by default. They're so mean :'(
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list