[tbb-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 29 14:09:15 UTC 2017

#24351: Block Global Active Adversary Cloudflare
 Reporter:  nullius                              |          Owner:  tbb-
                                                 |  team
     Type:  enhancement                          |         Status:
                                                 |  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  security, privacy, anonymity, mitm,  |  Actual Points:
  cloudflare                                     |
Parent ID:  #18361                               |         Points:
 Reviewer:                                       |        Sponsor:
Changes (by nullius):

 * severity:  Blocker => Major


 The enthusiasm for solving this problem is commendable; but as a practical
 matter, I doubt that much could be achieved by throwing “Blocker” severity
 into the mundane workflow of bug management.

 I suggest instead that it would be productive to raise awareness of this
 issue, answer the rather specious counterarguments which have been raised,
 and—write some code!  “Cypherpunks write code.”

 As for code:  Does anyone interested in this bug have a starting idea for
 where to hook this feature into either Torbutton or Firefox?  I’m
 `main()`ly a C wrangler, and not really familiar with the codebase of
 either.  From an architectural standpoint, it would be wise to patch this
 by some means which could later be ported to other browsers, and/or lifted
 out into its own extension.  That way, users of other browsers could
 ultimately benefit from our efforts here.

 As for awareness:  Even in tech circles, it seems that most people don’t
 even stop to think about how Cloudflare works, or what the implications
 could be.  I suppose also that those who do, may simply shrug in
 resignation:  Cloudflare is too big, too powerful; people are too
 apathetic about privacy and security.  I say this based on my own
 experience.  The “oh, duh!” moment came for me in 2015, when I was
 designing my own little hack on TLS and paused to wonder how Cloudflare
 does this.  ''They decrypt everything.  Of course.''  After that, I simply
 never spoke up about this, because it seemed that nobody cared.

 On that last point, the responses on this bug have proved me wrong.  I
 intend to respond to some of the points raised above.  Also, I suggest we
 should carry on this discussion and get the word out—perhaps, organize in
 another venue.  Tor should be activism-friendly; but this is a bug tracker
 and a Tor Browser bug, where I suggest we ought try to focus on how ''and
 why'' to fix this in Tor Browser.  Beyond that—any takers?

 (As for those who like what I’ve written here:  Feel free to copy
 and share, in whole or in part.  Simply attribute to ''nullius (@)
 nym.zone''.  Thanks for actually giving a damn about this issue.)

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
