[tbb-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Feb 11 17:49:52 UTC 2018

#24351: Block Global Active Adversary Cloudflare
 Reporter:  nullius                              |          Owner:  tbb-
                                                 |  team
     Type:  enhancement                          |         Status:
                                                 |  reopened
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  security, privacy, anonymity, mitm,  |  Actual Points:
  cloudflare                                     |
Parent ID:  #18361                               |         Points:  1000
 Reviewer:                                       |        Sponsor:

Comment (by jchevali):

 In my opinion, I understand what is being asked, but I don't think it
 should be part of Tor. If someone is so concerned about Cloudflare and
 other CDN's, he could develop a new browser extension outside of Tor, then
 recommend it for use by Tor users. Of course, it will have to run
 "invisibly", or that would add to the Tor user's online fingerprint.

 And while on the issue of fingerprints, there is of course Key Pinning and
 other mechanisms to ensure authenticity of a site (e.g.,
 https://www.grc.com/fingerprints.htm). However most sites on Cloudflare
 aren't visible outside Cloudflare. So how could one retrieve its
 fingerprint? And how could one manage connecting directly to the site?
 (when in fact, if Cloudflare manages the site's DNS, you won't have a way
 to get to it unless you know the address).

 You couldn't even do it by way of elimination, by excluding Cloudflare's
 fingerprints, because Cloudflare-issued certificates use a multiplicity of

 And besides, the use of CF-Ray sounds flimsy. It's probably a weak point
 in the proposal, because if a malicious MITM wanted do do his job by
 stealth, he'd take care of not announcing it by means of CF-Ray in the
 first place. So are you going to stop CDN impersonations that "give
 themselves away", but not CDN impersonations that don't give themselves

 And how you'd detect other CDN's? What headers do they use? Why single out

 I think the only solution is getting oneself round the idea that, as
 cypherpunks writes, "The green icon only tells you that the exit and the
 server you're communicating to (Cloudflare in this case) is encrypted, and
 that's it." I know it's hard to get our heads around the idea. But soon,
 it won't be that hard, because all browsers will start demanding
 encryption and flag up anything not encrypted as insecure, and then every
 page will have green icons. Soon, green icons won't mean anything (unless
 someone is so naive to think that all of a sudden, with the advent of
 generalized, pervasive encryption, the whole internet has turned "safe").

 So it's a question of user education, and if someone has a problem with a
 specific implementation, e.g., Cloudflare's, start an online campaign to
 warn people about it, which it's in everyone's right to do, as long as it
 does it correctly.

 Tor's specific function(s) and what it's trying to achieve doesn't mean
 that it would or should get under its banner defending other causes, even
 if they seem related. It's a question of scope and limitation, and I think
 it's ok where it is.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:67>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list