[tbb-bugs] #18361 [Applications/Tor Browser]: Issues with corporate censorship and mass surveillance

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 10 18:55:56 UTC 2018


#18361: Issues with corporate censorship and mass surveillance
--------------------------------------+--------------------------
 Reporter:  ioerror                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  reopened
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by nullius):

 Replying to [comment:263 cypherpunks]:
 > While I disagree with their proposal, I think the proposal isn't "block
 > all of Cloudflare", but rather "mark as insecure traffic whose HTTP
 > headers indicate that it has been tampered by Cloudflare, i.e. it has for
 > e.g. `CF-RAY:"3db104efec5c14cd-CDG"` in its HTTP headers" (you can test
 > that with https://discordapp.com/)

 I presume you refer to #24351.  As its reporter, I should emphasize that
 on one point you are correct:  I do not suggest that Tor or Tor Browser
 should “block all of Cloudflare”.  Rather, on the application level, Tor
 Browser should provide to users an informed choice—with sane defaults,
 appropriate to the level of the Security Slider.

 On High Security, I would expect that Cloudflare be blocked by default
 (with option to override); at Low Security, I would expect that it be
 permitted by default; in the middle, I am still on the fence.  Moreover,
 at all security levels, ''the lock icon must stop lying to users''.  The
 mixed-content warning on the lock icon provides a good precedent for how
 to proceed here, plus an existing UI graphic for consistency.

 A big part of the problem with Cloudflare is that it’s both invisible and
 pervasive.  Do ''you'' know how much of your own `https` web traffic
 passes in plaintext through Cloudflare’s hands?  Do you even have any
 reasonable means of measuring this?  Most of all, do you have any means of
 avoiding Cloudflare—short of avoiding the Web altogether?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:265>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
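
The measurement the comment asks about can be approximated from the `CF-RAY` response header named in the quoted reply. The sketch below is an added example, not part of the ticket or of Tor Browser's code; it assumes a HAR 1.2 network export as input, and the function names, sample hosts and second ray value are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Value shape taken from the header quoted in the ticket: hex id, "-", edge code.
CF_RAY = re.compile(r'^"?([0-9a-f]{16})-([A-Z]{3})"?$')

def cloudflare_ray(headers):
    """Return (ray_id, edge_code) if the response carries CF-RAY, else None."""
    for h in headers:
        if h["name"].lower() == "cf-ray":  # header names are case-insensitive
            m = CF_RAY.match(h["value"].strip())
            # A malformed value is still a marker; keep it raw, with no edge code.
            return m.groups() if m else (h["value"], None)
    return None

def summarize(har):
    """Per host: HTTPS responses seen, and how many carried a CF-RAY header."""
    stats = defaultdict(lambda: {"https": 0, "cloudflare": 0, "edges": set()})
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if url.scheme != "https":
            continue  # only traffic that would show a lock icon is of interest
        s = stats[url.hostname]
        s["https"] += 1
        ray = cloudflare_ray(entry["response"]["headers"])
        if ray:
            s["cloudflare"] += 1
            if ray[1]:
                s["edges"].add(ray[1])
    return dict(stats)

def cloudflare_share(stats):
    """Fraction of all HTTPS responses that carried the CF-RAY marker."""
    total = sum(s["https"] for s in stats.values())
    return sum(s["cloudflare"] for s in stats.values()) / total if total else 0.0

def _entry(url, headers):  # helper to build a HAR-shaped entry for the sample
    return {"request": {"url": url},
            "response": {"headers": [{"name": n, "value": v} for n, v in headers]}}

# Constructed sample (hosts are made up; first ray value is the one in the ticket).
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://chat.example/", [("CF-RAY", "3db104efec5c14cd-CDG")]),
    _entry("https://chat.example/app.js", [("cf-ray", "3db104f00a1b2c3d-CDG")]),
    _entry("https://static.example/logo.png", [("Server", "nginx")]),
    _entry("http://plain.example/", [("CF-RAY", "3db104efec5c14cd-CDG")]),
]}}
```

A response without the header is only unmarked, not proven direct, and an origin can emit the header itself, so the share is an estimate of marked traffic rather than a verdict.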

