[tbb-bugs] #18361 [Applications/Tor Browser]: Issues with corporate censorship and mass surveillance

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 10 21:24:50 UTC 2018


#18361: Issues with corporate censorship and mass surveillance
--------------------------------------+--------------------------
 Reporter:  ioerror                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  reopened
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 Replying to [comment:265 nullius]:
 > I presume you refer to #24351.  As its reporter, I should emphasize that
 > on one point you are correct:  I do not suggest that Tor or Tor Browser
 > should “block all of Cloudflare”.  Rather, on the application level, Tor
 > Browser should provide to users an informed choice—with sane defaults,
 > appropriate to the level of the Security Slider.
 >
 > On High Security, I would expect that Cloudflare be blocked by default
 > (with option to override); at Low Security, I would expect that it be
 > permitted by default; in the middle, I am still on the fence.  Moreover,
 > at all security levels, ''the lock icon must stop lying to users''.  The
 > mixed-content warning on the lock icon provides a good precedent for how
 > to proceed here, plus an existing UI graphic for consistency.
 >
 > A big part of the problem with Cloudflare is that it’s both invisible
 > and pervasive.  Do ''you'' know how much of your own `https` web traffic
 > passes in plaintext through Cloudflare’s hands?  Do you even have any
 > reasonable means of measuring this?  Most of all, do you have any means of
 > avoiding Cloudflare—short of avoiding the Web altogether?

 You don't seem to be familiar with where the Security Slider choices come
 from. Here's a sample ticket to get the gist of it: #23409 and
 https://trac.torproject.org/projects/tor/attachment/ticket/23409/vuln_hist_esr52

 Here's the point: '''You can't come up with something similar for
 Cloudflare''', and so the "tie Cloudflare-thing to the security slider" is
 doomed to fail ''ab initio''.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:266>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

