[tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 22 06:22:06 UTC 2016 

#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
 Reporter:  ioerror                       |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Tor Browser                   |        Version:
 Severity:  Critical                      |     Resolution:
 Keywords:  security, privacy, anonymity  |  Actual Points:
Parent ID:                                |         Points:
  Sponsor:                                |
------------------------------------------+--------------------------

Comment (by marek):

 Disclaimer: I work for CloudFlare. Disclaimer: Comments here are opinions
 of myself, not my employer.

 I will restrain myself and not comment on the political issues Jacob
 raised. I'll keep it technical.

 > I would like to find a solution with Cloudflare - but I'm unclear that
 the correct answer is to create a single cookie that is shared across all
 sessions - this effectively links all browsing for the web.

 A thousand times yes. I raised this option a couple times (supercookie)
 and we agreed this is a bad idea. I believe there is a cryptographic
 solution to this. I'm not a crypto expert, so I'll allow others to explain
 this. Let's define a problem:

 > There are CDN/DDoS companies in the internet that provide spam
 protection for their customers. To do this they use captchas to prove that
 the visitor is a human. Some companies provide protection to many
 websites, therefore visitor from abusive IP address will need to solve
 captcha on each and all domains protected. Let's assume the CDN/DDoS don't
 want to be able to correlate users visiting multiple domains. Is it
 possible to prove that a visitor is indeed human, once, but not allow the
 CDN/DDoS company to correlate the traffic?

 In other words: is it possible to provide a bit of data tied to the
 browsing session while not violating anonymity.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list