[tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 22 07:33:20 UTC 2016


#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
 Reporter:  ioerror                       |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Tor Browser                   |        Version:
 Severity:  Critical                      |     Resolution:
 Keywords:  security, privacy, anonymity  |  Actual Points:
Parent ID:                                |         Points:
  Sponsor:                                |
------------------------------------------+--------------------------

Comment (by cypherpunks):

 Replying to [comment:10 marek]:
 >
 > > Here is a non-cryptographic, non-cookie based solution: Never prompt
 > > for a CAPTCHA on GET requests.
 >
 > There are a number of problems with this model.
 >
 > (POST is hard) First, what should the proxy actually *do* on the POST?
 > Abort your POST, serve captcha, and ask you to fill the POST again? Or
 > accept your 10meg upload, serve captcha and ask you to upload it again?
 > Now think about proxy behaviour during an attack. Doing captcha validation
 > on POST is not a trivial thing.

 CloudFlare is in a position to inject JavaScript into sites. Why not hook
 requests that would result in a POST and challenge after, say, clicking the
 submit button?

 >
 > @willscott:
 >
 > > What sort of data would qualify as an 'i'm a human' bit?
 >
 > Let's start with something not-worse than now: a captcha solved in the last
 > <XX> minutes.

 Is this something that CloudFlare has actually found effective? Are there
 metrics on how many challenged requests that successfully solved a CAPTCHA
 turned out to actually be malicious?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

