[tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 22 22:26:53 UTC 2016

#18361: Issues with corporate censorship and mass surveillance
 Reporter:  ioerror                       |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Tor Browser                   |        Version:
 Severity:  Critical                      |     Resolution:
 Keywords:  security, privacy, anonymity  |  Actual Points:
Parent ID:                                |         Points:
  Sponsor:                                |

Comment (by ttr99):

 Right so let's suppose, I am a non tech savvy internet user.  I just
 opened a restaurant and I put up a web page advertising my restaurant
 which gives a phone number people can call to make a booking.

 I've heard about all the bad hackers and spammers on the internet so I
 want to keep my site safe and secure.  I google up on how to do that and I
 read something about cloudflare.  Sounds good, so I decide to protect my
 site with Cloudflare.

 What happens?

 After 1 hour I get my first customer, they come from a clearnet IP, like
 the website and menu, check my address, and call up to make a booking.
 After 1 more hour, I get my second customer, but they are browsing through
 Tor.  Cloudflare gives them an impossible to solve captcha, they leave and
 go to Burger King instead.

 Can you see the problem?  I lost a customer because Cloudflare - for no
 legitimate reason - made my site unusable.

 Cloudflare's threat model is wrong.  It sounds good and proper for
 cloudflare to say, "we protect our users and their sites", but in reality
 that is not what they are doing.  In the case described above, there is no
 question of protection, no reason to suppose harm will occur from the Tor
 user, no question of comment spam or any reason to believe a DDOS is
 happening.  But because Cloudflare have implemented a broken solution to
 the wrong problem (Tor users vs malicious users), I lost a customer.

 So it's easy to say, we protect our users, but in real terms, if you put
 it to any one of Cloudflare's customers, I don't believe any of them will
 see the above situation as something that requires "protection".  Just
 coming from Tor in and of itself is not a problem.  In the case of
 suspected comment spam captchas can be served up, in the case of a DDOS
 attack there are other solutions (and do DDOS attacks even come from Tor,
 seems doubtful?).

 Now you can say the above example is contrived, or you only lost one
 customer which is not a lot, but it highlights that CF are using the wrong
 approach to solve the problem.  Right now this type of problem is not very
 big because the set of Tor users compared to clearnet users is small, so
 the lost business is again small, but I am sure Tor use is only going to
 grow over time, and the problem is only going to grow.  CF need to get
 ahead of the curve on this.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:72>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list