[tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Feb 23 13:33:01 UTC 2016
#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
Reporter: ioerror | Owner: tbb-team
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: security, privacy, anonymity | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------------------------+--------------------------
Comment (by ioerror):
Replying to [comment:89 jgrahamc]:
> Replying to [comment:71 lhi]:
> > I don't understand why you (or jgrahamc) bother with this discussion
anyway. what's in it for you?
>
> Three reasons:
>
> 1. Economic. A group of users (who use our customers web sites) are
having trouble accessing those web sites. In this case it's Tor users, if
it were "people in Brazil" or "people on BlackBerry devices" you'd likely
see me get involved. That's my job (partly).
It is *also* people in Brazil, though it is unlikely to be people in
BlackBerry devices. :-)
>
> 2. Technical. Solving the spam, DoS, hacking problem for Tor is hard
because of anonymity. That makes it technically interesting. If we can
protect our clients from abuse through Tor while letting legitimate users
browse unhindered it's a technical win.
What kind of DoS can you guys possibly see through Tor? The network in
total capacity has to be less than a tiny fraction of the capacity at
*one* of your PoPs.
Could you please give us actual data here? I've seen some basic CF API
data - what is exposed seems to be quite minimal. As far as I can tell -
the main data is score data that is from project honeynet. That has a lot
of history that is extremely problematic in my view.
> 3. Ethical. CloudFlare has a service called Project Galileo
(https://www.cloudflare.com/galileo/) where we offer free protection to
at-risk public interest websites referred to us by partners like ACLU,
EFF, etc. We've deflected massive DDoS attacks keeping people online whose
speech is threatened.
There is a tradeoff here which is unsaid along with some other stuff that
is said often. You guys are clearly doing good by keeping those folks
online and I think it is important to help with that problem. The unsaid
trade off is that you're also performing content inspection, over blocking
Tor users and have effectively full surveillance of those sites. Exploit
data can be intercepted and gathered, studied and then used. Those at risk
parties are not just a matter of ethics, they are a source of surveillance
capital for CloudFlare which is useful for generating so-called "threat"
scores as well as other data. I assume that 0days found in that process
are submitted to CERT, the same CERT that exploited Tor Hidden Service
users, I might add.
In short - those at risk services are paying for this protection with
their user/attacker data which is extracted with surveillance by
CloudFlare. It may be ethical in motivation but unless I completely
misunderstand the monitoring by CloudFlare of its own network, it appears
to be sustained with surveillance more than pure good will.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:93>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list