[tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 24 08:15:06 UTC 2016

#18361: Issues with corporate censorship and mass surveillance
 Reporter:  ioerror                       |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Tor Browser                   |        Version:
 Severity:  Critical                      |     Resolution:
 Keywords:  security, privacy, anonymity  |  Actual Points:
Parent ID:                                |         Points:
  Sponsor:                                |

Comment (by lhi):

 Replying to [comment:104 ford]:
 > I think it's great that CloudFlare is participating in this discussion
 and working to address the most immediate pain points.  Especially given
 the amount of vitriol getting thrown their way.

 I agree. Though technically a global active adversary, they're neither
 unapproachable (they're facing the complaints they've caused) nor as
 fiendishly inimical to us as certain state-level actors (who may however
 already have decided to co-opt their tentacles, who knows).

 > But the larger issue is not remotely specific to CloudFlare.  Remember
 way back when Wikipedia allowed anonymous edits without logins, even by
 Tor users?  Or even farther back, when USENET was the thing but then died
 a heat death from uncontrollable spam and abuse, forcing everyone to
 scurry away to private mailing lists and walled-garden discussion
 websites?  Many websites and other online services would like to support
 privacy and anonymity, but most can't afford to spend all their time and
 financial resources dealing with anonymous abuse.

 Wikipedia is a nutcase. It merits another ticket. I'm not even asking for
 anonymous contribution or being allowed to correct small mistakes anymore
 (where research on anonymous trust tokens could come handy), no, I'm not
 allowed to use my established username, let alone a new one, at all unless
 forgoing Tor. That doesn't even make sense.

 Thanks for sharing your research! It's an extremely interesting subject
 and there are fine applications for it in every single one of the other
 domains you mentioned. I just don't think it's the solution to the problem
 at hand, which in my opinion is:

 In the absence of ongoing large-scale attacks, Cloudflare should just
 serve the damn page and not give us bullshit about how this is not

 For me, the rest of the original ticket boils down to

 1) We all know that the web and the internet it is built on, are
 fundamentally broken at an architectural level. As long as: DNS is around,
 servers are insecure, proper end-to-end crypto isn't the norm hence MITM
 goes unnoticed, anonymity is an edge case, routing lacks built-in
 resiliency to disruption, we're always going to have actors building a
 bus.ness model around cobbling together superficial, overapproximating
 mitigations. It's nice of them to build workarounds, it would be nicer
 still to see them relegating Threat Scores and IP-based blocking to the
 dustbin of history where this belongs, but we can't expect them to retract
 their tendrils which will continue to suck in as much data as they can

 2) They will be able to suck considerably less data out of anonymous users
 when not allowed to execute Javascript. Hence whatever workaround they
 choose, it must work exactly the same without Javascript.

 3) Warning the user UI-wise? There are already add-ons which allow fine-
 grained control over connections to Google and so on.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:112>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list