[tor-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 27 04:58:08 UTC 2017
#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
Reporter: nullius | Owner: tbb-
| team
Type: enhancement | Status:
| reopened
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: security, privacy, anonymity, mitm, | Actual Points:
cloudflare |
Parent ID: #18361 | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by nullius):
With apologies for the bugspam caused by earlier arbitrary ticket-closing
shenanigans, I must highlight this:
Replying to [comment:39 cloudflarezoey]:
> Our users trust us for fast and secure websites. You can trust us.
>
> Please contact us so we can assist you.
>
> https://support.cloudflare.com/hc/en-us/requests/new
''“You can trust us.”'' Assuming that cloudflarezoey is truly an employee
of Cloudflare, this perfectly encapsulates the problem with Cloudflare.
No, I do '''NOT''' trust you. And I shouldn’t need to! The raison d’être
for cryptographic protocols such as TLS is to obviate the need for trust:
Trust the numbers, trust the maths, and trust nobody.
Interposing a MITM into billions of TLS connections to millions of
different websites creates a trust-based Internet. A trust-based Internet
is inherently untrustworthy. Ideal would be a trustless Internet.
Applied cryptography in the form of TLS does not quite achieve that, but
it can make a huge step in that direction.
Aside: I long ago learned a reliable social heuristic known to all
responsible, mature adults: Any stranger who answers wariness by
explicitly saying “trust me” is trying to do something bad. If you have
children, you should teach them this rule for their own safety.
Trustworthy people earn trust by their behaviour. Con artists, criminals,
liars, seducers, swindlers, and other politicians more oft than not say,
“Trust me!”
Anyway, it is not as if I have not already covered the Cloudflare “trust
us” bug on this ticket; I will consider this a confirmation of validity of
this bug and parent #18361:
On 2017-11-20 at 21:55:53, [comment:8 nullius] said:
> Then, they cross their fingers and promise to respect people’s privacy.
“Trust us; we will make you ‘safer’.” Again—why use any encryption at
all?
On 2017-11-29 at 04:31:01, [comment:23 nullius] said:
> Fact: Cloudflare performs mass decryption, then says in essence,
''Trust us.''
On 2017-12-27 at 04:31:54, [comment:39 cloudflarezoey] said:
> You can trust us.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:44>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list