[tor-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Dec 31 06:00:10 UTC 2017
#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
Reporter: nullius                                | Owner: tbb-team
Type: enhancement                                | Status: reopened
Priority: High                                   | Milestone:
Component: Applications/Tor Browser              | Version:
Severity: Major                                  | Resolution:
Keywords: security, privacy, anonymity, mitm,    | Actual Points:
  cloudflare                                     |
Parent ID: #18361                                | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by nullius):
General comment before I reply: Sites which do not themselves use
Cloudflare may embed third-party content from a Cloudflared site. By
analogy to the http/https divide, it is a sort of “mixed content”
situation. This introduces additional complexity into the design
requirements.
Replying to [comment:45 cypherpunks]:
> > Low (default)
> Do nothing (as default description says).
> Cloudflared websites will greet you with a captcha, and you are not sure the
> website is using Cloudflare or not.
Seems the least-pessimal way. Users who surf on “Low” are already
privacy/security suicidal, anyway.
I think also, the vast majority of users (unfortunately) would never see
the effect of this change. Whether you consider that a bug or a feature
depends on your perspective; I think it’s a bug. The set of users who
actually take two clicks to change the Security Slider is probably almost
identical with the set of those who know what “MITM” means.
> > Medium
> Cloudflare websites' title and favicon are changed, so the user can
> notice it.
> (from add-on's settings: "Don't show warning message; just change title
> and favicon")
I myself would want the option to either warn or block at this level. At
least, I would want the option to block “mixed content” as referred to
above; if I visit a top-level https site which itself is not Cloudflared,
then I do not want Javascript, third-party cookies, etc. potentially
passing unencrypted through Cloudflare.
Perhaps a case could be made that the default should be to warn in the
simple cases, and warn or block with error in case of “mixed content”. If
that last be not the default, it should be at least an option. Though I
am well aware that “add an option” is considered bad design, Torbutton
does much of its Security Slider work through about:config entries,
anyway. It would suffice for me if those were provided, and would persist
through changes of the slider to/from a given setting.
> > High
> Show a warning message on MiTMed websites.
> User can create a whitelist, but it will be purged each time the user
> clicks "New Identity" or restarts the Tor Browser.
I think Cloudflare (including “mixed content” Cloudflare) should be
unequivocally blocked on the High setting, except on explicitly
whitelisted sites. There could not be many complaints from this. The
High setting already breaks much of the Web—even including Wikipedia.[0]
Who surfs the Web on High? I know that I do. Who else?
----
0. Mathematical equations rendered in SVG show up as gibberish text
fallback bizarrely formatted in ways which break up the text; and
Wikipedia’s image fallbacks are not loaded. Fixing this requires either
dropping the security slider to Medium (thus enabling Javascript), or
enabling SVG by manually twiddling an about:config setting while in High
mode. I can’t get the PNG fallbacks to load. I should probably file a
separate bug about this; but the point hereof is, if nobody noticed that
in the past few ''years'', then very few people (including TBB devs) ever
surf with the slider on “High”.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:46>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online