[tor-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Nov 19 06:11:53 UTC 2017

#24351: Block Global Active Adversary Cloudflare
 Reporter:  nullius                              |          Owner:  tbb-
                                                 |  team
     Type:  enhancement                          |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  security, privacy, anonymity, mitm,  |  Actual Points:
  cloudflare                                     |
Parent ID:  #18361                               |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by cypherpunks):

 I'm the person who created "madness" ticket, and you, sir, well writen!

 Yes, please block Cloudflare once and for all. I'm expecting some kind of
 "Isecure connection" errorpage
 to block further connection without user consent.

 For example, when I visit "CloudflareMustDie.com",
 1. TBB will show "Insecure connection" errorpage.
 2. User will decide what to do - go back, try a cache, or ignore.

 Here's my idea of errorpage design:
 Your connection is not secure

 The owner of CloudflareMustDie.com is using Cloudflare on their website.
 To protect your privacy from being attacked, Tor Browser has not connected
 to this website.

 (Learn More)
 [Go Back] [Connect anyway]

 (Learn More) is a link, to Tor documentation or wiki, to explain the
 cloudflare's MITM activity.
 [Connect anyway] is a button. If the user click it, Show warning dialogue
 with 3 seconds timelock:

 This connection is MITMed. Are you sure you want to do this?

 [No] [Yes(3)]


 > response header should immediately terminate, with an error message
 given to the user

 Yes, the connection to CF site *should* be terminate. We should treat them
 like self-signed non-onion website
 which is completely insecure.

 > This can be done by detecting the non-standard CF-Ray: HTTP header.

 You could also look at SSL certificate's CN.
 Most of them are "^sni(.*)\.cloudflaressl\.com".

 for sample:
 https://www.unspam.com/ <--- cloudflare's before project company, ewww

 I use TBB everyday. I got hit by cloudflare and most of the time I go back
 and search for alternative website.
 And if can't, I'll just open up normal browser to browse cloudflare-
 infected websites 'via VPN'.
 I really hope TBB start kicking cloudflare. This will raise attention and
 the website owner MIGHT, MIGHT... add "T1" to whitelist.
 Cloudflare could add "T1" to whitelist by default. They're so mean :'(

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list