[tor-bugs] #24816 [Applications/Tor Browser]: Tor Browser is not your privacy browser, Non-goal: PRIVACY

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 9 11:24:38 UTC 2018


#24816: Tor Browser is not your privacy browser, Non-goal: PRIVACY
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  task                      |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:  #24351                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 Replying to [comment:9 cypherpunks]:
 > Replying to [comment:7 cypherpunks]:
 > > LOL if I go to https://kproxy.com to visit https://github.com, should
 > > the browser inform me that my connection is insecure because kproxy is
 > > essentially MiTM? Of course not! So why should it do exactly that for
 > > sites behind kproxy, uh, I mean Cloudflare?
 >
 > You do realize you're connecting to KPROXY.COM right? Going beyond that
 > isn't MITM because you do know your destination server is KPROXY.COM.
 >
 > You ============ KPROXY.COM
 >
 > The problem is Cloudflare websites. You never notice you are connecting
 > to Cloudflare.
 >
 > Expected result:
 > You ============ WTF.COM
 >
 > Actual result:
 > You =====CF:)=== WTF.COM
 In both cases, I, the IT specialist, can realize that KPROXY.com and CF
 (by looking at the headers with `Ctrl+Shift+Q`) are MiTM, but what about
 my grandma? You seem to be treating all FF and TB users as some
 non-nuanced populace.

 Replying to [comment:11 cypherpunks]:
 > Replying to [comment:8 cypherpunks]:
 > > Also, in Tor Browser context, this penalizes HTTPS websites (even if
 > > they're behind Cloudflare and don't have Cloudflare's full SSL(TM)
 > > support) and puts them in the same rank as HTTP ones, which is--to say the
 > > least--unfair (the first one is at least resilient to exit node plaintext
 > > sniffing whereas the second isn't).
 >
 > Cloudflare *is* exit node. Not unfair because Tor node and Cloudflare can
 > read your data
 This is just wrong, the Tor node won't look at your traffic which is great
 since in the past it would've been able to just do that, thank you
 Cloudflare and eastdakota for protecting Tor users!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24816#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

