[tor-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 10 17:51:54 UTC 2018


#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
 Reporter:  nullius                              |          Owner:  tbb-
                                                 |  team
     Type:  enhancement                          |         Status:
                                                 |  reopened
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  security, privacy, anonymity, mitm,  |  Actual Points:
  cloudflare                                     |
Parent ID:  #18361                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by nullius):

 Bug reporter here.

 Replying to [comment:56 akrey]:
 > Cloudflare is not a man in the middle. Cloudflare is authorized to
 > provide the SSL termination for origin, by origin.

 The short version, a rhetorical question:  Would you trust a key escrow
 régime, in which an “authorized” entity was entrusted with the
 ''potential'' to decrypt ''all'' communications at will?  If not, why
 would you trust a ''de facto'' mass decryption chokepoint at which
 ''many'' communications are ''actually'' decrypted?  Apropos this ticket,
 by analogy, would you trust a web browser which displayed a lock icon
 promising the confidentiality, integrity, and authentication of
 key-escrowed communications?

 The longer version:

 As I’ve said elsewhere, Cloudflare is ''sui generis''.  There is not even
 one other entity on Earth today who has realtime “authorized” decrypt
 access to the scope and nature of traffic which passes through Cloudflare.
 Billions of connections to millions of different websites!

 The mass-surveillance potential should be obvious.  Officially,
 [https://www.cloudflare.com/transparency/ Cloudflare does respond to
 government inquiries], as they are required to by U.S. law; this is no
 different from any other U.S. entity, except for the ''huge'' difference
 in the scope of data which Cloudflare has available to it.  Unofficially,
 they could do anything they want with the data they glean from
 mass-decryption; and this imposes the requirement of trust on what’s
 supposed to be a protocol which is built on the adage, “trust the
 algorithms”.

 Also, you are looking at this question from the wrong perspective.  Tor
 Browser does not exist for the purpose of permitting whatever may be
 “authorized” by origins; indeed, as referenced below, Tor Browser takes
 extensive measures to deliberately ''break'' many things “authorized” by
 origins.  Tor Browser’s job is to protect the user’s privacy, not to serve
 websites.  As such, Tor Browser should protect users against having a
 large proportion of their HTTPS Web use silently, invisibly decrypted by a
 single centralized entity.

 Really, it’s a matter of user choice and the ''user’s'' authorization.  I
 think I have made it clear in my prior comments, I do not wish to prevent
 users from accessing Cloudflared sites.  Rather, the lock icon should stop
 lying to users—and users should be given an informed choice of whether
 they wish to permit Cloudflare to read their traffic, with appropriate
 default settings for different Security Slider levels.  Just as users can
 also override certificate verification and accept the self-signed
 certificate of a MITM running sslstrip, I urge the motto, “Mechanism, not
 policy.”

 And yes, by definition, Cloudflare ''are'' a man in the middle:  They
 silently decrypt, read/modify, and re-encrypt the TLS connection between
 two endpoints.  Be that not a MITM, then what is?  I put this as a
 secondary point, because quibbling over definitions gets nowhere; the
 substance of this bug is in the nature of what Cloudflare does.

 Now, the remainder of your arguments seem to posit that given many
 problems, the multiplicity of problems is reason to do nothing about the
 biggest one:

 > Do you say that tbb should block sites because their internal setup is
 > insecure (and yes, cloudflare ''is'' part of that 'internal setup')?

 Please name even one other singular “internal setup” which, whether
 compromised or not, has full access to the traffic of billions of visitors
 to millions of different websites.

 > Should tbb also block sites that run on rented cloud machinery, because
 > they are inherently insecure, and subvertible by the hosting companies?

 Please name even one “cloud” provider which hosts a comparable breadth,
 depth, and apparent diversity of sites to those which have their traffic
 decrypted by Cloudflare.

 > Should tbb also block google-analytics, for obvious reasons?

 Are you trying to add to my wishlist?

 Seriously, Tor Browser already puts considerable effort into prevention of
 third-party cross-origin linking:

 https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

 (Also the subsequent section about cross-origin fingerprinting.)

 It is my desire with this bug that Tor Browser should take much simpler
 measures to help users protect themselves against a known mass-attack on
 TLS.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:60>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
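The comment argues for "mechanism, not policy": detect when a TLS connection terminates at a third-party proxy rather than at the origin, tell the user honestly instead of showing an unqualified lock icon, and let a per-Security-Slider default decide what happens. The following is an added illustration of such a mechanism, written for this archive and not code from the ticket, from Tor Browser, or from Cloudflare. It assumes that a decrypting proxy reveals itself through publicly documented indicators (a `Server: cloudflare` response header, a `CF-RAY` header, or a leaf certificate whose issuer organisation names Cloudflare); these are treated as heuristics, the sample headers and issuer strings are constructed, and the Security Slider level names are assumed.

```python
"""Heuristic detector for TLS connections terminated at a decrypting proxy.

Added example, not Tor Browser or Cloudflare code. The indicators below are
heuristics: a proxy that strips its headers or uses a customer-supplied
certificate would not be caught, so absence of evidence is not proof that
the connection reaches the origin.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed Security Slider level names mapped to the action taken when the
# TLS endpoint is a third-party proxy rather than the origin. The policy
# table is separate from the detection mechanism on purpose.
POLICY = {"standard": "allow", "safer": "warn", "safest": "block"}


@dataclass
class Verdict:
    proxied: bool                      # True if any indicator matched
    reasons: List[str] = field(default_factory=list)
    action: str = "allow"              # allow | warn | block


def classify(headers: Dict[str, str], issuer_org: str, level: str) -> Verdict:
    """Decide whether the TLS endpoint looks like a decrypting proxy and map
    that to the configured action for the given security level.

    headers    -- response headers as received (case-insensitive names)
    issuer_org -- organisation (O=) field of the leaf certificate's issuer
    level      -- assumed Security Slider level name
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    reasons: List[str] = []
    if lowered.get("server", "").strip().lower() == "cloudflare":
        reasons.append("Server header identifies Cloudflare")
    if "cf-ray" in lowered:
        reasons.append("CF-RAY header present")
    if "cloudflare" in issuer_org.lower():
        reasons.append(f"leaf certificate issued by '{issuer_org}'")
    proxied = bool(reasons)
    # Unknown level names fall back to "warn" rather than silently allowing.
    action = POLICY.get(level, "warn") if proxied else "allow"
    return Verdict(proxied=proxied, reasons=reasons, action=action)


def lock_label(verdict: Verdict) -> str:
    """Text a browser could show next to the lock icon instead of an
    unqualified promise of end-to-end confidentiality."""
    if not verdict.proxied:
        return "Encrypted to the site you are visiting"
    return "Encrypted to a third-party proxy that can read this traffic: " + "; ".join(verdict.reasons)


# Constructed sample inputs (not captured from any real site).
SAMPLE_PROXIED = {
    "headers": {
        "Server": "cloudflare",
        "CF-RAY": "0000000000000000-XXX",   # placeholder value
        "Content-Type": "text/html",
    },
    "issuer_org": "Cloudflare, Inc.",      # constructed issuer string
}
SAMPLE_DIRECT = {
    "headers": {"Server": "nginx", "Content-Type": "text/html"},
    "issuer_org": "Example CA",            # constructed issuer string
}


if __name__ == "__main__":
    for name, sample in (("proxied", SAMPLE_PROXIED), ("direct", SAMPLE_DIRECT)):
        for level in POLICY:
            v = classify(sample["headers"], sample["issuer_org"], level)
            print(f"{name:8s} {level:9s} action={v.action:5s} {lock_label(v)}")
```

The detection result and the action are deliberately separate values: the same `Verdict` can drive a label, a warning interstitial, or a block, which is the "mechanism, not policy" separation the comment asks for, and the policy table is the only place the per-level defaults live.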