[tor-bugs] #18361 [Applications/Tor Browser]: Issues with corporate censorship and mass surveillance

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 10 23:55:51 UTC 2018


#18361: Issues with corporate censorship and mass surveillance
--------------------------------------+--------------------------
 Reporter:  ioerror                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  reopened
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 Replying to [comment:266 cypherpunks]:
 > Replying to [comment:265 nullius]:
 > > I presume you refer to #24351.  As its reporter, I should emphasize
 > > that on one point you are correct:  I do not suggest that Tor or Tor
 > > Browser should “block all of Cloudflare”.  Rather, on the application
 > > level, Tor Browser should provide to users an informed choice—with sane
 > > defaults, appropriate to the level of the Security Slider.
 > >
 > > On High Security, I would expect that Cloudflare be blocked by default
 > > (with option to override); at Low Security, I would expect that it be
 > > permitted by default; in the middle, I am still on the fence.  Moreover,
 > > at all security levels, ''the lock icon must stop lying to users''.  The
 > > mixed-content warning on the lock icon provides a good precedent for how
 > > to proceed here, plus an existing UI graphic for consistency.
 > >
 > > A big part of the problem with Cloudflare is that it’s both invisible
 > > and pervasive.  Do ''you'' know how much of your own `https` web traffic
 > > passes in plaintext through Cloudflare’s hands?  Do you even have any
 > > reasonable means of measuring this?  Most of all, do you have any means of
 > > avoiding Cloudflare—short of avoiding the Web altogether?
 >
 > You don't seem to be familiar with where the Security Slider choices come
 > from. Here's a sample ticket to get the gist of it: #23409 and
 > https://trac.torproject.org/projects/tor/attachment/ticket/23409/vuln_hist_esr52
 >
 > Here's the point: '''You can't come up with something similar for
 > Cloudflare''', and so the "tie Cloudflare-thing to the security slider" is
 > doomed to fail ''ab initio''.

 Read the title of this ticket. Sure you can't tie Cloudflare-thing to the
 security slider but you can tie "corporate MITM" to the security slider.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:267>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

