[tor-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 6 01:11:36 UTC 2020


#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
 Reporter:  nullius                              |          Owner:
                                                 |  cypherpunks
     Type:  enhancement                          |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  security, privacy, anonymity, mitm,  |  Actual Points:
  cloudflare, TorBrowserTeamTriaged              |
Parent ID:  #18361                               |         Points:  1000
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by ϲypherpunks):

 Because someone is regularly and repeatedly abusing the community account
 to censor content in an anti-censorship community, by changing original
 comments to unrelated placeholders or white space, including my own
 single comment posted here and even ones over two years old, and including
 defacement of trac wiki pages, I'm now quoting all of the previous talk,
 from all people whose free speech was hidden, so as not to give him again
 the possibility of his wet censor dreams, and to archive valuable
 thought-provoking thoughts.


 == Start of Full Quotes of 76 other users' comments separated by hline in
 chronological order:
 ----
 I'm the person who created "madness" ticket, and you, sir, well written!
 Yes, please block Cloudflare once and for all. I'm expecting some kind of
 "Insecure connection" errorpage
 to block further connection without user consent.
 For example, when I visit "CloudflareMustDie.com",
 1. TBB will show "Insecure connection" errorpage.
 2. User will decide what to do - go back, try a cache, or ignore.
 Here's my idea of errorpage design:
 =====================================
 Your connection is not secure
 The owner of CloudflareMustDie.com is using Cloudflare on their website.
 To protect your privacy from being attacked, Tor Browser has not connected
 to this website.
 (Learn More)
 [Go Back] [Connect anyway]
 =====================================
 (Learn More) is a link, to Tor documentation or wiki, to explain
 Cloudflare's MITM activity.
 [Connect anyway] is a button. If the user clicks it, show a warning
 dialogue with a 3 seconds timelock:
 =====================================
 This connection is MITMed. Are you sure you want to do this?
 [No] [Yes(3)]
 =====================================
 And,
 > response header should immediately terminate, with an error message
 given to the user
 Yes, the connection to CF site *should* be terminated. We should treat them
 like self-signed non-onion website
 which is completely insecure.
 > This can be done by detecting the non-standard CF-Ray: HTTP header.
 You could also look at SSL certificate's CN.
 Most of them are "^sni(.*)\.cloudflaressl\.com".
 for sample:
 https://www.unspam.com/ <--- cloudflare's before project company, ewww
 P.S.
 I use TBB everyday. I got hit by cloudflare and most of the time I go back
 and search for alternative website.
 And if can't, I'll just open up normal browser to browse cloudflare-
 infected websites 'via VPN'.
 I really hope TBB starts kicking cloudflare. This will raise attention and
 the website owner MIGHT, MIGHT... add "T1" to whitelist.
 Cloudflare could add "T1" to whitelist by default. They're so mean :'(

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:172>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
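
The two detection signals named in the quoted comment (a CF-Ray response header and a certificate CN matching the sni...cloudflaressl.com pattern), combined with the proposed block-unless-overridden flow, as an added example that is not code from the ticket or from Tor Browser. The response objects, their field names (host, headers, certSubjectCN) and the function names are assumptions for illustration, not a browser API. The CN is available at TLS handshake time, while CF-Ray is only visible after the request has already been sent.

```javascript
// Added example: classify a response using the two signals from the comment.
// Inputs are plain objects (constructed samples), not a real browser API.
const CF_CN_PATTERN = /^sni(.*)\.cloudflaressl\.com/i; // pattern quoted in the comment

// HTTP header names are case-insensitive, so normalise before lookup.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Returns { cloudflare: boolean, signals: string[] } so the UI can explain why.
function detectCloudflare(response) {
  const signals = [];
  if (getHeader(response.headers, "CF-Ray") !== undefined) {
    signals.push("cf-ray-header");
  }
  const cn = (response.certSubjectCN || "").trim();
  if (CF_CN_PATTERN.test(cn)) signals.push("cert-cn");
  return { cloudflare: signals.length > 0, signals };
}

// Mirrors the proposed flow: show the interstitial unless the user has
// already chosen "Connect anyway" for this host (hypothetical override set).
function decide(response, userOverrideHosts = new Set()) {
  if (!detectCloudflare(response).cloudflare) return "load";
  return userOverrideHosts.has(response.host) ? "load" : "show-interstitial";
}

// Constructed sample responses (hosts and values are made up).
const samples = [
  { host: "a.example", headers: { "cf-ray": "0000000000000000-XXX" },
    certSubjectCN: "a.example" },
  { host: "b.example", headers: {}, certSubjectCN: "sni12345.cloudflaressl.com" },
  { host: "c.example", headers: { Server: "nginx" }, certSubjectCN: "c.example" },
];
for (const s of samples) {
  console.log(s.host, decide(s), detectCloudflare(s).signals.join(","));
}
```

Neither signal is exhaustive: the comment itself says only "most" certificates match the CN pattern, so a "load" result does not show that a site is not behind Cloudflare.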

