[tor-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 8 07:42:06 UTC 2020
#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
Reporter: nullius                                | Owner: cypherpunks
Type: enhancement                                | Status: assigned
Priority: High                                   | Milestone:
Component: Applications/Tor Browser              | Version:
Severity: Major                                  | Resolution:
Keywords: security, privacy, anonymity, mitm,    | Actual Points:
  cloudflare, TorBrowserTeamTriaged              |
Parent ID: #18361                                | Points: 1000
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by ϲypherpunks):
Because the abuser tried to censor trac and last user comments again, here
I quote them so as not to give him a chance.
My advice: please open a pseudonym account
[http://ea5faa5po25cf7fb.onion/projects/tor/register] before commenting
(you do not need to provide an email address), because the cypherpunks account is
abused to edit your comment afterwards, trying to hide your free speech.
According to the trac logs, he spent at least 20 minutes up to half an hour
daily for 3 weeks in an effort to just hide anything related to cloudflare
in trac comments and trac wiki pages.
Start of 9 Full Quotes of 83 other users' affected comments separated by
hline in chronological order:
----
comment:9
@same guy,
Using cloudflare means all traffic route to cloudflare. This is not just
about free HTTPS.
HTTP connection to cloudflare and HTTPS connection to cloudflare, both are
fucked up.
"If you're using their free cache, proxy, certificate service, YOU ARE THE
PRODUCT."
@nullius,
I have no argument with that - you wrote what I wanna write.
----
comment:10
Cloudflare and Incapsula. Both HTTP/HTTPS connections to them need to be
blocked as a MiTM attack against TBB.
https://www.incapsula.com/
Not many use Incapsula though. Most of their customers moved to Cloudflare
because of price and popularity. And we the tor users are blocked to read
their site. Such a shame LOL
----
comment:11
Browser developer's ego incoming!
> https://github.com/privacytoolsIO/privacytools.io/issues/364#issuecomment-346040970
> hugoncosta
> Can anyone confirm if CDNs decrypt https traffic or just pass it along?
> https://github.com/MoonchildProductions/Pale-Moon/issues/1486#issuecomment-345980344
> JustOff
> Sorry, but this is utter nonsense.
Why don't these people understand how Cloudflare works?
They can't handle encrypted data. It must be decrypted to check data.
Cloudflare decrypts the incoming data, tests it, (collects it), then
re-encrypts and sends it to the original server (if "Full mode" ssl).
Now I hate Palemoon too. I'll tell this to other people. Ty Palemoon.
----
comment:12
And also they tag EVERY SINGLE REQUEST with a "RAY" ID. Every action you
took on Cloudflare-proxied sites is completely watched.
Are they, who defend Cloudflare, exhibitionists or something? LOL...
----
comment:13
Why is Mozilla ignoring Cloudflare's MiTM attack? This is a security issue
that needs to be fixed in Chrome and Firefox.
----
comment:14
https://security.stackexchange.com/questions/97920/cloudflares-free-ssl-options-require-trusting-them-what-could-they-do-to-chang?noredirect=1
https://news.ycombinator.com/item?id=8377029
----
comment:15
We need some official members' thoughts here.
@mikeperry, @arma, @gk, and so on.
Why are you allowing a MITM attack? This browser's main topic should be
"privacy". Come on, say something already.
Especially @mikeperry, who wrote a blog last year. You need to do this again,
soon.
https://blog.torproject.org/trouble-cloudflare
----
comment:175
Replying to [comment:173 Thernet]:
> 2 clearnet URL and onions are dead?
Yes.
> what happened?
Some random asshole attacked the {{{shared hosting server}}} and the
server owner decided to [https://danwin1210.me/hosting/ shut it down]
completely.
But the website is {{{not dead}}}. It was moved to a new home and their
onion name was changed because re-using the same private key of a .onion is
dangerous. Search harder. You will find the latest link.
----
comment:178
Re: 173
Why don't you post your questions to codeberg? No one is going to answer
them
----
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:179>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online