[tor-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 8 07:52:18 UTC 2020


#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
 Reporter:  nullius                              |          Owner:
                                                 |  cypherpunks
     Type:  enhancement                          |         Status:
                                                 |  assigned
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  security, privacy, anonymity, mitm,  |  Actual Points:
  cloudflare, TorBrowserTeamTriaged              |
Parent ID:  #18361                               |         Points:  1000
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by ϲypherpunks):

 Replying to [comment:177 ptaff]:
 > Cloudflare servers effectively MITM 10-15% of the world's websites in the
 > name of Denial-of-Service protection.
 Welcome to the centralized internet :'(
 > Cloudflare hence sees the communication in the clear. Credit card
 > numbers and all.
 Yes, financial services; worst are the MitM'ed cryptocurrency websites,
 and even regular online banking exists behind the CloudflareSSL MitM.

 > They now offer DNS resolution,
 They are hunting after Tor users; they offer "onion service" DNS
 resolution.
 That makes privacy worse than the default setup with Tor since there's no
 stream isolation. With the standard Tor Browser you get a different
 circuit for each first-party domain; that's not something you'd have with
 this.
 > trying to enrich their user tracking by adding data about traffic to
 > servers not "protected" by Cloudflare.
 Further, they offer a "free VPN" service called Warp.

 They know what movies you download (piratebay), what you buy online,
 what porn you prefer to watch and how long you can hold out while doing
 so; they read everything you write and watch your private chat pictures
 online in **private messages** in forums or social media sites behind the
 Cloudflare MitM. Many apps' APIs use it too, with geolocation.

 This allows them to build a complete profile of you, with no option to
 opt out.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:180>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

