[tor-dev] Request for feedback/victims: cfc

Yawning Angel yawning at schwanenlied.me
Wed Mar 23 09:15:36 UTC 2016 

Hello,

Inspired by https://trac.torproject.org/projects/tor/ticket/18361
I've been working on way to improve the situation.

My "proof of concept" tech demo is what I consider good enough for
use by brave people that aren't me, so I have put up an XPI package
at: https://people.torproject.org/~yawning/volatile/cfc-20160323/

The source: https://git.schwanenlied.me/yawning/cfc (Requires the
Firefox SDK aka Jetpack to package).

By default the addon will:

 * Rewrite the CloudFlare captcha error page with messages that reflect
   my perception of reality[0].

 * Rewrite imgur ".gifv" links to ".gif".

Under "Tools->Addons->Extensions" you can configure the addon to:

 * Automatically fetch a cached copy of pages hosted on CloudFlare
   infrastructure from archive.is.

 * Automatically fetch a cached copy of pages that present a CloudFlare
   captcha from archive.is.

 * Pop up a UI widget asking if you want to fetch a cached copy of the
   page from archive.is each time you encounter a captcha.

 * Disable the snarky error message replacement (Requires a restart to
   take effect, because I'm lazy).

 * Disable the gifv URL rewrite.

TODO:

 * Support a user definable blacklist (eg: If you want to always use
   archive.is to access gawker.com or other clickbait bullshit, you
   should be able to easily do so).

 * Add more general quality of life things.

 * Think about making it work on Fenec (It currently will not because
   PopUpNotifications are handled differently, among other things).

 * Rewrite the internals to prepare for e10s.

WARNING:

 * If archive.is is evil, they can track you across page fetches
   trivially, because this sort of use case is outside of Tor Browser's
   current threat model (Yes, CloudFlare/Google can also do the same
   thing currently, who do you trust more?).

 * PEOPLE THAT HAVE BIG SCARY ADVERSARIES IN THEIR THREAT MODEL SHOULD
   NOT USE THIS.

If you don't know how to install addons given as XPI files, you
shouldn't be using this.  This is only tested on 6.0a4 (Linux/64 bit).
It *should* work on everything that isn't Orfox that's relatively
modern, YMMV.

Regards,

-- 
Yawning Angel

[0]: A very cynical/adversarial take on things.  Opinions are my own,
etc, and I don't care if you're offended.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160323/2665bf1c/attachment.sig>

More information about the tor-dev mailing list