[tor-dev] Request for feedback/victims: cfc-0.0.2

Yawning Angel yawning at schwanenlied.me
Sun Mar 27 06:12:57 UTC 2016 

Hello,

Thanks for the feedback so far.

  [ PEOPLE THAT HAVE BIG SCARY ADVERSARIES IN THEIR THREAT MODEL
    STILL SHOULD NOT USE THIS. ]

New version with changes some that add functionality, some code of
quality stuff, hence a version bump to 0.0.2, especially since it'll
probably be a bit before I can focus on tackling the TODO items.

Source: https://git.schwanenlied.me/yawning/cfc
XPI: https://people.torproject.org/~yawning/volatile/cfc-20160327/

Major changes:

 * Properly deregister the HTTP event listeners on addon unload.

 * Toned down the snark when I rewrite the CloudFlare captcha page,
   since I wasn't very nice.

 * Additional quality of life/privacy improvements courtesy of Will
   Scott, both optional and enabled by default.

   * (QoL) Skip useless landing pages (github.com/twitter.com will be
     auto-redirected to the "search" pages).

   * (Privacy) Kill twitter's outbound link tracking (t.co URLs) by
     rewriting the DOM to go to the actual URL when possible.  Since
     DOM changes made from content scripts are isolated from page
     scripts, this shouldn't substantially alter behavior.

   * (Code quality) Use a pref listener to handle preference changes.

TODO:

 * Try to figure out a way to mitigate the ability for archive.is to
   track you.  The IFRAME based approach might work here, needs more
   investigation.

 * Handle custom CloudFlare captcha pages (In general my philosophy is
   to minimize false positives, over avoiding false negatives).
   Looking at the regexes in dcf's post, disabling the title check may
   be all that's needed.

 * Handle CloudFlare 503 pages.

 * Get samples of other common blanket CDN based Tor blocking/major
   sites that block Tor, and implement bypass methods similar to how
   CloudFlare is handled.

 * Look into adding a "contact site owner" button as suggested by Jeff
   Burdges et al (Difficult?).

 * Support a user specified "always use archive.is for these sites"
   list.

 * UI improvements.

 * More Quality of Life/Privacy improvements (Come for the Street
   Signs, stay for the user scripts).

   * I will eventually get annoyed enough at being linked to mobile
     wikipedia that I will rewrite URLs to strip out the ".m.".

 * Test this on Fennec.

 * Maybe throw this up on addons.mozilla.org.

Regards,

-- 
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160327/9dcb9f5f/attachment.sig>

More information about the tor-dev mailing list