[tor-talk] do Cloudflare captchas ever work?

Çağıl P. Şesto secpost at abwesend.de
Tue Jun 23 20:41:54 UTC 2015


On Mon, Jun 22, 2015 at 07:15:24PM -0500, Joe Btfsplk wrote:
> Is that actually true?  (they can track you over various exits)
> Is that what the design document says?

Tor can't protect you if your browser emits cookies or information
about cached content back to an entity that operates a global-scale CDN
or services:

Let's make it easy:
You are you (joe) and there is Google (gog) and Cloudflare (clo):
You are ordering pizza via tor-exit1 (tex1) and watching some cats while
eating that pizza on tor-exit2 (tex2).

In your first session, you request content, a picture of said pizza,
from a CDN (clo), and with that request comes caching information and
cookies from (clo) along with that picture.

(clo) knows you now as an entity; you are emitting cookies back to (clo)
with every use of its CDN.

Let's assume the pizza service uses a website analytics service from
(gog) under the premise of customer satisfaction:

Your browser requests a 1x1 pixel from that service; with that pixel
comes another cookie, and you are now known to (gog) as a pizza-eating
entity too. Every time you visit another site using (gog) analytics,
you are the same pizza-eating entity.

It's time to go to the loo, and the pizza is delivered. The Tor client
did its awesome job and has built new circuits; (joe) is now using (tex2).

So, what's better than pizza? Pizza and cats:
(joe) requests an embedded cat movie from some cat movie site. Bad for
him, the cat movie is delivered via the (clo) CDN, the browser adds the
cookie to the request and (clo) adds that information to the record they
started about you earlier. Unfortunately catmovies uses the (gog)
analytics service too (because it's free, so who would mind), and (gog)
gets their cookie back from earlier.

Sorry to say, I am under the impression you have watched too much VPN
advertising. When it comes to your browser, your IP is no longer of
interest. You really should get rid of that misconception that you are
an IP address or that somebody uses IP addresses to track people; since
the inception of Tor and VPN networks that's plain stupid.

If you don't want third parties to know that you are into the
cat thing, the right thing to do would be to use your browser to order
pizza and use TBB to watch cats - that works.

> But, many Tor Browser users  seem to question allowing all scripts by
> default - including 3rd party.

That example works with plain http or https, where https is recommended
while using Tor. There was no active content involved.

> On the _latter point_, I'm not as technically advanced as many on this
> list, to fully understand ALL subtleties in the design document.

It gets nasty and scary with active content involved. Tor is only a
network; it can hide your IP, but that's not always the solution.

> On the _latter point_, I'm not as technically advanced as many on this
> list,
> to fully understand ALL subtleties in the design document.

If one only has one tool, let's say a hammer, one tends to see every
problem as a nail; that's what you are doing.

Please consider which parts of your personal habits and needs you like
to expose in which way. So order pizza with your whatever browser and do
the lewd cats thing with TBB. I know, not very convenient, but privacy
or anonymity aren't available in a convenient way anymore. Your IP has
nothing to do with that anymore.

That said, it isn't impossible. I still try to convince site owners to
respect visitors and not exclude, track or sell their anonymity or
privacy for some funky graphs.
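
The pizza-and-cats scenario above, as an added example that is not part of the original post: a small model of how a third party embedded on both sites links the two visits by cookie even though the exit address changed, and how a separate cookie jar breaks the link. The class names, site names and addresses are constructed for illustration.

```python
"""Added illustration: a third party links visits by cookie, not by source IP."""
import itertools
from collections import defaultdict

class ThirdParty:
    """A CDN or analytics service embedded on many sites (clo/gog in the post)."""
    def __init__(self, name):
        self.name = name
        self._ids = itertools.count(1)
        self.log = []  # (cookie_id, source_ip, embedding_site)

    def serve(self, cookie, source_ip, site):
        # No cookie presented: mint a new identifier (the Set-Cookie step).
        if cookie is None:
            cookie = f"{self.name}-{next(self._ids)}"
        self.log.append((cookie, source_ip, site))
        return cookie

    def profiles(self):
        """Sites seen per cookie: the record the service keeps about a visitor."""
        out = defaultdict(set)
        for cookie, _ip, site in self.log:
            out[cookie].add(site)
        return dict(out)

class Browser:
    """One shared cookie jar, keyed by third-party name."""
    def __init__(self):
        self.jar = {}

    def visit(self, site, embeds, exit_ip):
        for tp in embeds:
            self.jar[tp.name] = tp.serve(self.jar.get(tp.name), exit_ip, site)

def run(separate_browsers):
    clo, gog = ThirdParty("clo"), ThirdParty("gog")
    pizza_browser = Browser()
    cat_browser = Browser() if separate_browsers else pizza_browser
    # Constructed exit addresses (documentation ranges) standing in for tex1/tex2.
    pizza_browser.visit("pizza.example", [clo, gog], "192.0.2.10")
    cat_browser.visit("catmovies.example", [clo, gog], "198.51.100.20")
    return clo.profiles(), gog.profiles()

def linked(profiles):
    """True if any single cookie was seen on both sites."""
    both = {"pizza.example", "catmovies.example"}
    return any(both <= sites for sites in profiles.values())

if __name__ == "__main__":
    for sep in (False, True):
        clo_p, gog_p = run(sep)
        print("separate:", sep, "clo links:", linked(clo_p), "gog links:", linked(gog_p))
```

The source IP is recorded in the log but never consulted when profiles are built, which is the point of the post: the cookie alone carries the identity across exits.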

