[tor-talk] do Cloudfare captchas ever work?

Joe Btfsplk joebtfsplk at gmx.com
Tue Jun 23 23:58:57 UTC 2015 

Thanks Çağıl,
I'll have to ponder some of your comments.
On other points, some highly advanced users may have to jump in & comment.

On certain points you made (it seems), it's absolutely trivial for 
Cloudfare or any entity operating on a large number of sites, to track 
Tor / TBB users - across domains - on every site visited, that the 
tracking entity also monitors?

That assumes and / or implies several things (in Tor Browser).
1. You allow cookies AND 3rd party cookies, on many / most sites visited.
2. You rarely clear those cookies.
3. You never clear browser cache, except at shutdown.
4. You rarely, if ever, use the TBB new identity feature, during a 
single session.

5. TBB allows other non-cookie tracking methods (beacons, what ever) to 
be set AND allows them to be read *across all domains visited.*
On #4, did I misunderstand the TBB design document, and misunderstand 
the discussion that Mike Perry (I believe) had on this list, about cross 
domain tracking not being allowed?

6. A multi site tracker (CDN, Google, NSA) can read TBB all cached 
content.  Or, perhaps only the cached content that they set in TBB (but 
across all domains)?

If everything you say is true (if I understand), then any major tracker 
can know most of the sites you've been to & exactly what you did at each 
one (because of the cross domain tracking that TBB allows - by design)?
They *only* thing they don't know (yet) may be  your real IPa?

It sounds like you're not just saying there are *some* possible ways for 
cross origin tracking, but that much of the Tor Browser design document 
regarding this has no validity?

Sect. 4.5 Cross-Origin Identifier Unlinkability 
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
subsection of 4.5,  "Identifier Unlinkability Defenses in the Tor 
Browser," that says,
"Here is the list that we have discovered and dealt with to date:"

Sect 4.6 "Cross-Origin Fingerprinting Unlinkability"
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

4.7. "Long-Term Unlinkability via "New Identity" button" 
https://www.torproject.org/projects/torbrowser/design/#new-identity




On 6/23/2015 3:41 PM, Çağıl P. Şesto wrote:
> On Mon, Jun 22, 2015 at 07:15:24PM -0500, Joe Btfsplk wrote:
>> Is that actually true?  (they can track you over various exits)
>> Is that what the design document says?
> Tor can't protect you, if your browser emits cookies or information
> about cached content back to an entity that operates global scale cdn
> or services:
>
> Lets make it easy:
> You are you (joe) and there is google (gog) and cloudflare (clo):
> You are ordering pizza via tor-exit1 (tex1) and watch some cats while
> eating that pizza on tor-exit2 (tex2).
>
> In your first session, you request content, a picture of said pizza from a
> cdn (clo) and with that request comes caching information and cookies
> from (clo) along with that picture.
>
> (clo) knows you now as an entity, you are emitting cookies back to (clo)
> with every use of his cdn.
>
> Lets assume the pizza service uses a website analytics service from
> (gog) under the premise of customer statisfaction:
>
> Your browser, requests 1x1pixel from that service, with that pixel comes
> another cookie, you are now knowm to (gog) as an pizza eating entity too.
> Every time you visit another site using (gog) analytics, you are the
> same pizza eating entity.
>
> Its time to go to the loo, and the pizza is delivered. The tor-client did
> his awesome job and has build new circuits, (joe) is know using (tex2).
>
> So, whats better than pizza? Pizza and cats:
> (joe) requests a embedded catmovie from some catmovie site, bad for him
> the catmovie is delivered via (clo) cdn, the browser adds the cookie
> to the request and (clo) adds that information to the record they
> startet about you earlier. Unfortunately catmovies uses the (gog) analytics
> service too (because its free, so who would mind), and (gog) gets their
> cookie back from earlier.
>
> Sorry to say, I am under the impression, you have watched to much VPN
> advertising, if it comes to your browser, your ip is no longer of
> interest. You really should get rid of that misconception that you are
> a ip address or somebody uses ip address to track people, since the
> inception of tor and vpn networks thats plain stupid.
>
> If you don't like to third parties from knowing that you are into the
> cat thing, the right thing to do would to use your browser to order
> pizza and using TBB to watch cats - that works.
>
>> But, many Tor Browser users  seem to question allowing all scripts by
>> default - including 3rd party.
> That example works with plain http or https, were https is recommended
> while using tor. There was no active content involved.
>
>> On the _latter point_, I'm not as technically advanced as many on this
>> list, to fully understand ALL subtleties in the design document.
> It gets nasty and scary with active content involved, tor is only a
> network, it can hide your ip, but thats not always the solution.
>
>> On the _latter point_, I'm not as technically advanced as many on this
>> list,
>> to fully understand ALL subtleties in the design document.
> If one only has one tool, lets say a hammer, one tends to see every
> problem as nail, thats what you are doing.
>
> Please consider which parts of your personal habits and needs you like
> to expose in which way. So order pizza with your whatever browser and do
> the lewd cats thing with TBB. I know, not very convenient, but privacy
> or anonymity aren't avaliable in a convenient way anymore. Your ip has
> nothing to do with that anymore.
>
> That said, it isn't impossible. I still try to convice site owners to
> respect visitors and not exclude, track or sell their anonymity or
> privacy for some funky graphs.

More information about the tor-talk mailing list