[tor-talk] do Cloudfare captchas ever work?

Çağıl P. Şesto secpost at abwesend.de
Wed Jun 24 02:46:49 UTC 2015


On Tue, Jun 23, 2015 at 06:58:57PM -0500, Joe Btfsplk wrote:
> Thanks Çağıl,

You are welcome.

> On certain points you made (it seems), it's absolutely trivial for Cloudflare
> or any entity operating on a large number of sites, to track Tor / TBB users
> - across domains - on every site visited, that the tracking entity also
> monitors?

My example should illustrate that the amount of privacy or anonymity
you get out of Tor when using a browser depends much more on you
than on the software (TBB) or the anonymizing network, and you should
take that into account. How you operate your browser matters.
 
> That assumes and / or implies several things (in Tor Browser).
> 1. You allow cookies AND 3rd party cookies, on many / most sites visited.

On the network layer, the CDN may be completely transparent to your
browser; the only difference is headers in the response, depending
on the CDN. So, the site you are requesting from is a proxy on, or is,
that CDN, and not a different entity. This behavior is often not taken
into account.

> 2. You rarely clear those cookies.

Depending on settings, cookies may stay for arbitrary amounts of time,
depending on the cookie originator and your browser settings. I prefer
to normalize them all into session cookies; they expire when I close
the browser.

> 3. You never clear browser cache, except at shutdown.

That, or even worse settings, are often the default. Like cookies, cached
content can, depending on your browser's history or cache settings, stay
for arbitrary amounts of time, esp. with TBB and many open tabs over long
periods of time, for example.

> 4. You rarely, if ever, use the TBB new identity feature, during a single
> session.

The new identity feature is awesome, and my observation is that humans
should use it more often before watching cats and not deem it
inconvenient.

> 5. TBB allows other non-cookie tracking methods (beacons, what ever) to be
> set AND allows them to be read *across all domains visited.*
> On #4, did I misunderstand the TBB design document, and misunderstand the
> discussion that Mike Perry (I believe) had on this list, about cross domain
> tracking not being allowed?

As said earlier, I can't tell specifics/internals about TBB, and I am not
aware of said discussion. It depends also on plugins like NoScript and their
configuration and so on, the usage of TLS and so on. My example uses a
default browser and Tor; that's what I use at the moment.

> 6. A multi site tracker (CDN, Google, NSA) can read all TBB cached content.
> Or, perhaps only the cached content that they set in TBB (but across all
> domains)?

It is not a multi site tracker; it's an entity or organization that runs a
huge network of hosts, that delivers either content for said organisation or
content on behalf of their customers (a CDN).

It can't read content in your cache; it is your browser that sends
information about the state of your cookies file and your filesystem
cache back to said entities, with every request you may send to them.

Depending hugely on how you utilize TBB.

> If everything you say is true (if I understand), then any major tracker can
> know most of the sites you've been to & exactly what you did at each one
> (because of the cross domain tracking that TBB allows - by design)?
> The *only* thing they don't know (yet) may be your real IPa?

It depends solely on your browser, and the ability of said entities to
access certain APIs (functionality in your browser) that may or may not
be available at the moment you request data from them.

media.peerconnection is disabled in TBB, which is great and they
patch OCSP and PKIX code too, which I consider awesome.

> It sounds like you're not just saying there are *some* possible ways for
> cross origin tracking, but that much of the Tor Browser design document
> regarding this has no validity?

I didn't say that; I don't doubt the TBB devs are doing a great job. I think
you can't get more privacy than from TBB, but you have to understand
how it works, to let it protect you.

> Sect. 4.5 Cross-Origin Identifier Unlinkability
> https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
> subsection of 4.5,  "Identifier Unlinkability Defenses in the Tor Browser,"
> that says,
> "Here is the list that we have discovered and dealt with to date:"

It says "(isolated) using the URL bar domain." If a CDN is in part
or fully authoritative for said URL bar domain, then identifiers may be
linkable. If in doubt, request a new identity via the Tor button.

> 4.7. "Long-Term Unlinkability via "New Identity" button"
> https://www.torproject.org/projects/torbrowser/design/#new-identity

This is great, and if you use it between ordering pizza and watching
lewd cats, all is well.

You should read 
https://www.torproject.org/projects/torbrowser/design/#adversary and 
https://www.torproject.org/projects/torbrowser/design/#deprecate
and take that information into consideration.

My hourly consulting fee should be donated to the tor-project.org.

TYVM :)
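
The session-cookie normalization mentioned in the reply above, as an added example (not code from the post, from Tor Browser or from any extension). It assumes access to raw Set-Cookie header values, for instance in a filtering proxy; the function name and the sample headers are constructed.

```javascript
// Added example: turn persistent cookies into session cookies by dropping
// the Expires and Max-Age attributes from a Set-Cookie header value.
// normalizeSetCookie and SAMPLE_HEADERS are constructed for illustration.
function normalizeSetCookie(header, now = Date.now()) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p !== "");
  const pair = parts.shift(); // "name=value" always comes first
  let maxAge = null;
  let expires = null;
  const kept = [];
  for (const part of parts) {
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : part.slice(eq + 1).trim();
    if (name === "max-age") {
      // Invalid Max-Age values are ignored, as a browser would do.
      if (/^-?\d+$/.test(value)) maxAge = parseInt(value, 10);
    } else if (name === "expires") {
      const t = Date.parse(value);
      if (!Number.isNaN(t)) expires = t;
    } else {
      kept.push(part); // Path, Domain, Secure, HttpOnly, ... stay untouched
    }
  }
  // Max-Age takes precedence over Expires (RFC 6265). A lifetime that has
  // already ended is the server deleting the cookie; stripping it would
  // turn the deletion into a fresh session cookie, so pass it through.
  const deletion =
    maxAge !== null ? maxAge <= 0 : expires !== null && expires <= now;
  if (deletion) return header;
  return [pair, ...kept].join("; ");
}

// Constructed sample headers: two persistent cookies, one session cookie,
// and one deletion request.
const SAMPLE_HEADERS = [
  "id=abc123; Expires=Fri, 24 Jun 2016 02:46:49 GMT; Path=/; Secure; HttpOnly",
  "pref=1; Max-Age=31536000; Domain=example.com",
  "sid=xyz; Path=/",
  "id=; Max-Age=0; Path=/",
];

for (const h of SAMPLE_HEADERS) {
  console.log(normalizeSetCookie(h, Date.UTC(2015, 5, 24)));
}
```
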
