[tbb-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 29 16:31:01 UTC 2017
#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
Reporter: nullius                                | Owner: tbb-team
Type: enhancement                                | Status: needs_information
Priority: High                                   | Milestone:
Component: Applications/Tor Browser              | Version:
Severity: Major                                  | Resolution:
Keywords: security, privacy, anonymity, mitm,    | Actual Points:
          cloudflare                             |
Parent ID: #18361                                | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by nullius):

Replying to [comment:22 cypherpunks]:
> Do you have any actual evidence that they intercepted these decrypted
> packets ''and'' used them for their own malicious goals, or those of other
> 3-letter entities? Otherwise this talk is pure gossip, and it belongs on
> tabloids of the DailyMail.

First off, I ''do'' have evidence that they “intercepted these decrypted
packets”. That is how Cloudflare works, period. If you fail to
comprehend this, then go back and reread this thread—or read Cloudflare’s
own documentation—or for that matter, try learning how TLS actually works.

Without full interception and decryption of each and every connection, it
would be impossible for them to scan application-layer requests for
“attacks”, insert their own HTTP response headers, and return cache items
from their own servers. Even with their misleadingly named “keyless SSL”,
their diagrams make explicit that they hold the TLS session keys
(symmetric keys) for all sessions (only in that case, not the server
certificate private keys).

As for the rest:

Absence of evidence is not evidence of absence; and your proposition is
diversionary, whereas the real issue is one of ''trust'' and of the
promises made by TLS.

Fact: Cloudflare performs mass decryption, then says in essence, ''Trust
us.''

Evidently, you accept that. For comparison, would you accept key escrow?
There is no “actual evidence” that police agencies would abuse that power,
or that blackhats would steal the escrowed keys. (There is no such
evidence, only because no such system has ever existed in the wild and at
scale.) Also, ''reductio ad absurdum'', would you accept centralized
decryption of 100% of Web traffic? 90%? At what threshold would you deem
such a power a threat in itself? Whom would you trust to have it?

You have no evidence that Cloudflare does not misuse this power, other
than their solemn promise that they don’t. In other words, no “actual
evidence”. But that is beside the point: Nobody should demand that level
of trust, on today’s Internet, in today’s world. The creation of a mass-
decryption chokepoint is implicitly malicious.

Sane people prefer to trust cryptographic algorithms. That is exactly why
we have such things in the first place. Why even bother with TLS? Why
not simply trust large, reputable companies to deliver packets without
peeking at them?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online