[tbb-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jan 10 17:51:54 UTC 2018
#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
Reporter: nullius | Owner: tbb-team
Type: enhancement | Status: reopened
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: security, privacy, anonymity, mitm, cloudflare | Actual Points:
Parent ID: #18361 | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by nullius):
Bug reporter here.
Replying to [comment:56 akrey]:
> Cloudflare is not a man in the middle. Cloudflare is authorized to
> provide the SSL termination for origin, by origin.
The short version, a rhetorical question: Would you trust a key escrow
régime, in which an “authorized” entity was entrusted with the
''potential'' to decrypt ''all'' communications at will? If not, why
would you trust a ''de facto'' mass decryption chokepoint at which
''many'' communications are ''actually'' decrypted? Apropos this ticket,
by analogy, would you trust a web browser which displayed a lock icon
promising the confidentiality, integrity, and authentication of key-
escrowed communications?
The longer version:
As I’ve said elsewhere, Cloudflare is ''sui generis''. There is not even
one other entity on Earth today who has realtime “authorized” decrypt
access to the scope and nature of traffic which passes through Cloudflare.
Billions of connections to millions of different websites!
The mass-surveillance potential should be obvious. Officially,
[https://www.cloudflare.com/transparency/ Cloudflare does respond to
government inquiries], as they are required to by U.S. law; this is no
different from any other U.S. entity, except for the ''huge'' difference
in the scope of data which Cloudflare has available to it. Unofficially,
they could do anything they want with the data they glean from mass-
decryption; and this imposes the requirement of trust on what’s supposed
to be a protocol which is built on the adage, “trust the algorithms”.
Also, you are looking at this question from the wrong perspective. Tor
Browser does not exist for the purpose of permitting whatever may be
“authorized” by origins; indeed, as referenced below, Tor Browser takes
extensive measures to deliberately ''break'' many things “authorized” by
origins. Tor Browser’s job is to protect the user’s privacy, not to serve
websites. As such, Tor Browser should protect users against having a
large proportion of their HTTPS Web use silently, invisibly decrypted by a
single centralized entity.
Really, it’s a matter of user choice and the ''user’s'' authorization. I
think I have made it clear in my prior comments, I do not wish to prevent
users from accessing Cloudflared sites. Rather, the lock icon should stop
lying to users—and users should be given an informed choice of whether
they wish to permit Cloudflare to read their traffic, with appropriate
default settings for different Security Slider levels. Just as users can
also override certificate verification and accept the self-signed
certificate of a MITM running sslstrip, I urge the motto, “Mechanism, not
policy.”
And yes, by definition, Cloudflare ''are'' a man in the middle: They
silently decrypt, read/modify, and re-encrypt the TLS connection between
two endpoints. Be that not a MITM, then what is? I put this as a
secondary point, because quibbling over definitions gets nowhere; the
substance of this bug is in the nature of what Cloudflare does.
Now, the remainder of your arguments seem to posit that given many
problems, the multiplicity of problems is reason to do nothing about the
biggest one:
> Do you say that tbb should block sites because their internal setup is
> insecure (and yes, cloudflare ''is'' part of that 'internal setup')?
Please name even one other singular “internal setup” which, whether
compromised or not, has full access to the traffic of billions of visitors
to millions of different websites.
> Should tbb also block sites that run on rented cloud machinery, because
> they are inherently insecure, and subvertible by the hosting companies?
Please name even one “cloud” provider which hosts a comparable breadth,
depth, and apparent diversity of sites to those which have their traffic
decrypted by Cloudflare.
> Should tbb also block google-analytics, for obvious reasons?
Are you trying to add to my wishlist?
Seriously, Tor Browser already puts considerable effort into prevention of
third-party cross-origin linking:
https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
(Also the subsequent section about cross-origin fingerprinting.)
It is my desire with this bug that Tor Browser should take much simpler
measures to help users protect themselves against a known mass-attack on
TLS.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:60>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online