[tor-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Feb 11 17:49:52 UTC 2018
#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
 Reporter: nullius | Owner: tbb-team
 Type: enhancement | Status: reopened
 Priority: High | Milestone:
 Component: Applications/Tor Browser | Version:
 Severity: Major | Resolution:
 Keywords: security, privacy, anonymity, mitm, cloudflare | Actual Points:
 Parent ID: #18361 | Points: 1000
 Reviewer: | Sponsor:
-------------------------------------------------+-------------------------

Comment (by jchevali):

In my opinion, I understand what is being asked, but I don't think it
should be part of Tor. If someone is so concerned about Cloudflare and
other CDNs, he could develop a new browser extension outside of Tor, then
recommend it for use by Tor users. Of course, it will have to run
"invisibly", or that would add to the Tor user's online fingerprint.

And while on the issue of fingerprints, there is of course Key Pinning and
other mechanisms to ensure authenticity of a site (e.g.,
https://www.grc.com/fingerprints.htm). However, most sites on Cloudflare
aren't visible outside Cloudflare. So how could one retrieve its
fingerprint? And how could one manage connecting directly to the site?
(when in fact, if Cloudflare manages the site's DNS, you won't have a way
to get to it unless you know the address).

You couldn't even do it by way of elimination, by excluding Cloudflare's
fingerprints, because Cloudflare-issued certificates use a multiplicity of
fingerprints.

And besides, the use of CF-Ray sounds flimsy. It's probably a weak point
in the proposal, because if a malicious MITM wanted to do his job by
stealth, he'd take care of not announcing it by means of CF-Ray in the
first place. So are you going to stop CDN impersonations that "give
themselves away", but not CDN impersonations that don't give themselves
away?

And how would you detect other CDNs? What headers do they use? Why single out
Cloudflare?

I think the only solution is getting oneself round the idea that, as
cypherpunks writes, "The green icon only tells you that the exit and the
server you're communicating to (Cloudflare in this case) is encrypted, and
that's it." I know it's hard to get our heads around the idea. But soon,
it won't be that hard, because all browsers will start demanding
encryption and flag up anything not encrypted as insecure, and then every
page will have green icons. Soon, green icons won't mean anything (unless
someone is so naive as to think that all of a sudden, with the advent of
generalized, pervasive encryption, the whole internet has turned "safe").

So it's a question of user education, and if someone has a problem with a
specific implementation, e.g., Cloudflare's, start an online campaign to
warn people about it, which it's in everyone's right to do, as long as it
does it correctly.

Tor's specific function(s) and what it's trying to achieve doesn't mean
that it would or should get under its banner defending other causes, even
if they seem related. It's a question of scope and limitation, and I think
it's ok where it is.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:67>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
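
Added example (not part of jchevali's comment and not Tor Project code): a
sketch that runs the three checks the comment discusses, the CF-Ray header
heuristic, exclusion of known CDN fingerprints, and pinning the origin's
fingerprint, over constructed observations. Every certificate, header value
and function name is an assumption made for illustration, and the pin check
presumes the origin fingerprint was obtainable out of band.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def header_check(headers: dict) -> bool:
    """Flag a response that carries a CF-Ray header (names are case-insensitive)."""
    return any(name.lower() == "cf-ray" for name in headers)

def exclusion_check(der: bytes, known_cdn: set) -> bool:
    """Flag a certificate whose fingerprint is on a list of known CDN ones."""
    return fingerprint(der) in known_cdn

def pin_check(der: bytes, pinned: set) -> bool:
    """Flag any certificate that is not the pinned origin certificate."""
    return fingerprint(der) not in pinned

# Constructed stand-ins for DER certificates; none of these is a real one.
ORIGIN = b"constructed origin certificate"
CDN_A = b"constructed CDN edge certificate A"
CDN_B = b"constructed CDN edge certificate B"
SILENT = b"constructed certificate of an unannounced intermediary"

KNOWN_CDN = {fingerprint(CDN_A)}   # assumption: only certificate A was catalogued
PINNED = {fingerprint(ORIGIN)}     # assumption: obtained out of band

# Constructed observations: label -> (response headers, certificate presented).
OBSERVATIONS = {
    "direct to origin": ({"Server": "nginx"}, ORIGIN),
    "CDN, catalogued certificate": ({"CF-RAY": "constructed"}, CDN_A),
    "CDN, uncatalogued certificate": ({"cf-ray": "constructed"}, CDN_B),
    "intermediary without CF-Ray": ({"Server": "nginx"}, SILENT),
}

def evaluate(observations=OBSERVATIONS):
    """Return {label: (by_header, by_exclusion, by_pin)}."""
    return {
        label: (header_check(h), exclusion_check(c, KNOWN_CDN), pin_check(c, PINNED))
        for label, (h, c) in observations.items()
    }

if __name__ == "__main__":
    for label, flags in evaluate().items():
        print(f"{label:32} header={flags[0]} exclusion={flags[1]} pin={flags[2]}")
```

Only the pin check flags the intermediary that sends no CF-Ray, and the
exclusion list misses the second CDN certificate, which is the gap the
comment describes.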