[tor-dev] Advice regarding Cloudflare

Yawning Angel yawning at schwanenlied.me
Sun Apr 3 08:04:41 UTC 2016


On Sun, 3 Apr 2016 00:37:45 -0700
Ryan Carboni <ryacko at gmail.com> wrote:
> > (as opposed to the people that seem to think that Exits
> > should actively combat abuse by having the capability for
> > censorship).
> >
> >
> Well, a large number of exit nodes already have the capability for a
> man-in-the-middle attack. This capability could very well be a default
> option.

There's legal/ethical issues with that sort of thing.  In the bright
future (more modern versions of HTTP for example), encryption is going
to be the default.

An anonymity system that mounts active man-in-the-middle attacks
against TLS (or QUIC's encryption) isn't anything I'll be working
on.

> > b) In your magic world, how would accessing any site that uses
> >    multiple hosts for content work?

> [snip]
> This might seem patronizing, but you seem genuinely ignorant.

No.  I was wondering how a poorly thought out idea is supposed to
not negatively impact anonymity given that bundling multiple endpoints
over a single circuit is good for anonymity.

It was a genuine technical question.

[snip]
> By any reasonable definition of ethics, one must find a middle
> ground, and essentially, Cloudflare has all the negotiating power,
> unless you plan on personally battering down the doors of Cloudflare.
 
Well, I did write an addon that just fetches content from archive.is
whenever I get a Captcha.  Does that count?

> Perhaps a maximum of 63 domain names (forgot Cloudflare only has a
> dozen IPs) per Tor circuit could be done.

You have a definition of "a dozen" that doesn't match one that I'm
familiar with (https://archive.is/eSl37).

Anyway, it's easy for clients to request multiple circuits.  An
anonymity system where the Exit possesses linkable client identifiers
between circuits/sessions is also a poor anonymity system.

*plonk*

-- 
Yawning Angel
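The message's point that clients can already request multiple circuits refers to Tor's stream-isolation options. The following torrc fragment is an added example, not part of the original message or of any Tor documentation quoted here; the option names are real Tor client options, and the port numbers are the conventional defaults, used here only as an illustration:

```text
# Added example (not from the original message): torrc settings that make the
# Tor client stop bundling every endpoint over one circuit and instead use a
# separate circuit per destination host and port.
SocksPort 9050 IsolateDestAddr IsolateDestPort

# A second SOCKS port on which streams presenting different SOCKS usernames
# are kept on different circuits, so an application can partition its own
# sessions (e.g. one identity per site) without touching the first port.
SocksPort 9150 IsolateSOCKSAuth
```

The trade-off is the one the message raises: finer isolation means more circuits and more exit nodes see fragments of a session, while coarser bundling keeps more of a user's traffic on one circuit; the exit still never receives a client identifier it could use to link circuits, which is the property the message insists on.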