[tor-dev] Request for feedback/victims: cfc

Adam Shostack adam at shostack.org
Wed Mar 23 16:33:15 UTC 2016


Nice!

Random thought: rather than "unreachable from Tor", "unreachable when
using the internet safely."  This is really about people wanting
security, and these companies not wanting to grapple with what their
customers want.


On Wed, Mar 23, 2016 at 05:31:50PM +0100, Jeff Burdges wrote:
| 
| Thank you, Yawning!  This looks great.  :)
| 
| 
| I think Kate was planning on writing up an official position of the Tor
| project on the CloudFlare situation.  Amongst other things, it's
| expected to contain several strong arguments for convincing sites that
| the CAPTCHA does them no good and to make their CloudFlare configuration
| more Tor friendly.  Or simply use another CDN like Akamai.
| 
| After that appears, one could add a mailto: link alongside the cfc
| button, so that users could easily start a dialog with the site where
| they encounter a CloudFlare CAPTCHA. 
| 
| A mailto: link can have email header and body information like
| 	mailto:.. at ..?subject=Unreachable from Tor due to CloudFlare
| CAPTCHA&body=..  
| And the body could contain some text derived from whatever Kate writes.
| 
| In principle, the mailto: link's destination could determine the site's
| contact information from whois : 
|  https://stackoverflow.com/questions/8435678/whois-with-javascript 
| If that's annoying, then simply placing a unix command like  "whois
| [site] | grep Email" into the body along with some explanation should
| suffice. 
| 
| It's easy enough to do all this with a shell script of course, but if
| cfc moves towards many people using it then maybe encouraging people to
| email sites will help. 
| 
| Jeff
| 
| 
| 
| 
| On Wed, 2016-03-23 at 11:00 +0000, Yawning Angel wrote:
| > [I hate replying to myself.]
| > 
| > On Wed, 23 Mar 2016 09:15:36 +0000
| > Yawning Angel <yawning at schwanenlied.me> wrote:
| > > My "proof of concept" tech demo is what I consider good enough for
| > > use by brave people that aren't me, so I have put up an XPI package
| > > at: https://people.torproject.org/~yawning/volatile/cfc-20160323/
| > 
| > I noticed some dumb bugs and UI issues in the version I pushed so I
| > changed a lot of things and uploaded a new version that should be
| > better behaved.  In particular:
| > 
| >  * It is now Content Script based, and does IPC so it may survive the
| >    transition to sandboxed/multiprocess firefox better.
| > 
| >  * It will always inject a button into the DOM instead of trying to
| >    display browser UI stuff (content scripts are supposed to have
| >    isolation...).
| > 
| >    * The UI selection pref is removed.
| > 
| >    * The ask on captcha option for behavior is removed, since a button
| >      always will be there to bypass it.
| > 
| >  * Loading lots of pages that end up displaying street signs *should*
| >    now behave correctly.
| > 
| > The old release is under `./old` for posterity.
| > 
| > Sorry for the inconvenience,
| > 
| > _______________________________________________
| > tor-dev mailing list
| > tor-dev at lists.torproject.org
| > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
| 





-- 
Don't miss out on my news, which comes out roughly once a quarter.
http://adam.shostack.org/newthing.html


