[tor-dev] Request for feedback/victims: cfc

Arthur D. Edelstein arthuredelstein at gmail.com
Thu Mar 24 05:25:09 UTC 2016


On Wed, Mar 23, 2016 at 2:15 AM, Yawning Angel <yawning at schwanenlied.me> wrote:

> My "proof of concept" tech demo is what I consider good enough for
> use by brave people that aren't me, so I have put up an XPI package
> at: https://people.torproject.org/~yawning/volatile/cfc-20160323/

Very cool!

>  * If archive.is is evil, they can track you across page fetches
>    trivially, because this sort of use case is outside of Tor Browser's
>    current threat model (Yes, CloudFlare/Google can also do the same
>    thing currently, who do you trust more?).

Because CloudFlare presents its captcha page under the target site's
domain name, and the Google ReCAPTCHA iframe is embedded inside that,
Tor Browser is designed to prevent tracking across visits to different
CloudFlared sites. So in that sense the archive.is option allows more
tracking.

One possible solution could be for the extension to replace the HTML
content inside a desired content page (say,
https://imgur.com/some-page.html) with an iframe containing the
archive.is version. The iframe would then be embedded under the
desired first-party domain (e.g., imgur.com instead of archive.is) so
that the page requests and caching are isolated to imgur.com.


More information about the tor-dev mailing list