#24351: Block Global Active Adversary Cloudflare
-------------------------------------------------+-------------------------
 Reporter:  nullius                              |          Owner:  tbb-team
     Type:  enhancement                          |         Status:  reopened
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  security, privacy, anonymity, mitm,  |  Actual Points:
  cloudflare                                     |
Parent ID:  #18361                               |         Points:  1000
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by jchevali):

 In my opinion, I understand what is being asked, but I don't think it should be part of Tor. If someone is so concerned about Cloudflare and other CDNs, he could develop a new browser extension outside of Tor, then recommend it for use by Tor users. Of course, it will have to run "invisibly", or that would add to the Tor user's online fingerprint.

 And while on the issue of fingerprints, there is of course Key Pinning and other mechanisms to ensure authenticity of a site (e.g., https://www.grc.com/fingerprints.htm). However, most sites on Cloudflare aren't visible outside Cloudflare. So how could one retrieve its fingerprint? And how could one manage connecting directly to the site? (when in fact, if Cloudflare manages the site's DNS, you won't have a way to get to it unless you know the address). You couldn't even do it by way of elimination, by excluding Cloudflare's fingerprints, because Cloudflare-issued certificates use a multiplicity of fingerprints.

 And besides, the use of CF-Ray sounds flimsy. It's probably a weak point in the proposal, because if a malicious MITM wanted to do his job by stealth, he'd take care of not announcing it by means of CF-Ray in the first place. So are you going to stop CDN impersonations that "give themselves away", but not CDN impersonations that don't give themselves away? And how would you detect other CDNs? What headers do they use? Why single out Cloudflare?

 I think the only solution is getting oneself round the idea that, as cypherpunks writes, "The green icon only tells you that the exit and the server you're communicating to (Cloudflare in this case) is encrypted, and that's it." I know it's hard to get our heads around the idea. But soon, it won't be that hard, because all browsers will start demanding encryption and flag up anything not encrypted as insecure, and then every page will have green icons. Soon, green icons won't mean anything (unless someone is so naive as to think that all of a sudden, with the advent of generalized, pervasive encryption, the whole internet has turned "safe").

 So it's a question of user education, and if someone has a problem with a specific implementation, e.g., Cloudflare's, start an online campaign to warn people about it, which it's in everyone's right to do, as long as it does it correctly. Tor's specific function(s) and what it's trying to achieve doesn't mean that it would or should get under its banner defending other causes, even if they seem related. It's a question of scope and limitation, and I think it's ok where it is.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:67>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs