[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance



#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
 Reporter:  ioerror                       |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Tor Browser                   |        Version:
 Severity:  Critical                      |     Resolution:
 Keywords:  security, privacy, anonymity  |  Actual Points:
Parent ID:                                |         Points:
  Sponsor:                                |
------------------------------------------+--------------------------

Comment (by ioerror):

 Replying to [comment:23 jgrahamc]:
 > Hello. I'm CloudFlare's CTO.
 >
 > ''There are companies - such as CloudFlare - which are effectively now
 Global Active Adversaries.''
 >
 > That's an inflammatory introduction. We are not adversarial to TOR as an
 entity, we are trying to deal with abuse that uses the TOR network.

 It is a statement of facts about capabilities. It is not inflammatory -
 Tor must take into account that Google, for example, can run arbitrary
 code from many thousands of websites visited in Tor Browser.

 To say that CF is not adversarial is awkward - Tor users are prevented
 from browsing the web and are constantly blocked. I do not believe that CF
 has yet made this a specific act of malice, of course. To design such a
 system without considering how it will impact Tor users and then working
 with us is however seriously problematic as we see from user reports.

 > It's inevitable that a system providing anonymity gets abused (as well
 as used). I'm old enough to remember the trials and tribulations of the
 Penet remailer and spent a long time working in antispam.

 Centralization ensures that your company is a high value target. The
 ability to run code in the browsers of millions of computers is highly
 attractive. The fact that CF and Google appear to both appear in those
 captcha prompts probably ensures CF isn't even in control of the entirety
 of the risk. Is it the case that for all the promises CF makes, Google is
 actually in control of the Captcha - and thus is by proxy given the
 ability to run code in the browsers of users visiting CF terminated sites?

 Should we be reaching out to Google here?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs