
Re: [tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance



#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
 Reporter:  ioerror                       |          Owner:  tbb-team
     Type:  enhancement                   |         Status:  new
 Priority:  High                          |      Milestone:
Component:  Tor Browser                   |        Version:
 Severity:  Critical                      |     Resolution:
 Keywords:  security, privacy, anonymity  |  Actual Points:
Parent ID:                                |         Points:
  Sponsor:                                |
------------------------------------------+--------------------------

Comment (by misc-human):

 I'll add that anecdotally, I've redirected at least $100 but probably more
 of purchases to competitors of CloudFlare customers due to captchas.

 In economic terms, CloudFlare's service is creating "negative
 externalities". This term describes the fact that CloudFlare profits from
 an action that negatively affects a 3rd party, in this case Tor user
 agents, as readily admitted by jgrahamc. (Among others - remote execution
 risks pointed out by ioerror, privacy degradation).

 It's a poor security mechanism from the view of false positives, and as
 pointed out it's hard to believe spammers don't operate human captcha-
 solving farms in any case, leading to unavoidable, high false negatives.

 Combined with the laughable notion to classify Tor IPs using a generic IP
 reputation implementation when *you have the exit IP list as a given*, the
 security engineering employed at CloudFlare is beyond reproach. It's a
 turd that should not be polished, IMO. I agree on the proportionality and
 carrier-grade NAT points above.

 Worth mentioning the entire Tor network has very small egress bandwidth
 relatively, so the strain on CloudFlare, from Tor, will never be that
 high.

 Yes, it is preferable as default to serve Always Online content to Tor
 Exits for GET requests, where you would otherwise have served a captcha.
 Stop polishing the turd.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:75>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online