Re: [tor-bugs] #24351 [Applications/Tor Browser]: Block Global Active Adversary Cloudflare
#24351: Block Global Active Adversary Cloudflare
----------------------------------------------------------+-------------------------
 Reporter: nullius                                        | Owner: tbb-team
 Type: enhancement                                        | Status: needs_information
 Priority: High                                           | Milestone:
 Component: Applications/Tor Browser                      | Version:
 Severity: Major                                          | Resolution:
 Keywords: security, privacy, anonymity, mitm, cloudflare | Actual Points:
 Parent ID: #18361                                        | Points:
 Reviewer:                                                | Sponsor:
----------------------------------------------------------+-------------------------
Changes (by nullius):

 * severity: Blocker => Major

Comment:

The enthusiasm for solving this problem is commendable; but as a practical
matter, I doubt that much could be achieved by throwing “Blocker” severity
into the mundane workflow of bug management.

I suggest instead that it would be productive to raise awareness of this
issue, answer the rather specious counterarguments which have been raised,
and—write some code! “Cypherpunks write code.”

As for code: Does anyone interested in this bug have a starting idea for
where to hook this feature into either Torbutton or Firefox? I’m
`main()`ly a C wrangler, and not really familiar with the codebase of
either. From an architectural standpoint, it would be wise to patch this
by some means which could later be ported to other browsers, and/or lifted
out into its own extension. That way, users of other browsers could
ultimately benefit from our efforts here.

As for awareness: Even in tech circles, it seems that most people don’t
even stop to think about how Cloudflare works, or what the implications
could be. I suppose also that those who do, may simply shrug in
resignation: Cloudflare is too big, too powerful; people are too
apathetic about privacy and security. I say this based on my own
experience. The “oh, duh!” moment came for me in 2015, when I was
designing my own little hack on TLS and paused to wonder how Cloudflare
does this. ''They decrypt everything. Of course.'' After that, I simply
never spoke up about this, because it seemed that nobody cared.

On that last point, the responses on this bug have proved me wrong. I
intend to respond to some of the points raised above. Also, I suggest we
should carry on this discussion and get the word out—perhaps, organize in
another venue. Tor should be activism-friendly; but this is a bug tracker
and a Tor Browser bug, where I suggest we ought try to focus on how ''and
why'' to fix this in Tor Browser. Beyond that—any takers?

(As for those who like what I’ve written here: Feel free to copy
and share, in whole or in part. Simply attribute to ''nullius (@)
nym.zone''. Thanks for actually giving a damn about this issue.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24351#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online