Re: [tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance
#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
Reporter: ioerror | Owner: tbb-team
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: security, privacy, anonymity | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------------------------+--------------------------
Comment (by cypherpunks):
Replying to [comment:10 marek]:
>
> > Here is a non-cryptographic, non-cookie based solution: Never prompt
> > for a CAPTCHA on GET requests.
>
> There are a number of problems with this model.
>
> (POST is hard) First, what should the proxy actually *do* on the POST?
> Abort your POST, serve a captcha, and ask you to fill the POST again? Or
> accept your 10meg upload, serve a captcha and ask you to upload it again?
> Now think about proxy behaviour during an attack. Doing captcha validation
> on POST is not a trivial thing.

CloudFlare is in a position to inject JavaScript into sites. Why not hook
requests that would result in a POST and challenge after, say, clicking the
submit button?

>
> @willscott:
>
> > What sort of data would qualify as an 'i'm a human' bit?
>
> Let's start with something not-worse than now: a captcha solved in the last
> <XX> minutes.

Is this something that CloudFlare has actually found effective? Are there
metrics on how many challenged requests that successfully solved a CAPTCHA
turned out to actually be malicious?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online