Re: [tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance
#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
Reporter: ioerror | Owner: tbb-team
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: security, privacy, anonymity | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------------------------+--------------------------
Comment (by ttr99):
Right, so let's suppose I am a non-tech-savvy internet user. I just
opened a restaurant and I put up a web page advertising my restaurant
which gives a phone number people can call to make a booking.

I've heard about all the bad hackers and spammers on the internet so I
want to keep my site safe and secure. I google up on how to do that and I
read something about Cloudflare. Sounds good, so I decide to protect my
site with Cloudflare.

What happens?

After 1 hour I get my first customer, they come from a clearnet IP, like
the website and menu, check my address, and call up to make a booking.

After 1 more hour, I get my second customer, but they are browsing through
Tor. Cloudflare gives them an impossible-to-solve captcha, they leave and
go to Burger King instead.

Can you see the problem? I lost a customer because Cloudflare - for no
legitimate reason - made my site unusable.

Cloudflare's threat model is wrong. It sounds good and proper for
Cloudflare to say, "we protect our users and their sites", but in reality
that is not what they are doing. In the case described above, there is no
question of protection, no reason to suppose harm will occur from the Tor
user, no question of comment spam or any reason to believe a DDoS is
happening. But because Cloudflare have implemented a broken solution to
the wrong problem (Tor users vs malicious users), I lost a customer.

So it's easy to say, we protect our users, but in real terms, if you put
it to any one of Cloudflare's customers, I don't believe any of them will
see the above situation as something that requires "protection". Just
coming from Tor in and of itself is not a problem. In the case of
suspected comment spam, captchas can be served up; in the case of a DDoS
attack there are other solutions (and do DDoS attacks even come from Tor,
seems doubtful?).

Now you can say the above example is contrived, or you only lost one
customer which is not a lot, but it highlights that CF are using the wrong
approach to solve the problem. Right now this type of problem is not very
big because the set of Tor users compared to clearnet users is small, so
the lost business is again small, but I am sure Tor use is only going to
grow over time, and the problem is only going to grow. CF need to get
ahead of the curve on this.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:72>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online