Re: [tor-bugs] #18361 [Tor Browser]: Issues with corporate censorship and mass surveillance
#18361: Issues with corporate censorship and mass surveillance
------------------------------------------+--------------------------
Reporter: ioerror | Owner: tbb-team
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: security, privacy, anonymity | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------------------------+--------------------------
Comment (by ioerror):
Replying to [comment:82 jgrahamc]:
> To summarize:
>
> 0. We fixed the bug that caused a new CAPTCHA to be served for a site
> when the circuit changes.
>
Doesn't this mean that you've now got cross circuit tracking for Tor
Browser users, effectively? I assume that is by issuing a cookie that
isn't tied to a given IP address - though again without any transparency,
I feel like it is unclear what was actually done in any technical sense.
> 1. We'll roll out the ability for any CloudFlare web site to whitelist
> Tor so that Tor users will not see CAPTCHAs within days.
It seems reasonable to thank you for this option, though I admit, I'm
actually quite displeased with it personally. You've chosen to frame this
as a positive thing when in fact, you're allowing a few people to jump
through hoops while keeping the vast majority of the web censored by
default. It would be possible to serve up an Always Online version with no
captcha as the default behavior as a very reasonable middle ground. The
default will not change and so, there is no change to the status quo.
This as a default means that by default CF will continue their censorship
of Tor users who wish to read websites.
I urge you to reconsider this while your points 2 and 3 are outstanding.
>
> 2. We've reproduced the "CAPTCHA loop" problem and have an engineer
> looking into what's happening.
Is there a timeline for this? Will they report back on this bug?
> 3. We are in contact with Google to see if they can help us with number
> 2.
Does this indeed mean that Google, because of actions by CF, has data on
every person prompted for a CAPTCHA?
> 4. I've asked our head of Infosec to look into an alternative CAPTCHA
> provider. We had already done this in the past and concluded that
> switching to the latest reCAPTCHA was going to be 'better'. It looks like
> it has not made things better.
Any American third party presents similar problems to Google. On the one
hand, they are a PRISM provider. On the other, they probably have the best
security team in the world. Why aren't you guys just hosting your own
CAPTCHA solution or proxying it to Google in such a way that Google gets
nothing directly from your users?
I hope that I'm reading you wrong but it also seems like you're concluding
your engagement here. I'd like to encourage you to keep engaging here -
there are many outstanding questions for CloudFlare that you (or others at
CF) haven't answered which help us to understand the shape of the current
and future situation.
The above four points, as well as a near total dismissal of all other
questions, could be summed up as confirming a critical multi-month long
bug with a vague promise that you guys will look into it. I really hope
that this isn't the case - especially considering the other questions and
the other options discussed here.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18361#comment:91>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online