Opened 6 months ago

Last modified 8 days ago

#24321 reopened task

Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness!

Reported by: cypherpunks
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: cloudflare, mitm
Cc: nullius@…, fdsfgs@…
Actual Points:
Parent ID: #18361
Points:
Reviewer:
Sponsor:

Child Tickets

Change History (36)

comment:1 Changed 6 months ago by nullius

Cc: nullius@… added

Please don’t. All of the following reasons are valid, and any would be sufficient to close this bug WONTFIX:

  1. The idea that Tor users should be forced to install arbitrary software to comply with the wishes of Tor-blockers is wrong, wrong, WRONG in principle. To do so would set a horrid precedent. What’s next, a Tor Browser plugin which provides blinded signatures from a smartcard chip in a government-issued “Internet Driver’s License”? Such blinding should be done with some scheme which can be reversed by “escrowed” keys, of course. Hey, if you have nothing to hide, that would not only stop net abuse, it would also facilitate legitimate law enforcement! (I am scared by the number of people who will not detect sarcasm in that statement.)
  2. Privacy Pass is still experimental. Well, quote-unquote “beta”, according to their own FAQ: “we regard Privacy Pass and the protocol we use as being beta releases currently and still under active development”. Moreover, it is their own cryptographic construction—“developed independently”—and a subtly novel one. There is nothing wrong with that; all good crypto starts that way; but it does mean, this needs to be thoroughly peer-reviewed. Frankly, it needs to see some serious public attempts to attack it (especially its promises of unlinkability). This is NOT ready to be included with Tor Browser at all, let alone enabled by default.
  3. The right way to “end Cloudflare captcha madness!”, per this ticket’s title, is for Cloudflare to stop being mad—or better still, for its customers to dump it. Not for the Tor Browser team to jump through Cloudflare-defined hoops, or feel their users are being held as hostages. Myself, I simply ignore most sites which demand a CAPTCHA for read-only, no-side-effect requests. There are plenty of other sites I can go to. Their loss is worse than mine. Really. Throwing up a Cloudflare CAPTCHA before you deign to let me see your site is the equivalent of a Flash-required splash page 20 years ago. It makes you look stupid. Cloudflare “madness” is losing quality site visitors, and sites need to be told that.

(Any apparent ire in the foregoing is not directed at Privacy Pass itself. It looks like a neat idea. It needs crypto experts to hammer on it for a while. Then, sane sites may have more options for filtering the limited subset of requests which have high abuse potential. Ire is directed at Cloudflare, the Net’s single largest MITM security hole, which needs to die in a fire. “IMO.”)

comment:2 Changed 6 months ago by yawning

Against.

Of all the people that get to run code as an addon in my browser, it's hard to think of people I trust less than Cloudflare.

Edit: All the people that worked there that I trusted left I think.

Last edited 6 months ago by yawning

comment:3 Changed 6 months ago by cypherpunks

The funny thing is https://archive.is/ is using Cloudflare too. How the hell am I supposed to read that?

comment:4 Changed 6 months ago by cypherpunks

Too many websites use Cloudflare for FREE SSL and cache. No other online service provides this level, for FREE, zero dollars! That's why they use Cloudflare and they won't change that easily. Piracy sites use Cloudflare to hide their IP too.

Cloudflare can collect information about which IP goes to which cloudflared website. This will bring enough information to make an online profile of the user. With Google's captcha API combined, non-Tor users are always fucked up. And Tor users like us can't read cloudflared websites.

comment:6 in reply to: 3 Changed 6 months ago by nullius

Replying to cypherpunks:

The funny thing is https://archive.is/ is using Cloudflare too. How the hell am I supposed to read that?

Yes, sorry, I am aware of that. And that’s not the first time this has come up here; compare ticket:18361#comment:190 and following. It highlights the scope of the problem, really.

archive.is did click a whitelist checkbox, which made this CAPTCHA “sporadic” rather than “always”.

comment:7 Changed 6 months ago by nullius

Parent ID: #18361

This is a duplicate of #18361, or at best its child bug. See ticket:18361#comment:241 as proposed solution by jgrahamc (Cloudflare’s CTO) to #18361. (Note: Does not actually fix the problem.)

comment:8 Changed 6 months ago by nullius

Related: #24351

comment:9 Changed 6 months ago by cypherpunks

I agree, Cloudflare captchas have been much, much less frequent these 8 months with the Tor Browser, so I don't even see the usefulness of this...

Last edited 6 months ago by cypherpunks

comment:10 in reply to: 3 Changed 6 months ago by cypherpunks

Replying to cypherpunks:

The funny thing is https://archive.is/ is using Cloudflare too. How the hell am I supposed to read that?

Don't go to archive.is; use their archive.fo instead. Or use https://via.hypothes.is/https://archive.fo (you'll need to refresh the page when it's stuck capturing the page in the "Loading..." state).

Last edited 6 months ago by cypherpunks

comment:11 Changed 6 months ago by cypherpunks

https://www.reddit.com/r/TOR/comments/7e2joe/endless_captchas_privacy_pass_doesnt_help/

Here's an example of a user who tripped into Cloudflare's rabbit hole. Write a blog post to inform "newbie" users like him to stop using that add-on.

comment:13 Changed 6 months ago by nullius

Suggestion: Instead of using some ad hoc “pass” scheme to distinguish “good” from “bad” traffic, Cloudflare and Tor Browser should both implement an Internet Standard, RFC 3514. If Tor Browser may consider implementing such a feature, should I open a new bug for this?

N.b. that this suggested implementation does not eliminate CAPTCHAs. Rather, it turns so-called “challenges” into an in-browser currency whilst snookering the user into serving as a mechanical Turk. Thus, it is perhaps the worst form of micropayments ever conceived. As a more general issue, users should be educated on the current market value of their time and “Attention Required!” attention performing mind-numbingly boring tasks on behalf of computers: The new masters, whom humans are hatched to serve.

comment:14 Changed 5 months ago by tokotoko

Cc: fdsfgs@… added

comment:15 Changed 5 months ago by cypherpunks

Priority: Very High → Low
Severity: Critical → Normal

comment:16 Changed 5 months ago by cypherpunks

Resolution: invalid
Status: new → closed

comment:17 Changed 5 months ago by cypherpunks

Resolution: invalid
Status: closed → reopened

Can you please stop closing random tickets? Thanks!

comment:18 Changed 5 months ago by cypherpunks

Resolution: wontfix
Status: reopened → closed

comment:19 Changed 5 months ago by gk

Resolution: wontfix
Status: closed → reopened

Please stop closing random bugs, thanks.

comment:20 Changed 5 months ago by cypherpunks

Milestone: Deliverable-Mar2011
Sponsor: Sponsor8-must
Status: reopened → needs_information
Version: Tor: 0.3.2.3-alpha

comment:21 Changed 5 months ago by cypherpunks

Reviewer: gk
Summary: Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness! → Let's use Cloudflare's Official "Privacy Pass" addon!

comment:22 Changed 5 months ago by gk

Milestone: Deliverable-Mar2011
Owner: tbb-team deleted
Reviewer: gk
Sponsor: Sponsor8-must
Status: needs_information → assigned
Summary: Let's use Cloudflare's Official "Privacy Pass" addon! → Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness!
Version: Tor: 0.3.2.3-alpha

comment:23 Changed 5 months ago by gk

Owner: set to tbb-team

comment:24 Changed 5 months ago by cloudflarezoey

Parent ID: #18361

comment:25 Changed 5 months ago by cloudflarezoey

Our add-on is open source. You can trust us.

Please contact us so we can assist you.

https://support.cloudflare.com/hc/en-us/requests/new

comment:26 Changed 5 months ago by cypherpunks

Parent ID: #18361

comment:27 Changed 5 months ago by cypherpunks

Copied from the add-on's reviews. This Mr/Mrs. Alexander didn't understand how Cloudflare works.

Tor devs, why not write about Cloudflare in your blog already?
Other anonymous users, stop using this add-on.

If you use this, YOU ARE TRADING YOUR PRIVACY, AND CLOUDFLARE CAN IDENTIFY YOU EVEN WHEN YOU VISIT OTHER CLOUDFLARED WEBSITES!!

This add-on sends a "token" (like a passport in real life) in the background to the Cloudflare server when the add-on detects an "HTTP 403" and a Cloudflare-specific header.

It scans every website's response, and it uses multiple listeners (which is unnecessary). Adding this add-on to your browser may seriously degrade your browsing speed.

If you really care about your privacy or internet anonymity, you should do:

  1. Ask the website owner to stop using Cloudflare and pick an alternative method such as a WAF module.
  2. Ask the website owner to add "T1" to Cloudflare's whitelist (NOT THE BEST OPTION).
  3. If both fail, just say "goodbye, I'm gonna use another website, asshole" to the owner.
  4. Don't buy anything or input your information on Cloudflare websites.
  5. Join this ticket for discussion and development of the TorButton patch: #24351

SAY NO TO CLOUDFLARE.

https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/reviews/

Makes using TOR bearable again!

Occasionally I use TOR for a few hours while browsing to get a feel for what it feels like to browse the web when you're not connected using a (mostly) stable and (mostly) AAA broadband connection. Until this extension arrived: Terrible! It'd just be CAPTCHA after CAPTCHA, after CAPTCHA… One really doesn't realize how mighty CloudFlare is until one spends some time using TOR :-(

Anyways, while this extension obviously doesn't address Cloudization at all, at least it drastically improves the experience when surfing with TOR! And that was the point from the beginning, wasn't it? So thumbs up for getting this to work! You've done a great job on this!

Rated 5 out of 5
by Alexander Schlarb

Last edited 5 months ago by cypherpunks

comment:28 in reply to: 27 Changed 5 months ago by nullius

Replying to cypherpunks:

Copied from the add-on's reviews. This Mr/Mrs. Alexander didn't understand how Cloudflare works.

[...well said...]

Makes using TOR bearable again!

Occasionally I use TOR for a few hours while browsing to get a feel for what it feels like to browse the web when you're not connected using a (mostly) stable and (mostly) AAA broadband connection. Until this extension arrived: Terrible! It'd just be CAPTCHA after CAPTCHA, after CAPTCHA… One really doesn't realize how mighty CloudFlare is until one spends some time using TOR :-(

The ironic part is, a CAPTCHA is a denial-of-service on two different levels: It denies service to connections which for any reason, including conscious choice, do not abjectly submit and jump through CAPTCHA hoops; and it denies wetware service, stealing away time from the life of a human being. By distributing its DoS across a claimed six million different websites, Cloudflare is an anti-human DDoS.

“CAPTCHA madness” long ago reached the point that I question whether anybody who fills out CAPTCHAs on demand is actually human. Who robotically obeys arbitrary orders to complete tedious tasks which would numb the mind of any human? Why, a robot!

Myself, I stopped Cloudflare’s DDoS against my limited lifetime by installing this extension in my Tor Browser:

https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

https://github.com/nym-zone/block_cloudflare_mitm_fx

Now, I don’t see any more Cloudflare CAPTCHAs. None! Never! Problem solved.

When will people grow some spine, and learn to “vote with their feet” (or their clicks)?

I also ban Gmail correspondence from my personal life. E-mailing me is a privilege, not a right; and even with PGP, Google gets all the metadata (date/time, social graph...).

Likewise, I don’t want a man-in-the-middle decrypting my TLS connections throughout some obscene proportion of my web sessions. A site uses Cloudflare? With very few, very limited exceptions, my answer is: Bye!

Privacy is important; and if the Tor Project desires to promote privacy, then they should encourage Cloudflare to throw as many CAPTCHAs as possible until Cloudflare destroys their customers’ traffic stats and user bases.

In my opinion, Cloudflare’s policy should be: CAPTCHAs for everybody! CAPTCHAs, day and night! CAPTCHAs for Tor, and non-Tor, too—minute-long CAPTCHAs, hour-long CAPTCHAs, CAPTCHAs sixscore times per day. Eventually, people would realize that when Cloudflare demands that you drive a “self-driving” car AI for Google, the only way to win is not to play. Only the sanity of those who refuse “CAPTCHA madness” can stop CAPTCHA madness.

comment:29 Changed 4 months ago by cypherpunks

Priority: Low → Very High
Resolution: worksforme
Status: assigned → closed
Summary: Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness! → Cloudflare's Official "Privacy Pass" addon is great

comment:30 Changed 4 months ago by cypherpunks

Resolution: worksforme
Status: closed → reopened
Summary: Cloudflare's Official "Privacy Pass" addon is great → CloudFlare Fuck YOU

If you really care about your privacy or internet anonymity, you should do:

I totally agree. And we need our own method. I just suggest using good old well-known proof-of-work.

comment:31 in reply to: 30 Changed 4 months ago by gk

Summary: CloudFlare Fuck YOU → Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness!

Replying to cypherpunks:

If you really care about your privacy or internet anonymity, you should do:

I totally agree. And we need our own method. I just suggest using good old well-known proof-of-work.

comment:32 Changed 4 months ago by gk

Parent ID: #18361

comment:33 Changed 4 months ago by cypherpunks

Parent ID: #18361

GK, why did you remove the PID? Because you are a Cloudflare employee's friend?

comment:34 Changed 4 months ago by cypherpunks

Keywords: cloudflare mitm added

comment:35 Changed 10 days ago by cypherpunks

Resolution: invalid
Status: reopened → closed

Who cares?

comment:36 Changed 8 days ago by tom

Resolution: invalid
Status: closed → reopened

Please don't change bug statuses.
