Opened 3 years ago
Last modified 14 months ago
#24321 reopened task
Review Cloudflare's Official "Privacy Pass" addon to evaluate inclusion in Tor Browser
| Reported by: | cypherpunks | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | cloudflare, mitm |
| Cc: | nullius@…, fdsfgs@…, dmr, jlongworth | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description (last modified by )
https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/
This addon is a design intended to reduce the captcha burden from Cloudflare on users.
PETS 2018 paper:
https://petsymposium.org/2018/files/papers/issue3/popets-2018-0026.pdf
Child Tickets
| Ticket | Status | Owner | Summary | Component |
|---|---|---|---|---|
| #33452 | new | tbb-team | Ensure that the PrivacyPass extension is able to get passes (if installed) | Applications/Tor Browser |
Change History (41)
comment:1 Changed 3 years ago by
| Cc: | nullius@… added |
|---|
comment:2 Changed 3 years ago by
Against.
Of all the people that get to run code as an addon in my browser, it's hard to think of people I trust less than Cloudflare.
Edit: All the people that worked there that I trusted left I think.
comment:3 follow-ups: 6 10 Changed 3 years ago by
The funny thing is https://archive.is/ is using Cloudflare too. How the hell am I suppose to read that?
comment:4 Changed 3 years ago by
Too many websites use Cloudflare for FREE SSL and Cache. No other online service provide this level, for FREE, zero dollars! That's why they use Cloudflare and they won't change that easily. Piracy site use Cloudflare to hide their IP too.
Cloudflare can collect information what IP goes to what cloudflared website. This will bring enough information to make online profile of the user. With Google's captcha API combined, non-Tor users are always fucked up. And Tor users like us can't read cloudflared websites.
comment:6 Changed 3 years ago by
Replying to cypherpunks:
The funny thing is https://archive.is/ is using Cloudflare too. How the hell am I suppose to read that?
Yes, sorry, I am aware of that. And that’s not the first time this has come up here; compare ticket:18361#comment:190 and following. It highlights the scope of the problem, really.
archive.is did click a whitelist checkbox, which made this CAPTCHA “sporadic” rather than “always”.
comment:7 Changed 3 years ago by
| Parent ID: | → #18361 |
|---|
This is a duplicate of #18361, or at best its child bug. See ticket:18361#comment:241 as proposed solution by jgrahamc (Cloudflare’s CTO) to #18361. (Note: Does not actually fix the problem.)
comment:9 Changed 3 years ago by
I agree, Cloudflare captchas have been much much lesser in frequency these 8 months with the Tor Browser so I don't even see the usefulness of this...
comment:10 Changed 3 years ago by
Replying to cypherpunks:
The funny thing is https://archive.is/ is using Cloudflare too. How the hell am I suppose to read that?
Don't go to archive.is use their archive.fo instead. Or use https://via.hypothes.is/https://archive.fo (you'll need to refresh the page when it's capturing the page in the "Loading...")
comment:11 Changed 3 years ago by
https://www.reddit.com/r/TOR/comments/7e2joe/endless_captchas_privacy_pass_doesnt_help/
Here's an example of a user who tripped into Cloudflare's rabbithole.
Write a blog to inform the "newbie" user like him to stop using that add-on.
comment:12 follow-up: 38 Changed 3 years ago by
comment:13 Changed 3 years ago by
Suggestion: Instead of using some ad hoc “pass” scheme to distinguish “good” from “bad” traffic, Cloudflare and Tor Browser should both implement an Internet Standard, RFC 3514. If Tor Browser may consider implementing such a feature, should I open a new bug for this?
N.b. that this suggested implementation does not eliminate CAPTCHAs. Rather, it turns so-called “challenges” into an in-browser currency whilst snookering the user into serving as a mechanical Turk. Thus, it is perhaps the worst form of micropayments ever conceived. As a more general issue, users should be educated on the current market value of their time and “Attention Required!” attention performing mind-numbingly boring tasks on behalf of computers: The new masters, whom humans are hatched to serve.
comment:14 Changed 2 years ago by
| Cc: | fdsfgs@… added |
|---|
comment:15 Changed 2 years ago by
| Priority: | Very High → Low |
|---|---|
| Severity: | Critical → Normal |
comment:16 Changed 2 years ago by
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:17 Changed 2 years ago by
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
Can you please stop closing random tickets? Thanks!
comment:18 Changed 2 years ago by
| Resolution: | → wontfix |
|---|---|
| Status: | reopened → closed |
comment:19 Changed 2 years ago by
| Resolution: | wontfix |
|---|---|
| Status: | closed → reopened |
Please stop closing random bugs, thanks.
comment:20 Changed 2 years ago by
| Milestone: | → Deliverable-Mar2011 |
|---|---|
| Sponsor: | → Sponsor8-must |
| Status: | reopened → needs_information |
| Version: | → Tor: 0.3.2.3-alpha |
comment:21 Changed 2 years ago by
| Reviewer: | → gk |
|---|---|
| Summary: | Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness! → Let's use Cloudflare's Official "Privacy Pass" addon! |
comment:22 Changed 2 years ago by
| Milestone: | Deliverable-Mar2011 |
|---|---|
| Owner: | tbb-team deleted |
| Reviewer: | gk |
| Sponsor: | Sponsor8-must |
| Status: | needs_information → assigned |
| Summary: | Let's use Cloudflare's Official "Privacy Pass" addon! → Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness! |
| Version: | Tor: 0.3.2.3-alpha |
comment:23 Changed 2 years ago by
| Owner: | set to tbb-team |
|---|
comment:24 Changed 2 years ago by
| Parent ID: | #18361 |
|---|
comment:25 Changed 2 years ago by
Our add-on is open source. You can trust us.
Please contact us so we can assist you.
comment:26 Changed 2 years ago by
| Parent ID: | → #18361 |
|---|
comment:27 follow-up: 28 Changed 2 years ago by
Copied from add-on's review. This Mr/Mrs. Alexander didn't understand how Cloudflare works.
Tor devs, why not write about Cloudflare in your blog already?
Other anonymous users, stop using this add-on.
If you use this, YOU ARE TRADING YOUR PRIVACY, AND CLOUDFLARE CAN IDENTIFY YOU
EVEN WHEN YOU VISIT OTHER CLOUDFLARED WEBSITE!!
This add-on send "token"(like passport in real life) in background to
Cloudflare server, when add-on detect "HTTP 403" and Cloudflare-specific header.
It scan all website's response, and it's using multiple listener(which is unnecessary).
Adding this add-on to your browser may seriously degrade your browsing speed.
If you really care about your privacy or internet anonymity, you should do:
- Ask the website owner to stop using Cloudflare and pick alternative method such as WAF module.
- Ask the website owner to add "T1" to Cloudflare's whitelist(NOT A BEST OPTION)
- If both are failed, just say "goodbye, I'm gonna use other website, asshole" to the owner.
- Don't buy anything or input your information on Cloudflare websites.
- Join to this ticket for discussion and development for TorButton patch: #24351
SAY NO TO CLOUDFLARE.
https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/reviews/
Makes using TOR bearable again! Occasionally I use TOR for a few hours while browsing to to get a feel for how it feels like to browse the web when you're not connected using a (mostly) stable and (mostly) AAA broadband connection. Until this extension arrieved: Terrible! It'd just be CAPTCHA after CAPTCHA, after CAPTCHA… One really doesn't realize how mighty CloudFlare is until one spends some time using TOR :-( Anyways, while this extension obviously doesn't address Cloudization at all at least it drastically improves the experience when surfing with TOR! And the was the point from the beginning wasn't it? So thumbs for getting this to work! You've done a great job on this! Rated 5 out of 5 by Alexander Schlarb
comment:28 Changed 2 years ago by
Replying to cypherpunks:
Copied from add-on's review. This Mr/Mrs. Alexander didn't understand how Cloudflare works.
[...well said...]
Makes using TOR bearable again!
Occasionally I use TOR for a few hours while browsing to to get a feel
for how it feels like to browse the web when you're not connected using
a (mostly) stable and (mostly) AAA broadband connection.
Until this extension arrieved: Terrible!
It'd just be CAPTCHA after CAPTCHA, after CAPTCHA… One really doesn't
realize how mighty CloudFlare is until one spends some time using TOR :-(
The ironic part is, a CAPTCHA is an denial-of-service on two different levels: It denies service to connections which for any reason, including conscious choice, do not abjectly submit and jump through CAPTCHA hoops; and it denies wetware service, stealing away time from the life of a human being. By distributing its DOS across a claimed six million different websites, Cloudflare is an anti-human DDoS.
“CAPTCHA madness” long ago reached the point that I question whether anybody who fills out CAPTCHAs on demand be actually human. Who robotically obeys arbitrary orders to complete tedious tasks which would numb the mind of any human? Why, a robot!
Myself, I stopped Cloudflare’s DDoS against my limited lifetime by installing this extension in my Tor Browser:
https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/
https://github.com/nym-zone/block_cloudflare_mitm_fx
Now, I don’t see any more Cloudflare CAPTCHAs. None! Never! Problem solved.
When will people grow some spine, and learn to “vote with their feet” (or their clicks)?
I also ban Gmail correspondence from my personal life. E-mailing me is a privilege, not a right; and even with PGP, Google gets all the metadata (date/time, social graph...).
Likewise, I don’t want a man-in-the-middle decrypting my TLS connections throughout some obscene proportion of my web sessions. A site uses Cloudflare? With very few, very limited exceptions, my answer is: Bye!
Privacy is important; and if the Tor Project desires to promote privacy, then they should encourage Cloudflare to throw as many CAPTCHAs as possible until Cloudflare destroys their customers’ traffic stats and user bases.
In my opinion, Cloudflare’s policy should be: CAPTCHAs for everybody! CAPTCHAs, day and night! CAPTCHAs for Tor, and non-Tor, too—minute-long CAPTCHAs, hour-long CAPTCHAs, CAPTCHAs sixscore times per day. Eventually, people would realize that when Cloudflare demands that you drive a “self-driving” car AI for Google, the only way to win is not to play. Only the sanity of those who refuse “CAPTCHA madness” can stop CAPTCHA madness.
comment:29 Changed 2 years ago by
| Priority: | Low → Very High |
|---|---|
| Resolution: | → worksforme |
| Status: | assigned → closed |
| Summary: | Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness! → Cloudflare's Official "Privacy Pass" addon is great |
comment:30 follow-up: 31 Changed 2 years ago by
| Resolution: | worksforme |
|---|---|
| Status: | closed → reopened |
| Summary: | Cloudflare's Official "Privacy Pass" addon is great → CloudFlare Fuck YOU |
If you really care about your privacy or internet anonymity, you should do:
I totally aggrree. And we need an own method. I just suggest using old good well-known proof-of-work.
comment:31 Changed 2 years ago by
| Summary: | CloudFlare Fuck YOU → Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness! |
|---|
Replying to cypherpunks:
If you really care about your privacy or internet anonymity, you should do:
I totally aggrree. And we need an own method. I just suggest using old good well-known proof-of-work.
comment:32 Changed 2 years ago by
| Parent ID: | #18361 |
|---|
comment:33 Changed 2 years ago by
| Parent ID: | → #18361 |
|---|
GK, Why did you removed PID? Because you are Cloudflare employee's friend?
comment:34 Changed 2 years ago by
| Keywords: | cloudflare mitm added |
|---|
comment:36 Changed 2 years ago by
| Resolution: | invalid |
|---|---|
| Status: | closed → reopened |
Please don't change bug statuses.
comment:37 Changed 23 months ago by
| Cc: | dmr added |
|---|
comment:38 Changed 23 months ago by
| Description: | modified (diff) |
|---|---|
| Summary: | Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness! → Review Cloudflare's Official "Privacy Pass" addon to evaluate inclusion in Tor Browser |
Replying to cypherpunks:
https://lists.torproject.org/pipermail/tor-dev/2017-November/012627.html
Quoting that email from gk here:
bancfc at openmailbox.org:
Hi. Are there any plans to include Privacy Pass addon in Tor Browser by default? Privacy Pass is the result of some great work by Ian and his team at University of Waterloo to spare Tor users the torture of solving infinite captchas from Cloudflare.[0][1]
That's not decided yet. We are still reviewing the extension in a Tor
Browser context.
Georg
[0] https://privacypass.github.io/team/
[1] https://blog.cloudflare.com/privacy-pass-the-math/
Based on that, changing the ticket title to reflect the task more appropriately. Moving some of the title into the ticket body, to keep that context.
comment:39 Changed 23 months ago by
| Description: | modified (diff) |
|---|
Adding the "Privacy Pass" PETS 2018 paper to description.
comment:40 Changed 15 months ago by
| Cc: | jlongworth added |
|---|---|
| Parent ID: | #18361 |
| Priority: | Very High → Medium |
Please don’t. All of the following reasons are valid, and any would be sufficient to close this bug WONTFIX:
(Any apparent ire in the foregoing is not directed at Privacy Pass itself. It looks like a neat idea. It needs crypto experts to hammer on it for awhile. Then, sane sites may have more options for filtering the limited subset of requests which have high abuse potential. Ire is directed at Cloudflare, the Net’s single largest MITM security hole, which needs to die in a fire. “IMO.”)