Opened 9 months ago

Last modified 3 months ago

#24351 reopened enhancement

Block Global Active Adversary Cloudflare

Reported by: nullius
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: security, privacy, anonymity, mitm, cloudflare
Cc: fdsfgs@…
Actual Points:
Parent ID: #18361
Points: 1000
Reviewer:
Sponsor:

Description

#18361 and its comments adequately summarize the general problem with Cloudflare’s MITM attack on the Internet. I need not repeat, save to emphasize that when Tor Browser alleges it has a secure (TLS) connection, it is lying to the user if the connection runs through a known MITM.

A reasonable workaround is for Tor Browser to block all Cloudflare sites loaded through HTTPS, or at least warn the user when such a site is loaded. This can be done by detecting the non-standard CF-Ray: HTTP header.

I suggest that this security enhancement should be tied to the Security Slider. On High, all HTTPS connections which receive said response header should immediately terminate, with an error message given to the user. On Medium, the user should be warned and asked whether Tor Browser should proceed. On Low, where all manner of mischief is allowed by default (even non-TLS-loaded Javascript!), Cloudflare page loads may be permitted without warning. Users who run on the Low setting are begging to be pwned, anyway.

As an ancillary benefit, this feature will also obviate the specious reasoning behind demands to bundle untrusted third-party software with Tor Browser. See #24321.

Perhaps most visibly from a user experience and support perspective, this feature will also save users much wasted time solving pointless CAPTCHAs to visit sites which are mostly idiotic, anyway. This should result in reduced user complaints about network breakage deliberately caused by third parties outside the Tor Project’s control.

See also Debian bug: https://bugs.debian.org/831835

Child Tickets

Attachments (2)

1948092a067bd961b1b3d3d25e161cf9.jpg (54.7 KB) - added by cypherpunks 7 months ago.
mitm
block_cloudflare_mitm_attack-1.0.14.1-an+fx.xpi (65.4 KB) - added by cypherpunks 5 months ago.
Block Cloudflare MiTM Attack, v1.0.14.1 Signed


Change History (84)

comment:1 Changed 9 months ago by cypherpunks

I'm the person who created the "madness" ticket, and you, sir, well written!

Yes, please block Cloudflare once and for all. I'm expecting some kind of "Insecure connection" error page
to block further connection without user consent.

For example, when I visit "CloudflareMustDie.com",

  1. TBB will show "Insecure connection" errorpage.
  2. User will decide what to do - go back, try a cache, or ignore.

Here's my idea of errorpage design:
=====================================
Your connection is not secure

The owner of CloudflareMustDie.com is using Cloudflare on their website.
To protect your privacy from being attacked, Tor Browser has not connected to this website.

(Learn More)
[Go Back] [Connect anyway]
=====================================

(Learn More) is a link, to Tor documentation or wiki, to explain Cloudflare's MITM activity.
[Connect anyway] is a button. If the user clicks it, show a warning dialogue with a 3-second timelock:

=====================================
This connection is MITMed. Are you sure you want to do this?

[No] [Yes(3)]
=====================================

And,

response header should immediately terminate, with an error message given to the user

Yes, the connection to a CF site *should* be terminated. We should treat them like a self-signed non-onion website
which is completely insecure.

This can be done by detecting the non-standard CF-Ray: HTTP header.

You could also look at SSL certificate's CN.
Most of them are "sni(.*)\.cloudflaressl\.com".

for sample:
https://www.unspam.com/ <--- cloudflare's before project company, ewww

P.S.
I use TBB every day. I get hit by Cloudflare, and most of the time I go back and search for an alternative website.
And if I can't, I'll just open up a normal browser to browse Cloudflare-infected websites 'via VPN'.
I really hope TBB starts kicking Cloudflare. This will raise attention and the website owner MIGHT, MIGHT... add "T1" to the whitelist.
Cloudflare could add "T1" to the whitelist by default. They're so mean :'(

comment:2 Changed 9 months ago by cypherpunks

P.P.S.

http://blog.archive.is/post/150457886131/re-your-blog-post-of-september-14-2016-143

Eh... I actually tried to contact them at that time.
If you're angry like me, try to contact the website owner. Convince him to include "T1". If they don't respond, I always just leave that website.

Anyway, Cloudflare should be blocked by TBB, the privacy browser of the world. XO

comment:3 Changed 9 months ago by cypherpunks

User will decide what to do - go back, "try a cache", or ignore.

Oops. Here's an update of design. Sorry for multiple post!

=====================================
Your connection is not secure

The owner of CloudflareMustDie.com is using Cloudflare on their website.
To protect your privacy from being attacked, Tor Browser has not connected to this website.

(Learn More)
[Go Back] [Try alternative cache] [Connect anyway]
=====================================

[Try alternative cache] button will redirect you to Archive.Org.

e.g.

https://searx.ch/
==cache version===> https://web.archive.org/web/https://searx.ch/

comment:5 Changed 9 months ago by cypherpunks

HTTPS Cloudflare is MITMed.
HTTP Cloudflare is MITMed(proxied via company with zero TLS protection).

Cloudflare-proxied websites must be blocked.

1) Block Cloudflare certificates as untrusted. Treat it as self-signed.
2) Block certificate if CN is "(.*)\.cloudflaressl\.com".
3) Block if "CF-Cache-Status:" or "CF-RAY:" header is found in the response.

If 1, 2, 3 is true | then | raise "Unsecure Connection" error.
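
Checks 2 and 3 from the comment above, combined with the Security Slider policy from the ticket description, as an added example (not code from this ticket or from the add-on linked later in it). The function names, the `block`/`warn`/`allow` results, the anchored form of the CN pattern and the sample inputs are assumptions; the checks are treated as alternatives, so any one match counts.

```javascript
// Response headers the ticket names as markers of a Cloudflare-proxied response.
const MARKER_HEADERS = ['cf-ray', 'cf-cache-status'];

// Certificate CN pattern from the ticket ("(.*)\.cloudflaressl\.com"), anchored at
// both ends here so that "cloudflaressl.com.example.net" does not match.
const CF_CN_PATTERN = /^[a-z0-9-]+(\.[a-z0-9-]+)*\.cloudflaressl\.com$/i;

// Collect header names in lower case. HTTP header names are case-insensitive,
// so "CF-RAY", "CF-Ray" and "cf-ray" must all be treated as the same header.
// Accepts the [{name, value}] array shape used by WebExtension webRequest
// listeners, or a plain {name: value} object.
function headerNames(headers) {
  const names = new Set();
  if (Array.isArray(headers)) {
    for (const h of headers) {
      if (h && typeof h.name === 'string') names.add(h.name.trim().toLowerCase());
    }
  } else if (headers && typeof headers === 'object') {
    for (const name of Object.keys(headers)) names.add(name.trim().toLowerCase());
  }
  return names;
}

// Returns which of the ticket's markers were seen. A match is evidence that the
// response passed through the proxy; the absence of a match proves nothing,
// because a proxy can omit or rename its headers.
function detectProxy(headers, certCN) {
  const evidence = [];
  const names = headerNames(headers);
  for (const marker of MARKER_HEADERS) {
    if (names.has(marker)) evidence.push('header:' + marker);
  }
  if (typeof certCN === 'string' && CF_CN_PATTERN.test(certCN.trim())) {
    evidence.push('cert-cn:' + certCN.trim().toLowerCase());
  }
  return { matched: evidence.length > 0, evidence };
}

// Slider policy from the ticket description: High terminates the load,
// Medium asks the user, Low permits it without warning.
function decideAction(sliderLevel, detection) {
  if (!detection.matched) return 'allow';
  switch (String(sliderLevel).toLowerCase()) {
    case 'high': return 'block';
    case 'medium': return 'warn';
    case 'low': return 'allow';
    default: return 'block'; // assumption: an unknown level fails closed
  }
}

// Constructed sample inputs (not captured traffic).
const SAMPLE_PROXIED = [
  { name: 'Content-Type', value: 'text/html' },
  { name: 'CF-RAY', value: '0000000000000000-XXX' },
];
const SAMPLE_DIRECT = [
  { name: 'Content-Type', value: 'text/html' },
  { name: 'Server', value: 'nginx' },
];

for (const level of ['High', 'Medium', 'Low']) {
  const d = detectProxy(SAMPLE_PROXIED, 'sni12345.cloudflaressl.com');
  console.log(level, '->', decideAction(level, d), d.evidence.join(', '));
}
```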

comment:6 Changed 9 months ago by cypherpunks

=====================================

Your connection is not secure

The owner of CloudflareMustDie.com is using Cloudflare on their website.
To protect your privacy from being attacked, Tor Browser has not connected to this website.

(Learn More)
[Go Back] [Try alternative cache] [Connect anyway]
=====================================

[Try alternative cache] button will redirect you to...

https://searx.ch/
a) https://web.archive.org/web/https://searx.ch/
b) https://via.hypothes.is/https://searx.ch/

comment:7 Changed 9 months ago by cypherpunks

Resolution: invalid
Status: new → closed

You can't tell unless you have access to a site owner's Cloudflare account whether they have full SSL with Cloudflare or whether Cloudflare is MiTMing them, so this doesn't seem possible.

comment:8 in reply to:  7 Changed 9 months ago by nullius

Resolution: invalid
Status: closed → reopened

Replying to cypherpunks:

You can't tell unless you have access to a site owner's Cloudflare account whether they have full SSL with Cloudflare or whether Cloudflare is MiTMing them, so this doesn't seem possible.

Either you are obfuscating, or you are technologically incompetent. Quick proof: Assume the opposite. If Cloudflare did not act as a MITM proxy with full, active access sufficient to read and modify TLS plaintext of all connections passing through them, then they would be unable to inject the HTTP headers which this bug proposes to detect for blocking. [Sequential dotted initials “Q.”, “E.”, “D.” forbidden by Trac spam filter.]

Cloudflare is a MITM, by design. That is the primary (only?) service they offer. It does not matter what the site’s service level with them is. From the connecting user-agent’s perspective (here apropos), it does not even matter if the site uses its so-called “keyless SSL” service to preserve secrecy of its long-term private keys. Cloudflare always, always has the symmetric key to the session; and within the ostensibly encrypted session, Cloudflare is by definition a Man-In-The-Middle which decrypts, modifies, and proxies the plaintext.

Why, it is exactly as if Cloudflare were designed as a mass surveillance tool! So, what rationalizations could be supposed for those who use their services, or ignore them as a global threat?

“But Cloudflare is a trustworthy provider of Internet infrastructure.” Then, why do we need TLS at all? Just make peering arrangements with trustworthy networks who agree to pass your packets only through trustworthy routers! TLS eliminates trust in the network: By design, TLS promises end-to-end encryption. Meaning, with the endpoint. By design, Cloudflare makes a mockery of this promise.

“But most sites are on third-party hardware, anyway.” Irrelevant: Cloudflare centralizes trust.

Without the Cloudflare MITM proxy, little-newbie-web-shop.com’s TLS is handled by cheap-shared-web-host.com; chic-trendy-cloud-buzzword-startup.com’s TLS is handled by AWS; at-risk-controversial-activism.org and high-security-bitcoin-services.com should (we hope) do all their crypto on hardware under their respective owners’ physical control. The site visitor is responsible for deciding which endpoints to trust with private information. (N.b.: Reading interests and “clicktrails” are private information.) When all these sites sign up for Cloudflare, then Cloudflare becomes the one-stop decryption shop. Do you trust Cloudflare to be the “secure” Internet, or some huge proportion thereof?

Centralizing trust has a much worse effect than allowing access to many individual sites: It creates a single point at which to perform mass dragnet surveillance. As of today, Cloudflare has access to the plaintext data of more TLS sessions to more endpoints than anybody else on Earth.[1] Here, the whole is more than the sum of the parts: They are in a position to track, tap, and link Internet activity across a wide range of sites. This is why they have been declared a Global Active Adversary.

If I were the NSA or another TLA, and I sat down to design a mass-interception network to MITM TLS on a large portion of the Internet, then the result would look exactly like Cloudflare. They are in a position where they in fact do intercept the communications of billions of people with millions of websites. That is not a hypothetical: It is a description of what they actually do—every day, right now. Then, they cross their fingers and promise to respect people’s privacy. “Trust us; we will make you ‘safer’.” Again—why use any encryption at all?

On that level, Cloudflare is even worse than “key escrow” or another backdoor would be. Since the 90s, advocates of “key escrow” have promised that if centrally trusted parties are allowed to keep a backdoor key, then that would really, truly only ever be used to intercept the communications of whatever they deem “bad guys”. (Pinky swear!) Cloudflare walks in through the front door, and takes the plaintext—all of it, without exception, for everybody whose connections pass through them.

And worst of all, the design of Cloudflare removes responsibility and decision-making power from the initiator of communications. End-users are fooled into believing they connect to many different sites—all of which run through a single chokepoint. The purpose of this bug is to mitigate that problem, in a web browser specifically designed for security, privacy, and unlinkability on an anonymity network.

“But we need Cloudflare to protect from DDoS.” Hey, that’s a nice site you have there. It would be a shame, such a shame, if anything happened to it. Why don’t you let us decrypt all your TLS sessions, so we can protect you?

Cloudflare only exists because of criminal activity which can be otherwise defended against, and which should not be possible at all. They profit from fear of vigilante network censors, hold-your-site-hostage blackmailers, and Internet arsonists who simply enjoy setting things on fire for the “lulz”. The proper long-term solution to these problems involves serious technical work to make DDoS attacks more difficult to perform (and especially, harder to amplify). The proper short-term solution involves sysadmins working with competent hosts and upstream providers—just as is done by many sites which are not Cloudflare patsies customers. (I notice that torproject dot org, a controversial website, somehow manages to survive without Cloudflare.) Routing the TLS plaintext of millions of websites through a single MITM is not a solution.

Anyway, the reason why sites use Cloudflare is irrelevant. This bug is about user choice, informed decisions, and frankly, the honesty of the network. When I see the lock icon in Tor Browser, I take that as a guarantee that my connection is end-to-end encrypted. If a site uses Cloudflare, then the browser lock icon is a false promise. When I use Tor Browser to make a https connection, I also quite reasonably expect that it will terminate the connection with an error message if it detects any evidence whatsoever of a MITM attack. In this sense, blocking or warning on detection of CF-RAY: is more reliable than, say, disallowing self-signed certificates: The latter could be the genuine certificate of a website configured by a doofus, or it could be a BadExit running sslstrip, or it could be network naughtiness by hackers (on the government payroll or otherwise). CF-RAY: is always the result of a definitional MITM attack by a Global Active Adversary.

In sum, “CAPTCHA madness” is the smallest problem with Cloudflare. Their design, their business model, their very existence is a threat to the privacy, security, and freedom of the Internet. Blocking Cloudflare is an eminently reasonable mitigation strategy for a web browser which bears the name, “Tor Browser”. Bug re-opened.


  1. Source: I just assume as much; but Cloudflare would brag about that, if restated in other words as on their homepage: “Cloudflare makes more than 6,000,000 Internet properties faster and safer.” Yes, they provide “secure CDN” service to more sites than anybody else. Do you know of anybody else who actively MITMs that many TLS endpoints?

comment:9 Changed 9 months ago by cypherpunks

@same guy,
Using cloudflare means all traffic is routed to cloudflare. This is not just about free HTTPS.
HTTP connection to cloudflare and HTTPS connection to cloudflare, both are fucked up.

"If you're using their free cache, proxy, certificate service, YOU ARE THE PRODUCT."

@nullius,
I have no argument with that - you wrote what I wanna write.

comment:10 Changed 9 months ago by cypherpunks

Cloudflare and Incapsula. Both HTTP/HTTPS connections to them need to be blocked as MiTM attacks against TBB.

https://www.incapsula.com/

Not many use Incapsula though. Most of their customers moved to Cloudflare because of price and popularity. And we the tor users are blocked to read their site. Such a shame LOL

comment:11 Changed 9 months ago by cypherpunks

Browser developer's ego incoming!

https://github.com/privacytoolsIO/privacytools.io/issues/364#issuecomment-346040970
hugoncosta
Can anyone confirm if CDNs decrypt https traffic or just pass it along?

https://github.com/MoonchildProductions/Pale-Moon/issues/1486#issuecomment-345980344
JustOff
Sorry, but this is utter nonsense.

Why don't these people understand how Cloudflare works?
They can't handle encrypted data. It must be decrypted to check data.

Cloudflare decrypts the incoming data, tests it, (collects it), then re-encrypts and sends it to the original server (if "Full mode" SSL).

Now I hate Palemoon too. I'll tell this to other people. Ty Palemoon.

comment:12 Changed 9 months ago by cypherpunks

And also they tag EVERY SINGLE REQUEST with a "RAY" ID. Every action you take on Cloudflare-proxied sites is completely watched.

Are they, who defend Cloudflare, exhibitionists or something? LOL...

comment:13 Changed 9 months ago by cypherpunks

Why is Mozilla ignoring Cloudflare's MiTM attack? This is a security issue that needs to be fixed in Chrome and Firefox.

comment:15 Changed 9 months ago by cypherpunks

We need some official member's thought here.

@mikeperry, @arma, @gk, and so on.
Why are you allowing MITM attack? This browser's main topic should be "privacy". Come on, say something already.

Especially @mikeperry wrote a blog last year. You need to do this again, soon.
https://blog.torproject.org/trouble-cloudflare

comment:16 Changed 9 months ago by cypherpunks

Severity: Normal → Blocker

from: debian's grave level

comment:17 Changed 9 months ago by cypherpunks

"The author of this post was able to prove pretty emphatically that whilst his connection to CloudFlare was solid, upstream of CloudFlare when they're connecting to The Pirate bay origin things were being MitM'd."

https://danwin1210.me/url.php?id=34935

comment:18 Changed 9 months ago by cypherpunks

This isn't the correct solution. The green icon only tells you that the exit and the server you're communicating to (Cloudflare in this case) is encrypted, and that's it. It shouldn't extend to how someone sets up their website, otherwise it opens a slippery slope: why not block all websites because all servers have the backdoor that is Intel Management Engine or AMD's Platform Security Processor? Why not block all onion services on the same ground? Also, good luck confusing most users by blocking a large portion of the web: w3techs.com/technologies/history_overview/proxy/all

(Yes, Cloudflare is evil and tries to pass as some kind of "anti-DDoSes hero" and with all their HN PR, this has no bearing on this however.)

comment:19 Changed 9 months ago by cypherpunks

Status: reopened → needs_information

comment:20 in reply to:  16 Changed 9 months ago by nullius

Severity: Blocker → Major

The enthusiasm for solving this problem is commendable; but as a practical matter, I doubt that much could be achieved by throwing “Blocker” severity into the mundane workflow of bug management.

I suggest instead that it would be productive to raise awareness of this issue, answer the rather specious counterarguments which have been raised, and—write some code! “Cypherpunks write code.”

As for code: Does anyone interested in this bug have a starting idea for where to hook this feature into either Torbutton or Firefox? I’m main()ly a C wrangler, and not really familiar with the codebase of either. From an architectural standpoint, it would be wise to patch this by some means which could later be ported to other browsers, and/or lifted out into its own extension. That way, users of other browsers could ultimately benefit from our efforts here.

As for awareness: Even in tech circles, it seems that most people don’t even stop to think about how Cloudflare works, or what the implications could be. I suppose also that those who do, may simply shrug in resignation: Cloudflare is too big, too powerful; people are too apathetic about privacy and security. I say this based on my own experience. The “oh, duh!” moment came for me in 2015, when I was designing my own little hack on TLS and paused to wonder how Cloudflare does this. They decrypt everything. Of course. After that, I simply never spoke up about this, because it seemed that nobody cared.

On that last point, the responses on this bug have proved me wrong. I intend to respond to some of the points raised above. Also, I suggest we should carry on this discussion and get the word out—perhaps, organize in another venue. Tor should be activism-friendly; but this is a bug tracker and a Tor Browser bug, where I suggest we ought try to focus on how and why to fix this in Tor Browser. Beyond that—any takers?

(As for those who like what I’ve written here: Feel free to copy and share, in whole or in part. Simply attribute to nullius (@) nym.zone. Thanks for actually giving a damn about this issue.)

comment:21 in reply to:  18 ; Changed 9 months ago by nullius

Replying to cypherpunks:

The green icon only tells you that the exit and the server you're communicating to (Cloudflare in this case) is encrypted, and that's it.

Incorrect. If that were the case, then anon-DH ciphersuites would be acceptable. Those are also securely 100% military-grade super-duper encrypted. “...and that’s it.”

The lock icon promises not only encryption, but also authentication of the endpoint and protection against MITM attacks. Among other guarantees.

It shouldn't extend to how someone sets up their website, otherwise it opens a slippery slope: why not block all websites because all servers have the backdoor that is Intel Management Engine or AMD's Platform Security Processor?

For the purposes of this bug, suggestions that some shadowy somebody may be using a hardware backdoor for the whole Internet do not equate to the certain knowledge that one clearly identified entity is in fact performing realtime decryption of all TLS connections to millions of websites right now.

(I’d be thrilled to see a workable solution proposed as for the problem you raise, or even a reasonable assessment of its scope. However, that is off-topic to this bug.)

Also, good luck confusing most users by blocking a large portion of the web:

Users are being confused right now. They are being scammed by a promise of a “secure” connection to a certain identified website. Instead, they are being silently provided a “secure” connection to Cloudflare. Not on one website, or even only a few, but across millions of websites. The aggregate effect is critical to understanding the mass-surveillance implications.

This bug is about solving user confusion, with warnings or errors as appropriate to different levels on the Security Slider.

comment:22 in reply to:  21 ; Changed 9 months ago by cypherpunks

Replying to nullius:

Replying to cypherpunks:

It shouldn't extend to how someone sets up their website, otherwise it opens a slippery slope: why not block all websites because all servers have the backdoor that is Intel Management Engine or AMD's Platform Security Processor?

For the purposes of this bug, suggestions that some shadowy somebody may be using a hardware backdoor for the whole Internet do not equate to the certain knowledge that one clearly identified entity is in fact performing realtime decryption of all TLS connections to millions of websites right now.

Do you have any actual evidence that they intercepted these decrypted packets and used them for their own malicious goals, or those of other 3-letter entities? Otherwise this talk is pure gossip, and it belongs on tabloids of the DailyMail.

comment:23 in reply to:  22 Changed 9 months ago by nullius

Replying to cypherpunks:

Do you have any actual evidence that they intercepted these decrypted packets and used them for their own malicious goals, or those of other 3-letter entities? Otherwise this talk is pure gossip, and it belongs on tabloids of the DailyMail.

First off, I do have evidence that they “intercepted these decrypted packets”. That is how Cloudflare works, period. If you fail to comprehend this, then go back and reread this thread—or read Cloudflare’s own documentation—or for that matter, try learning how TLS actually works. Without full interception and decryption of each and every connection, it would be impossible for them to scan application-layer requests for “attacks”, insert their own HTTP response headers, and return cache items from their own servers. Even with their misleadingly named “keyless SSL”, their diagrams make explicit that they hold the TLS session keys (symmetric keys) for all sessions (only in that case, not the server certificate private keys).

As for the rest:

Absence of evidence is not evidence of absence; and your proposition is diversionary, whereas the real issue is one of trust and of the promises made by TLS.

Fact: Cloudflare performs mass decryption, then says in essence, Trust us.

Evidently, you accept that. For comparison, would you accept key escrow? There is no “actual evidence” that police agencies would abuse that power, or that blackhats would steal the escrowed keys. (There is no such evidence, only because no such system has ever existed in the wild and at scale.) Also, reductio ad absurdum, would you accept centralized decryption of 100% of Web traffic? 90%? At what threshold would you deem such a power a threat in itself? Whom would you trust to have it?

You have no evidence that Cloudflare does not misuse this power, other than their solemn promise that they don’t. In other words, no “actual evidence”. But that is beside the point: Nobody should demand that level of trust, on today’s Internet, in today’s world. The creation of a mass-decryption chokepoint is implicitly malicious.

Sane people prefer to trust cryptographic algorithms. That is exactly why we have such things in the first place. Why even bother with TLS? Why not simply trust large, reputable companies to deliver packets without peeking at them?

comment:24 Changed 8 months ago by tokotoko

Cc: fdsfgs@… added

comment:25 Changed 8 months ago by cypherpunks

https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

Test header data --> if cloudflare --> forcefully redirect to localhost(terminate connection)

comment:26 in reply to:  25 Changed 8 months ago by nullius

Replying to cypherpunks:

https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

Test header data --> if cloudflare --> forcefully redirect to localhost(terminate connection)

Thank you! “Cypherpunks write code.”

To facilitate further development, I have created a Github repository:

https://github.com/nym-zone/block_cloudflare_mitm_fx

My commit-signing PGP key fingerprint (also used for e-mail):
0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C

Please note well Issue #5, Refactor for future integration with other add-ons. I hope to use the Github repo to cultivate this idea, test the best means of achieving our goals, and then refactor out a patch which can be brought back to this Tor Browser bug for addition to Torbutton.

I am admittedly not much of a Javascript developer; but I can handle gritty maintenance tasks, and perhaps pick up some new Mozilla add-on skills along the way. Help is appreciated. Let this be the initial seed of a grassroots community response to the Cloudflare MITM threat!

comment:27 Changed 8 months ago by cypherpunks

@nullius

Thanks for creating a github repo. This add-on's license is WTFPL, so it's perfectly fine.
You can contact me from my website[1], but I prefer to stay anonymous while contributing.

I'll create github account. Is it okay to publish your future/updated code under my
firefox account, or do you want access to add-on page?

[1] add-on website -> "cypherpunks" -> my other add-on -> homepage

comment:28 in reply to:  25 ; Changed 8 months ago by cypherpunks

Replying to cypherpunks:

You updated it quite a lot. It's version 1.0.2.1 now. "Your connection is not secure" is definitely what I wanted to see and this code or add-on must be included in Tor Browser.

Too bad your add-on requires the latest Firefox Quantum.

comment:29 Changed 8 months ago by cypherpunks

Resolution: user disappeared
Status: needs_information → closed

comment:30 Changed 8 months ago by nullius

Resolution: user disappeared
Status: closed → reopened

“The report of my death was an exaggeration.”

comment:31 Changed 8 months ago by cypherpunks

Resolution: invalid
Status: reopened → closed

comment:32 in reply to:  31 Changed 8 months ago by nullius

Resolution: invalid
Status: closed → reopened

What is this, bug management for toddlers? “Is bug!” “Is not!” “Is so!”

A technical fix is in development. I will update this bug when and as appropriate.

comment:33 Changed 8 months ago by cypherpunks

Cc: cypherpunks added
Milestone: website redesign
Priority: High → Very Low
Reviewer: gk
Severity: Major → Trivial
Sponsor: Sponsor5*
Status: reopened → needs_information
Summary: Block Global Active Adversary Cloudflare → Allow Global Active Adversary Cloudflare
Version: Tor: unspecified

comment:34 Changed 8 months ago by cypherpunks

Summary: Allow Global Active Adversary Cloudflare → Allow Cloudflare and NSA to spy on your traffic

comment:35 Changed 8 months ago by gk

Milestone: website redesign
Reviewer: gk
Sponsor: Sponsor5*
Summary: Allow Cloudflare and NSA to spy on your traffic → Block Global Active Adversary Cloudflare
Version: Tor: unspecified

comment:36 Changed 8 months ago by cypherpunks

TBB team won't care. Block Cloudflare? This will break millions of websites! LOFL

comment:37 Changed 8 months ago by cypherpunks

Priority: Very Low → High
Severity: Trivial → Major
Status: needs_information → new

Reverting changes caused by #33. What the hell happened here?

comment:38 in reply to:  28 Changed 8 months ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

Too bad your add-on requires the latest Firefox Quantum.

The latest update, 1.0.7, supports Tor Browser.

comment:39 Changed 8 months ago by cloudflarezoey

Our users trust us for fast and secure websites. You can trust us.

Please contact us so we can assist you.

https://support.cloudflare.com/hc/en-us/requests/new

comment:40 Changed 8 months ago by cloudflarezoey

Resolution: invalid
Status: new → closed

comment:41 Changed 8 months ago by Dbryrtfbcbhgf

Resolution: invalid
Status: closed → reopened

cloudflarezoey, stop closing bug reports for no reason.

comment:42 Changed 8 months ago by cloudflarezoey

Resolution: fixed
Status: reopened → closed

no reason

No reason, huh?
Dbryrtfbcbhgf, we do not support our customer without ticket.

Please contact us so we can assist you.

https://support.cloudflare.com/hc/en-us/requests/new

comment:43 in reply to:  42 Changed 8 months ago by nullius

Resolution: fixed
Status: closed → reopened

Quoting for proper context, Dbryrtfbcbhgf:

cloudflarezoey, stop closing bug reports for no reason.

Now, replying to cloudflarezoey:

no reason

No reason, huh?
Dbryrtfbcbhgf, we do not support our customer without ticket.

Please contact us so we can assist you.

https://support.cloudflare.com/hc/en-us/requests/new

This is not a Cloudflare site. I am not your “customer”; and I think I can safely declare, neither is anybody else who desires a resolution to this ticket. And that much is obvious. Do you have any idea how stupid it sounds for you to direct people to file a Cloudflare support ticket about Cloudflare’s behaviour as a global active adversary?

Moreover, this is not a Cloudflare bug tracker. Stop closing bugs for no reason. Just stop it.

comment:44 in reply to:  39 Changed 8 months ago by nullius

With apologies for the bugspam caused by earlier arbitrary ticket-closing shenanigans, I must highlight this:

Replying to cloudflarezoey:

Our users trust us for fast and secure websites. You can trust us.

Please contact us so we can assist you.

https://support.cloudflare.com/hc/en-us/requests/new

“You can trust us.” Assuming that cloudflarezoey is truly an employee of Cloudflare, this perfectly encapsulates the problem with Cloudflare.

No, I do NOT trust you. And I shouldn’t need to! The raison d’être for cryptographic protocols such as TLS is to obviate the need for trust: Trust the numbers, trust the maths, and trust nobody.

Interposing a MITM into billions of TLS connections to millions of different websites creates a trust-based Internet. A trust-based Internet is inherently untrustworthy. Ideal would be a trustless Internet. Applied cryptography in the form of TLS does not quite achieve that, but it can make a huge step in that direction.

Aside: I long ago learned a reliable social heuristic known to all responsible, mature adults: Any stranger who answers wariness by explicitly saying “trust me” is trying to do something bad. If you have children, you should teach them this rule for their own safety. Trustworthy people earn trust by their behaviour. Con artists, criminals, liars, seducers, swindlers, and other politicians more oft than not say, “Trust me!”

Anyway, it is not as if I have not already covered the Cloudflare “trust us” bug on this ticket; I will consider this a confirmation of validity of this bug and parent #18361:

On 2017-11-20 at 21:55:53, nullius said:

Then, they cross their fingers and promise to respect people’s privacy. “Trust us; we will make you ‘safer’.” Again—why use any encryption at all?

On 2017-11-29 at 04:31:01, nullius said:

Fact: Cloudflare performs mass decryption, then says in essence, Trust us.

On 2017-12-27 at 04:31:54, cloudflarezoey said:

You can trust us.

comment:45 Changed 8 months ago by cypherpunks

Discussion:

How do we implement this new function to "Tor Button"?
https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

How about:

Tor Browser Security Settings

Low (default)

Do nothing (as default description says).
Cloudflared websites will greet you with a captcha, and you are not sure the website is
using Cloudflare or not.

Medium

Cloudflare websites' title and favicon are changed, so the user can notice it.
(from add-on's settings: "Don't show warning message; just change title and favicon")

High

Show a warning message on MiTMed websites.
User can create a whitelist, but it will be purged each time the user clicks "New Identity"
or restarts the Tor Browser.

comment:46 in reply to:  45 Changed 8 months ago by nullius

General comment before I reply: Sites which do not themselves use Cloudflare may embed third-party content from a Cloudflared site. By analogy to the http/https divide, it is a sort of “mixed content” situation. This introduces additional complexity into the design requirements.

Replying to cypherpunks:

Low (default)

Do nothing (as default description says).
Cloudflared websites will greet you with a captcha, and you are not sure the website is
using Cloudflare or not.

Seems the least-pessimal way. Users who surf on “Low” are already privacy/security suicidal, anyway.

I think also, the vast majority of users (unfortunately) would never see the effect of this change. Whether you consider that a bug or a feature depends on your perspective; I think it’s a bug. The set of users who actually takes two clicks to change the Security Slider is probably almost identical with the set of those who know what “MITM” means.

Medium

Cloudflare websites' title and favicon are changed, so the user can notice it.
(from add-on's settings: "Don't show warning message; just change title and favicon")

I myself would want the option to either warn or block at this level. At least, I would want the option to block “mixed content” as referred to above; if I visit a top-level https site which itself is not Cloudflared, then I do not want Javascript, third-party cookies, etc. potentially passing unencrypted through Cloudflare.

Perhaps a case could be made that the default should be to warn in the simple cases, and warn or block with error in case of “mixed content”. If that last be not the default, it should be at least an option. Though I am well aware that “add an option” is considered bad design, Torbutton does much of its Security Slider work through about:config entries, anyway. It would suffice for me if those were provided, and would persist through changes of the slider to/from a given setting.

High

Show a warning message on MiTMed websites.
User can create a whitelist, but it will be purged each time the user clicks "New Identity"
or restarts the Tor Browser.

I think Cloudflare (including “mixed content” Cloudflare) should be unequivocally blocked on the High setting, except on explicitly whitelisted sites. There could not be many complaints from this. The High setting already breaks much of the Web—even including Wikipedia.[0] Who surfs the Web on High? I know that I do. Who else?


[0] Mathematical equations rendered in SVG show up as gibberish text fallback bizarrely formatted in ways which break up the text; and Wikipedia’s image fallbacks are not loaded. Fixing this requires either dropping the security slider to Medium (thus enabling Javascript), or enabling SVG by manually twiddling an about:config setting while in High mode. I can’t get the PNG fallbacks to load. I should probably file a separate bug about this; but the point hereof is, if nobody noticed that in the past few years, then very few people (including TBB devs) ever surf with the slider on “High”.

comment:47 Changed 8 months ago by cypherpunks

Medium
Cloudflare websites' title and favicon are changed, so the user can notice it.
(from add-on's settings: "Don't show warning message; just change title and favicon")

I myself would want the option to either warn or block at this level.

I think "warning" is enough for this "medium" level.
"Block" is for the "High" level, just IMO.

Next, what text should be added to TorButton's level description?

Tor Browser Security Settings
Low: (not changed)
Medium: "The title and icon is changed in MITM proxied websites."
High: "MITM proxied websites are blocked. Whitelist is not permanent."


if nobody noticed that in the past few years, then very few people
(including TBB devs) ever surf with the slider on “High”.

Wikipedia's math webpage, right? I know and I don't care about it.
I use TorButton's high level all the time, and the level description
clearly states:

"Some font rendering features are disabled"

It's a trade-off. Or maybe someone can fix it.
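
The slider policy discussed in comment:45 through comment:47, written out as an added example; it is not part of the ticket and is not Tor Browser or add-on code. The names `decide`, `hasMarker`, `SessionWhitelist` and `blockMixedOnMedium` are hypothetical, and the sample headers are constructed.

```javascript
"use strict";
// Added illustration, not Tor Browser or add-on code. decide(), hasMarker(),
// SessionWhitelist and blockMixedOnMedium are hypothetical names.

const MARKER = "cf-ray"; // header named in the ticket; header names are case-insensitive

// headers: [{name, value}], the shape webRequest.onHeadersReceived passes in
// details.responseHeaders. A missing header proves nothing: an intermediary
// can simply omit it, so this only catches proxies that announce themselves.
function hasMarker(headers) {
  return (headers || []).some(
    (h) => typeof h.name === "string" && h.name.trim().toLowerCase() === MARKER
  );
}

// Whitelist for the High level as proposed in comment:45: session-only,
// purged on "New Identity" or restart.
class SessionWhitelist {
  constructor() { this.hosts = new Set(); }
  allow(host) { this.hosts.add(host.toLowerCase()); }
  has(host) { return this.hosts.has(host.toLowerCase()); }
  purge() { this.hosts.clear(); } // call on New Identity
}

// req: { url, type, responseHeaders, topLevelMarked }
//   type is "main_frame" for the page itself, anything else is a subresource;
//   topLevelMarked says whether the top-level document carried the marker.
// Returns { action: "allow" | "mark" | "block", reason }.
function decide(level, req, whitelist, opts = {}) {
  const url = new URL(req.url);
  if (url.protocol !== "https:") return { action: "allow", reason: "not-https" };
  if (!hasMarker(req.responseHeaders)) return { action: "allow", reason: "no-marker" };

  // "Mixed content" in the sense of comment:46: a marked subresource on a
  // page whose own top-level response was not marked.
  const mixed = req.type !== "main_frame" && !req.topLevelMarked;

  switch (level) {
    case "low": // "Do nothing"
      return { action: "allow", reason: "low-does-nothing" };
    case "medium": // change title and favicon; optionally block mixed content
      if (mixed && opts.blockMixedOnMedium) return { action: "block", reason: "mixed" };
      return { action: "mark", reason: mixed ? "mixed" : "marked-site" };
    case "high": // block unless the host is on the session whitelist
      if (whitelist.has(url.hostname)) return { action: "allow", reason: "whitelisted" };
      return { action: "block", reason: mixed ? "mixed" : "marked-site" };
    default:
      throw new RangeError("unknown security level: " + level);
  }
}

// Constructed sample responses (header values are placeholders).
const SAMPLE_MARKED = [
  { name: "Server", value: "constructed" },
  { name: "CF-RAY", value: "constructed-id" },
];
const SAMPLE_PLAIN = [{ name: "Server", value: "constructed" }];

function demo() {
  const wl = new SessionWhitelist();
  const page = { url: "https://site.example/", type: "main_frame", responseHeaders: SAMPLE_MARKED };
  const embed = { url: "https://cdn.example/lib.js", type: "script",
                  responseHeaders: SAMPLE_MARKED, topLevelMarked: false };
  const out = {
    low: decide("low", page, wl).action,
    medium: decide("medium", page, wl).action,
    mediumMixed: decide("medium", embed, wl, { blockMixedOnMedium: true }).action,
    high: decide("high", page, wl).action,
    plainHigh: decide("high", { ...page, responseHeaders: SAMPLE_PLAIN }, wl).action,
  };
  wl.allow("site.example");
  out.highWhitelisted = decide("high", page, wl).action;
  wl.purge(); // New Identity
  out.highAfterPurge = decide("high", page, wl).action;
  return out;
}
```
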

comment:48 Changed 7 months ago by cypherpunks

Resolution: wontfix
Status: reopened → closed

Tor Browser is not your privacy browser. Privacy is not Anonymity.
Look, no one cares about your stupid add-on or discussion. If Tor-Team or other Tor coders cared,
they would have written a comment already. No comment means not interested.

comment:49 Changed 7 months ago by cypherpunks

Cc: cypherpunks removed
Parent ID: #18361

comment:50 Changed 7 months ago by cypherpunks

Parent ID: #18361
Resolution: wontfix
Status: closed → reopened

Tor Browser is not your privacy browser

Isn't Tor Browser for privacy *and* anonymity?

If Tor-Team or other Tor coders cared, they would have written a comment

If they thought this ticket was garbage, they would have closed this ticket already.

Last edited 7 months ago by cypherpunks

comment:51 in reply to:  50 Changed 7 months ago by nullius

Ah, cypherpunks, you barely beat me to it. I should like to add:

At 2017-12-19T00:12:38Z, nullius:

What is this, bug management for toddlers? “Is bug!” “Is not!” “Is so!”

Stop closing bug reports for no reason. It only makes pointless bugspam in the mailbox of everybody who follows the bug; and it changes nothing.

Also, replying to cypherpunks:

Tor Browser is not your privacy browser. Privacy is not Anonymity.

I think that you’re in the wrong place. “Tor Browser is not your privacy browser.” I doubt that the Tor Browser team would be thrilled to add this statement to their advertising or the Tor Browser design documentation. If you disagree, then please open a separate bug to add the statement “Tor Browser is not your privacy browser” or “Non-goal: PRIVACY” to https://www.torproject.org/projects/torbrowser/design/ . It’s offtopic in this bug.

I observe that by implication, you admit that Cloudflare is destructive to privacy, and that a “privacy browser” should take countermeasures against Cloudflare.

As for the conflation of privacy and anonymity, the two are certainly related; and each is a prerequisite to the other. Per the terminology used by researchers, I prefer unlinkability to “anonymity” and will use that term here. If a centralized mass-decryption chokepoint, which violates privacy in the small, could observe enough of your TLS sessions to link them together through a tiny bit of unique information you leak at each site, then you lose “anonymity” by definition. Whereas unlinkability is necessary to privacy in the large: An entity which can link your online activities can track them under a single identity, and watch everything you do. Defending against this last is the Tor Project’s raison d’être.

Changed 7 months ago by cypherpunks

mitm

comment:52 Changed 7 months ago by cypherpunks

https://trac.torproject.org/projects/tor/raw-attachment/ticket/24351/1948092a067bd961b1b3d3d25e161cf9.jpg

comment:53 Changed 7 months ago by cypherpunks

Even tho Cloudflare has a MiTM problem for *some* customers, it's not the right time to make such a proposal when we're still struggling with basic usability for a lot of sites, including a lot of sites behind Cloudflare's back.

comment:54 in reply to:  53 Changed 7 months ago by cypherpunks

Replying to cypherpunks:

Even tho Cloudflare has a MiTM problem for *some* customers,

What do you mean *some*? This must be fixed because the browser's padlock is inaccurate. If you don't care about a secure TLS connection, go download Mozilla Firefox. You don't belong here.

we're still struggling with basic usability for a lot of sites, including a lot of sites behind Cloudflare's back.

That's the origin server's problem. Go blame the website owner, not here.

comment:55 Changed 7 months ago by cypherpunks

NO MITM
User ============================= Origin

MITM
User ======= Cloudflare ========== Origin
                 ^
       [https:// added and removed here!]



"Cloudflare is CDN" is bullshit. They are "reverse proxy".
CDN is for STATIC content.
Last edited 7 months ago by cypherpunks

comment:56 Changed 7 months ago by akrey

Cloudflare is not a man in the middle. Cloudflare is authorized to provide the SSL termination for origin, by origin.

Do you say that tbb should block sites because their internal setup is insecure (and yes, cloudflare is part of that 'internal setup')?

Should tbb also block sites that run on rented cloud machinery, because they are inherently insecure, and subvertible by the hosting companies?

Should tbb also block google-analytics, for obvious reasons?

comment:57 in reply to:  56 ; Changed 7 months ago by cypherpunks

Replying to akrey:

Cloudflare is not a man in the middle. Cloudflare is authorized to provide the SSL termination for origin, by origin.

And I, as the user, didn't want Cloudflare to read my data.
I agree to the terms and conditions of CLOUDFLARED.COM but I didn't agree to CLOUDFLARE.
Read Firefox Focus Github issue. The "user" must have a right to decide access or not access to the website. Not you.

Do you say that tbb should block sites because their internal setup is insecure (and yes, cloudflare is part of that 'internal setup')?

At least raise a warning that the website is proxied by the company like Cloudflare.
This is a MITM. If you disagree, read Wikipedia.

Should tbb also block sites that run on rented cloud machinery, because they are inherently insecure, and subvertible by the hosting companies?

Are you nuts? Read Wikipedia before you write anything.

Should tbb also block google-analytics, for obvious reasons?

What the fuck? You are clearly misleading.

comment:58 in reply to:  57 Changed 7 months ago by gk

Replying to cypherpunks:

Replying to akrey:

Cloudflare is not a man in the middle. Cloudflare is authorized to provide the SSL termination for origin, by origin.

And I, as the user, didn't want Cloudflare to read my data.
I agree to the terms and conditions of CLOUDFLARED.COM but I didn't agree to CLOUDFLARE.
Read Firefox Focus Github issue. The "user" must have a right to decide access or not access to the website. Not you.

Do you say that tbb should block sites because their internal setup is insecure (and yes, cloudflare is part of that 'internal setup')?

At least raise a warning that the website is proxied by the company like Cloudflare.
This is a MITM. If you disagree, read Wikipedia.

Should tbb also block sites that run on rented cloud machinery, because they are inherently insecure, and subvertible by the hosting companies?

Are you nuts? Read Wikipedia before you write anything.

Should tbb also block google-analytics, for obvious reasons?

What the fuck? You are clearly misleading.

Cypherpunk: please stay civilized. This is our bug tracker.

comment:59 Changed 7 months ago by stupidregistration

comment:60 in reply to:  56 Changed 7 months ago by nullius

Bug reporter here.

Replying to akrey:

Cloudflare is not a man in the middle. Cloudflare is authorized to provide the SSL termination for origin, by origin.

The short version, a rhetorical question: Would you trust a key escrow régime, in which an “authorized” entity was entrusted with the potential to decrypt all communications at will? If not, why would you trust a de facto mass decryption chokepoint at which many communications are actually decrypted? Apropos this ticket, by analogy, would you trust a web browser which displayed a lock icon promising the confidentiality, integrity, and authentication of key-escrowed communications?

The longer version:

As I’ve said elsewhere, Cloudflare is sui generis. There is not even one other entity on Earth today who has realtime “authorized” decrypt access to the scope and nature of traffic which passes through Cloudflare. Billions of connections to millions of different websites!

The mass-surveillance potential should be obvious. Officially, Cloudflare does respond to government inquiries, as they are required to by U.S. law; this is no different from any other U.S. entity, except for the huge difference in the scope of data which Cloudflare has available to it. Unofficially, they could do anything they want with the data they glean from mass-decryption; and this imposes the requirement of trust on what’s supposed to be a protocol which is built on the adage, “trust the algorithms”.

Also, you are looking at this question from the wrong perspective. Tor Browser does not exist for the purpose of permitting whatever may be “authorized” by origins; indeed, as referenced below, Tor Browser takes extensive measures to deliberately break many things “authorized” by origins. Tor Browser’s job is to protect the user’s privacy, not to serve websites. As such, Tor Browser should protect users against having a large proportion of their HTTPS Web use silently, invisibly decrypted by a single centralized entity.

Really, it’s a matter of user choice and the user’s authorization. I think I have made it clear in my prior comments, I do not wish to prevent users from accessing Cloudflared sites. Rather, the lock icon should stop lying to users—and users should be given an informed choice of whether they wish to permit Cloudflare to read their traffic, with appropriate default settings for different Security Slider levels. Just as users can also override certificate verification and accept the self-signed certificate of a MITM running sslstrip, I urge the motto, “Mechanism, not policy.”

And yes, by definition, Cloudflare are a man in the middle: They silently decrypt, read/modify, and re-encrypt the TLS connection between two endpoints. Be that not a MITM, then what is? I put this as a secondary point, because quibbling over definitions gets nowhere; the substance of this bug is in the nature of what Cloudflare does.

Now, the remainder of your arguments seem to posit that given many problems, the multiplicity of problems is reason to do nothing about the biggest one:

Do you say that tbb should block sites because their internal setup is insecure (and yes, cloudflare is part of that 'internal setup')?

Please name even one other singular “internal setup” which, whether compromised or not, has full access to the traffic of billions of visitors to millions of different websites.

Should tbb also block sites that run on rented cloud machinery, because they are inherently insecure, and subvertible by the hosting companies?

Please name even one “cloud” provider which hosts a comparable breadth, depth, and apparent diversity of sites to those which have their traffic decrypted by Cloudflare.

Should tbb also block google-analytics, for obvious reasons?

Are you trying to add to my wishlist?

Seriously, Tor Browser already puts considerable effort into prevention of third-party cross-origin linking:

https://www.torproject.org/projects/torbrowser/design/#identifier-linkability

(Also the subsequent section about cross-origin fingerprinting.)

It is my desire with this bug that Tor Browser should take much simpler measures to help users protect themselves against a known mass-attack on TLS.

comment:61 Changed 7 months ago by cypherpunks

Resolution: worksforme
Status: reopened → closed
Summary: Block Global Active Adversary Cloudflare → Support Global Active Adversary Cloudflare

comment:62 Changed 7 months ago by cypherpunks

Priority: High → Very High
Resolution: worksforme
Severity: Major → Critical
Status: closed → reopened
Summary: Support Global Active Adversary Cloudflare → Fuck Global Active Adversary Cloudflare

1 CloudFlare is not doing MiTM. MiTM is unauthorized. CF is authorized intermediary. It is authorized by both websites owners (who have explicitly made steps to use it), and website users (who agree with websites' ToS in order to use it).
2 Padlock icon is about TLS connection trustworthiness, not about trustworthiness of the server it connects to. IMHO CF TLS connection settings are some of the best I ever saw.
3 TP needs to cooperate with Cloudflare in order to create really privacy-preserving solution. No cooperation on surveillance. TP needs to develop an own solution and suggest CloudFlare to allow access to the users using it. If they disagree without giving sufficient technical reason, or if they delay the answer for too long (TP must mention this), TP should contact all major mass media and say "CloudFlare is f*cking b*st*rds who wanna spy on everyone! Their denial to use our solution is because of it, they couldn't name any privacy flaw in it, but they denied to use it. There is no other explanation rather than a will for espionage!"

comment:63 Changed 7 months ago by cypherpunks

It is authorized by both websites owners (who have explicitly made steps to use it),
and website users (who agree with websites' ToS in order to use it)

Not all people read long TOS. You can find many people who didn't realize how Cloudflare works in technical way, JUST LIKE YOU.
"And website users" is incorrect. Not all websites have TOS. For example, this trac.torproject.org. Where's TOS? I didn't agree to anything!
Another problem is I did not allow Cloudflare to read anything. They are silently standing between me and website owner, who signed up CF for FREE, $0, COMODO HTTPS certificate.
WhatTheFuckEver, by Wikipedia's DEFINITION, this is clearly called "MITM ATTACK".
Don't like it? Edit Wikipedia.

comment:64 in reply to:  62 Changed 7 months ago by nullius

Priority: Very High → High
Severity: Critical → Major
Summary: Fuck Global Active Adversary Cloudflare → Block Global Active Adversary Cloudflare

Well, well. I turn my back for three seconds...

This is a serious problem, which will require serious effort to solve. That can be achieved with sound arguments and shipping code—most of all, by being right. Neither gratuitous metadata changes nor gratuitous profanity solves anything, and both are inappropriate for a bug tracker.

(Passing through in a hurry. I perhaps may have a few more words later as for the prior comments.)

comment:65 Changed 7 months ago by cypherpunks

Points: 100

comment:66 Changed 7 months ago by cypherpunks

Points: 100 → 1000

comment:67 Changed 6 months ago by jchevali

In my opinion, I understand what is being asked, but I don't think it should be part of Tor. If someone is so concerned about Cloudflare and other CDN's, he could develop a new browser extension outside of Tor, then recommend it for use by Tor users. Of course, it will have to run "invisibly", or that would add to the Tor user's online fingerprint.

And while on the issue of fingerprints, there is of course Key Pinning and other mechanisms to ensure authenticity of a site (e.g., https://www.grc.com/fingerprints.htm). However most sites on Cloudflare aren't visible outside Cloudflare. So how could one retrieve its fingerprint? And how could one manage connecting directly to the site? (when in fact, if Cloudflare manages the site's DNS, you won't have a way to get to it unless you know the address).

You couldn't even do it by way of elimination, by excluding Cloudflare's fingerprints, because Cloudflare-issued certificates use a multiplicity of fingerprints.

And besides, the use of CF-Ray sounds flimsy. It's probably a weak point in the proposal, because if a malicious MITM wanted to do his job by stealth, he'd take care of not announcing it by means of CF-Ray in the first place. So are you going to stop CDN impersonations that "give themselves away", but not CDN impersonations that don't give themselves away?

And how would you detect other CDNs? What headers do they use? Why single out Cloudflare?

I think the only solution is getting oneself round the idea that, as cypherpunks writes, "The green icon only tells you that the exit and the server you're communicating to (Cloudflare in this case) is encrypted, and that's it." I know it's hard to get our heads around the idea. But soon, it won't be that hard, because all browsers will start demanding encryption and flag up anything not encrypted as insecure, and then every page will have green icons. Soon, green icons won't mean anything (unless someone is so naive to think that all of a sudden, with the advent of generalized, pervasive encryption, the whole internet has turned "safe").

So it's a question of user education, and if someone has a problem with a specific implementation, e.g., Cloudflare's, start an online campaign to warn people about it, which it's in everyone's right to do, as long as it does it correctly.

Tor's specific function(s) and what it's trying to achieve doesn't mean that it would or should get under its banner defending other causes, even if they seem related. It's a question of scope and limitation, and I think it's ok where it is.

comment:68 Changed 6 months ago by cypherpunks

Yo folks, the issue is really simple when using some good old naive set theory:

https://web.archive.org/web/20180211202044if_/https://i.stack.imgur.com/DLTSj.png

  • The set A consists of those elements which can see the plaintext with a website setup with Cloudflare but with Full SSL.
  • The set B consists of those elements which can see the plaintext with a website setup with Cloudflare but with basic SSL (i.e. Cloudflare MiTM).
  • The set C consists of those elements which can see the plaintext with a website setup with Cloudflare but without any SSL.

From that it is clear that B is NOT equal to C, and so equating them by treating the two situations as the same is just plaintext wrong.

comment:69 in reply to:  68 Changed 6 months ago by cypherpunks

You're ignoring metadata.

comment:70 Changed 5 months ago by cypherpunks

To comment:68
Wrong. In Cloudflare full SSL they still re-encrypt everything at their end before passing on the data. Cloudflare is always able to decrypt. Even in their "keyless" mode where they don't have the private keys but are given decryption capabilities. Also, traffic between CF and server is plaintext in basic SSL.

basic SSL: Plaintext between CF and server
full SSL: Cloudflare can see all traffic but it is encrypted on the net

comment:71 in reply to:  70 Changed 5 months ago by cypherpunks

Replying to cypherpunks:
Still doesn't refute the premises and deductions present in that post.

comment:72 Changed 5 months ago by cypherpunks

Mozilla deleted the add-on "Block Cloudflare MiTM Attack".
According to the developer, the add-on was taken down by these 2 people:

Andreas Wagner
https://addons.mozilla.org/en-US/firefox/user/theone/

erosman
https://addons.mozilla.org/en-US/firefox/user/azbb/

Shame on both who support Cloudflare.

Changed 5 months ago by cypherpunks

Block Cloudflare MiTM Attack, v1.0.14.1 Signed

comment:73 Changed 5 months ago by cypherpunks

https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/
"Page not found. Sorry, but we can't find anything at the address you entered."

I've attached the last known add-on.

comment:74 Changed 5 months ago by cypherpunks

According to the developer, the add-on was taken down by these 2 people:

Make it to https://www.reddit.com/r/firefox I'm sure you can come to some resolution by making some noise. (But don't engage in conspiracy-mindedness)

comment:75 Changed 5 months ago by cypherpunks

Update:
And this person, who removed last 1.0.14.1 after few minutes.
Mozilla is controlled by idiots.

Philipp Kewisch
https://addons.mozilla.org/en-US/firefox/user/kewisch/
https://twitter.com/pkewisch/
https://kewisch.wordpress.com/

comment:76 Changed 4 months ago by cypherpunks

and anyone else listening in on the Internet, can see every site you visit and every app you use
We think that’s gross.

Cloudflare is trolling. Stop trusting them!

https://via.hypothes.is/https://1.1.1.1

Cloudflare start using 1.1.1.1 which is a default value of Cisco network electronics.
Cloudflare is a liar. If you don't pay it, you are their product.

Tell your friends!

comment:78 Changed 4 months ago by cypherpunks

Searxes is flagging Cloudflare websites for now

comment:80 in reply to:  79 Changed 4 months ago by cypherpunks

Replying to 4chanuser:

https://boards.4chan.org/g/thread/65641909/and-this-is-why-4chan-https-doesnt-matter

:)

Who cares about some useless pointless image sharing "board" website anyway.

comment:81 Changed 3 months ago by cypherpunks

Resolution: user disappeared
Status: reopened → closed

Piece of shit ticket and useless add-on. Nullius is dead

comment:82 Changed 3 months ago by cypherpunks

Resolution: user disappeared
Status: closed → reopened