Opened 9 months ago

Closed 4 months ago

Last modified 4 months ago

#24816 closed task (not a bug)

gk and yawning closing "Tor Browser is not your privacy browser, Non-goal: PRIVACY" ticket

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: #18361 Points:
Reviewer: Sponsor:

Description

Many people still don't understand why Cloudflare is a MITM point. They clearly didn't read all data.

https://www.torproject.org/projects/torbrowser/design/

Tor people, do you think #24351 is unnecessary to you? Do you accept MITM and refuse to fix padlock incorrect information?

Child Tickets

Change History (34)

comment:1 Changed 9 months ago by cypherpunks

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team
Severity: NormalMajor
Type: defecttask

comment:2 Changed 9 months ago by cypherpunks

Why are you firing single shots at Cloudflare only? Do you want to block *ALL* MiTMing CDNs as well? What impact would that have at usability?

Also, if this is as serious as you're making it look like, why aren't you dealing with this upstream? Where's the bugzilla report?

comment:3 Changed 9 months ago by cypherpunks

Replying to cypherpunks:

You must be cloudflare zoey! You've learned how to use cypherpunk multi-user account! Congrats!!

Why aren't you searching an issue before writing an useless comment to this ticket?
Here you go, lazy kid. Next time, do some research.

https://bugzilla.mozilla.org/show_bug.cgi?id=1426618

Last edited 9 months ago by cypherpunks (previous) (diff)

comment:4 in reply to:  3 ; Changed 9 months ago by cypherpunks

Replying to cypherpunks:

https://bugzilla.mozilla.org/show_bug.cgi?id=1426618

RESOLVED WONTFIX, but yeah, I support your initiative even if I don't think there's a chance that Mozilla will listen...

comment:5 in reply to:  4 ; Changed 9 months ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

https://bugzilla.mozilla.org/show_bug.cgi?id=1426618

RESOLVED WONTFIX, but yeah, I support your initiative even if I don't think there's a chance that Mozilla will listen...

Only David Keeler is replying to this report. Other Mozilla employee didn't answer to this at this moment. He clearly closed this report without reading anything.

comment:6 in reply to:  5 ; Changed 9 months ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

Replying to cypherpunks:

https://bugzilla.mozilla.org/show_bug.cgi?id=1426618

RESOLVED WONTFIX, but yeah, I support your initiative even if I don't think there's a chance that Mozilla will listen...

Only David Keeler is replying to this report. Other Mozilla employee didn't answer to this at this moment. He clearly closed this report without reading anything.

Your wording wasn't clear on that you sought to only suggest an option for labeling as insecure Cloudflare traffic that has been tempered and not their full-SSL offers.

comment:7 Changed 9 months ago by cypherpunks

LOL if I go to https://kproxy.com to visit https://github.com, should the browser inform me that my connection is insecure because kproxy is essentially MiTM? Of course not! So why should it do exactly that for sites behind kproxy, uh, I mean Cloudflare?

comment:8 Changed 9 months ago by cypherpunks

Also, in Tor Browser context, this penalizes HTTPS websites (even if they're behind Cloudflare and don't have Cloudflare's full SSL(TM) support) and puts them in the same rank as HTTP ones, which is--to say the least--unfair (the first one is at least resilient to exit node plaintext sniffing whereas the second isn't).

Last edited 9 months ago by cypherpunks (previous) (diff)

comment:9 in reply to:  7 Changed 9 months ago by cypherpunks

Replying to cypherpunks:

LOL if I go to https://kproxy.com to visit https://github.com, should the browser inform me that my connection is insecure because kproxy is essentially MiTM? Of course not! So why should it do exactly that for sites behind kproxy, uh, I mean Cloudflare?

You do realize you're connecting to KPROXY.COM right? Going beyond that isn't MITM because you do know your destination server is KPROXY.COM.

You ============ KPROXY.COM

The problem is Cloudflare websites. You never notice you are connecting to Cloudflare.

Expected result:
You ============ WTF.COM

Actual result:
You =====CF:)=== WTF.COM

comment:10 in reply to:  6 Changed 9 months ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

Replying to cypherpunks:

Replying to cypherpunks:

https://bugzilla.mozilla.org/show_bug.cgi?id=1426618

RESOLVED WONTFIX, but yeah, I support your initiative even if I don't think there's a chance that Mozilla will listen...

Only David Keeler is replying to this report. Other Mozilla employee didn't answer to this at this moment. He clearly closed this report without reading anything.

Your wording wasn't clear on that you sought to only suggest an option for labeling as insecure Cloudflare traffic that has been tempered and not their full-SSL offers.

I didn't write that. Besides I never create an account on Mozilla because I hate it after Looking Glass incident. Why don't you write it to bugzilla yourself?

comment:11 in reply to:  8 ; Changed 9 months ago by cypherpunks

Replying to cypherpunks:

Also, in Tor Browser context, this penalizes HTTPS websites (even if they're behind Cloudflare and don't have Cloudflare's full SSL(TM) support) and puts them in the same rank as HTTP ones, which is--to say the least--unfair (the first one is at least resilient to exit node plaintext sniffing whereas the second isn't).

CLoudflare *is* exit node. Not unfair because Tor node and coudflare can read your data

comment:12 in reply to:  11 ; Changed 9 months ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

LOL if I go to https://kproxy.com to visit https://github.com, should the browser inform me that my connection is insecure because kproxy is essentially MiTM? Of course not! So why should it do exactly that for sites behind kproxy, uh, I mean Cloudflare?

You do realize you're connecting to KPROXY.COM right? Going beyond that isn't MITM because you do know your destination server is KPROXY.COM.

You ============ KPROXY.COM

The problem is Cloudflare websites. You never notice you are connecting to Cloudflare.

Expected result:
You ============ WTF.COM

Actual result:
You =====CF:)=== WTF.COM

In both cases, I, the IT specialist, can realize that KPROXY.com and CF (by looking at the headers with Ctrl+Shift+Q) are MiTM, but what about my grandma? You seem to be treating all FF and TB users are some non-nuanced populace.

Replying to cypherpunks:

Replying to cypherpunks:

Also, in Tor Browser context, this penalizes HTTPS websites (even if they're behind Cloudflare and don't have Cloudflare's full SSL(TM) support) and puts them in the same rank as HTTP ones, which is--to say the least--unfair (the first one is at least resilient to exit node plaintext sniffing whereas the second isn't).

CLoudflare *is* exit node. Not unfair because Tor node and coudflare can read your data

This is just wrong, the Tor node won't look at your traffic which is great since in the past it would've been able to just do that, thank you Cloudflare and eastdakota for protecting Tor users!

comment:13 Changed 9 months ago by cypherpunks

thank you Cloudflare and eastdakota for protecting Tor users!

Are you joking? They hate Tor users.
https://blog.cloudflare.com/the-trouble-with-tor/

comment:14 in reply to:  12 ; Changed 9 months ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

Replying to cypherpunks:

LOL if I go to https://kproxy.com to visit https://github.com, should the browser

CLoudflare *is* exit node. Not unfair because Tor node and coudflare can read your data

This is just wrong, the Tor node won't look at your traffic which is great since in the past it would've been able to just do that, thank you Cloudflare and eastdakota for protecting Tor users!

This is just wrong, Cloudflare look at your traffic, just like bad Tor exits which running sslstrip or proxy.

comment:15 in reply to:  14 Changed 9 months ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

Replying to cypherpunks:

Replying to cypherpunks:

LOL if I go to https://kproxy.com to visit https://github.com, should the browser

CLoudflare *is* exit node. Not unfair because Tor node and coudflare can read your data

This is just wrong, the Tor node won't look at your traffic which is great since in the past it would've been able to just do that, thank you Cloudflare and eastdakota for protecting Tor users!

This is just wrong, Cloudflare look at your traffic, just like bad Tor exits which running sslstrip or proxy.

So you have statement T_1: "With Cloudflare basic SSL a Tor exit wont look at your plaintext traffic" and statement T_2: "Cloudflare may look at your traffic with basic SSL", do you realize that T_2 has no epistemological bearing on statement T_1?

comment:16 Changed 9 months ago by cypherpunks

Cloudflare is a MITM point

So is the Tor network.
That's the point.

[users] clearly didn't read all data

They cannot be expected to.
The interface should be self-instructing.
The interface should educate users on the functionality the Tor network.
It does neither of these things.
This is by design.

Last edited 9 months ago by cypherpunks (previous) (diff)

comment:17 Changed 9 months ago by cypherpunks

Resolution: duplicate
Status: newclosed

garbage ticket

comment:18 Changed 9 months ago by cypherpunks

Parent ID: #24351

comment:19 Changed 9 months ago by stupidregistration

Parent ID: #18361
Resolution: duplicate
Status: closedreopened

Interesting. Class, keep discuss.

(I didn't know this ticket until I read this in mailing list)
https://lists.torproject.org/pipermail/tor-talk/2018-January/043892.html

comment:20 Changed 9 months ago by stupidregistration

IMO cypherpunks 14 and cypherpunks 15 are both wrong. Cloudflare is a free service. Website owner use their service in exchange of visitor's information. U.S. government asked Cloudflare to share their data in the past.

So MiTM? Yes. Not MiTM? Yes. Cloudflare is just a insecure reverse nginx proxy.

comment:21 Changed 9 months ago by cypherpunks

Reminder than Comment:16, posted by cypherpunks, was edited by "cypherpunks" to remove speech.
It used to read:

Tor is a honeypot for peedos and snitches.
Tor is used to drone niggers.

I will add to this list:
Tor is a gommunist tool of control.
From the time-sync, to the interface, to the controller, it has been designed to regulate how people access the internet and share information.

comment:22 Changed 9 months ago by cypherpunks

Resolution: duplicate
Status: reopenedclosed

We already have #18361 and #24321. Closing this as duplicate.

comment:23 Changed 8 months ago by gk

To all of you who feel the urge to reopen this bug again, please resist and keep this bug closed, thanks.

comment:24 Changed 8 months ago by cypherpunks

Resolution: duplicate
Status: closedreopened

As I wrote in the mailing list, Tor is a trap.

comment:25 Changed 8 months ago by cypherpunks

Resolution: duplicate
Status: reopenedclosed

comment:26 Changed 8 months ago by cypherpunks

Resolution: duplicate
Status: closedreopened

Duplicate of what?

comment:27 Changed 8 months ago by cypherpunks

Resolution: duplicate
Status: reopenedclosed

We already have #18361 and #24321. Closing this as duplicate.

comment:28 Changed 8 months ago by gk

cypherpunks: as I said in comment:23 stop reopening this ticket.

comment:29 Changed 8 months ago by yawning

Closed #24893 as a duplicate.

comment:30 Changed 8 months ago by cypherpunks

Resolution: duplicate
Status: closedreopened
Summary: Tor Browser is not your privacy browser, Non-goal: PRIVACYgk and yawning closing "Tor Browser is not your privacy browser, Non-goal: PRIVACY" ticket

Not duplicate

comment:31 Changed 4 months ago by cypherpunks

Resolution: invalid
Status: reopenedclosed

comment:32 Changed 4 months ago by cypherpunks

Resolution: invalid
Status: closedreopened

comment:33 in reply to:  23 Changed 4 months ago by gk

Resolution: not a bug
Status: reopenedclosed

Replying to gk:

To all of you who feel the urge to reopen this bug again, please resist and keep this bug closed, thanks.

That's the third time I am saying this, leave this ticket closed. "gk and yawning closing "Tor Browser is not your privacy browser, Non-goal: PRIVACY" ticket" is not a bug.

comment:34 Changed 4 months ago by cypherpunks

Can one lock a thread in trac? Or better just tell qbi to delete this ridiculous slanderous ticket.

Note: See TracTickets for help on using tickets.