From 473549788bc282b8121d1819134a3e5860a1b10d Mon Sep 17 00:00:00 2001 From: anonymous Date: Sun, 17 Feb 2019 20:01:19 -0500 Subject: [PATCH] thought I committed this earlier --- NEWS.md | 19 +++++++++++++++++++ article.txt | 41 ++++++++++++++++++++++++++++------------ cloudflare-philosophy.md | 12 ++++++++++-- split/cloudflare_p.txt | 1 + 4 files changed, 59 insertions(+), 14 deletions(-) diff --git a/NEWS.md b/NEWS.md index 4d6d4e0..fd91678 100644 --- a/NEWS.md +++ b/NEWS.md @@ -1,3 +1,22 @@ +*2019.02.08* + +* well written post, along with some causes for action in privacytools.io + +https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460077544 + +* another privacytools.io thread + +https://github.com/privacytoolsIO/privacytools.io/issues/711 + +* Cryptome on CF's ability to deanonymize (2016) + +https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm + +* bug report issued in wire webapp + +https://github.com/wireapp/wire-webapp/issues/5716 + + *2019.02.01* * The global internet is rotting from within, and diff --git a/article.txt b/article.txt index e2b17a0..9000f42 100644 --- a/article.txt +++ b/article.txt @@ -4,8 +4,6 @@ Audience: General, people who stumble upon gnu.org 755 words rahisibhasha stab at french -Website. - ######################################### 大きい云墙 @@ -21,8 +19,7 @@ The Great Cloudwall by Jeff Cliff *There is a reason that none of your favourite work intermittently on tor since -early 2016[15]. That reason has lead to the discovery of a threat to the operation -of the world wide web itself.* +early 2016[15]. That reason has lead to the discovery of a threat to the operation of the world wide web itself.* Prerequisites: The Javascript Trap[47], understanding that Google is not to be trusted[45][46], "Trusted Third Parties are Security Holes" - Nick Szabo[44][48] 
@@ -30,11 +27,16 @@ Cloudflare is a service for turing tests its users users, which means that it frustrates attempts by users of its users to develop software to interact with their websites[3]. This might seem strange at first - why would you need a program to access a web resource? But there's many things that work on the -web like this, including RSS and podcasts which are completley broken by a +web like this, including RSS, podcasts, and antivirus definitions[57][58] which are completley broken by a CAPTCHA appearing mid stream[11]. "We humans don't make HTTP requests, our machines to do it for us." makes clear what is really being tested here - whether or not you have the *right* software stack in between you and -cloudflare. {{expand}} +cloudflare. + +This is not a hypothetical: Cloudflare is currently attempting to dictate +which web browsers users of websites under cloudflare may use[60]. + +{{expand}} Your right to use Free Software in this stack is at risk, and could disappear at any moment. 
@@ -72,7 +74,7 @@ More important, though is it starts to form a ratchet for web browser technology "When you fetch a page from a website that is served from CloudFlare, Javascript has been injected on-the-fly into that page by CloudFlare. and they also plant a cookie that brands your browser with a globally-unique ID. ID. This happens even if the website is using SSL and shows a cute little padlock in your browser" [10] - Cloudflare tracks you -Even if your web browsing traffic is protected from onlookers, cloudflare itself because they are a MiTM[14][31] can see your traffic[6]. And if Cloudflare has MITM'd you, then so has the NSA[33]. +Even if your web browsing traffic is protected from onlookers, cloudflare itself because they are a MiTM[14][31] can see your traffic[6]. And if Cloudflare[53] has MITM'd you, then so has the NSA[33]. "If a site uses Cloudflare, then the browser lock icon is a false promise."[14] "The short version, a rhetorical question: Would you trust a key escrow régime, in which an “authorized” entity was entrusted with the potential to decrypt all communications at will? If not, why would you trust a de facto mass decryption chokepoint at which many communications are actually decrypted?"[34] in other words @@ -153,7 +155,7 @@ to track online fraud and abuse. The US Department of Homeland Security approached the developers in 2007-8[1][36] for access to their data, and they have -been working with the US government and law enforcement ever since[1]. +been working with the US government[54] and law enforcement ever since[1]. on HTTP GET requests: Cloudflare has a history of shutting down open DNS and open NTP servers. 
@@ -177,14 +179,16 @@ actually resolving the issue[29][30][32] - The more of the web is held within cloudflare the more pressure will be on websites not behind cloudflare - As of 2016, by cloudflare's own data tor was not as bad as normal internet connections. -- "But we need Cloudflare to protect from DDoS.” Hey, that’s a nice site you have there. It would be a shame, such a shame, if anything happened to it. Why don’t you let us decrypt all your TLS sessions, so we can protect you?"[14] +- "But we need Cloudflare to protect from DDoS.” Hey, that’s a nice site you have there. It would be a shame, such a shame, if anything happened to it. Why don’t you let us decrypt all your TLS sessions[59], so we can protect you?"[14] *I heard Cloudflare is working with tor and all is good now?* - just because you can't see the problem doesn't mean it's not there anymore. + - This is not true. Their websites still CAPTCHA their users, same as ever, and news agencies across the political spectrum screwed up stories about how the 'problem is fixed'[18] -- it's actually worse, though[17] that we can't see it - it was easy to get a + +- it's actually worse, though[17] if we couldn't see it[60] - it was easy to get a lot of riled up tor users to understand that cloudflare was their adversary. it's a lot harder to convince people who are not blocked from their websites, today, why giving systematic control over the world wide web might be a bad thing tomorrow. 
@@ -194,6 +198,11 @@ today, why giving systematic control over the world wide web might be a bad thin - But they are now doing more to track users and threaten the anonymity of the users of the tor network. +- Cloudflare is one of a couple of large network providers that are capturing +the vast majority of digital communications, effectively creating private +networks the size of the modern internet that are competitive with and not +subject to the same kinds of scrutiny and regulation as the internet[58]. + * What if we shut down cloudflare and migrate all websites out of them?* We're probably going to have the same problem with another company, very soon. @@ -202,6 +211,8 @@ get rid of the problem of proprietary software, there's a couple of problems that if we don't solve them, something like Cloudflare is roughly inevitable as a consequence: +*Cloudflare DNS* + "DNS[50] is around, servers are insecure, proper end-to-end crypto isn't the norm hence MITM goes unnoticed, anonymity is an edge case, routing lacks built-in resiliency to disruption, we're always going to have actors building a bus.ness model around cobbling together superficial, overapproximating mitigations."[20] *Mozilla and Cloudflare* 
@@ -263,5 +274,11 @@ Learn more about cloudflare, and make sure the people around you know about clou [50] https://www.quora.com/How-likely-is-it-that-CloudFlare-is-an-NSA-operation/answer/Hamid-Sarfraz [51] https://medium.com/@karthikb351/airtel-is-sniffing-and-censoring-cloudflares-traffic-in-india-and-they-don-t-even-know-it-90935f7f6d98 [52] http://pleroma.oniichanylo2tsi4.onion/notice/1563 - - +[53] https://github.com/mozilla-mobile/focus-android/issues/1743#issuecomment-351555735 +[54] https://lists.torproject.org/pipermail/tor-talk/2018-January/043889.html +[55] https://www.eff.org/document/crypto-wars +[56] http://forums.clamwin.com/viewtopic.php?t=4915 +[57] http://lists.clamav.net/pipermail/clamav-users/2018-November/thread.html +[58] https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20181218/Documents/Geoff_Huston_Presentation.pdf +[59] https://github.com/ghacksuserjs/ghacks-user.js/issues/310#issuecomment-351913412 +[60] https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460413259 diff --git a/cloudflare-philosophy.md b/cloudflare-philosophy.md index 5725df0..896f263 100644 --- a/cloudflare-philosophy.md +++ b/cloudflare-philosophy.md @@ -198,7 +198,15 @@ in a way that’s friendly to the marketing industry " http://exiledonline.com/isucker-big-brother-internet-culture/ -20) Followup / Further research: +20) + +How, technically, does Cloudflare deanonymize tor users? + +https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm +https://trac.torproject.org/projects/tor/ticket/18361#comment:147 + + +21) Followup / Further research: See also https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor 
@@ -222,7 +230,7 @@ https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block https://support.cloudflare.com/hc/en-us/articles/200170056-What-is-CloudFlare-s-Babysic-Security-Level- https://support.cloudflare.com/hc/en-us/articles/200170116-What-do-the-Threat-Scores-mean- -21) Sources +22) Sources [1] http://themusicgod1.deviantart.com/art/the-great-cloudwall-1-595382698 diff --git a/split/cloudflare_p.txt b/split/cloudflare_p.txt index 990001b..79e749a 100644 --- a/split/cloudflare_p.txt +++ b/split/cloudflare_p.txt @@ -57642,6 +57642,7 @@ privacystudio.eu privacytax.com privacy-tools.com privacytools.com +privacyTools.io privacytools.io privacytools.org privacywanted.com
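Review bot: In article.txt, hunk @@ -30,11 +27,16 @@, the new citation in "antivirus definitions[57][58]" looks off by one. The reference hunk defines [58] as the ITU presentation by Geoff Huston, while the ClamWin forum thread is [56] and is not cited by any added line. If the ClamWin and ClamAV links are the intended sources, this should read "antivirus definitions[56][57]". The same added line carries over the typo "completley"; since the line is being rewritten anyway, fix it to "completely" here.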
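Review bot: In article.txt, hunk @@ -177,14 +179,16 @@, the marker [59] is inserted inside the quotation that closes with [14] ("decrypt all your TLS sessions[59], so we can protect you?"), which reads as if the quoted source itself carried that reference. Move [59] outside the closing quote, next to [14]. In the same hunk, changing "that we can't see it" to "if we couldn't see it" turns the bullet into a hypothetical while the rest of the sentence still talks about people who are not blocked today; please confirm that wording is intended.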
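Review bot: In article.txt, hunk @@ -202,6 +211,8 @@, the new "*Cloudflare DNS*" heading lands between the lead-in that ends "as a consequence:" and the quotation it introduces, so the colon now points at a heading instead of the quote. The quotation also covers more than DNS (insecure servers, end-to-end crypto, anonymity, routing), so the heading undersells it. Drop the heading, or move it so the lead-in sentence stays directly attached to the quote.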
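Review bot: In article.txt, hunk @@ -263,5 +274,11 @@, reference [55] (eff.org/document/crypto-wars) is added to the list but none of the added lines in this patch cites it. Add the citation where it belongs in the text, or leave the entry out until it is used, so the numbered list stays in step with the body.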
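Review bot: In cloudflare-philosophy.md, hunk @@ -198,7 +198,15 @@, the new section puts "20)" alone on a line with its title two lines below, whereas the renumbered "21) Followup / Further research:" and "22) Sources" keep the title on the same line as the number. Write it as "20) How, technically, does Cloudflare deanonymize tor users?" to match. Because the later sections shift by one, any reference to them by number elsewhere in the file needs the same update.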
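Review bot: In split/cloudflare_p.txt, hunk @@ -57642,6 +57642,7 @@, the added "privacyTools.io" differs from the existing next line "privacytools.io" only by letter case. Domain names are case-insensitive, so this is a duplicate entry, and it is the only mixed-case line among the visible neighbours. Drop it.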