Merge branch 'master' of http://notabug.org/themusicgod1/cloudflare-tor

NEWS.md

@@ -6,6 +6,40 @@ It's pretty bad as half the internet is behind Cloudflare."
 
 https://twitter.com/Skyfusion89/status/1101596592426151937
 
+*2019.02.27*
+
+* Cloudflare XSS bypass
+https://twitter.com/ameenmaali/status/1100536056372490241
+
+*2019.02.26*
+
+Take a look at Cloudflare's transparency report, "Some things we have never done" section.
+
+```
+Cloudflare has never terminated a customer or taken down content due to political pressure.*
+```
+
+If you're using SumatraPDF, you won't notice * is a link to https://www.cloudflare.com/cloudflare-criticism/ .
+Apparently they've terminated a political account.
+Do you think it's okay to make a false statement and hide a link to tiny asterisk?
+
+https://twitter.com/mattskala/status/1100479615389159424
+https://mstdn.io/@mattskala/101660051818948847
+
+*2019.02.24*
+
+```
+"Sites that respect their visitors do not resort to Cloudflare."
+"In some cases, for particular countries, having all traffic visible
+to the U.S.A can be a matter of life and death."
+```
+http://techrights.org/2019/02/17/the-cloudflare-trap/
+
+*2019.02.21*
+
+* CF defaults to HTTP connections for its customers
+https://g0v.social/@sheogorath/101404226960335320
+
 *2019.02.14*
 
 * "New Ranking Factor: MITMed or not"
@@ -14,19 +48,15 @@ https://searxes.danwin1210.me/
 *2019.02.08*
 
 * well written post, along with some causes for action in privacytools.io
-
 https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460077544
 
 * another privacytools.io thread
-
 https://github.com/privacytoolsIO/privacytools.io/issues/711
 
 * Cryptome on CF's ability to deanonymize (2016)
-
 https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm
 
 * bug report issued in wire webapp
-
 https://github.com/wireapp/wire-webapp/issues/5716
 
 *2019.02.01*

README.md

@@ -1,24 +1,47 @@
 # The Great Cloudwall
 
-"The Great Cloudwall" is [CloudFlare](https://www.cloudflare.com/), a world's largest MITM proxy.
+"The Great Cloudwall" is [CloudFlare](https://www.cloudflare.com/), the world's [largest](https://w3techs.com/technologies/history_overview/proxy) MITM proxy([reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy)).
+
 ![](image/cloudflaredearuser.png)
 
-It is called this in reference to the [Great Firewall of China](http://www.greatfirewallofchina.org/) which does a comparable job of filtering out *some* people from seeing web content(ie everyone in mainland china and some people outside) while at the same time those not affected to see a dratically different web, a web free of censorship of such images as ["tank man"](https://en.wikipedia.org/wiki/Tank_Man).
+It is called this in reference to the [Great Firewall of China](https://www.comparitech.com/privacy-security-tools/blockedinchina/) which does a comparable job of filtering out *some* people from seeing web content(ie everyone in mainland china and some people outside) while at the same time those not affected to see a dratically different web, a web free of censorship of such images as ["tank man"](https://en.wikipedia.org/wiki/Tank_Man).
 
-Cloudflare similarly prevents those in southeast asia and elsewhere who have poor internet connectivity from accessing the websites behind it(for example, they could be behind 7+ layers of NAT) unless they solve multiple image CAPTCHAs.
+![](image/onemorestep.jpg)
+
+Cloudflare similarly prevents those in southeast asia and elsewhere who have poor internet connectivity from accessing the websites behind it(for example, they could be behind 7+ layers of NAT) unless they solve multiple image CAPTCHAs. Cloudflare also has a massive [harassment problem](https://web.archive.org/web/20171024040313/http://www.businessinsider.com/cloudflare-ceo-suggests-people-who-report-online-abuse-use-fake-names-2017-5). [Tor users](https://www.torproject.org/) and [VPN users](https://airvpn.org/topic/23090-cloudflare-often-bans-my-ip-address/) are a victim.
+
+![](image/banvpn.jpg)
 
 This repository is a list of websites that are behind The Great Cloudwall, and also actively blocking Tor users.
 
-* [Domains using Cloudflare](splits/)
+
+List
+* [Domains using Cloudflare](split/)
 * [Non-Cloudflare but filtering/blocking tor users](https://notabug.org/themusicgod1/non-cloudflare-tor-hostile)
 
+Information
+* [Padlock icon indicates a secure SSL connection established w MitM-ed](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831835)
+* [Block Global Active Adversary Cloudflare](https://trac.torproject.org/projects/tor/ticket/24351)
+* [Problem with CloudFlare](https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460077544)
+
+
 There are more details of why what they are doing is wrong available [here](cloudflare-philosophy.md).
 Also see [Frequently Asked Questions](faq.md).
 
+
+![What did YOU do to stop CF?](image/stopcf.jpg)
+
 # What can you do?
 
-* See [our list of recommended actions](what-to-do.md)
-* Update the list: [List instructions](instructions.md)
+* Read [our list of recommended actions](what-to-do.md) and share it with your friends
+* Update the Cloudflare domain list: [List instructions](instructions.md)
+* Add WTF-Cloudflare news to [NEWS.md](NEWS.md)
+* Search something on [Searxes Tor](http://searxes.nmqnkngye4ct7bgss4bmv5ca3wpa55yugvxen5kz2bbq67lwy6ps54yd.onion/) or [clearnet](https://searxes.danwin1210.me/) (this will help collecting Searxes' "MITM domains")
+* Take a look at [add-on code](ismitmlink/) (how to use "MITM test API")
+* Subscribe to an ![](image/feed.png) RSS feed: "[The Great Cloudwall News](https://searxes.danwin1210.me/collab/open/getrss.php?q=tmg1news)" or follow ![](image/mstdn.jpg) [crimeflare@botsin.space](https://botsin.space/@crimeflare)
+
+
+![WTF](image/wtfcf.jpg)
 
 There are other lists, but this one is one where every entry on the list a human being has actually tried
 to go to, and has been blocked.
@@ -28,7 +51,7 @@ Human is not a robot.
 * [Sites using cloudflare](https://github.com/pirate/sites-using-cloudflare) by pirate
 
 WARNING:
-Github.com is hostile to Tor users. If you create an account on Github via Tor, your account will be automatically
+Github.com is very hostile to Tor users. If you create an account on Github via Tor, your account will be automatically
 flagged for spam and will be deleted. See "List of services blocking Tor" for details.
 
 # Who uses this list?

bcma/README.md

@@ -0,0 +1,5 @@
+This is a source code of BCMA's "*Block Cloudflare MITM Attack*".
+
+PRs are welcome.
+
+AMO: https://addons.mozilla.org/en-US/firefox/addon/bcma/

cloudflare_owned_NS.txt

@@ -0,0 +1,56 @@
+abby.ns.cloudflare.com
+adrian.ns.cloudflare.com
+albert.ns.cloudflare.com
+alex.ns.cloudflare.com
+alla.ns.cloudflare.com
+amber.ns.cloudflare.com
+amy.ns.cloudflare.com
+andy.ns.cloudflare.com
+anna.ns.cloudflare.com
+art.ns.cloudflare.com
+athena.ns.cloudflare.com
+austin.ns.cloudflare.com
+ben.ns.cloudflare.com
+bob.ns.cloudflare.com
+chan.ns.cloudflare.com
+cody.ns.cloudflare.com
+darwin.ns.cloudflare.com
+dee.ns.cloudflare.com
+dina.ns.cloudflare.com
+drew.ns.cloudflare.com
+ed.ns.cloudflare.com
+elinore.ns.cloudflare.com
+emma.ns.cloudflare.com
+foo.ns.cloudflare.com
+fred.ns.cloudflare.com
+gail.ns.cloudflare.com
+glen.ns.cloudflare.com
+guy.ns.cloudflare.com
+ian.ns.cloudflare.com
+igor.ns.cloudflare.com
+jeff.ns.cloudflare.com
+jerry.ns.cloudflare.com
+jill.ns.cloudflare.com
+jim.ns.cloudflare.com
+josh.ns.cloudflare.com
+kate.ns.cloudflare.com
+kip.ns.cloudflare.com
+leah.ns.cloudflare.com
+lee.ns.cloudflare.com
+leia.ns.cloudflare.com
+lex.ns.cloudflare.com
+matt.ns.cloudflare.com
+melinda.ns.cloudflare.com
+nina.ns.cloudflare.com
+norm.ns.cloudflare.com
+pam.ns.cloudflare.com
+paul.ns.cloudflare.com
+pete.ns.cloudflare.com
+rick.ns.cloudflare.com
+rob.ns.cloudflare.com
+rose.ns.cloudflare.com
+seth.ns.cloudflare.com
+sofia.ns.cloudflare.com
+terin.ns.cloudflare.com
+theo.ns.cloudflare.com
+zoe.ns.cloudflare.com

instructions.md

@@ -1,16 +1,19 @@
-## Instructions for pull requests
+# Instructions
+--------------
 
+## Website is using Cloudflare
 
 | List name | Description |
 | -------- | -------- |
-| cloudflare_CIDR_v4.txt     | Cloudflare IP Range (IPv4)     |
-| cloudflare_CIDR_v6.txt     | Cloudflare IP Range (IPv6)     |
-| cloudflare_domains.txt     | The list of cloudflare-proxied domains (without cloudflare_owned_domains)     |
-| /split/cloudflare(X).txt     | split files     |
+| /split/cloudflare(X).txt     | Split files (base domain)     |
+| ex_cloudflare_users.txt     | Domains which used Cloudflare in the past, not anymore     |
+| cloudflare_CIDR_v4.txt     | IPv4 CIDR owned by Cloudflare     |
+| cloudflare_CIDR_v6.txt     | IPv6 CIDR owned by Cloudflare     |
+| cloudflare_range_v4.txt | IPv4 range owned by Cloudflare |
+| cloudflare_owned_ASN.txt     | AS network owned by Cloudflare    |
+| cloudflare_owned_NS.txt     | Name Server owned by Cloudflare    |
 | cloudflare_owned_domains.txt     | Domains owned by Cloudflare     |
 | cloudflare_owned_onions.txt     | Tor .onions owned by Cloudflare     |
-| cloudflare_owned_ASN.txt     | AS network owned by Cloudflare    |
-| ex_cloudflare_users.txt     | Domains which used Cloudflare in the past, not any more     |
 
 
 1) How to detect Cloudflare
@@ -20,69 +23,35 @@
 
 2) How to add your data
 
-1. Log in to notabug.org.
-2. Click "Fork" button. (top-left corner)
+1. Log in to *notabug.org*.
+2. Click "*Fork*" button. (top-left corner)
 3. Edit text file.
-4. Click Double-arrow button to create a new pull request.
-
-
-
-*( below could use some rewrite )*
+4. Click *Double-arrow* button to create a *new pull request*.
 
 ```
+IMPORTANT: Please add only "Base Domain"
 
-2) Some sites use custom page CloudFlare unit.
-The only way to detect it is to find CloudFlare JavaScript, or Ray ID as a CAPTCHA in its source code.
+    if "community.example.com" is using Cloudflare
+        add "example.com"
 
+    if "www.example.co.uk" is using Cloudflare
+        add "example.co.uk"
 
-3) Some websites use other companies with the CloudFlare business model
-
-add them to [non-cloudflare-list](https://notabug.org/themusicgod1/non-cloudflare-tor-hostile) ( formerly TorBlocker Hall of Shame Part I)
-
-This is a collection of websites that ban Tor exits, other than through Cloudflare (e.g. showing access denied pages, systematic timing out connections, ...).
-
-(See #6 for format)
-
-
-4) Find a website that has been removed from Cloudflare(possibly due to our
-protest?)  Remove it from the list it is on and add it to ex-cloudflare-tor.txt
-
-However!  Please sample different exits before doing this.  It might have
-merely whitelisted a single exit node.  ( It is slightly more difficult to
-control which exit you use - if there are tickets in bug trackers to
-enable making this easier please mention them here )
-
-(See #6 for format)
-
-5) Find a website that outright blocks tor users and is confirmed Cloudflare?
-
-Add to cloudflare-tor-hostile-list.txt
-
-(See #6 for format)
-
-
-6) List format:
-
-(A domain should only ever be on one of the lists on this project.  If you find
-it on two, please help keep list accurate by removing it from one of the two
-lists.)
-
-   {base domain} [<- elegant comment (s) ] [ tags ] 
- 
-Tags:
-
-( helpful to group sites, if we assume that this project is aimed to the black list to make any actions that get results. 
-For example, free software projects w / ClownFucked web pages can be viewed similarly by "anti-function" tags on various free software directories )
-
-    * NEEDSREVIEWp = someone should review the comments/go to this website and report back to us
-
-    * FLOSSp = free libre software project with open source
-
-    * CFA(action) = action is one of "boycott", "discouragedonations", "petition", "legalaction" followed by a URL if possible
-
-    * INSTANTp = service denial is instant/deferred
- 
-    * COMMERCIALp(type) = type is one of "true", "false"
-
+    if "example.net" is using Cloudflare
+        add "example.net"
 
+... to /split/cloudflare_e.txt
 ```
+
+3) If the website *no longer using Cloudflare*, *remove* it from /split/ list and *add* to "[ex_cloudflare_users.txt](https://notabug.org/themusicgod1/cloudflare-tor/src/master/ex_cloudflare_users.txt)".
+
+
+--------------
+
+## Website is NOT using Cloudflare (& blocking you)
+
+Some websites use other companies with the CloudFlare business model.
+
+Add them to [non-cloudflare-list](https://notabug.org/themusicgod1/non-cloudflare-tor-hostile/) (formerly "*TorBlocker Hall of Shame Part I*")
+
+This is a collection of websites that ban Tor exits, other than through Cloudflare(e.g. showing access denied pages, systematic timing out connections, ...).

ismitmlink/LICENSE.txt

@@ -1,9 +1,21 @@
-OSI Approved License Logo
+The MIT License
 
-Copyright 2019 Maslin Bossé
+Copyright (c) 2019 Maslin Bossé
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

ismitmlink/META-INF/manifest.mf

@@ -1,26 +0,0 @@
-Manifest-Version: 1.0
-
-Name: bg.js
-Digest-Algorithms: MD5 SHA1 SHA256
-MD5-Digest: OBQ4NPzmtRz7SkYLY2WMqA==
-SHA1-Digest: PYd/WXm+69bZUzZ5qmlDQao7wj0=
-SHA256-Digest: 1Vp9fbokr9to22h8zNbz8H3M9WIbEscVpvsUNgVdYlA=
-
-Name: cs.js
-Digest-Algorithms: MD5 SHA1 SHA256
-MD5-Digest: pehkupzmo2Ixdt7Q68HAPA==
-SHA1-Digest: s+CvdyHvxxa2rpcYdfU2vWTLOVc=
-SHA256-Digest: XHy7dueo5NAeaW3bJk1TAUKnPoqduHEJujbs0/AP//g=
-
-Name: manifest.json
-Digest-Algorithms: MD5 SHA1 SHA256
-MD5-Digest: v5awKiN/PL3zsCJSWElfGQ==
-SHA1-Digest: Bn8tbrcrML8tXh3Ol2DFIp3q1Hk=
-SHA256-Digest: +pPySnm5SraoO/eGR+8rl/YYJwX1UmofcBgDNNUGi2Q=
-
-Name: icons/32.png
-Digest-Algorithms: MD5 SHA1 SHA256
-MD5-Digest: 1TJN3KA5ktXGXU6E+e5Hdg==
-SHA1-Digest: YqHDBsNcYxB3WHZsVdoS5762NmY=
-SHA256-Digest: XlHfAMRaSBShv6gm2dLkSq91JBr3V1GK3tXJ578ef9s=
-

ismitmlink/META-INF/mozilla.sf

@@ -1,5 +0,0 @@
-Signature-Version: 1.0
-MD5-Digest-Manifest: fTcYSTNIMUsCDHgUA2ZP5Q==
-SHA1-Digest-Manifest: 0Rl4MIkrg3zYRWxdlfeD2+yM1gM=
-SHA256-Digest-Manifest: WxsHr+ZLaRbnGB6m5UdLXtIqhI/XC2SMzMhSbgLfq8s=
-

ismitmlink/README.md

@@ -0,0 +1,5 @@
+This is a source code of Maslin Bossé's "*Are links vulnerable to MITM?*".
+
+PRs are welcome.
+
+AMO: https://addons.mozilla.org/en-US/firefox/addon/are-links-vulnerable-to-mitm/

ismitmlink/bg.js

@@ -26,7 +26,7 @@ browser.runtime.onMessage.addListener((request, sender, sendResponse) => {
 	if (request && sender) {
 		if (mymemory[request] != undefined) {
 			let rlt = mymemory[request];
-			if (Object.keys(mymemory).length > 800) {
+			if (Object.keys(mymemory).length > 20000) {
 				let cnt = 1;
 				for (let t in mymemory) {
 					if (cnt > 10) {

ismitmlink/cs.js

@@ -1,5 +1,5 @@
 if (document.body) {
-	if (!['searxes.danwin1210.me', 'searxes.nmqnkngye4ct7bgss4bmv5ca3wpa55yugvxen5kz2bbq67lwy6ps54yd.onion'].includes(location.hostname)) {
+	if (!['searxes.danwin1210.me', 'searxes.nmqnkngye4ct7bgss4bmv5ca3wpa55yugvxen5kz2bbq67lwy6ps54yd.onion', 'searxes.cyb'].includes(location.hostname)) {
 		let cs = (function () {
 			let s = document.createElement('style');
 			document.head.appendChild(s);
@@ -7,8 +7,9 @@ if (document.body) {
 		})();
 		if (cs) {
 			cs.insertRule("a[data-mitm]{text-decoration-line:line-through !important;text-decoration-color:red !important;text-decoration-style:double !important}", 0);
+			cs.insertRule("a[data-mitm]::after{content:'[MITM!]';font-weight:bold}", 1);
 		}
-		let asked = [location.hostname, 'searxes.danwin1210.me'];
+		let asked = [location.hostname, 'searxes.danwin1210.me', 'searxes.nmqnkngye4ct7bgss4bmv5ca3wpa55yugvxen5kz2bbq67lwy6ps54yd.onion', 'searxes.cyb'];
 		document.querySelectorAll("a[href^='http://']:not([data-mitm]),a[href^='https://']:not([data-mitm]),a[href^='//']:not([data-mitm])").forEach(a => {
 			let aF = (new URL(a.href)).hostname;
 			if (!/^(.*)\.(onion|i2p|invalid|test|local|localhost|([0-9]{1,3}))$/.test(aF) && !asked.includes(aF)) {

ismitmlink/manifest.json

@@ -2,7 +2,7 @@
    "manifest_version": 2,
    "name": "Are links vulnerable to MITM attack?",
    "description": "Scan FQDN using Searxes' API",
-   "version": "1.0.1",
+   "version": "1.0.2",
    "author": "Maslin Bossé",
    "permissions": [],
    "icons": {

what-to-do.md

@@ -1,14 +1,64 @@
-##### What you can do to resist Cloudflare?
+# What you can do to resist Cloudflare?
 
+![](image/matthew_prince.jpg) < [Matthew Prince (@eastdakota)](https://twitter.com/eastdakota)
+
+"*I’d suggest this was armchair analysis by kids – it’s hard to take seriously.*" ([source](https://www.theguardian.com/technology/2015/nov/19/cloudflare-accused-by-anonymous-helping-isis))
+
+------------
 
 
 ######  Website consumer
 
 - If the website you like is using Cloudflare, tell them not to use Cloudflare.
 
-> You are just helping corporate censorship and mass surveillance.
-> 
-> https://trac.torproject.org/projects/tor/ticket/24351
+```
+"Ask and it will be given to you; seek and you will find; knock and the door will be opened to you."
+```
+
+If you don't ask for it, website owner never know this problem. Example below. [Successful example](https://counterpartytalk.org/t/turn-off-cloudflare-on-counterparty-co-plz/164/5). Raise your voice.
+
+```
+You are just helping corporate censorship and mass surveillance.
+https://trac.torproject.org/projects/tor/ticket/24351
+```
+
+```
+Your web page is in the privacy-abusing private walled-garden of CloudFlare.
+See https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460077544
+```
+
+- Take some time to read website's privacy policy. It must explain what the "Cloudflare" is, 
+and ask for permission to share your(user) data with CF. Failure to do so will result in the breach of trust 
+and the website in question should be avoided.
+
+An acceptable privacy policy example is [here](https://archive.is/bDlTz) (look at "Subprocessors" > "Entity Name")
+
+```
+I've read your privacy policy and I cannot find the word "Cloudflare".
+I refuse to share data with you if you continue to feed my data to Cloudflare.
+See https://notabug.org/themusicgod1/cloudflare-tor/src/master/README.md
+```
+
+For example, [Liberland Jobs](https://archive.is/daKIr) [privacy policy](https://docsend.com/view/feiwyte) says:
+
+![](image/cfwontobey.jpg)
+
+... is not going to happen.
+Cloudflare have their own "privacy policy", and there's no way to hear customer's privacy policy needs.
+Cloudflare [loves doxxing people](https://www.reddit.com/r/GamerGhazi/comments/2s64fe/be_wary_reporting_to_cloudflare/).
+
+Here's a good example for website's signup form.
+AFAIK, zero website do this. Will you trust them?
+
+```
+By clicking “Sign up for XYZ”, you agree to our terms of service and privacy statement.
+You also agree to share your data with Cloudflare and also agrees to cloudflare's privacy statement.
+If Cloudflare leak your information, it's not our fault. [*]
+
+[ Sign up for XYZ ] [ I disagree ]
+```
+[*] https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/
+
 
 - Try not to use their service. Remember you are being watched by Cloudflare.
 
@@ -16,23 +66,35 @@
 
 - If your browser is Firefox, use one of these add-ons.
 
-| Name | Can Block | Can Notify |
-| -------- | -------- | -------- |
-| [Block Cloudflare MITM Attack](https://addons.mozilla.org/en-US/firefox/addon/bcma/)     | **Yes**     | **Yes**     |
-| [Block Cloudflare MITM Attack](https://trac.torproject.org/projects/tor/attachment/ticket/24351/block_cloudflare_mitm_attack-1.0.14.1-an%2Bfx.xpi)     | **Yes**     | **Yes**     |
-| [Are links vulnerable to MITM?](https://addons.mozilla.org/en-US/firefox/addon/are-links-vulnerable-to-mitm/)     | No     | **Yes**     |
-| [Third-party Request Blocker (AMO)](https://addons.mozilla.org/en-US/firefox/addon/tprb/)     | **Yes**     | **Yes**     |
-| [Third-party Request Blocker](https://searxes.danwin1210.me/collab/___go.php?go=get_tprb0&prf=nab)     | **Yes**     | **Yes**     |
-| [Detect Cloudflare](https://addons.mozilla.org/en-US/firefox/addon/detect-cloudflare/)     | No     | **Yes**     |
+| Name | Developer | Support | Can Block | Can Notify |
+| -------- | -------- | -------- | -------- | -------- |
+| [Block Cloudflare MITM Attack](https://addons.mozilla.org/en-US/firefox/addon/bcma/) | Project BCMA | [Link](https://notabug.org/themusicgod1/cloudflare-tor/src/master/bcma) |**Yes**     | **Yes**     |
+| [Block Cloudflare MITM Attack](https://trac.torproject.org/projects/tor/attachment/ticket/24351/block_cloudflare_mitm_attack-1.0.14.1-an%2Bfx.xpi) | nullius | [Link](https://github.com/nym-zone/block_cloudflare_mitm_fx) | **Yes**     | **Yes**     |
+| [Are links vulnerable to MITM?](https://addons.mozilla.org/en-US/firefox/addon/are-links-vulnerable-to-mitm/) | Maslin Bossé | [Link](https://notabug.org/themusicgod1/cloudflare-tor/src/master/ismitmlink) | No     | **Yes**     |
+| [Third-party Request Blocker (AMO)](https://addons.mozilla.org/en-US/firefox/addon/tprb/) | Searxes #Addon | [Link](https://searxes.danwin1210.me/) | **Yes**     | **Yes**     |
+| [TPRB](https://searxes.danwin1210.me/collab/tprb0/get_tprb0.php) | Sw | [Link](http://searxes.nmqnkngye4ct7bgss4bmv5ca3wpa55yugvxen5kz2bbq67lwy6ps54yd.onion/collab/___go.php?go=sw) | **Yes**     | **Yes**     |
+| [Detect Cloudflare](https://addons.mozilla.org/en-US/firefox/addon/detect-cloudflare/) | Frank Otto | [Link](https://github.com/traktofon/cf-detect) | No     | **Yes**     |
 
 
 - Convince your friends to use [Tor Browser](https://www.torproject.org/) on the daily basis. Anonymity should be the standard of the open internet!
 
-
+------------
 
 ######  Website owner / Web developer
 
-- Do not use Cloudflare solution. You are loser if you fall to that easy solution. You can do better than that, right?
+![](image/cfisnotanoption.jpg)
+
+- Do not use Cloudflare solution.  You can do better than that, *right*?
+
+- Want more customers? You know what to do. Hint is "above line".
+
+![](image/anonexist.jpg)
+
+- Using Cloudflare will increase chances of an outage. Visitors can't access to your website if your server is down  *or Cloudflare is down*. Did you really think [Cloudflare never go down](https://www.ibtimes.com/cloudflare-down-not-working-sites-producing-504-gateway-timeout-errors-2618008)? Another [sample](https://twitter.com/Jedduff/status/1097875615997399040).
+
+- Using Cloudflare to proxy your "API service" will harm your customer. A customer called you and said "I can't use your API anymore", and you have no idea what is going on. Cloudflare can silently block your customer. [Do you think it is okay](https://twitter.com/Skyfusion89/status/1101596592426151937)?
+
+- Do you need HTTPS certificate? Use "[Let's Encrypt](https://letsencrypt.org/)" or just buy it from CA company.
 
 - Install Web Application Firewall (such as OWASP) and Fail2Ban on _your_ server and configure it _properly_.
 
@@ -40,7 +102,7 @@
 
 - Ask for advice from other [Clearnet/Tor dual website operators](https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor) and make anonymous friends! :)
 
-
+------------
 
 ######  Software user
 
@@ -48,10 +110,20 @@
 
 - Always recommend [Tor Browser](https://www.torproject.org/) for desktop and [Tor Browser for Android](https://play.google.com/store/apps/details?id=org.torproject.torbrowser_alpha)~~, [Orfox](https://guardianproject.info/apps/orfox/)~~ for smartphone. Other software's privacy is imperfect. This doesn't mean Tor browser is "perfect". There is no 100% secure nor 100% private on the internet and technology.
 
+- Don't want to use "Tor"? You can use Tor Browser without Tor, and this is the best option for you.
+
+> **How?**
+> 1. Download [Tor Browser](https://www.torproject.org/) and launch it.
+> 2. Open Add-ons Manager (about:addons) and *disable* EVERYTHING but "*Torbutton*". **Do NOT *remove* them**.
+> 3. Open about:config and search "*extensions.torbutton.use_nontor_proxy*". Set it to "*true*".
+> 4. Go to Options, scroll down to "*Network Proxy*". Click "*Settings*" and select "*No proxy*".
+> 5. Close Tor Browser.
+> 
+> Other guide is [here](https://www.whonix.org/wiki/Tor_Browser_without_Tor#Disabling_Tor).
+
 
 Let's talk about _other software's privacy_...
 
-
 - If you really need to use Firefox, pick "[Firefox ESR](https://www.mozilla.org/en-US/firefox/organizations/)". ESR is developed for company and organizations, thus _some_ spyware code is disabled by default. Portable version is [here](https://portableapps.com/apps/internet/firefox-portable-esr).
 
 - Remember, Mozilla is [using Cloudflare service](https://www.robtex.com/dns-lookup/www.mozilla.org). They're also using [Cloudflare's DNS service on their product](https://www.theregister.co.uk/2018/03/21/mozilla_testing_dns_encryption/) D'oh!
@@ -64,16 +136,16 @@ Let's talk about _other software's privacy_...
 
 - Brave Browser [whitelist Facebook/Twitter trackers](https://www.bleepingcomputer.com/news/security/facebook-twitter-trackers-whitelisted-by-brave-browser/).
 
+- Microsoft Edge lets Facebook [run Flash code behind users' backs](https://www.zdnet.com/article/microsoft-edge-lets-facebook-run-flash-code-behind-users-backs/).
 
+------------
 
 ###### "Mozilla Firefox" user
 
 - Don't use Firefox Nightly. It will send debug-level information to Mozilla servers without opt-out method. Mozilla servers are [behing Cloudflare](https://www.digwebinterface.com/?hostnames=www.mozilla.org%0D%0Amozilla.cloudflare-dns.com&type=&ns=resolver&useresolver=8.8.4.4&nameservers=).
 
-- It is possible to prohibit Firefox to connect to Mozilla servers. Create a file "/distribution/policies.json". Mozilla's [policy-templates guide](https://github.com/mozilla/policy-templates/blob/master/README.md).
+- It is possible to prohibit Firefox to connect to Mozilla servers. Create a file "/distribution/policies.json". Mozilla's [policy-templates guide](https://github.com/mozilla/policy-templates/blob/master/README.md). Keep in mind this trick might stop working in later version because Mozilla likes to whitelist themselves. Use firewall and DNS filter to block them completely.
 
-> {
->   "policies": {
 >     "WebsiteFilter": {
 > 		"Block": [
 > 		"*://*.mozilla.com/*",
@@ -84,16 +156,21 @@ Let's talk about _other software's privacy_...
 > 		"*://*.cloudflare.com/*"
 > 		]
 >     },
-> ...
-> }
+
 
 - ~~Report a bug on mozilla's tracker, telling them not to use Cloudflare/TRR.~~ There was a bug report on bugzilla. Many people were posted their concern, however the bug was hidden by the admin last year.
 
-- To disable DOH, enter about:config?filter=network.trr in the address bar then set "network.trr.mode" to 5 to completely disable it. The value "5" [means "Off by choice"](https://gist.github.com/bagder/5e29101079e9ac78920ba2fc718aceec). (If you really need to use non-ISP DNS, consider using [OpenNIC Tier2 DNS service](https://wiki.opennic.org/start).)
+- To disable DOH, enter *about:config?filter=network.trr* in the address bar then set "*network.trr.mode*" to 5 to completely disable it. The value "5" [means "Off by choice"](https://gist.github.com/bagder/5e29101079e9ac78920ba2fc718aceec).
+
+![](image/firefoxdns.jpg)
+
+- If you really need to use non-ISP DNS, consider using [OpenNIC Tier2 DNS service](https://wiki.opennic.org/start).
+
+![](image/opennic.jpg)
 
 - Tell us if you see [this functionality](https://ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/) start to creep up beyond Firefox Nightly into more stable versions of Firefox.
 
-
+------------
 
 ######  Action
 
@@ -101,7 +178,7 @@ Let's talk about _other software's privacy_...
 
 - Help improve this repository, both the lists, the arguments against it and the details.
 
-- Document and make very public where things go wrong with Cloudflare (and similar companies), making sure to mention this repository when you do so
+- Document and make very public where things go wrong with Cloudflare (and similar companies), making sure to mention this repository when you do so ;)
 
 - Get more people using Tor by default so they can experience the web from the perspective of different parts of the world.
 
@@ -123,4 +200,11 @@ Let's talk about _other software's privacy_...
 
 - For companies that claim to _offer service on their website_ try reporting them as "_false advertising_" to consumer protection organizations and BBB. Cloudflare websites are served by Cloudflare servers.
 
-- the [ITU](https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20181218/Documents/Geoff_Huston_Presentation.pdf) suggest in the US context that Cloudflare is starting to get big enough that antitrust law might be brought down upon them.
+- The [ITU](https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20181218/Documents/Geoff_Huston_Presentation.pdf) suggest in the US context that Cloudflare is starting to get big enough that antitrust law might be brought down upon them.
+
+------------
+
+### Now, what did you do today?
+
+
+![](image/stopcf.jpg)