thought I committed this earlier
parent
6966e70d37
commit
473549788b
19
NEWS.md
19
NEWS.md
|
@ -1,3 +1,22 @@
|
|||
*2019.02.08*
|
||||
|
||||
* well written post, along with some causes for action in privacytools.io
|
||||
|
||||
https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460077544
|
||||
|
||||
* another privacytools.io thread
|
||||
|
||||
https://github.com/privacytoolsIO/privacytools.io/issues/711
|
||||
|
||||
* Cryptome on CF's ability to deanonymize (2016)
|
||||
|
||||
https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm
|
||||
|
||||
* bug report issued in wire webapp
|
||||
|
||||
https://github.com/wireapp/wire-webapp/issues/5716
|
||||
|
||||
|
||||
*2019.02.01*
|
||||
|
||||
* The global internet is rotting from within, and
|
||||
|
|
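Review bot: the first 2019.02.08 bullet, "well written post, along with some causes for action in privacytools.io", does not say what the post is about, and "causes for action" reads as if "calls to action" was meant. The Cryptome bullet names its subject and year; wording the other three entries the same way would let a reader judge each link without opening it.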
41
article.txt
41
article.txt
|
@ -4,8 +4,6 @@ Audience: General, people who stumble upon gnu.org
|
|||
755 words rahisibhasha
|
||||
stab at french
|
||||
|
||||
Website.
|
||||
|
||||
#########################################
|
||||
|
||||
大きい云墙
|
||||
|
@ -21,8 +19,7 @@ The Great Cloudwall
|
|||
by Jeff Cliff
|
||||
|
||||
*There is a reason that none of your favourite work intermittently on tor since
|
||||
early 2016[15]. That reason has lead to the discovery of a threat to the operation
|
||||
of the world wide web itself.*
|
||||
early 2016[15]. That reason has lead to the discovery of a threat to the operation of the world wide web itself.*
|
||||
|
||||
Prerequisites: The Javascript Trap[47], understanding that Google is not to be trusted[45][46], "Trusted Third Parties are Security Holes" - Nick Szabo[44][48]
|
||||
|
||||
|
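Review bot: the italic lead paragraph is missing its subject in "none of your favourite work intermittently on tor", and "has lead to" should be "has led to"; this hunk already rewrites the paragraph, so both can be fixed here. The rewrap also joins only the last two lines into one long line while the first line stays wrapped, so the paragraph should be wrapped one way throughout.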
@ -30,11 +27,16 @@ Cloudflare is a service for turing tests its users users, which means that
|
|||
it frustrates attempts by users of its users to develop software to interact
|
||||
with their websites[3]. This might seem strange at first - why would you need
|
||||
a program to access a web resource? But there's many things that work on the
|
||||
web like this, including RSS and podcasts which are completley broken by a
|
||||
web like this, including RSS, podcasts, and antivirus definitions[57][58] which are completley broken by a
|
||||
CAPTCHA appearing mid stream[11]. "We humans don't make HTTP requests,
|
||||
our machines to do it for us." makes clear what is really being tested here -
|
||||
whether or not you have the *right* software stack in between you and
|
||||
cloudflare. {{expand}}
|
||||
cloudflare.
|
||||
|
||||
This is not a hypothetical: Cloudflare is currently attempting to dictate
|
||||
which web browsers users of websites under cloudflare may use[60].
|
||||
|
||||
{{expand}}
|
||||
Your right to use Free Software in this stack is at risk, and could disappear
|
||||
at any moment.
|
||||
|
||||
|
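Review bot: the new citation on "antivirus definitions[57][58]" looks off by one. In the sources hunk of this commit [56] is the ClamWin forum thread and [57] is the clamav-users archive, while [58] is the ITU presentation that the new "private networks" bullet cites, so this line probably wants [56][57]. The rewritten line also still carries the typo "completley".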
@ -72,7 +74,7 @@ More important, though is it starts to form a ratchet for web browser technology
|
|||
"When you fetch a page from a website that is served from CloudFlare, Javascript has been injected on-the-fly into that page by CloudFlare. and they also plant a cookie that brands your browser with a globally-unique ID. ID. This happens even if the website is using SSL and shows a cute little padlock in your browser" [10]
|
||||
|
||||
- Cloudflare tracks you
|
||||
Even if your web browsing traffic is protected from onlookers, cloudflare itself because they are a MiTM[14][31] can see your traffic[6]. And if Cloudflare has MITM'd you, then so has the NSA[33].
|
||||
Even if your web browsing traffic is protected from onlookers, cloudflare itself because they are a MiTM[14][31] can see your traffic[6]. And if Cloudflare[53] has MITM'd you, then so has the NSA[33].
|
||||
"If a site uses Cloudflare, then the browser lock icon is a false promise."[14]
|
||||
"The short version, a rhetorical question: Would you trust a key escrow régime, in which an “authorized” entity was entrusted with the potential to decrypt all communications at will? If not, why would you trust a de facto mass decryption chokepoint at which many communications are actually decrypted?"[34]
|
||||
in other words
|
||||
|
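Review bot: on the "And if Cloudflare[53] has MITM'd you" line the new [53] is attached to the company name in the middle of the clause, so it is unclear which statement the reference backs. Move it to the end of the sentence it supports, either beside [14][31] on the MITM statement or beside [33].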
@ -153,7 +155,7 @@ to track online fraud and abuse.
|
|||
|
||||
The US Department of Homeland Security
|
||||
approached the developers in 2007-8[1][36] for access to their data, and they have
|
||||
been working with the US government and law enforcement ever since[1].
|
||||
been working with the US government[54] and law enforcement ever since[1].
|
||||
on HTTP GET requests:
|
||||
|
||||
Cloudflare has a history of shutting down open DNS and open NTP servers.
|
||||
|
@ -177,14 +179,16 @@ actually resolving the issue[29][30][32]
|
|||
- The more of the web is held within cloudflare the more pressure will be on
|
||||
websites not behind cloudflare
|
||||
- As of 2016, by cloudflare's own data tor was not as bad as normal internet connections.
|
||||
- "But we need Cloudflare to protect from DDoS.” Hey, that’s a nice site you have there. It would be a shame, such a shame, if anything happened to it. Why don’t you let us decrypt all your TLS sessions, so we can protect you?"[14]
|
||||
- "But we need Cloudflare to protect from DDoS.” Hey, that’s a nice site you have there. It would be a shame, such a shame, if anything happened to it. Why don’t you let us decrypt all your TLS sessions[59], so we can protect you?"[14]
|
||||
|
||||
*I heard Cloudflare is working with tor and all is good now?*
|
||||
|
||||
- just because you can't see the problem doesn't mean it's not there anymore.
|
||||
|
||||
- This is not true. Their websites still CAPTCHA their users, same as ever, and
|
||||
news agencies across the political spectrum screwed up stories about how the 'problem is fixed'[18]
|
||||
- it's actually worse, though[17] that we can't see it - it was easy to get a
|
||||
|
||||
- it's actually worse, though[17] if we couldn't see it[60] - it was easy to get a
|
||||
lot of riled up tor users to understand that cloudflare was their adversary.
|
||||
it's a lot harder to convince people who are not blocked from their websites,
|
||||
today, why giving systematic control over the world wide web might be a bad thing tomorrow.
|
||||
|
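Review bot: the new [59] is placed inside the quotation that is attributed to [14] ("decrypt all your TLS sessions[59], so we can protect you?"), which makes the marker look like part of the quoted source. Put [59] after the closing quote next to [14], or in a sentence of the article's own. The reworded bullet "it's actually worse, though[17] if we couldn't see it[60] - it was easy to get" also switches to a conditional while the rest of the sentence stays in the past tense.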
@ -194,6 +198,11 @@ today, why giving systematic control over the world wide web might be a bad thin
|
|||
- But they are now doing more to track users and threaten the anonymity of the
|
||||
users of the tor network.
|
||||
|
||||
- Cloudflare is one of a couple of large network providers that are capturing
|
||||
the vast majority of digital communications, effectively creating private
|
||||
networks the size of the modern internet that are competitive with and not
|
||||
subject to the same kinds of scrutiny and regulation as the internet[58].
|
||||
|
||||
* What if we shut down cloudflare and migrate all websites out of them?*
|
||||
|
||||
We're probably going to have the same problem with another company, very soon.
|
||||
|
@ -202,6 +211,8 @@ get rid of the problem of proprietary software, there's a couple of problems
|
|||
that if we don't solve them, something like Cloudflare is roughly inevitable
|
||||
as a consequence:
|
||||
|
||||
*Cloudflare DNS*
|
||||
|
||||
"DNS[50] is around, servers are insecure, proper end-to-end crypto isn't the norm hence MITM goes unnoticed, anonymity is an edge case, routing lacks built-in resiliency to disruption, we're always going to have actors building a bus.ness model around cobbling together superficial, overapproximating mitigations."[20]
|
||||
|
||||
*Mozilla and Cloudflare*
|
||||
|
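Review bot: the new "*Cloudflare DNS*" heading lands between the lead-in ending "as a consequence:" and the quotation that completes it, so the colon now points at a heading instead of the quote. The heading also has no text of its own before "*Mozilla and Cloudflare*" follows. Either place it after the quotation with the DNS material under it, or leave it out until that section is written.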
@ -263,5 +274,11 @@ Learn more about cloudflare, and make sure the people around you know about clou
|
|||
[50] https://www.quora.com/How-likely-is-it-that-CloudFlare-is-an-NSA-operation/answer/Hamid-Sarfraz
|
||||
[51] https://medium.com/@karthikb351/airtel-is-sniffing-and-censoring-cloudflares-traffic-in-india-and-they-don-t-even-know-it-90935f7f6d98
|
||||
[52] http://pleroma.oniichanylo2tsi4.onion/notice/1563
|
||||
|
||||
|
||||
[53] https://github.com/mozilla-mobile/focus-android/issues/1743#issuecomment-351555735
|
||||
[54] https://lists.torproject.org/pipermail/tor-talk/2018-January/043889.html
|
||||
[55] https://www.eff.org/document/crypto-wars
|
||||
[56] http://forums.clamwin.com/viewtopic.php?t=4915
|
||||
[57] http://lists.clamav.net/pipermail/clamav-users/2018-November/thread.html
|
||||
[58] https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20181218/Documents/Geoff_Huston_Presentation.pdf
|
||||
[59] https://github.com/ghacksuserjs/ghacks-user.js/issues/310#issuecomment-351913412
|
||||
[60] https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460413259
|
||||
|
|
|
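Review bot: [55] and [56] are added to the list, but none of the article.txt hunks shown in this commit cites them; the in-text markers added here are [53], [54], [57], [58], [59] and [60]. Add the markers that use [55] and [56], or hold those two entries back until the text that cites them lands, so the list and the body stay in step.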
@ -198,7 +198,15 @@ in a way that’s friendly to the marketing industry "
|
|||
|
||||
http://exiledonline.com/isucker-big-brother-internet-culture/
|
||||
|
||||
20) Followup / Further research:
|
||||
20)
|
||||
|
||||
How, technically, does Cloudflare deanonymize tor users?
|
||||
|
||||
https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm
|
||||
https://trac.torproject.org/projects/tor/ticket/18361#comment:147
|
||||
|
||||
|
||||
21) Followup / Further research:
|
||||
|
||||
See also
|
||||
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor
|
||||
|
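Review bot: section 20 is left with a bare "20)" as its heading, while the neighbouring sections carry their titles on the same line ("21) Followup / Further research:", "22) Sources"). Put the question on the heading line, for example "20) How, technically, does Cloudflare deanonymize tor users?", so the numbering reads consistently.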
@ -222,7 +230,7 @@ https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block
|
|||
https://support.cloudflare.com/hc/en-us/articles/200170056-What-is-CloudFlare-s-Babysic-Security-Level-
|
||||
https://support.cloudflare.com/hc/en-us/articles/200170116-What-do-the-Threat-Scores-mean-
|
||||
|
||||
21) Sources
|
||||
22) Sources
|
||||
|
||||
[1] http://themusicgod1.deviantart.com/art/the-great-cloudwall-1-595382698
|
||||
|
||||
|
|
|
@ -57642,6 +57642,7 @@ privacystudio.eu
|
|||
privacytax.com
|
||||
privacy-tools.com
|
||||
privacytools.com
|
||||
privacyTools.io
|
||||
privacytools.io
|
||||
privacytools.org
|
||||
privacywanted.com
|
||||
|
|
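Review bot: after this change the list contains both "privacyTools.io" and "privacytools.io". Domain names are case-insensitive, so these are the same entry twice; keep the lowercase form only and check whether other entries in the list differ only by case.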