cloudflare-tor/what-to-do.md

8.3 KiB
Raw Blame History

What you can do to resist Cloudflare?
Website consumer
  • If the website you like is using Cloudflare, tell them not to use Cloudflare.

You are just helping corporate censorship and mass surveillance.

https://trac.torproject.org/projects/tor/ticket/24351

  • Try not to use their service. Remember you are being watched by Cloudflare.

  • Search for other website. There are many alternatives and opportunites on the internet!

  • If your browser is Firefox, use one of these add-ons.

Name Can Block Can Notify
Block Cloudflare MITM Attack Yes Yes
Block Cloudflare MITM Attack Yes Yes
Are links vulnerable to MITM? No Yes
Third-party Request Blocker (AMO) Yes Yes
Third-party Request Blocker Yes Yes
Detect Cloudflare No Yes
  • Convince your friends to use Tor Browser on the daily basis. Anonymity should be the standard of the open internet!
Website owner / Web developer
  • Do not use Cloudflare solution. You are loser if you fall to that easy solution. You can do better than that, right?

  • Install Web Application Firewall (such as OWASP) and Fail2Ban on your server and configure it properly.

  • Set up Tor Onion Service or I2P insite if you believe in freedom and welcome anonymous users.

  • Ask for advice from other Clearnet/Tor dual website operators and make anonymous friends! :)

Software user
  • If you use Debian GNU/Linux, or any derivative, subscribe to bug #831835. And if you can, help verify the patch, and help the maintainer come to the right conclusion on whether it should be accepted.

  • Always recommend Tor Browser for desktop and Tor Browser for Android, Orfox for smartphone. Other software's privacy is imperfect. This doesn't mean Tor browser is "perfect". There is no 100% secure nor 100% private on the internet and technology.

  • Don't want to use "Tor"? You can use Tor Browser without Tor, and this is the best option for you.

How?

  1. Download Tor Browser and launch it.
  2. Open Add-ons Manager (about:addons) and disable EVERYTHING but "Torbutton". Do NOT remove them.
  3. Open about:config and search "extensions.torbutton.usenontorproxy". Set it to "false".
  4. Go to Options, scroll down to "Network Proxy". Click "Settings" and select "No proxy".

Other guide: https://www.whonix.org/wiki/Tor_Browser_without_Tor#Disabling_Tor

Let's talk about other software's privacy...

"Mozilla Firefox" user
  • Don't use Firefox Nightly. It will send debug-level information to Mozilla servers without opt-out method. Mozilla servers are behing Cloudflare.

  • It is possible to prohibit Firefox to connect to Mozilla servers. Create a file "/distribution/policies.json". Mozilla's policy-templates guide.

"policies": { "WebsiteFilter": { "Block": [ "://.mozilla.com/", "://.mozilla.net/", "://.mozilla.org/", "://.firefox.com/", "://.thunderbird.net/", "://.cloudflare.com/" ] },

  • Report a bug on mozilla's tracker, telling them not to use Cloudflare/TRR. There was a bug report on bugzilla. Many people were posted their concern, however the bug was hidden by the admin last year.

  • To disable DOH, enter about:config?filter=network.trr in the address bar then set "network.trr.mode" to 5 to completely disable it. The value "5" means "Off by choice". (If you really need to use non-ISP DNS, consider using OpenNIC Tier2 DNS service.)

  • Tell us if you see this functionality start to creep up beyond Firefox Nightly into more stable versions of Firefox.

Action
  • Tell others around you about the dangers of Cloudflare. But don't talk with NSA employee; you'll be definitely marked... just kidding!

  • Help improve this repository, both the lists, the arguments against it and the details.

  • Document and make very public where things go wrong with Cloudflare (and similar companies), making sure to mention this repository when you do so

  • Get more people using Tor by default so they can experience the web from the perspective of different parts of the world.

  • Start groups, in social media and meatspace, dedicated to liberating the world from Cloudflare.

  • Where appropriate, link to these groups on this repository - this can be a place for coordinating working together as groups.

  • Start a coop that can provide a meaningful non corporate alternative to Cloudflare.

  • Let us know of any alternatives to help at least provide multiple layered defence against Cloudflare.

  • Try using globalist to maintain this list.

  • If you are in the United States of America and the website in question is a bank or an accountant, try to bring legal pressure under the GrammLeachBliley Act, or the Americans with DIsabilities Act and report back to us how far you get.

  • If the website is a government site, try to bring legal pressure under the 1st Amendment of the US Constitution.

  • If you are EU citizen, contact the website to send your personal information under the General Data Protection Regulation. If they refuse to give you your information, that's a violation of the law.

  • For companies that claim to offer service on their website try reporting them as "false advertising" to consumer protection organizations and BBB. Cloudflare websites are served by Cloudflare servers.

  • the ITU suggest in the US context that Cloudflare is starting to get big enough that antitrust law might be brought down upon them.