Block Global Active Adversary Cloudflare
Now this is simply too funny to resist posting here.
Yes, please block Cloudflare once and for all. I’m expecting some kind of “Insecure connection” error page
to block further connection without user consent.
For example, when I visit “CloudflareMustDie.com”,
TBB will show an “Insecure connection” error page.
The user will decide what to do - go back, try a cache, or ignore.
Here’s my idea of the error page design:
Your connection is not secure
The owner of CloudflareMustDie.com is using Cloudflare on their website.
To protect your privacy from being attacked, Tor Browser has not connected to this website.
[Go Back] [Connect anyway]
(Learn More) is a link, to Tor documentation or wiki, to explain the cloudflare’s MITM activity.
[Connect anyway] is a button. If the user clicks it, show a warning dialogue with a 3-second timelock:
This connection is MITMed. Are you sure you want to do this?
Either you are obfuscating, or you are technologically incompetent. Quick proof: Assume the opposite. If Cloudflare did not act as a MITM proxy with full, active access sufficient to read and modify TLS plaintext of all connections passing through them, then they would be unable to inject the HTTP headers which this bug proposes to detect for blocking. [Sequential dotted initials “Q.”, “E.”, “D.” forbidden by Trac spam filter.]
Cloudflare is a MITM, by design. That is the primary (only?) service they offer. It does not matter what the site’s service level with them is. From the connecting user-agent’s perspective (here apropos), it does not even matter if the site uses its so-called “keyless SSL” service to preserve secrecy of its long-term private keys. Cloudflare always, always has the symmetric key to the session; and within the ostensibly encrypted session, Cloudflare is by definition a Man-In-The-Middle which decrypts, modifies, and proxies the plaintext.
Why, it is exactly as if Cloudflare were designed as a mass surveillance tool! So, what rationalizations could be supposed for those who use their services, or ignore them as a global threat?
“But Cloudflare is a trustworthy provider of Internet infrastructure.” Then, why do we need TLS at all? Just make peering arrangements with trustworthy networks who agree to pass your packets only through trustworthy routers! TLS eliminates trust in the network: By design, TLS promises end-to-end encryption. Meaning, with the endpoint. By design, Cloudflare makes a mockery of this promise.
“But most sites are on third-party hardware, anyway.” Irrelevant: Cloudflare centralizes trust.
Without the Cloudflare MITM proxy, little-newbie-web-shop.com’s TLS is handled by cheap-shared-web-host.com; chic-trendy-cloud-buzzword-startup.com’s TLS is handled by AWS; at-risk-controversial-activism.org and high-security-bitcoin-services.com should (we hope) do all their crypto on hardware under their respective owners’ physical control. The site visitor is responsible for deciding which endpoints to trust with private information. (N.b.: Reading interests and “clicktrails” are private information.) When all these sites sign up for Cloudflare, then Cloudflare becomes the one-stop decryption shop. Do you trust Cloudflare to be the “secure” Internet, or some huge proportion thereof?
Centralizing trust has a much worse effect than allowing access to many individual sites: It creates a single point at which to perform mass dragnet surveillance. As of today, Cloudflare has access to the plaintext data of more TLS sessions to more endpoints than anybody else on Earth. Here, the whole is more than the sum of the parts: They are in a position to track, tap, and link Internet activity across a wide range of sites. This is why they have been declared a Global Active Adversary.
If I were the NSA or another TLA, and I sat down to design a mass-interception network to MITM TLS on a large portion of the Internet, then the result would look exactly like Cloudflare. They are in a position where they in fact do intercept the communications of billions of people with millions of websites. That is not a hypothetical: It is a description of what they actually do, every day, right now. Then, they cross their fingers and promise to respect people’s privacy. “Trust us; we will make you ‘safer’.” Again, why use any encryption at all?
On that level, Cloudflare is even worse than “key escrow” or another backdoor would be. Since the 90s, advocates of “key escrow” have promised that if centrally trusted parties are allowed to keep a backdoor key, then that would really, truly only ever be used to intercept the communications of whatever they deem “bad guys”. (Pinky swear!) Cloudflare walks in through the front door, and takes the plaintext, all of it, without exception, for everybody whose connections pass through them.
And worst of all, the design of Cloudflare removes responsibility and decision-making power from the initiator of communications. End-users are fooled into believing they connect to many different sites, all of which run through a single chokepoint. The purpose of this bug is to mitigate that problem, in a web browser specifically designed for security, privacy, and unlinkability on an anonymity network.
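The two comments above sketch the mechanism from opposite ends: the first proposes an interstitial that blocks until the user presses [Connect anyway], the second notes that the injected HTTP response headers are what the ticket proposes to detect. The following is an added example, not code from the ticket or from Tor Browser, that puts those pieces together as a per-session policy over parsed response headers. It assumes the header names it checks (`Server: cloudflare` and `CF-RAY`) as well-known Cloudflare response headers; neither is named on the page, and the sample responses are constructed.

```python
from dataclasses import dataclass, field

# Assumption (not from the ticket): these are response headers Cloudflare's
# proxy is known to set; a real implementation would maintain this list.
CLOUDFLARE_HEADER_MARKERS = {"cf-ray"}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.x response head into a lowercase-keyed dict.
    The status line is skipped and parsing stops at the blank line that
    ends the head; the first value wins for repeated header names."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def is_cloudflare_fronted(headers: dict) -> bool:
    """True when the response carries the proxy's own fingerprints."""
    if headers.get("server", "").lower() == "cloudflare":
        return True
    return any(marker in headers for marker in CLOUDFLARE_HEADER_MARKERS)


@dataclass
class MitmInterstitialPolicy:
    """Session-scoped decision state: hosts the user has consented to."""
    consented: set = field(default_factory=set)

    def decide(self, host: str, raw_response: str) -> str:
        """Return 'allow', or 'block' meaning: show the interstitial."""
        if host in self.consented:
            return "allow"
        if is_cloudflare_fronted(parse_headers(raw_response)):
            return "block"
        return "allow"

    def connect_anyway(self, host: str) -> None:
        """User pressed [Connect anyway] after the warning dialogue."""
        self.consented.add(host)


# Constructed sample responses (not captured from any real site).
CF_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: cloudflare\r\nCF-RAY: 0000-XXX\r\n"
               "Content-Type: text/html\r\n\r\n<html>...")
PLAIN_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                  "Content-Type: text/html\r\n\r\n<html>...")
```

The consent set is per policy object, so discarding it at the end of a session (as a Tor Browser "New Identity" would) forgets every [Connect anyway] decision.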