path: root/cloudflare-philosophy.md
blob: ad87ccf2cd07daace1cd51e7bc2ddc47d00482f7 (plain)
# Productivity and safety through the CloudFlare! 
  
## Torblocks Philosophy 
 
1) Have fun!

2) What is the darknet if not the (parts of the?) net that doesn't like to be accessed?  That would make Cloudflare (and its competitors with similar business practices) and all their customers (ie everyone on this list) part of the dark net.

3) Read these tickets 
https://trac.torproject.org/projects/tor/ticket/18361
https://trac.torproject.org/projects/tor/ticket/24351
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831835

one guy, marek apparently from Clownflare, utters unapologetic remarks that should come as no surprise.
  "I will restrain myself and not comment on the political issues Jacob raised. I'll keep it technical."
  hey, in times of mass surveillance, technology is political. money is political. therefore Clownflare's policy is political. so?
  discussion is on. with "marek" and "jgrahamc" of Clownflare. last I looked they were unapologetic & attempting to snark Tor developers into building expensive client/Tor/TBB-side functionality to suit them. meanwhile stalling and offering minor workarounds (on the bright side, jgrahamc promised to make tor blocking optional for "free-" tier sites. (opt-out though)). 

BTW someone quickly wrote an (unhelpful & biased & not in-depth researched, rather "he said this and then the other guy said that" style) article about the discussion on the ticket for "TheRegister", which at first I couldn't read because it was behind ... TADA: a clownflare CAPTCHAwall. Luckily there's archive.is and they don't block that.

There's also the rather amusing fact that the Tor trac bugtracker also required CAPTCHAs (which was commented on several times) and the less amusing fact that these came from freakin' Google.

3.1) Lies, damn lies and statistics
especially if you make up the "ground truth" to suit your own smear campaign ...
https://blog.torproject.org/blog/trouble-cloudflare
Cloudflare is a wilfully malicious actor, there can be no more doubt.

3.2) Unamed's take on the situation:

Praise the awesome wisdom of blocking Tor access to websites!!!
There must be some advantage. Something? Anything? Some rational explanation?
Especially curious: why have so many hacking / OS / security / internet freedom themed websites chosen to go dark?
Is it selection bias because only nerds contribute to the lists?

Let's see. FNORD FNORD FNORD

Torblocks make awesome sense because (imagined conversation)
A: what is Tor anyway? some kind of a darknet?
B: no, it's not. it's an anonymity tool. actually there are parts of the net that have chosen to go dark. want a hint?

A: who uses Tor anyway? everyone knows it's only for freaks and criminals.
B: that's not true. normal people use it too. as a precaution, if nothing else.

A: but you don't need Tor. you can access our site over the clearnet like everybody else.
B: who are you to judge? the internet is a dangerous place. by the way, turns out I can't access it over the clearnet either.

A: you must be up to no good. I don't trust you.
B: actually, I just want to read / contribute / buy / whatever it is, but not in plain sight. in fact, I just lost interest in your site. none of your competitors feel the need to bully Tor users, so it can't be necessary.
hah, at the risk of going off topic but since we're hopefully all privacy-minded here: actually a similar argument is valid (in fact even stronger, since clownflare does offer some measurable protection) against the idiotic spread of gratuitous CCTV recording in modern cities. training optical bugs on one's customers or passengers offers little objective protection for anyone. the main effect is to alienate privacy-minded people, degrade quality of life, offer a false sense of security to gullible people and the illusion of protection for the owner. as businesses that don't do it do just fine (and it presumably doesn't lower insurance fees), it can't be really necessary.

A.1 sometimes there are necessary websites for some degree of necessary.  Government websites, public service, etc.  How long until those are behind the great cloudwall ?  
B: Not long. Our service is competitive and convenient. If public service websites choose to use our service for awesome DDoS protection, it's their choice.

A: Don't you know it's inevitable that everything is going to be behind the great cloudwall? Might as well get it over with.
B: Just wait until Microsoft takes up the challenge & enters the market. Then at least we can be SURE our data ends up with the NSA, where it belongs. How else can we expect them to know who to drone?

A: it is well known that no one with intent to cause damage, post spam or abuse can circumvent a tor block!1!!
B: actually, that's completely wrong. you'll end up inconveniencing good people too and nurturing a false sense of security.
B1: good thing no one on the clearnet ever posts abusive content, and everyone plays nice together in perfect harmony outside of the tor network

A: so what? if we can't sell your soul to ad networks, we don't want you as a customer. google would be cross and we'd lose revenue that we like to make on our visitor's backs!
B: that's more like it. but are you sure it makes that much of a difference?

A: traffic that would otherwise be used to serve a few pages over Tor can now be allocated to updating blocklists and serving cute error messages instead!!!!!
B: that must be it.

A: outsourcing this to a third party blocklist supplier (or a man in the middle such as clownflare) has the added benefit of centralizing web blocking decisions. surely that's a good thing.
B: You're welcome to check our transparency report: before that vanished behind a CAPTCHAwall, the number of NSLs served by US KGB used to be something between 0 and 249. Cloudflare, no stranger to unwitting irony, has decided to hide its transparency report behind a damp cloudy opaque CAPTCHA fogwall so who knows?

A: is your website just for you or for more people?
B: works for me

You see, it all makes sense.

Imagined conversation with clownflare management. Dunno if it's entirely fair: there seem to be some genuinely Tor-friendly tech people on their payroll. Anyway, it reflects my perception of clownflare management not giving a shit (the problem started appearing in 2014). So sue me, corporate dinosaurs.
A: Care to comment on this Tor captcha business?
C: We're committed to providing best possible service for our customers.

A: You call that service, breaking half the web?
C: It ain't broken, it's a feature. By the way, paying customers (not the ones we lure with so-called free plans, in the Sillycon-Valley meaning of that word) can turn it off.

A: Your captchas don't even work.
C: Yes, they do.

A: Let's agree to disagree on that one. At least it's a nice reminder of your man in the middle position. Otherwise we might forget that a sizeable fraction of TLS connections terminate at your place.
C: Tough. We have to do it, though, because of DDOS.

A: Yeah, right. You can handle shitloads of traffic, but have to fuck with Tor, which represents a tiny fraction of all the packets that arrive?
C: Clownflare is committed to a free and open internet. And we're so big, we can just sit it out. We're a wannabe Sillycon Valley giant. You are just fly shit to us. By the way, we foster research on internet freedom. And it's not Clownflare, it's "Cloud"flare. as in "Clouded judgment".

A: I can see we're getting somewhere.

point being that they cannot get away with claiming lack of awareness. this is deliberate or so boneheaded as to be indistinguishable from deliberate action. of course they know. they have people well up the hierarchy who know. not fixing this was/is a decision that was made by people inside this corporation.

B: Has anyone ever successfully DDOS'd anything from within tor? Outside of hidden services maybe; how much unused bandwidth do exit nodes even have? Clearnet botnets have way more bandwidth, and if the threat model is DDOS we should be calling them out on tor loud and clear.
The ticket on Tor trac offers some insight. It seems to be about forum spam (the "threat scores" originate with "Project Honey Pot", which labors under the drastically oversimplifying assumption that maintaining long term IP based address scores is somehow a sensible approach - invalidated by communal exit nodes of all stripes and colors and even carrier-grade NATs, as people have pointed out), port scans (how the hell is that abuse? run a public server and expect a "safe space" no matter how bad your security? seriously it's hard to understand why someone who needs to be protected from port scans wants to run their own domain on their own fucking servers. there's lots of hosters that will expertly & gladly solve these problems in-house), SQL injections (again, responsibility of the guys who made the website!!!) and so on.

4) The wikimedia way

Even as a registered user in good standing, exemption from the Tor block has to be requested through a bureaucratic process (even though Wikipedia is "not a bureaucracy") and will be granted under exceptional circumstances only. I completely fail to see the rationale. this is probably an artefact of the blocking system they use to bar anonymous vandals from editing Wikipedia, viz. the unblocking process might be messy to perform, behind the scenes, I don't know. The upshot for me as a user is that they regard Tor use as "exceptional" and not a normal thing. The result is that errors I notice on Wikipedia pages while using TBB go uncorrected. They even block paid vpn servers as "open proxies". Seems like they just do not want help. Because in times of NSA they should expect that clever people hide from spying. Precisely. It's a crying shame, though. Maybe the wikipedia of the future will use a gnunet-git/freenet/i2p-lafs based backend. I will never donate to wikimedia again unless they come up with a concept for letting users contribute over Tor and other banned proxy networks (not "exceptionally", but casually) OR hell freezes over. Until then, I don't feel they deserve the money. Dear Jimmy, figure this one out first. There's gotta be a good way. This isn't "security". WORST OF ALL, it doesn't even stop rotten people from manipulating Wikipedia. It's not helpful. OK?
Has anyone seen the greenstadt(?) talk on the value of anonymous contributions yet?

5) Unfortunately the CAPTCHA they use is [NSA/](https://www.facebookcorewwwi.onion/jeff.cliff/posts/10154477661637909)Google's.  This poses multiple problems.
For starters, this CAPTCHA does not always work (especially for those with accessibility issues), and when it doesn't work there is virtually no way for them to complain.

6) The CAPTCHA's support of languages is very limited, which makes it impossible for those who do not speak whatever default language to access the content they are looking for. It's also troublesome to the survival of languages worldwide.

7) clownflare vs. non clownflare (homespun or other 3rd party blocklists e.g. against forum spam which overblock tor)

  "Overall there seem to be far fewer sites that impede (reading, not posting!) access via Tor without Cloudflare than with Cloudflare. It is of course still a deeply flawed and misguided (and clueless, as the stupid little messages about "security reasons" or "viruses" (how cute ...) etc. show) policy, but unlike Cloudflare which has its tendrils everywhere and MITMs large swathes of the web for the NSA, small-scale blocking alone probably wouldn't drive a lot of would-be casual Tor users back into the arms of mass surveillance. Nevertheless it's annoying and site owners should rethink their approach."

6.1) at least we have technical people marginally friendly to tor within cloudflare ... whatever company inevitably buys out/replaces cloudflare, we're going to be in rougher shape. What can we do now to save pain later?

change the architecture of the web ...

7) it's censorship and sabotage, plain and simple

(from cloudflare-tor discussion at bottom of pad: once I wrote "Q: Tor blocks amount to (collateral, in -hopefully- rare cases deliberate) censorship (corporate censorship in the Cloudflare case) against users of a network which is amongst other things a censorship circumvention tool. How twisted is that!? I think I'll set up another etherpad for anti-Cloudflare rants (or open pro- contra- debates and fact checking on the role of Cloudflare and their ilk regarding monopolies, surveillance, analytics, censorship, data ownership (just take a passing look at their official policy, you'll see what I mean) and so on) so we can keep this one neutral ... I'm really angry.". now, wanting to substantiate that with an excerpt of their data use terms, was denied request for https://www.cloudflare.com/terms/. essentially making my other point on my behalf. stupid, stupid corporate dinosaur ...).

nevertheless, the cloudflare captcha walls serve as a nice reminder of their MitM position. if a corporation gets the power to sabotage a sizeable fraction of the web, that's not good.
  
8.1) Thinking more about jgrahamc's "We have a simple need: our customers pay us to protect their web sites from DoS" -- which we may as well accept as true, since in practice that is what happens. Given that, and that DDOS is speech[6][7], it's pretty clear that they are a censorship vendor at least on that level. Their customers are paying them to "protect" them from their customer's speech. We can call a spade a spade.

Might even call it a sustained DDOS attack on readers, ironically. Distributed? Check. Denial of service? Check.


9) Also it's a bit rich to have to prove to robots that we're "not robots". Humans should make machines work, not vice versa.
fits amazon's actual business model perfectly  
* Also robots take the test whether we want to or not. As pointed out in the original thread, user agents end up taking the test for us anyway. There is no situation where a human is taking the test that Cloudflare actually cares about, it's turtles all the way down.
if I wanted to run a SPAM outfit, I'd find a way to pay humans to do the captchas if OCR can't solve them with enough success chance - I hear this is commonly done. millions and millions of people accept such jobs for want of better alternatives - or build a piece of malware or web trickery to re-route captchas. there goes their main argument.

9) This CAPTCHA trains Google's AI, effectively forcing human beings to train an AI. That AI is owned by a company that in the past made robots that are designed to kill people (ie Boston Dynamics was purchased by Google, and that is their intent, however Google sold Boston Dynamics in 2017). Even though Google may or may not make Asimov-incompatible[2] robots post 2017, Google still can be counted on to be a poor candidate for friendly AI[3].

Unfriendly AI[4] is an existential risk[5] to mankind and these CAPTCHAs are making it *more* likely that this risk will actually come to be by training.

The data kraken stops at nothing to collect ever more input to fuel and hone its dangerous fake "artificial intelligence". 
It is gobbling up our future byte for byte (while claiming to be doing it because it knows best (TM) what's good for everyone). That's a moral yes.

I don't think that the artificial intelligence need stay fake, if it still even is.  

This is training unfriendly AI, byte by byte. Either way, it's extracting labor from humans. One should avoid feeding the data monster[1].
Better still: avoid feeding it *correct* data. 

Google could yet be made to choke on its own omnivorous virulent data voracity.

11) 

TIP: to access sites that block tor completely, try using a web archiving service like https://archive.org/web/ (awesome and reliable, but honors robots.txt) or https://archive.is/ (relatively new, run by someone anonymous, does NOT honor robots.txt so it will work with more sites). Nice ... they are officially a museum and thus exempt from some copyright restrictions. Bwahaha ... What also works is the startpage.com / ixquick.com "open via proxy" function for a great many pages; for reading it is great, but external links get broken and posting is out of the question. Or use Tor -> VPN or Tor -> open proxy if the need arises to truly access a website.
Workaround for the impatient: instead of looking at archived website versions use ixquick.com / startpage.com. They offer a proxy service for search results, apparently returning 403 for some websites. Some websites return 403 to them, which is to be expected.
TIP2: Use another proxy between tor and reluctant websites. Usable proxies include https://proxy-nl.hide.me/ and https://www.vpnbook.com/webproxy. thx

12) What can a website do to become more tor friendly (user friendly, really)?

a) lift the stupid block

b) set up an onion
http://j7652k4sod2azfu6.onion/p/leurity, but it's conflating security and protectionism. It is, in point of fact, neither. It's prevention of access by the unwashed masses, thus it is the elitism that only the middle class can hope for -- that which is not elite but bears its veneer. That veneer of the gated community. It is as protected as it is grey and faceless. The cookie cutter designs of the securitized state of exception we're all being tossed into.

c) at least be honest and change the HTTP code to 451 or 406 "Not Acceptable" coz that's what tor blocks are ...
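What an "honest" block response can look like, as an added example that is not part of the pad: RFC 7725 defines status 451 (Unavailable For Legal Reasons) and says such responses should carry a `Link` header with `rel="blocked-by"` naming whoever imposed the block, so a client or crawler can tell a policy refusal apart from a misconfigured server or a CAPTCHA page served as 200. The policy URL, port and the refusal text are constructed placeholders; the decision of *which* requests to refuse is the site operator's and is deliberately not modelled here.

```python
"""Honest block responses: HTTP 451 with an RFC 7725 "blocked-by" link.

Added example, not part of the original pad. RFC 7725 defines status 451
(Unavailable For Legal Reasons) and says such responses SHOULD carry a
Link header with rel="blocked-by" identifying the entity that imposed the
block. The policy URL used below is a constructed placeholder.
"""
from wsgiref.simple_server import make_server

# Placeholder policy page (constructed); a real site would point at its own.
BLOCKED_BY_URL = "https://policy.example.invalid/access-policy"


def blocked_response(blocked_by_url, explanation):
    """Build (status line, header list, body bytes) for an RFC 7725 style 451.

    Unlike a generic 403 or a CAPTCHA interstitial, this tells the client in
    machine-readable form that the refusal is a policy decision, and whose.
    """
    body = explanation.encode("utf-8")
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Content-Length", str(len(body))),
        # RFC 7725 section 3: identify who imposed the block.
        ("Link", f'<{blocked_by_url}>; rel="blocked-by"'),
        # A refusal tied to the requester's network must not be cached and
        # replayed to other clients by an intermediary.
        ("Cache-Control", "no-store"),
    ]
    return "451 Unavailable For Legal Reasons", headers, body


def is_honest_block(status_line, headers):
    """True if a refusal is self-describing: status 451 plus a blocked-by Link.

    Usable as a check in a site's test suite or in a monitoring crawler:
    a 403, or a 200 carrying a CAPTCHA page, fails it; the response built by
    blocked_response() passes.
    """
    if not status_line.startswith("451 "):
        return False
    link_values = [v for k, v in headers if k.lower() == "link"]
    return any('rel="blocked-by"' in v for v in link_values)


def app(environ, start_response):
    """Minimal WSGI app that answers every request with the honest 451 shape.

    The per-request decision logic is left out on purpose; this only shows
    what the response should look like once a refusal has been decided.
    """
    status, headers, body = blocked_response(
        BLOCKED_BY_URL,
        "Access from this network is refused by the site operator's policy.\n",
    )
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Local run (constructed port): `curl -i http://127.0.0.1:8451/` shows
    # the status line and the Link header.
    make_server("127.0.0.1", 8451, app).serve_forever()
```

The `is_honest_block` check is the part worth keeping around: it encodes the pad's complaint as a test, so a site that claims to use 451 can verify it is not quietly falling back to a bare 403 or a CAPTCHA page.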

14) We want to implement CloudFlare real security, ie one that is not based on an IP-filter

This might be impossible, since Cloudflare itself is the security hole.
Trusted Third Parties are Security Holes[8].

15) Accessibility!

https://toot.cafe/@peter/99398584471715976

16) Cloudflare's reasons for taking websites down so far

http://pleroma.oniichanylo2tsi4.onion/notice/1563

17) Cloudflare is cooperating with the RIAA to silence people the RIAA doesn't like.

https://torrentfreak.com/cloudflare-and-riaa-agree-on-tailored-site-blocking-process-180501/

If they'll do it for the RIAA they'll do it for the MPAA/IFPI/ICE/IIPA/ACE/...

18) I have a great idea!  Let's use Cloudflare for everyone's DNS.

This is a bad idea. https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/

19) Where did this cloudflare thing come from, anyway?

"CloudFlare’s CEO Matthew Prince made a weird, glib admission that he decided to start the company only after the Department of Homeland Security gave him a call in 2007 and suggested he take the technology behind Project Honey Pot one step further…"

What was Project Honey Pot?

"a service that positions itself as some kind of a grassroot-y antispam registry, but in reality seems to be a pro-corporate law enforcement tool with the specific aim of entrapping and prosecuting spammers/phishing scammers in a way that’s friendly to the marketing industry"

"CloudFlare is perfect: it can implement censorship on the fly, without anyone getting wise to it!"

http://exiledonline.com/isucker-big-brother-internet-culture/

20)

How, technically, does Cloudflare deanonymize tor users?

"Cloudflare needs access to files, microphone/audio and the media database, what the name of your WiFi is, all the known WiFi networks as well as mobile data settings.  All this to provide a VPN that proxies everything through 1.1.1.1 as the DNS."
https://weeaboo.space/objects/323a4b45-6e40-44f0-9108-77245638df7e

50 packets per click on the captcha, realtime, enough for full deanonymization
https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm

> mouse movement, its slightness and straightness
> page scrolls
> time intervals between browser events
> keystrokes
> click location history tied to user fingerprint
> All these criteria, are stored in the browser’s cookie. These criteria are processed by Google’s server
> It should be emphasized, that there is a DARPA technology to identify people by mouse movements and typing
https://trac.torproject.org/projects/tor/ticket/18361#comment:147


21) Followup / Further research:

See also
https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor
(the purpose of this pad is to provide a more dynamic list)

Tor ticket on broader issues (found it convenient):

https://trac.torproject.org/projects/tor/ticket/18361

It is likely that many of the civil society organizations listed on this page
as the CloudFlare "partners with reference to" use CloudFlare.

   https://www.cloudflare.com/galileo/
   ( https://archive.is/hoLuI )

Cloudflare support pages on the topic:


https://support.cloudflare.com/hc/en-us/articles/200170096-How-do-I-turn-the-CloudFlare-captcha-challenge-page-off-
https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-theCisne
https://support.cloudflare.com/hc/en-us/articles/200170056-What-is-CloudFlare-s-Babysic-Security-Level-
https://support.cloudflare.com/hc/en-us/articles/200170116-What-do-the-Threat-Scores-mean-

22) Sources

[1] http://themusicgod1.deviantart.com/art/the-great-cloudwall-1-595382698

[2] http://www.youtube.com/watch?v=r3yIarp3J2o

[3] https://when.google.met.wikileaks.org/

[4] https://wiki.lesswrong.com/wiki/Unfriendly_artificial_intelligence

[5] https://www.visionofearth.org/future-of-humanity/existential-risks/what-is-an-existential-risk/

[6] http://www.theguardian.com/commentisfree/2013/jan/22/paypal-wikileaks-protesters-ddos-free-speech

[7] https://twitter.com/haq4good/status/703315998523396096

[8] http://nakamotoinstitute.org/trusted-third-parties/