Audience: General, people who stumble upon gnu.org
1924+/-395 words english
1028+/-395 words instead?
755 words rahisibhasha
stab at french
#########################################
大云墙 (Dà Yún qiáng)
大きな雲壁 (Ookina Kumo kabe)
with Jeff Cliff
essistensa una reason you go to
#########################################
The Great Cloudwall
by Jeff Cliff
*There is a reason that your favourite websites have worked only intermittently on Tor since early 2016[15]. That reason has led to the discovery of a threat to the operation of the world wide web itself.*
Prerequisites: The Javascript Trap[47], understanding that Google is not to be trusted[45][46], "Trusted Third Parties are Security Holes" - Nick Szabo[44][48]
Cloudflare is a service that Turing-tests the users of its users, which means that it frustrates attempts by users of its users to develop software to interact with their websites[3]. This might seem strange at first: why would you need a program to access a web resource? But there are many things that work on the web this way, including RSS, podcasts, and antivirus definitions[57][58], which are completely broken by a CAPTCHA appearing mid-stream[11]. "We humans don't make HTTP requests, our machines do it for us." makes clear what is really being tested here: whether or not you have the *right* software stack in between you and Cloudflare.
This is not a hypothetical: Cloudflare is currently attempting to dictate which web browsers users of websites under Cloudflare may use[60].
{{expand}}
Your right to use Free Software in this stack is at risk, and could disappear at any moment.
It also extracts free labour from website users[35], in effect tricking human beings into acting like robots in order to defeat a test designed to check whether they are a robot. Worse: this labour goes towards training a company that is a poor candidate for friendly AI[36]. Given that unfriendly AI is an existential[43] risk[42], this should be among the highest-priority things to avoid.
This software stack includes human language: the CAPTCHAs are in English, putting non-English speakers around the world at a disadvantage[13]. Attempts to fix this are bound by the fact that they also leak language information to Cloudflare[21].
Furthermore, they use Google ReCAPTCHA for their Turing test/CAPTCHA, and Google is part of PRISM, so they expose users of their websites to PRISM data collection.
That on its own is bad, but it is also worth pointing out how ReCAPTCHA works: it isn't just whether or not you click on the right icon (though that is a factor too), but also
> mouse movement, its slightness and straightness
> page scrolls
> time intervals between browser events
> keystrokes
> click location history tied to user fingerprint
> All these criteria are stored in the browser's cookie. These criteria are processed by Google's server
> It should be emphasized that there is a DARPA technology to identify people by mouse movements and typing
[23]
This collection of data is likely illegal in regions like the EU where privacy is taken seriously[24].
It is frustrating even when it works, because you have to fill out 20 CAPTCHAs on the off chance that you get through 1 time in 20. So this is 95% censorship, 5% wasting of users' time[5].
More important, though, is that it starts to form a ratchet for web browser technology: the CAPTCHAs are upgraded all the time, and if you use an older web browser you risk being left behind even if it works now.
*How Cloudflare threatens You*
"When you fetch a page from a website that is served from CloudFlare, Javascript has been injected on-the-fly into that page by CloudFlare, and they also plant a cookie that brands your browser with a globally-unique ID. This happens even if the website is using SSL and shows a cute little padlock in your browser" [10]
- Cloudflare tracks you
Even if your web browsing traffic is protected from onlookers, Cloudflare itself, because it is a MITM[14][31], can see your traffic[6]. And if Cloudflare[53] has MITM'd you, then so has the NSA[33].
"If a site uses Cloudflare, then the browser lock icon is a false promise."[14]
"The short version, a rhetorical question: Would you trust a key escrow régime, in which an “authorized” entity was entrusted with the potential to decrypt all communications at will? If not, why would you trust a de facto mass decryption chokepoint at which many communications are actually decrypted?"[34]
In other words:
- They are in a position to track, tap, and link Internet activity across a wide range of sites. [14]
- Cloudflare frustrates accessibility efforts[25][27][36]:
"CAPTCHA remains the most problematic item indicated by respondents"
Cloudflare is one of the largest, if not the largest, sources of non-consensual CAPTCHAs, making it quite possibly the biggest impediment to accessibility efforts worldwide.
- Cloudflare makes Tor frustrating, making efforts to become anonymous more difficult and making it more likely that people will use non-Tor connections for some or all of their web browsing traffic. The problem is getting worse[13] with time.
- It's not just Tor[19], but Tor users are the biggest group of people who have noticed it, and organized against it, so far.
- In particular, the model of Project Honeypot depends on one (IPv4) IP address meaning one person. As IPv4 addresses become scarce, more and more ISPs (and whole countries[22]) are forced to use higher and higher levels of NAT. The result is that the treatment Cloudflare gives Tor users starts to apply not just to Tor, but to all web users. "Tor is just being slightly ahead of what the IPv4 Internet is going to look like pretty soon."
And the next time a large group wakes up, it might be because millions of websites (including critical ones) are down across a whole continent, which has already happened[49].
"It was made clear in the Snowden leaks that GCHQ, the NSA etc would like people to stop using Tor, so I am sure they are very happy to see CF make general web browsing difficult and frustrating for ordinary users."[12]
- Worse, Cloudflare makes using Tor *dangerous*, because enabling JavaScript and images to deal with their system makes it likely that some people will enable JavaScript and images on other websites, which would threaten them even if Cloudflare wasn't.[9]
- Cloudflare is capable of tracking users of its websites, and initial looks into its JavaScript/CAPTCHA seem to bear out that it is doing so.
- Cloudflare can target individual users with JavaScript malware: since you usually wind up enabling their JavaScript to use websites, you fall into their JavaScript trap. Since they track users, give users per-user specific code, and work directly with the US government/DHS, there's no reason why they can't tailor attacks to users for them.
- Even if they aren't doing it yet, they are at any point one US government administration, one vulture-capital funding purchase[26], or one internally rogue element away from executing JavaScript code on hundreds of millions of people's computers, a "highly attractive" target[7], with no oversight. The CAPTCHA code itself shields such things from attempts to detect them happening.
- The way that Cloudflare is constructed means that, even by accident, billions of people can be MITM'd by their government[51], and can have their access cut at the government's whim.
*Background : How Cloudflare threatens the web*
- Cloudflare is a MITM for the whole web
- As of 3 years ago, 10% of the top 25,000 websites used Cloudflare[2]
- A billion people in China are restricted by the Great Firewall[8]; anyone who goes so far as to circumvent that must then deal with the Great Cloudwall for accessing
- This is not just an individual problem, but fundamentally threatens the ecosystem of the web
CloudFlare is breaking the web one site at a time. The web is massively resilient: we can do without StackOverflow, GNU.org or even Google. But when a significant enough portion of websites all use one provider, there starts to be a systematic risk that if that one provider goes down, all of the websites behind it will be inaccessible. Or worse: you won't be allowed to access them unless you have the right kind of US government approved credential, contingent perhaps on running software that only they approve of.
It is becoming a single point of failure for the internet[39].
Right now there are alternative sources for, for example, the US constitution[17]. But it's not unthinkable that Cloudflare is getting big enough to threaten that.
"A.1 sometimes there are necessary websites for some degree of necessary. Government websites, public service, etc. How long until those are behind the great cloudwall ?
B: Not long. Our service is competitive and convenient. If public service websites choose to use our service for awesome DDoS protection, it's their choice."[36]
- Cloudflare has already started down the slippery slope[52] of censoring websites. If they didn't have a stranglehold on people accessing the world wide web, this would not be a problem. But they are big enough that censorship from Cloudflare is starting to be a systematic exclusion from the political process.
"CloudFlare is perfect: it can implement censorship on the fly, without anyone getting wise to it!"[40]
- DNS[39]: given that they have become so systematically powerful, the next step to cementing their power is to attack DNS. Their 1.1.1.1 DNS server, like Google's 8.8.8.8, is marketed to people so that even for websites that *don't* use Cloudflare, Cloudflare will still be able to see that you're going to them: further data for them to track you with.
*Background : Where does Cloudflare come from?*
Cloudflare comes from a project called Project Honey Pot, originally intended to track online fraud and abuse.
"What was Project Honey Pot?
"a service that positions itself as some kind of a grassroot-y antispam registry, but in reality seems to be a pro-corporate law enforcement tool with the specific aim of entrapping and prosecuting spammers/phishing scammers in a way that's friendly to the marketing industry""
The US Department of Homeland Security approached the developers in 2007-8[1][36] for access to their data, and they have been working with the US government[54] and law enforcement ever since[1].
Cloudflare has a history of shutting down open DNS and open NTP servers.
On HTTP GET requests:
"It would be great if they allowed GET requests - for example - such requests should not and generally do not modify server side content. They do not do this - this breaks the web in so many ways, it is incredible. Using wget with Tor on a website hosted by CF is... a disaster. Using Tor Browser with it - much the same. These requests should be idempotent according to spec, I believe."
Cloudflare has a history of closing tickets that are critical of it without actually resolving the issue[29][30][32].
"Cloudflare is based in a country with secret courts, secret police and secret prisons that are above the law -- and this secret government has characterized Cloudflare's data as extremely valuable"[28]
"The CEO says "Cloudflare's strength lies in the DATA it collects -- not in its CODE.""[28]
"The U.S. federal government is a Cloudflare customer"[28]
"Cloudflare has never stated that a government agency did not install wiretapping equipment or software on the same premises as a Cloudflare server"[28]
"Cloudflare has never indicated that the architecture of its content distribution network is resistant to warrantless mass surveillance"[28]
"Cloudflare has given the Chinese government unprecedented censorship capability"[28]
"Cloudflare has no intention to shut down as Lavabit did in order to protect the user from unlawful surveillance"[28]
"Some Cloudflare customers are paying over 1 million dollars per year for an undisclosed service"[28]
*But Cloudflare is really necessary, the web is a nasty place*
- The more of the web that is held within Cloudflare, the more pressure there will be on websites not behind Cloudflare.
- As of 2016, by Cloudflare's own data, Tor was not as bad as normal internet connections.
- "'But we need Cloudflare to protect from DDoS.' Hey, that's a nice site you have there. It would be a shame, such a shame, if anything happened to it. Why don't you let us decrypt all your TLS sessions[59], so we can protect you?"[14]
*I heard Cloudflare is working with Tor and all is good now?*
- Just because you can't see the problem doesn't mean it's not there anymore.
- This is not true. Their websites still CAPTCHA their users, same as ever, and news agencies across the political spectrum screwed up stories about how the 'problem is fixed'[18].
- It's actually worse, though[17], if we can't see it[60]: it was easy to get a lot of riled-up Tor users to understand that Cloudflare was their adversary. It's a lot harder to convince people who are not blocked from their websites today why giving one company systematic control over the world wide web might be a bad thing tomorrow.
"Right now CloudFlare says it monitors nearly 1/5 of all Internet visits. An astounding claim for a company most people haven't even heard of"[40]
- But they are now doing more to track users and threaten the anonymity of users of the Tor network.
- Cloudflare is one of a couple of large network providers that are capturing the vast majority of digital communications, effectively creating private networks the size of the modern internet that are competitive with, and not subject to the same kinds of scrutiny and regulation as, the internet[58].
*What if we shut down Cloudflare and migrate all websites out of it?*
We're probably going to have the same problem with another company, very soon. Just as we didn't get rid of the problem of proprietary software when Microsoft suddenly no longer had a monopoly on software, there are a couple of problems that, if we don't solve them, make something like Cloudflare roughly inevitable as a consequence:
*Cloudflare DNS*
"DNS[50] is around, servers are insecure, proper end-to-end crypto isn't the norm hence MITM goes unnoticed, anonymity is an edge case, routing lacks built-in resiliency to disruption, we're always going to have actors building a business model around cobbling together superficial, overapproximating mitigations."[20]
*Mozilla and Cloudflare*
"At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests."
Sharing DNS requests with Cloudflare means Mozilla has a security hole straight to Cloudflare (and probably the NSA).
*What can you do?*
Learn more about Cloudflare, and make sure the people around you know about it. Use Tor by default so that you are more exposed to the blocks. Go to the anti-Cloudflare collaboration repository[41] and make sure the websites you use don't use Cloudflare; if they do, contact the people who run the website and ask them to stop using it. Get involved!
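The automated-client breakage described earlier (an RSS reader, podcast fetcher or antivirus updater receiving a CAPTCHA page mid-stream) and the "check whether the sites you use are behind Cloudflare" step above can both be mechanised by inspecting the HTTP response. The following is an added example, not code from the article or from the anti-Cloudflare repository: the `server: cloudflare` and `cf-ray` response headers are real Cloudflare markers, while the challenge-page phrases, the `Verdict`/`classify`/`check_feed` names and the sample responses are constructed assumptions.

```python
# Added example (not the article's or the repository's code): classify an HTTP
# response as (a) fronted by Cloudflare and (b) the resource we asked for versus
# an interstitial challenge page. "server: cloudflare" and "cf-ray" are real
# Cloudflare response headers; CHALLENGE_MARKERS and the samples are assumptions.
from dataclasses import dataclass

# Assumed phrases seen on interstitial pages (heuristic, not a specification).
CHALLENGE_MARKERS = ("checking your browser", "attention required", "g-recaptcha")


@dataclass
class Verdict:
    cloudflare_fronted: bool   # response passed through a Cloudflare edge
    challenge_page: bool       # we got an HTML challenge instead of the resource
    content_mismatch: bool     # media type differs from what the client expected

    @property
    def usable(self) -> bool:
        """True when an automated client (feed reader, podcast fetcher,
        AV updater) can consume the body as the resource it requested."""
        return not (self.challenge_page or self.content_mismatch)


def classify(status: int, headers: dict, body: str, expected_type: str) -> Verdict:
    """Inspect one response; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    fronted = h.get("server", "").strip().lower() == "cloudflare" or "cf-ray" in h
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    mismatch = ctype != expected_type.lower()
    text = body.lower()
    # An HTML body with 403/503, or one carrying challenge phrases, coming from a
    # Cloudflare edge is the signature of a CAPTCHA/JS challenge mid-stream.
    challenge = (
        fronted
        and ctype.startswith("text/html")
        and (status in (403, 503) or any(m in text for m in CHALLENGE_MARKERS))
    )
    return Verdict(fronted, challenge, mismatch)


# Constructed sample responses (status, headers, body); not captured from any site.
FEED_DIRECT = (200, {"Content-Type": "application/rss+xml; charset=utf-8",
                     "Server": "nginx"},
               "<?xml version='1.0'?><rss><channel><title>t</title></channel></rss>")
FEED_CHALLENGED = (503, {"Content-Type": "text/html; charset=UTF-8",
                         "Server": "cloudflare", "CF-RAY": "0000000000000000-XXX"},
                   "<html><title>Attention Required!</title><body>Checking your "
                   "browser before accessing example.org<div class='g-recaptcha'>"
                   "</div></body></html>")
FEED_VIA_CF = (200, {"Content-Type": "application/rss+xml",
                     "Server": "cloudflare", "CF-RAY": "0000000000000000-XXX"},
               "<rss><channel><title>t</title></channel></rss>")


def check_feed(sample, expected: str = "application/rss+xml") -> Verdict:
    """Classify a sample as a feed reader would: it expects RSS, nothing else."""
    status, headers, body = sample
    return classify(status, headers, body, expected)


if __name__ == "__main__":
    for name, s in (("direct", FEED_DIRECT), ("challenged", FEED_CHALLENGED),
                    ("via cloudflare", FEED_VIA_CF)):
        v = check_feed(s)
        print(f"{name:15} fronted={v.cloudflare_fronted} "
              f"challenge={v.challenge_page} usable={v.usable}")
```

The third sample shows the quieter case the article warns about: the feed arrives intact, so nothing looks broken, yet the `cf-ray` header records that the request still passed through a Cloudflare edge.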
[1] https://web.archive.org/web/20170721161127/http://www.crimeflare.us/honeypot.html
[2] https://trac.torproject.org/projects/tor/ticket/18361#comment:15
[3] https://trac.torproject.org/projects/tor/ticket/18361#comment:21
[5] https://trac.torproject.org/projects/tor/ticket/18361#comment:28
[6] https://trac.torproject.org/projects/tor/ticket/18361#comment:30
[7] https://trac.torproject.org/projects/tor/ticket/18361#comment:32
[8] https://www.bloomberg.com/quicktake/great-firewall-of-china
[9] https://trac.torproject.org/projects/tor/ticket/18361#comment:51
[10] https://web.archive.org/web/20170721161127/http://www.crimeflare.us/honeypot.html
[11] https://trac.torproject.org/projects/tor/ticket/18361#comment:59
[12] https://trac.torproject.org/projects/tor/ticket/18361#comment:66
[13] https://blog.torproject.org/trouble-cloudflare
[14] https://trac.torproject.org/projects/tor/ticket/24351#comment:8
[15] https://plus.google.com/105395547687614433866/posts/G9nnQBnLtjp
[16] https://plus.google.com/105395547687614433866/posts/XnQryQ7hR9G
[17] https://it.slashdot.org/comments.pl?sid=12641622&cid=57348584
[18] https://it.slashdot.org/comments.pl?sid=12641622&cid=57388544
[19] https://trac.torproject.org/projects/tor/ticket/18361#comment:90
[20] https://trac.torproject.org/projects/tor/ticket/18361#comment:112
[21] https://trac.torproject.org/projects/tor/ticket/18361#comment:132
[22] https://trac.torproject.org/projects/tor/ticket/18361#comment:141
[23] https://trac.torproject.org/projects/tor/ticket/18361#comment:147
[24] https://trac.torproject.org/projects/tor/ticket/18361#comment:160
[25] https://trac.torproject.org/projects/tor/ticket/18361#comment:175
[26] https://trac.torproject.org/projects/tor/ticket/18361#comment:183
[27] https://trac.torproject.org/projects/tor/ticket/18361#comment:231
[28] https://trac.torproject.org/projects/tor/ticket/18361#comment:236
[29] https://trac.torproject.org/projects/tor/ticket/18361#comment:255
[30] https://trac.torproject.org/projects/tor/ticket/23141
[31] https://trac.torproject.org/projects/tor/ticket/24351#comment:20
[32] https://trac.torproject.org/projects/tor/ticket/24351#comment:44
[33] https://trac.torproject.org/projects/tor/ticket/24351#comment:52
[34] https://trac.torproject.org/projects/tor/ticket/24351#comment:60
[35] https://trac.torproject.org/projects/tor/ticket/24321#comment:13
[36] https://notabug.org/themusicgod1/cloudflare-tor/src/master/cloudflare-philosophy.md
[37] https://toot.cafe/@peter/99398584471715976
[39] https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/
[40] http://exiledonline.com/isucker-big-brother-internet-culture/
[41] http://notabug.org/themusicgod1/cloudflare-tor
[42] https://wiki.lesswrong.com/wiki/Unfriendly_artificial_intelligence
[43] https://www.visionofearth.org/future-of-humanity/existential-risks/what-is-an-existential-risk/
[44] http://twitter.com/nickszabo4
[45] https://www.gnu.org/proprietary/malware-google.en.html
[46] https://stallman.org/google.html
[47] https://www.gnu.org/philosophy/javascript-trap.html
[48] https://nakamotoinstitute.org/trusted-third-parties
[49] https://www.slashgeek.net/2016/05/17/cloudflare-is-ruining-the-internet-for-me/
[50] https://www.quora.com/How-likely-is-it-that-CloudFlare-is-an-NSA-operation/answer/Hamid-Sarfraz
[51] https://medium.com/@karthikb351/airtel-is-sniffing-and-censoring-cloudflares-traffic-in-india-and-they-don-t-even-know-it-90935f7f6d98
[52] http://pleroma.oniichanylo2tsi4.onion/notice/1563
[53] https://github.com/mozilla-mobile/focus-android/issues/1743#issuecomment-351555735
[54] https://lists.torproject.org/pipermail/tor-talk/2018-January/043889.html
[55] https://www.eff.org/document/crypto-wars
[56] http://forums.clamwin.com/viewtopic.php?t=4915
[57] http://lists.clamav.net/pipermail/clamav-users/2018-November/thread.html
[58] https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20181218/Documents/Geoff_Huston_Presentation.pdf
[59] https://github.com/ghacksuserjs/ghacks-user.js/issues/310#issuecomment-351913412
[60] https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460413259