You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

326 lines
23KB

  1. Audience: General, people who stumble upon gnu.org
  2. 1924+/-395 words english
  3. 1028+/-395 words instead?
  4. 755 words rahisibhasha
  5. stab at french
  6. Version: 2019-05-29
  7. #########################################
  8. 大云墙 (Dà Yún qiáng)
  9. 大きな雲壁 (Ookina Kumo kabe)
  10. The Great Cloudwall
  11. by Jeff Cliff
  12. essistensa una reason you go to
  13. #########################################
  14. There is a reason that none of your favourite work has appeared on Tor since early 2016[15].
  15. That reason has lead to the discovery of a threat to the operation of the World Wide Web.
  16. Prerequisites:
  17. - The JavaScript Trap[47]
  18. - Understanding that Google is not to be trusted[45][46]
  19. - Nick Szabo: "Trusted Third Parties are Security Holes"[44][48]
  20. Cloudflare is a network service for turing tests its users use against visitors, which means that it frustrates attempts
  21. by users of its users to develop software to interact with their websites[3].
  22. This might seem strange at first - why would you need a program to access a web resource?
  23. But there's many things that work on the web like this, including RSS, streaming, chat, podcasts, and anti-virus definitions[57][58] which
  24. are completely broken by a CAPTCHA appearing mid stream[11].
  25. "We humans don't make HTTP requests, our machines to do it for us."
  26. This makes clear what is really being tested here - whether or not you have the right software stack in between you and
  27. Cloudflare.
  28. This is not hypothetical: Cloudflare is currently attempting to dictate which browsers users of their "protected"
  29. websites may use[60].
  30. {{expand}}
  31. Your right to use Free Software in this stack is at risk and could disappear at any moment.
  32. It also is extracting free labor from website users[35], in effect tricking humans into acting like robots in order to
  33. pass a test designed to see whether or not they are a robot. Worse, this labor is being used to train[62] Google's artificial intelligence, a very
  34. poor candidate for "friendly AI"[36]. Given unfriendly AI is an existential[43] risk[42] to mankind, avoiding this
  35. should be among the highest of priorities.
  36. This software stack includes human language: the CAPTCHAs are in English, leaving non-English speakers around the world
  37. at a disadvantage[13]. Attempts to fix this are bound by the fact that they also leak language information to
  38. Cloudflare[21].
  39. Furthermore, they use Google's reCaptcha for their turing test/"proof you are a human" challenge and Google is known as a part of NSA's PRISM surveillance project so they expose their website visitor's data to PRISM data collection.
  40. On its own, this is terrible bad but it's also worth pointing out how the reCAPTCHAs work. It isn't by whether or not you
  41. click on the correct icon (though that is a factor too) but also collect:
  42. > mouse movement, its slightness and straightness
  43. > page scrolls
  44. > time intervals between browser events
  45. > keystrokes
  46. > click location history tied to user fingerprint
  47. > device information
  48. > All these criteria are stored in the browser’s cookie and are processed by Google’s servers
  49. > It should be emphasized that there is DARPA technology to identify people by mouse movements and typing ​
  50. [23]
  51. This collection of data is likely illegal in regions where privacy is taken seriously (like the EU)[24].
  52. It is frustrating even when it works because you have to fill out 20 captchas on the off-chance that you succeed one time in
  53. twenty. So this is 95% censorship and 5% wasting users' time[5].
  54. More important, though, is that it starts to form a ratchet for web browser technology; the captchas are upgraded all the
  55. time and if you use an older browser, you risk being left behind even when it works.
  56. *How Cloudflare Threatens You*
  57. "When you fetch a page from a website that is served from Cloudflare, JavaScript has been injected on-the-fly into that
  58. page by Cloudflare. And they also plant a cookie that brands your browser with a globally-unique ID. This happens even if
  59. the website is using SSL and shows a cute little padlock in your browser" [10]
  60. - Cloudflare tracks you
  61. Even if your traffic is protected from onlookers, Cloudflare itself can see your traffic[6] because they are a MITM[14][31].
  62. In addition, if Cloudflare[53] has intercepted your traffic(MITM), so has the NSA[33].
  63. "If a site uses Cloudflare, then the browser lock icon is a false promise."[14]
  64. "The short version, a rhetorical question: Would you trust a key escrow regime, in which an “authorized” entity was
  65. entrusted with the potential to decrypt all communications at will? If not, why would you trust a de facto mass decryption
  66. chokepoint at which many communications are actually decrypted?"[34]
  67. In other words,
  68. - They are in a position to track, tap, and link Internet activity across a wide range of sites. [14]
  69. - Cloudflare frustrates accessibility efforts[25][27][36]:
  70. "CAPTCHA remains the most problematic item indicated by respondents"
  71. Cloudflare is one of the largest, if not the largest source of unconsensual CAPTCHAS, making them quite possibly the
  72. biggest impediment in accessibility efforts worldwide.
  73. - Cloudflare makes using Tor frustrating by making efforts to become anonymous more difficult and making it more likely
  74. that people will use non-Tor connections for some or all of their web browsing. The problem is getting worse with time.
  75. [13]
  76. - It's not just Tor[19] but Tor users are the biggest group of people who've noticed it and are organizing against it so
  77. far.
  78. - In particular, the model of Project Honeypot depends on one IPv4 address, meaning one person. As IPv4 addresses become
  79. scarce, more and more ISPs (and whole countries[22]) are forced to use higher and higher levels of NAT. The result is that
  80. the kinds of treatment of Tor users by Cloudflare starts to be not just for Tor, but for all web users. "Tor is just being
  81. slightly ahead of what the IPv4 Internet is going to look like pretty soon."
  82. The next time a large group wakes up, millions of websites might be down (including critical ones) across a whole
  83. continent. This has actually happened already. [49]
  84. "It was made clear in the Snowden leaks that GCHQ, the NSA, etc. would like people to stop using Tor so I am sure they are
  85. very happy to see CF make general web browsing difficult and frustrating for ordinary users." [12]
  86. - Worse, Cloudflare makes using Tor *dangerous* because enabling JavaScript and images to deal with their system makes it
  87. likely that some people will enable JavaScript and images on other websites, which, even if Cloudflare wasn't threatening
  88. them, would. [9]
  89. - Cloudflare is capable of tracking users of its websites, and initial looks into its JavaScript/CAPTCHA seems to bear out
  90. that they are doing so.
  91. - Cloudflare can target individual users with JavaScript malware; since you typically wind up enabling their JavaScript
  92. to use websites, you fall into their trap. Because they track users, are giving, individualised code, and work directly
  93. with the US government/DHS, there's no reason why they can't tailor attacks to specific users.
  94. - Even if they aren't doing it yet, they are at any point one US government administration, one vulture capital funding
  95. purchase[26], or one internally rogue element away from executing JavaScript code on hundreds of millions of people's
  96. computers a "highly attractive" target[7] with no oversight. The code CAPTCHA itself protects attempts to detect such
  97. things from happening.
  98. - The way that Cloudflare is constructed means that even by accident, billions of people can be analyzed by their
  99. government[51] and have their access limited or completely cut off at the government's whim.
  100. *Background : How Cloudflare threatens the web*
  101. - Cloudflare is a MITM for the whole web
  102. - As of 3 years ago 10% of the top 25,000 websites used Cloudflare[2]
  103. - A billion people in china are restricted by the Great Firewall[8]. Anyone who goes so far as to circumvent that must then
  104. deal with the "Great Cloudwall" for accessing the open internet.
  105. - This is not just an individual problem, but fundamentally threatens the ecosystem of the web.
  106. Cloudflare is breaking the open internet one site at a time. The web is massively resilient - we can do without Stack
  107. Overflow, GNU.org or even Google but when a significant enough portion of websites use a single provider, there starts to
  108. be a systematic risk that if that single provider goes down, all of the websites behind it will be inaccessible. Worse, you
  109. won't be allowed to access it unless you have the right kind of US government approved credential, contingent, perhaps, on
  110. running software only they approve of.
  111. It is becoming a single point of failure for the internet. [39]
  112. Right now, there are alternative sources for, for example, the US constitution[17]. It is not unthinkable that Cloudflare
  113. is getting big enough to threaten even that.
  114. {FIX ME - make section clearer}
  115. "A.1 sometimes there are necessary websites for some degree of necessary. Government websites, public service, etc. How
  116. long until those are behind the "Great Cloudwall"?
  117. B: Not long. Our service is competitive and convenient. If public service websites choose to use our service for awesome
  118. DDoS protection, it's their choice."[36]
  119. - Cloudflare has already started down the slippery slope[52] of censoring websites. If they didn't have a stranglehold on
  120. people accessing the internet, it would not be a problem. They are big enough that censorship from Cloudflare is starting
  121. to be a systematic exclusion from the political process.
  122. "Cloudflare is perfect: it can implement censorship on the fly without anyone getting wise to it!"[40]
  123. - DNS[39]: given that they have become so systematically powerful, the next step to cementing their power is to attack
  124. DNS. Their 1.1.1.1 DNS server, like Google's 8.8.8.8, is marketed to people so that Cloudflare will still be able to see
  125. you're going to them even if you don't interact with websites "protected" by them. It gives them even more data to track you
  126. with.
  127. *Background : Where does Cloudflare come from?*
  128. Cloudflare comes from a project called "Project Honey Pot"[61], originally intended to track online fraud and abuse.
  129. "What was Project Honey Pot?
  130. 'A service that positions itself as some kind of a grassroot-y anti-spam registry, but in reality seems to be a pro-
  131. corporate law enforcement tool with the specific aim of entrapping and prosecuting spammers/phishing scammers in a way
  132. that’s friendly to the marketing industry.'"
  133. The US Department of Homeland Security approached the developers in 2007-8[1][36] for access to their data and they have
  134. been working with the US government[54] and law enforcement ever since[1].
  135. On HTTP GET requests:
  136. Cloudflare has a history of shutting down open DNS and open NTP servers.
  137. "It would be great if they allowed GET requests - for example - such requests should not and generally do not modify server
  138. side content. They do not do this - this breaks the web in so many ways, it is incredible. Using wget with Tor on a website
  139. hosted by CF is... a disaster. Using Tor Browser with it - much the same. These requests should be idempotent according to
  140. spec, I believe."
  141. {FIX ME - "critical of it"?}
  142. Cloudflare has a history of closing tickets that are critical of it without actually resolving the issue[29][30][32]
  143. "Cloudflare is based in a country with secret courts, secret police, and secret prisons that are above the law - and this
  144. secret government has characterized Cloudflare's data as extremely valuable"[28]
  145. "The CEO says, "Cloudflare's strength lies in the DATA it collects -- not in its CODE.'"[28]
  146. "The U.S. federal government is a Cloudflare customer."[28]
  147. "Cloudflare has never stated that a government agency did not install wiretapping equipment or software on the same
  148. premises as a Cloudflare server."[28]
  149. "Cloudflare has never indicated that the architecture of its content distribution network is resistant to warrantless
  150. mass surveillance."[28]
  151. "Cloudflare has given the Chinese government unprecedented censorship capability."[28]
  152. "Cloudflare has no intention to shut down as Lavabit did in order to protect the user from unlawful surveillance."[28]
  153. "Some Cloudflare customers are paying over 1 million dollars per year for an undisclosed service."[28]
  154. *"But Cloudflare is really necessary, the web is a nasty place"*
  155. - The more of the web is held within Cloudflare, the more pressure will be on websites not behind Cloudflare
  156. - As of 2016, by Cloudflare's own data, Tor was not as bad as normal internet connections.
  157. - People: "But we need Cloudflare to protect us from DDoS.”
  158. Cloudflare: "That’s a nice site you have there. It would be a shame, such a shame, if anything happened to it. Why don’t
  159. you let us decrypt all your TLS sessions[59] so we can protect you?"[14]
  160. *I heard Cloudflare is working with Tor and all is good now?*
  161. - Just because you can't see the problem doesn't mean it's not there.
  162. - This is not true. Their websites still CAPTCHA their users, same as ever, and news agencies across the political spectrum
  163. screwed up stories about how the 'problem is fixed'. [18]
  164. - It's actually worse, though[17], if we couldn't see it[60] - it was easy to get a lot of riled up Tor users to understand
  165. that Cloudflare was their adversary. It's a lot harder to convince people who are not blocked from their websites, today,
  166. why giving systematic control over the world wide web might be a bad thing tomorrow.
  167. "Right now, Cloudflare says it monitors nearly 1/5 of all Internet visits. An astounding claim for a company most people
  168. haven’t even heard of"[40]
  169. - But they are now doing more to track users and threaten the anonymity of Tor users.
  170. - Cloudflare is one of a couple of large network providers that are capturing the vast majority of digital communications,
  171. effectively creating private networks the size of the modern internet that are competitive with and not subject to the
  172. same kinds of scrutiny and regulation as the internet[58].
  173. *What if we shut down Cloudflare and migrate all websites out of them?*
  174. We're probably going to have the same problem with another company very soon. Just as when suddenly Microsoft no longer had
  175. a monopoly on software, we didn't get rid of the problem of proprietary software, there's a couple of problems that, if we
  176. don't solve them, something like Cloudflare is roughly inevitable as a consequence:
  177. *Cloudflare DNS*
  178. "DNS[50] is around, servers are insecure, proper end-to-end crypto isn't the norm hence MITM goes unnoticed, anonymity is an edge case, routing lacks built-in resiliency to disruption, we're always going to have actors building a business model around cobbling together superficial, overapproximating mitigations."[20]
  179. *Mozilla and Cloudflare*
  180. "At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare and will resolve the domain names
  181. from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to
  182. read everyone's DNS requests."
  183. Sharing DNS requests with Cloudflare represents mozilla having a security hole, straight to the Cloudflare (and probably:
  184. the NSA).
  185. *What can you do?*
  186. Learn more about Cloudflare and make sure the people around you know about Cloudflare. Use Tor by default to be more
  187. exposed to the blocks. Go to the anti-Cloudflare collaboration repository[41] and make sure websites you use aren't
  188. "protected", and if they are, contact the people who run the website requesting that they no longer use Cloudflare. Get
  189. involved!
  190. References
  191. [1] crimeflare. Is CloudFlare a honey pot? https://web.archive.org/web/20170721161127/http://www.crimeflare.us/honeypot.html
  192. [2] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:15
  193. [3] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:21
  194. [5] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:28
  195. [6] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:30
  196. [7] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:32
  197. [8] ioerror. Issues with corporate censorship and mass surveillance. https://www.bloomberg.com/quicktake/great-firewall-of-china
  198. [9] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:51
  199. [10] crimeflare. Is CloudFlare a honey pot? https://web.archive.org/web/20170721161127/http://www.crimeflare.us/honeypot.html
  200. [11] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:59
  201. [12] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:66
  202. [13] mikeperry. The Trouble with CloudFlare. https://blog.torproject.org/trouble-cloudflare
  203. [14] nullius. Block Global Active Adversary Cloudflare. https://trac.torproject.org/projects/tor/ticket/24351#comment:8
  204. [15] Unknown. Google+ https://plus.google.com/105395547687614433866/posts/G9nnQBnLtjp
  205. [16] Unknown. Google+ https://plus.google.com/105395547687614433866/posts/XnQryQ7hR9G
  206. [17] msmach. Cloudflare Ends CAPTCHAs For Tor Users https://it.slashdot.org/comments.pl?sid=12641622&cid=57348584
  207. [18] msmach. Cloudflare Ends CAPTCHAs For Tor Users https://it.slashdot.org/comments.pl?sid=12641622&cid=57388544
  208. [19] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:90
  209. [20] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:112
  210. [21] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:132
  211. [22] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:141
  212. [23] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:147
  213. [24] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:160
  214. [25] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:175
  215. [26] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:183
  216. [27] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:231
  217. [28] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:236
  218. [29] ioerror. Issues with corporate censorship and mass surveillance. https://trac.torproject.org/projects/tor/ticket/18361#comment:255
  219. [30] gk. Cloudflare breaks loading the chat. https://trac.torproject.org/projects/tor/ticket/23141
  220. [31] nullius. Block Global Active Adversary Cloudflare. https://trac.torproject.org/projects/tor/ticket/24351#comment:20
  221. [32] nullius. Block Global Active Adversary Cloudflare. https://trac.torproject.org/projects/tor/ticket/24351#comment:44
  222. [33] nullius. Block Global Active Adversary Cloudflare. https://trac.torproject.org/projects/tor/ticket/24351#comment:52
  223. [34] nullius. Block Global Active Adversary Cloudflare. https://trac.torproject.org/projects/tor/ticket/24351#comment:60
  224. [35] nullius. Block Global Active Adversary Cloudflare. https://trac.torproject.org/projects/tor/ticket/24321#comment:13
  225. [36] Anonymous. Cloudflare philosophy. https://codeberg.org/crimeflare/cloudflare-tor/src/master/cloudflare-philosophy.md
  226. [37] Peter O'Shaughnessy. Screen Reader User Survey Results #7. https://toot.cafe/@peter/99398584471715976
  227. [39] ungeich. A new feature in Firefox https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/
  228. [40] Yasha Levine. iSucker: Big Brother Internet Culture http://exiledonline.com/isucker-big-brother-internet-culture/
  229. [41] Anonymous. The Great Cloudwall. http://codeberg.org/crimeflare/cloudflare-tor
  230. [42] lesswrong wiki. Unfriendly artificial intelligence https://wiki.lesswrong.com/wiki/Unfriendly_artificial_intelligence
  231. [43] Ben Harack. What is an existential risk? https://www.visionofearth.org/future-of-humanity/existential-risks/what-is-an-existential-risk/
  232. [44] Nick Szabo. Twitter http://twitter.com/nickszabo4
  233. [45] FSF. Google's Software is Malware https://www.gnu.org/proprietary/malware-google.en.html
  234. [46] Richard Stallman. Reasons not to use Google https://stallman.org/google.html
  235. [47] Richard Stallman. The JavaScript Trap https://www.gnu.org/philosophy/javascript-trap.html
  236. [48] Nick Szabo. Trusted Third Parties are Security Holes. 2001. https://nakamotoinstitute.org/trusted-third-parties
  237. [49] slashgeek. CloudFlare is ruining the internet (for me) https://www.slashgeek.net/2016/05/17/cloudflare-is-ruining-the-internet-for-me/
  238. [50] Hamid Sarfraz. How likely is it that CloudFlare is an NSA operation? https://www.quora.com/How-likely-is-it-that-CloudFlare-is-an-NSA-operation/answer/Hamid-Sarfraz
  239. [51] Karthik Balakrishnan. Airtel is sniffing and censoring CloudFlare’s traffic in India and CloudFlare doesn’t even know it. https://medium.com/@karthikb351/airtel-is-sniffing-and-censoring-cloudflares-traffic-in-india-and-they-don-t-even-know-it-90935f7f6d98
  240. [52] http://pleroma.oniichanylo2tsi4.onion/notice/1563
  241. [53] StopMITMInt. Add an option to stop trusting Cloudflare certificate https://github.com/mozilla-mobile/focus-android/issues/1743#issuecomment-351555735
  242. [54] goody2shoes. Block Global Active Adversary Cloudflare https://lists.torproject.org/pipermail/tor-talk/2018-January/043889.html
  243. [55] EFF. The Crypto Wars https://www.eff.org/document/crypto-wars
  244. [56] http://forums.clamwin.com/viewtopic.php?t=4915
  245. [57] November 2018 Archives by thread http://lists.clamav.net/pipermail/clamav-users/2018-November/thread.html
  246. [58] https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20181218/Documents/Geoff_Huston_Presentation.pdf
  247. [59] Thorin-Oakenpants. let's talk about our little buddy cloudflare. https://github.com/ghacksuserjs/ghacks-user.js/issues/310#issuecomment-351913412
  248. [60] ghost. What do you think about Cloudflare? https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460413259
  249. [61] Unspam Technologies, Inc. https://projecthoneypot.org/
  250. [62] TechRader. Captcha if you can: how you’ve been training AI for years without realising it https://www.techradar.com/news/captcha-if-you-can-how-youve-been-training-ai-for-years-without-realising-it