[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] do Cloudfare captchas ever work?

Thanks Çağıl,
I'll have to ponder some of your comments.
On other points, some highly advanced users may have to jump in & comment.

On certain points you made (it seems), it's absolutely trivial for Cloudfare or any entity operating on a large number of sites, to track Tor / TBB users - across domains - on every site visited, that the tracking entity also monitors?

That assumes and / or implies several things (in Tor Browser).
1. You allow cookies AND 3rd party cookies, on many / most sites visited.
2. You rarely clear those cookies.
3. You never clear browser cache, except at shutdown.
4. You rarely, if ever, use the TBB new identity feature, during a single session.

5. TBB allows other non-cookie tracking methods (beacons, what ever) to be set AND allows them to be read *across all domains visited.* On #4, did I misunderstand the TBB design document, and misunderstand the discussion that Mike Perry (I believe) had on this list, about cross domain tracking not being allowed?

6. A multi site tracker (CDN, Google, NSA) can read TBB all cached content. Or, perhaps only the cached content that they set in TBB (but across all domains)?

If everything you say is true (if I understand), then any major tracker can know most of the sites you've been to & exactly what you did at each one (because of the cross domain tracking that TBB allows - by design)?
They *only* thing they don't know (yet) may be  your real IPa?

It sounds like you're not just saying there are *some* possible ways for cross origin tracking, but that much of the Tor Browser design document regarding this has no validity?

Sect. 4.5 Cross-Origin Identifier Unlinkability https://www.torproject.org/projects/torbrowser/design/#identifier-linkability subsection of 4.5, "Identifier Unlinkability Defenses in the Tor Browser," that says,
"Here is the list that we have discovered and dealt with to date:"

Sect 4.6 "Cross-Origin Fingerprinting Unlinkability"

4.7. "Long-Term Unlinkability via "New Identity" button" https://www.torproject.org/projects/torbrowser/design/#new-identity

On 6/23/2015 3:41 PM, Çağıl P. Şesto wrote:
On Mon, Jun 22, 2015 at 07:15:24PM -0500, Joe Btfsplk wrote:
Is that actually true?  (they can track you over various exits)
Is that what the design document says?
Tor can't protect you, if your browser emits cookies or information
about cached content back to an entity that operates global scale cdn
or services:

Lets make it easy:
You are you (joe) and there is google (gog) and cloudflare (clo):
You are ordering pizza via tor-exit1 (tex1) and watch some cats while
eating that pizza on tor-exit2 (tex2).

In your first session, you request content, a picture of said pizza from a
cdn (clo) and with that request comes caching information and cookies
from (clo) along with that picture.

(clo) knows you now as an entity, you are emitting cookies back to (clo)
with every use of his cdn.

Lets assume the pizza service uses a website analytics service from
(gog) under the premise of customer statisfaction:

Your browser, requests 1x1pixel from that service, with that pixel comes
another cookie, you are now knowm to (gog) as an pizza eating entity too.
Every time you visit another site using (gog) analytics, you are the
same pizza eating entity.

Its time to go to the loo, and the pizza is delivered. The tor-client did
his awesome job and has build new circuits, (joe) is know using (tex2).

So, whats better than pizza? Pizza and cats:
(joe) requests a embedded catmovie from some catmovie site, bad for him
the catmovie is delivered via (clo) cdn, the browser adds the cookie
to the request and (clo) adds that information to the record they
startet about you earlier. Unfortunately catmovies uses the (gog) analytics
service too (because its free, so who would mind), and (gog) gets their
cookie back from earlier.

Sorry to say, I am under the impression, you have watched to much VPN
advertising, if it comes to your browser, your ip is no longer of
interest. You really should get rid of that misconception that you are
a ip address or somebody uses ip address to track people, since the
inception of tor and vpn networks thats plain stupid.

If you don't like to third parties from knowing that you are into the
cat thing, the right thing to do would to use your browser to order
pizza and using TBB to watch cats - that works.

But, many Tor Browser users  seem to question allowing all scripts by
default - including 3rd party.
That example works with plain http or https, were https is recommended
while using tor. There was no active content involved.

On the _latter point_, I'm not as technically advanced as many on this
list, to fully understand ALL subtleties in the design document.
It gets nasty and scary with active content involved, tor is only a
network, it can hide your ip, but thats not always the solution.

On the _latter point_, I'm not as technically advanced as many on this
to fully understand ALL subtleties in the design document.
If one only has one tool, lets say a hammer, one tends to see every
problem as nail, thats what you are doing.

Please consider which parts of your personal habits and needs you like
to expose in which way. So order pizza with your whatever browser and do
the lewd cats thing with TBB. I know, not very convenient, but privacy
or anonymity aren't avaliable in a convenient way anymore. Your ip has
nothing to do with that anymore.

That said, it isn't impossible. I still try to convice site owners to
respect visitors and not exclude, track or sell their anonymity or
privacy for some funky graphs.

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to