
Re: ietf.org unaccessible for Tor users

2016-03-15 05:18:48
One Internet or something?

Eliot Lear <mailto:lear(_at_)cisco(_dot_)com>
15 March 2016 at 10:14

I'll bite: why is it important that IETF documents be accessible via Tor?

Eliot


Jari Arkko <mailto:jari(_dot_)arkko(_at_)piuha(_dot_)net>
15 March 2016 at 08:20
I don’t have a solution, but I wanted to say that I feel the pain.

It is important that IETF documents are accessible via Tor. It is
important that whatever CAPTCHAs are being employed, they are
accessible to everyone. It is important that we at the IETF are able
to deal with DoS attacks.

I’m not ready to believe that the above requirements are fundamentally
in conflict.

I have a question though and a couple of other observations.

The question: Yui: I was under the (perhaps mistaken) assumption that
ietf.org is generally accessible to everyone in the usual way, but
that some blacklisted nodes will have to go through a CAPTCHA process
before being able to continue. Is this so, or is there an experience
that says nodes are blocked and there isn’t even a possibility to go
through a CAPTCHA? Or is the problem that there is a CAPTCHA but you
do not feel that it is done in a way that is appropriate? Does all
this relate to http or https traffic?

The observations:

o I do not feel that contracted running of multiple copies of our
servers constitutes a man-in-the-middle arrangement.

o I have asked for the matter to be discussed in our IT/tools/IAOC
meetings, but I’ll note that we may not have any more magical answers
than what is already being discussed on the list.

Jari

Randy Bush <mailto:randy(_at_)psg(_dot_)com>
14 March 2016 at 23:26

i agree this is a problem. but i am not sure about the solution space.
are we trading one form of security for another?

what is the threat model which drives us to tls/https? authenticity of
the data? privacy of what i access? in the scheme of things, how
important are our data anyway and what are we trading for perceived
protection?

how much load-spreading and resilience do ietf web/wiki/archives
actually need? if they need a cdn, and i am not so sure they do, can we
have a cdn which supports tls without being a monkey in the middle? do
we pay to deploy a half dozen anycasted instances of our own and
maintain them [0]?

some of this we have discussed before, maybe not as insightfully as we
might have.

randy

0 - sysadmin is similar to doing the dishes; you go to sleep with a
clean kitchen, but there will be more dishes tomorrow.

Yui Hirasawa <mailto:yui(_at_)cock(_dot_)li>
13 March 2016 at 14:35
Hello IETF,

Today when I tried to go read a standard on the ietf.org website I was
met with a CloudFlare CAPTCHA page.

By using CloudFlare IETF is actively blocking Tor connections to IETF
page. CloudFlare also works as man-in-the-middle and all encryption to
ietf.org is null and void which means IETF is actively helping the
authoritarian governments weaken the encryption on the Internet.
CloudFlare also requires proprietary javascript to be run by Tor users
who want to access websites which makes fingerprinting them very easy.
Because CloudFlare is a man-in-the-middle it can also inject websites
with malicious javascript, such as fingerprinting javascript. CloudFlare
also collects all connection data and is subject to US secret courts and
thus using it is directly contributing to the mass surveillance of the
Internet.

Tor project has also finally started noticing this[1]. And I wrote a
small thing[2] about it on my website recently as well.

IETF using CloudFlare is a very bad thing for the security and
neutrality of the Internet and this should be fixed immediately.

If you think there is some other place where I could notify people about
this then please send me an email.

[1]: https://trac.torproject.org/projects/tor/ticket/18361
[2]: https://GNU.moe/thoughts/cloudflare.html


-- 
Christian de Larrinaga  FBCS, CITP,
-------------------------
@ FirstHand
-------------------------
+44 7989 386778
cdel(_at_)firsthand(_dot_)net
-------------------------