cloudflare-tor/what-to-do.md

126 lines
7.6 KiB
Markdown
Raw Normal View History

2018-09-03 12:17:32 +02:00
##### What you can do to resist Cloudflare?
2019-02-11 11:44:20 +01:00
2018-09-03 12:27:53 +02:00
###### Website consumer
2018-09-03 12:17:32 +02:00
- If the website you like is using Cloudflare, tell them not to use Cloudflare.
> You are just helping corporate censorship and mass surveillance.
2018-09-17 02:58:59 +02:00
>
2018-09-03 12:17:32 +02:00
> https://trac.torproject.org/projects/tor/ticket/24351
2018-09-03 12:27:53 +02:00
- Try not to use their service. Remember you are being watched by Cloudflare.
- Search for other website. There are many alternatives and opportunites on the internet!
2018-09-03 12:17:32 +02:00
2018-09-17 02:58:59 +02:00
- If your browser is Firefox, use one of these add-ons.
| Name | Can Block | Can Notify |
| -------- | -------- | -------- |
2018-10-09 04:15:38 +02:00
| [Block Cloudflare MITM Attack](https://addons.mozilla.org/en-US/firefox/addon/bcma/) | **Yes** | **Yes** |
2018-09-18 00:38:30 +02:00
| [Block Cloudflare MITM Attack](https://trac.torproject.org/projects/tor/attachment/ticket/24351/block_cloudflare_mitm_attack-1.0.14.1-an%2Bfx.xpi) | **Yes** | **Yes** |
2019-02-18 06:31:55 +01:00
| [Are links vulnerable to MITM?](https://addons.mozilla.org/en-US/firefox/addon/are-links-vulnerable-to-mitm/) | No | **Yes** |
2018-11-17 11:13:13 +01:00
| [Third-party Request Blocker (AMO)](https://addons.mozilla.org/en-US/firefox/addon/tprb/) | **Yes** | **Yes** |
2018-11-17 11:14:29 +01:00
| [Third-party Request Blocker](https://searxes.danwin1210.me/collab/___go.php?go=get_tprb0&prf=nab) | **Yes** | **Yes** |
2018-09-17 02:58:59 +02:00
| [Detect Cloudflare](https://addons.mozilla.org/en-US/firefox/addon/detect-cloudflare/) | No | **Yes** |
2018-09-17 03:03:48 +02:00
2018-09-03 12:17:32 +02:00
- Convince your friends to use [Tor Browser](https://www.torproject.org/) on the daily basis. Anonymity should be the standard of the open internet!
2018-09-03 12:29:14 +02:00
2018-09-03 12:27:53 +02:00
###### Website owner / Web developer
2018-09-03 12:17:32 +02:00
2018-09-03 12:27:53 +02:00
- Do not use Cloudflare solution. You are loser if you fall to that easy solution. You can do better than that, right?
2018-09-03 12:17:32 +02:00
2018-09-06 14:12:00 +02:00
- Install Web Application Firewall (such as OWASP) and Fail2Ban on _your_ server and configure it _properly_.
2018-09-03 12:17:32 +02:00
2018-09-06 14:12:00 +02:00
- Set up [Tor Onion Service](https://www.torproject.org/docs/onion-services.html.en) or I2P insite if you believe in freedom and welcome anonymous users.
2018-09-03 12:17:32 +02:00
- Ask for advice from other [Clearnet/Tor dual website operators](https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor) and make anonymous friends! :)
2018-09-03 12:29:14 +02:00
2018-09-03 12:27:53 +02:00
###### Software user
2018-09-03 12:17:32 +02:00
2018-09-03 12:41:21 +02:00
- If you use Debian GNU/Linux, or any derivative, subscribe to [bug #831835](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831835). And if you can, help verify the patch, and help the maintainer come to the right conclusion on whether it should be accepted.
2018-09-03 12:17:32 +02:00
2019-02-12 07:05:26 +01:00
- Always recommend [Tor Browser](https://www.torproject.org/) for desktop and [Tor Browser for Android](https://play.google.com/store/apps/details?id=org.torproject.torbrowser_alpha)~~, [Orfox](https://guardianproject.info/apps/orfox/)~~ for smartphone. Other software's privacy is imperfect. This doesn't mean Tor browser is "perfect". There is no 100% secure nor 100% private on the internet and technology.
2018-09-03 12:29:14 +02:00
2018-09-03 12:17:32 +02:00
2018-09-03 12:27:53 +02:00
Let's talk about _other software's privacy_...
2018-01-19 20:32:48 +01:00
2018-09-03 12:29:14 +02:00
2018-09-03 12:27:53 +02:00
- If you really need to use Firefox, pick "[Firefox ESR](https://www.mozilla.org/en-US/firefox/organizations/)". ESR is developed for company and organizations, thus _some_ spyware code is disabled by default. Portable version is [here](https://portableapps.com/apps/internet/firefox-portable-esr).
2018-03-29 09:09:00 +02:00
2018-09-03 12:27:53 +02:00
- Remember, Mozilla is [using Cloudflare service](https://www.robtex.com/dns-lookup/www.mozilla.org). They're also using [Cloudflare's DNS service on their product](https://www.theregister.co.uk/2018/03/21/mozilla_testing_dns_encryption/) D'oh!
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Mozilla officially [rejected this ticket](https://bugzilla.mozilla.org/show_bug.cgi?id=1426618).
2018-01-19 20:32:48 +01:00
2019-02-12 07:16:03 +01:00
- PaleMoon developer [loves Cloudflare](https://github.com/mozilla-mobile/focus-android/issues/1743#issuecomment-345993097).
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Chrome is a [spyware](https://www.gnu.org/proprietary/malware-google.en.html).
2018-01-19 20:32:48 +01:00
2019-02-12 07:05:26 +01:00
- Brave Browser [whitelist Facebook/Twitter trackers](https://www.bleepingcomputer.com/news/security/facebook-twitter-trackers-whitelisted-by-brave-browser/).
2018-01-19 20:32:48 +01:00
2018-09-03 12:29:14 +02:00
2019-02-11 11:43:41 +01:00
###### "Mozilla Firefox" user
- Don't use Firefox Nightly. It will send debug-level information to Mozilla servers without opt-out method. Mozilla servers are [behing Cloudflare](https://www.digwebinterface.com/?hostnames=www.mozilla.org%0D%0Amozilla.cloudflare-dns.com&type=&ns=resolver&useresolver=8.8.4.4&nameservers=).
2019-02-12 07:13:05 +01:00
- It is possible to prohibit Firefox to connect to Mozilla servers. Create a file "/distribution/policies.json". Mozilla's [policy-templates guide](https://github.com/mozilla/policy-templates/blob/master/README.md).
2019-02-12 07:01:49 +01:00
> {
> "policies": {
> "WebsiteFilter": {
> "Block": [
> "*://*.mozilla.com/*",
> "*://*.mozilla.net/*",
> "*://*.mozilla.org/*",
> "*://*.firefox.com/*",
> "*://*.thunderbird.net/*",
> "*://*.cloudflare.com/*"
> ]
> },
2019-02-12 07:13:05 +01:00
> ...
> }
2019-02-11 11:49:44 +01:00
2019-02-11 11:43:41 +01:00
- ~~Report a bug on mozilla's tracker, telling them not to use Cloudflare/TRR.~~ There was a bug report on bugzilla. Many people were posted their concern, however the bug was hidden by the admin last year.
2019-02-12 07:13:05 +01:00
- To disable DOH, enter about:config?filter=network.trr in the address bar then set "network.trr.mode" to 5 to completely disable it. The value "5" [means "Off by choice"](https://gist.github.com/bagder/5e29101079e9ac78920ba2fc718aceec). (If you really need to use non-ISP DNS, consider using [OpenNIC Tier2 DNS service](https://wiki.opennic.org/start).)
2019-02-11 11:43:41 +01:00
- Tell us if you see [this functionality](https://ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/) start to creep up beyond Firefox Nightly into more stable versions of Firefox.
2019-02-11 11:49:44 +01:00
2018-09-03 12:27:53 +02:00
###### Action
2018-01-19 20:32:48 +01:00
2018-09-06 14:12:00 +02:00
- Tell others around you about the dangers of Cloudflare. But don't talk with NSA employee; you'll be _definitely_ marked... just kidding!
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Help improve this repository, both the lists, the arguments against it and the details.
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Document and make very public where things go wrong with Cloudflare (and similar companies), making sure to mention this repository when you do so
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Get more people using Tor by default so they can experience the web from the perspective of different parts of the world.
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Start groups, in social media and meatspace, dedicated to liberating the world from Cloudflare.
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Where appropriate, link to these groups on this repository - this can be a place for coordinating working together as groups.
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Start a coop that can provide a meaningful non corporate alternative to Cloudflare.
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Let us know of any alternatives to help at least provide multiple layered defence against Cloudflare.
2018-01-19 20:32:48 +01:00
2018-09-03 12:27:53 +02:00
- Try using [globalist](globalist.txt) to maintain this list.
2018-01-19 20:32:48 +01:00
- If you are in the **United States of America** and the website in question is a bank or an accountant, try to bring legal pressure under the [GrammLeachBliley Act](https://en.wikipedia.org/wiki/Gramm%E2%80%93Leach%E2%80%93Bliley_Act), or the [Americans with DIsabilities Act](https://www.ada.gov/cguide.htm) and report back to us how far you get.
2018-01-19 20:32:48 +01:00
2018-09-03 12:48:02 +02:00
- If the website is a government site, try to bring legal pressure under the [1st Amendment of the US Constitution](https://en.wikipedia.org/wiki/First_Amendment_to_the_United_States_Constitution).
- If you are EU citizen, contact the website to send your personal information under the [General Data Protection Regulation](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation). If they refuse to give you your information, that's a violation of the law.
2018-01-19 20:32:48 +01:00
2018-09-03 12:49:19 +02:00
- For companies that claim to _offer service on their website_ try reporting them as "_false advertising_" to consumer protection organizations and BBB. Cloudflare websites are served by Cloudflare servers.
2018-01-19 20:32:48 +01:00
2019-02-02 21:26:21 +01:00
- the [ITU](https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20181218/Documents/Geoff_Huston_Presentation.pdf) suggest in the US context that Cloudflare is starting to get big enough that antitrust law might be brought down upon them.