cloudflare-tor/what-to-do.md

11 KiB
Raw Blame History

What you can do to resist Cloudflare?

< Matthew Prince (@eastdakota)

"Id suggest this was armchair analysis by kids its hard to take seriously." (source)


Website consumer
  • If the website you like is using Cloudflare, tell them not to use Cloudflare. Example below.
You are just helping corporate censorship and mass surveillance.
https://trac.torproject.org/projects/tor/ticket/24351
Your web page is in the privacy-abusing private walled-garden of CloudFlare.
See https://github.com/privacytoolsIO/privacytools.io/issues/374#issuecomment-460077544
  • Take some time to read website's privacy policy. It must explain what the "Cloudflare" is, and ask for permission to share your(user) data with CF. Failure to do so will result in the breach of trust and the website in question should be avoided.

An acceptable privacy policy example is here (look at "Subprocessors" -> "Entity Name")

I've read your privacy policy and I cannot find the word "Cloudflare".
I refuse to share data with you if you continue to feed my data to Cloudflare.
See https://notabug.org/themusicgod1/cloudflare-tor/src/master/README.md

For example, Liberland Jobs privacy policy says:

... is not going to happen. Cloudflare have their own "privacy policy", and there's no way to hear customer's privacy policy needs. Cloudflare loves doxxing people.

Here's a good example for website's signup form. AFAIK, zero website do this. Will you trust them?

By clicking “Sign up for XYZ”, you agree to our terms of service and privacy statement.
You also agree to share your data with Cloudflare and also agrees to cloudflare's privacy statement.
If Cloudflare leak your information, it's not our fault. [*]

[ Sign up for XYZ ] [ I disagree ]

[*] https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/

  • Try not to use their service. Remember you are being watched by Cloudflare.

  • Search for other website. There are many alternatives and opportunites on the internet!

  • If your browser is Firefox, use one of these add-ons.

Name Can Block Can Notify
Block Cloudflare MITM Attack Yes Yes
Block Cloudflare MITM Attack Yes Yes
Are links vulnerable to MITM? No Yes
Third-party Request Blocker (AMO) Yes Yes
Third-party Request Blocker Yes Yes
Detect Cloudflare No Yes
  • Convince your friends to use Tor Browser on the daily basis. Anonymity should be the standard of the open internet!

Website owner / Web developer

  • Do not use Cloudflare solution. You are loser if you fall to that easy solution. You can do better than that, right?

  • Want more customers? You know what to do. Hint is "above line".

  • Using Cloudflare will increase chances of an outage. Visitors can't access to your website if your server is down or Cloudflare is down. Did you really think Cloudflare never go down?

  • Do you need HTTPS certificate? Use "Let's Encrypt" or just buy it from CA company.

  • Install Web Application Firewall (such as OWASP) and Fail2Ban on your server and configure it properly.

  • Set up Tor Onion Service or I2P insite if you believe in freedom and welcome anonymous users.

  • Ask for advice from other Clearnet/Tor dual website operators and make anonymous friends! :)


Software user
  • If you use Debian GNU/Linux, or any derivative, subscribe to bug #831835. And if you can, help verify the patch, and help the maintainer come to the right conclusion on whether it should be accepted.

  • Always recommend Tor Browser for desktop and Tor Browser for Android, Orfox for smartphone. Other software's privacy is imperfect. This doesn't mean Tor browser is "perfect". There is no 100% secure nor 100% private on the internet and technology.

  • Don't want to use "Tor"? You can use Tor Browser without Tor, and this is the best option for you.

How?

  1. Download Tor Browser and launch it.
  2. Open Add-ons Manager (about:addons) and disable EVERYTHING but "Torbutton". Do NOT remove them.
  3. Open about:config and search "extensions.torbutton.use_nontor_proxy". Set it to "true".
  4. Go to Options, scroll down to "Network Proxy". Click "Settings" and select "No proxy".
  5. Close Tor Browser.

Other guide is here.

Let's talk about other software's privacy...


"Mozilla Firefox" user
  • Don't use Firefox Nightly. It will send debug-level information to Mozilla servers without opt-out method. Mozilla servers are behing Cloudflare.

  • It is possible to prohibit Firefox to connect to Mozilla servers. Create a file "/distribution/policies.json". Mozilla's policy-templates guide. Keep in mind this trick might stop working in later version because Mozilla likes to whitelist themselves. Use firewall and DNS filter to block them completely.

"WebsiteFilter": {
  "Block": [
  "*://*.mozilla.com/*",
  "*://*.mozilla.net/*",
  "*://*.mozilla.org/*",
  "*://*.firefox.com/*",
  "*://*.thunderbird.net/*",
  "*://*.cloudflare.com/*"
  ]
},
  • Report a bug on mozilla's tracker, telling them not to use Cloudflare/TRR. There was a bug report on bugzilla. Many people were posted their concern, however the bug was hidden by the admin last year.

  • To disable DOH, enter about:config?filter=network.trr in the address bar then set "network.trr.mode" to 5 to completely disable it. The value "5" means "Off by choice".

  • If you really need to use non-ISP DNS, consider using OpenNIC Tier2 DNS service.

  • Tell us if you see this functionality start to creep up beyond Firefox Nightly into more stable versions of Firefox.

Action
  • Tell others around you about the dangers of Cloudflare. But don't talk with NSA employee; you'll be definitely marked... just kidding!

  • Help improve this repository, both the lists, the arguments against it and the details.

  • Document and make very public where things go wrong with Cloudflare (and similar companies), making sure to mention this repository when you do so ;)

  • Get more people using Tor by default so they can experience the web from the perspective of different parts of the world.

  • Start groups, in social media and meatspace, dedicated to liberating the world from Cloudflare.

  • Where appropriate, link to these groups on this repository - this can be a place for coordinating working together as groups.

  • Start a coop that can provide a meaningful non corporate alternative to Cloudflare.

  • Let us know of any alternatives to help at least provide multiple layered defence against Cloudflare.

  • Try using globalist to maintain this list.

  • If you are in the United States of America and the website in question is a bank or an accountant, try to bring legal pressure under the GrammLeachBliley Act, or the Americans with DIsabilities Act and report back to us how far you get.

  • If the website is a government site, try to bring legal pressure under the 1st Amendment of the US Constitution.

  • If you are EU citizen, contact the website to send your personal information under the General Data Protection Regulation. If they refuse to give you your information, that's a violation of the law.

  • For companies that claim to offer service on their website try reporting them as "false advertising" to consumer protection organizations and BBB. Cloudflare websites are served by Cloudflare servers.

  • The ITU suggest in the US context that Cloudflare is starting to get big enough that antitrust law might be brought down upon them.