Partnering with Mozilla

Mozilla announced that the Tor Project and the Center for Democracy & Technology will be part of their new privacy initiative called Polaris, a collaboration to bring even more privacy features into Mozilla’s products. We are honored to be working alongside Mozilla as well as the Center for Democracy & Technology to give Firefox users more options to protect their privacy.

Why Mozilla?

Mozilla is an industry leader in developing features to support the user’s desire for increased privacy online and shares the Tor Project's mission of helping people protect their security online. At the core of Mozilla's values is the belief that individuals’ privacy cannot be treated as optional. We share this belief. Millions of people around the world rely on the protection of the Tor software and network to safeguard their anonymity. We appreciate companies like Mozilla that see the importance of safeguarding privacy. The Tor volunteer network has grown to the point that large companies can usefully contribute without hurting network diversity. The Tor network will get even better with Mozilla's help, and we hope that their participation will encourage even more organizations to join us.

The initial projects with Mozilla will focus on two areas:

Engineering support: 

The Tor Browser is built on the Firefox platform and we are excited to have the resources of Mozilla’s engineers to help us merge the many Firefox privacy fixes into the Mozilla codebase. The increased attention from Mozilla will give us time to focus on finding and fixing new issues rather than maintaining our fork.

Network support:

Tor's network size constrains the number of users that can use Tor concurrently. In the short term, Mozilla will help address this by hosting high-capacity Tor middle relays to make Tor’s network more responsive and allow Tor to serve more users.

We believe that the Tor Browser is one of the best ways to protect privacy on the web and this partnership is a huge step in advancing people’s right to freedom of expression online.

Anonymous

November 11, 2014


This Cloudflare crap is becoming a serious pain in the butt! It is even throwing up captchas in Arabic, depending on where you exit from. Down with Cloudflare and their crap!

Is there any technical solution to the Cloudflare approach?

I mean, if they really need a solution to avoid automated attacks to their customers' servers, is there a way to certify we're human without risks on privacy?
A temporary cookie would solve the problem (or at least mitigate it) but will make it possible to identify the browser.

Maybe also a proposal to Cloudflare to work with the Tor team to solve the problem could help: their captcha approach is reducing the accessibility of their customers' content, directly affecting their business.

It seems like all the other hosting providers can handle Tor users just fine, and have appropriate security measures in place to deal with malicious traffic regardless of its source. Maybe Cloudflare doesn't have as strong a security team as the other players.

Me too.

Make a search for "bypass cloudflare" and you will find some valuable information about their architecture and how to bypass it. Bypassing cloudflare is however a "manual" process and it does not work for every cloudflare domain.

I found that, if you go to a www.domain.tdn that is hosted on cloudflare and you will see their (for me not working) captcha, then you may just type ftp.domain.tdn instead and you get access oftentimes (search for "bypass cloudflare" if you want to know the details).

However, first, this hack does not always work, and, second, problems remain for embedded links like images that are hosted by some image hoster which in turn uses Cloudflare but the image is embedded in another site that you want to view. Then you won't get to see the image because the browser is presented with the captcha page instead of the image and then of course shows nothing.

Cloudflare claims that restricted access for Tor users is not their fault, because site owners can in principle choose between different flavors of automatic blocking. It however seems that blocking everything suspicious (including Tor) is their default setting. Also, their blocking procedure that does not block Tor access is labeled something like "block almost everything suspicious" whereas the stronger option is labeled "block everything suspicious". Why then should the website operator choose to only block _almost_ everything if he could easily block _everything_ suspicious? They should better label the Tor-enabled option something like "block everything suspicious but allow anonymous access". This would be more to the point. After all, it should be legitimate to be able to block anonymous access for some website businesses, but I don't see why some image hosting site wouldn't want to allow anonymous download of images.

I think, we would be much better off already if cloudflare decides to label their blocking options more appropriately.

I have a friend in China I keep in touch with. I want to introduce them to Tor, but I worry this will discourage them from using it. The people at Cloudflare are scum who know full well how much they're hurting Tor.

"The people at Cloudflare are scum who know full well how much they're hurting Tor."

I appreciate your frustration but using such language and tone is counterproductive. It only makes the one using it appear immature and petulant.

Isn't raiding sites and routers more productive? Disrupting communications by falsifying connections more productive? What "product" nsa and others make? For sure they are terrorists and criminals. The more people understand that the better.
And I don't like that new "business letter style" - 'Dear ... friends your finest product is really wonderful and amusing. But I can't get full experience because it does not work.' - instead of simple 'you sell shit'. So keep it that way with these criminal scums.

Circumvent the Cloudflare-trolls by using a simple, free-to-use web proxy like www.my-proxy.com. It works most of them for viewing pages.

And notify the webmaster(s), that Cloudflare's just horrible. Never waste time on their tasks!

I have found out how Cloudflare works.
https://www.quora.com/How-does-CloudFlare-work

The author of this claims to be the CEO of CloudFlare. So, take it with caution.

It acts as a Firewall, DNS-server, caching/filtering reverse proxy, router and uses some type of NAT. The websites using it have 2 URLs from CF as their authoritative name servers. It may even use DPI, record the traffic and meta data. So the issue is how to circumvent a reverse proxy.

Terminology
Reverse proxies are commonplace in the head-end infrastructure of organisations. They route web (HTTP and HTTPS) protocols from an external request to one of several internal web servers.
http://contextis.com/resources/blog/server-technologies-reverse-proxy-b…

This means your browser gets the IP of Cloudflare, which requests content from the website and delivers it to your browser. So content comes from CF instead of the website directly. Since the IP you get returned is one of CF's, it isn't simple DNS-blocking. A whois delivers IPs of CF.

Note that designating CloudFlare as your authoritative name servers doesn't change anything else about your website's ecosystem. Your registrar remains your registrar. Your hosting provider remains your hosting provider. However, because we are your authoritative name server, we can begin cleaning and accelerating your traffic.

Cleaning means censorship and filtering out actual malicious traffic.

You can view our global CloudFlare network map at:
https://www.cloudflare.com/network-map

After a visitor's browser has done the initial DNS lookup, it begins making requests to retrieve the actual content of a website. These requests are directed to the IP address that was returned from the DNS lookup. Before CloudFlare, that would have been 1.1.1.1, with CloudFlare as the authoritative name server that would be 99.99.99.99 (or some other address depending on what CloudFlare data center is closest to the user). CloudFlare's frontline servers running on that IP address receive the request and perform analysis on it. We scan to see if the visitor appears to be a threat based on a number of characteristics including the visitor's IP address, what resource they are requesting, what payload they are posting, how frequently they're making requests, etc.

How many dumb people keep keys from their houses at Cloudflare?
Well I believe everybody who delegates their own services are imbeciles. By the way is it 'legal' to hack DNS traffic? Or are they just criminals?
Then where is the great nsa? Was cloudflare raided? I believe I saw some commercial https site unexpectedly change the location - and I stop using it. Seems they start use this criminal service.
So lets new round start - split dns? Just like browsers UA. - I don't like you and i will send you fake data, feed you viruses etc.
And tor devs what about fake collector? Or service like 'our network will prevent you from connecting to spy sites'? And 'our dns will authoritative response to you query based on artificial algorithm for all sites'?

"How many dumb people keep keys from there houses at cloudflare?
Well I believe everybody who delegate there's own services are imbeciles."

Not everyone has the requisite expertise to keep a server/site reasonably secure. In fact, very few people do.

Lacking IT expertise does not make one an "imbecile".

I hate ads too, but perhaps there are ways to have non-annoying text ads without hurting any privacy. DuckDuckGo does something like this, so does StartPage.com.

Careful though, I'd hate to see Tor Project become addicted to ad revenue. Make sure to never rely on it. Be ready to toss it out at any time.

Perhaps, have such ads as opt-in.

Ads should be run as a subscription service - it has no connection to privacy. Want ads - subscribe and get them! Mark your prefs etc.
Stop using MY traffic for ads not selected/ordered by me!

Ads? What ads? I do not see any ads....
What makes you think the combining of resources of Tor and Mozilla will bring in ads?
Oh, and here's a plug for a nice thing I found for that ad issue you have: AdBlock Plus, it's an extension for Firefox ;-)

Anonymous

November 11, 2014


Does it mean:

1- you won't rely on ESR anymore, and move instead to the regular release?

2- Tor Browser's privacy features and enhancements will be integrated in the regular Firefox for all users, Tor users and FF alike?

Anonymous

November 11, 2014


It's great that Mozilla is running Tor relays, but its unwillingness to host exit nodes tells us a lot about the contours of their commitment. If Wikimedia can do it, I don't see why Mozilla couldn't.

They are blocking Tor for registered users, too, although they could easily ban the mischief's accounts. There is no reason to prevent long-running accounts from editing with Tor.

Well they need something like svn with an option to view previous revisions. In that case I fully agree with you. Till then a 'long-running account' can be compromised and data be lost. With or without Tor... Try to explain that to them.

orwell__46__ means 1946? And isn't "has now no meaning" related to 1946? In 1946 most people believed that that "not desirable" regime vanished _forever_. And I believe he didn't even think where we all are now in 2014.

Anonymous

November 11, 2014


"Mozilla will help address this by hosting high-capacity Tor middle relays"

So Mozilla, which financially depends on Google and functionally adapts their browser to Google needs, will know the IP numbers of many guard/exit node pairings.

I wonder what could go wrong.

Nothing stops Google from doing that anyways. The amount of cash they give Mozilla is a pittance compared to what they have. For all we know, Google could already run 90% of all Tor relays. Google doesn't need Mozilla as a middle-man.

At its current rate of absorption Google will own this planet. If they aren't already wholly owned or controlled by the OWO already.

Mozilla has a very transparent relationship with Google. They take Google's money and give them the top search position. Absolutely nothing else. Please don't spread FUD. I'm sure you're also the guy that uses Google's 'open source' Android.

Firefox reports visited web sites and software downloads to Google with its various "safe browsing" features.

Firefox's interface to remove cookies has been made increasingly obscure for normal users. Thus benefiting Google with its various tracking cookies to follow users all over the web year after year.

And Firefox is eager to send your Location data to Google.

For Mozilla's corporate orientation read with comments:
https://blog.mozilla.org/labs/2013/07/a-user-personalization-proposal-f…
https://blog.mozilla.org/advancingcontent/2014/02/11/publisher-transfor…

Ghostery extension for Firefox as well as Adblock Plus and NoScript. Any more petty issues you have with the most secure and privacy-oriented browser, which is open source btw?