I am interested to know to what extent Tor Browser protects me from Cross-Origin linkability by CloudFlare. Specifically I am interested in to what extent CloudFlare can track me across sites which use their DDoS protection service. This service requires the website owner to configure CloudFlare servers as the DNS resolution endpoint (evidenced by nameservers like diva.ns.cloudflare.com showing up with a whois query).
From Tor Browser’s design document I read this:
User activity on one URL bar origin MUST NOT be linkable to their activity in any other URL bar origin by any third party automatically or without user interaction or approval.
My understanding of “URL bar origin” is it is the second level domain - e.g. google.com in the case of translate.google.com in the URL bar.
In order to illustrate the issue consider the following scenario:
- I navigate to website A which uses CloudFlare DNS servers - e.g. the GitLab sign-in page
- I am presented with CloudFlare’s “turnstile” (which requires JavaScript) and note in the URL bar that an additional parameter `__cf_chl_rt_tk` is briefly added - i.e. I am redirected with a tracking parameter - I also note that before I dutifully click the “Verify you are human” checkbox, cookie storage is available for the cloudflare.com domain (see screenshot)
- Once CloudFlare is satisfied I’m not a bot I’m redirected to the site (GitLab is actually a bad example, as GitLab’s login seems broken with Tor Browser & the turnstile can never be completed - but that’s a different issue)
- Later in the same session I navigate to website B, which also uses CloudFlare DNS servers, presents the turnstile page, adds the extra parameter in the URL bar and allows cookie storage by cloudflare.com
Question 1: By navigating to a page which uses CloudFlare nameservers, or by clicking the “Verify you are human” checkbox, am I giving approval (as per the design document definition) to CloudFlare to track me?
Question 2: Given the above, can CloudFlare in fact track me across sites?
I would hope the answer to both questions is “no”. However, by resolving DNS at CloudFlare’s servers at both website A and B isn’t cloudflare.com in effect the 2nd level domain? Giving the cloudflare.com domain the opportunity to store cookies on my machine every time I encounter the turnstile page (whether they do so or not) would seem to bolster this argument.
I have picked on CloudFlare due to the semi-ubiquitous nature of their presence on the internet. It is hard to surf the net for very long with Tor Browser without encountering CloudFlare and their turnstiles/CAPTCHAs. My question is really aimed at provoking discussion on whether (and if so how) Tor Browser should be used to avoid tracking by companies offering DDoS services of this kind.
Right now, whenever I encounter a CloudFlare turnstile or CAPTCHA I consider my session ‘tainted’ and end my session on that page by obtaining a New identity before surfing any further. I would like to be confident that either a) this is unnecessary or b) if it is currently necessary to prevent CloudFlare tracking me, that the Tor Browser team might consider how to prevent the tracking of Tor Browser users by companies of this kind.
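The design-document requirement quoted above is usually implemented by keying all third-party state on the first-party site in the URL bar. The Python model below, added here to illustrate the question and not code from Tor Browser or from CloudFlare, shows why that matters for the scenario described: a cookie set by a challenge provider's domain while website A is in the URL bar is stored in a jar that website B never sees. It assumes that "URL bar origin" means the registrable domain (eTLD+1 per the Public Suffix List), uses a constructed, deliberately tiny suffix list in place of the real one, and uses constructed domain names (`site-a.example`, `site-b.example`, `challenge.example`) rather than any real site. It models cookie storage only; other channels such as the URL parameter the post mentions are outside the model.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: the real list is
# far longer; only the entries this example needs are included).
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk", "github.io"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 (registrable domain) of a hostname, or None if the
    host is itself a public suffix. The longest matching suffix wins."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Unknown TLD: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


class CookieJar:
    """Minimal model of a browser cookie store.

    partitioned=False: cookies are keyed by cookie domain only (a classic jar,
                       so one third-party domain sees the same cookie everywhere).
    partitioned=True:  cookies are additionally keyed by the first-party site in
                       the URL bar, the first-party isolation this model assumes
                       Tor Browser applies; a third party gets a separate jar
                       per site it is embedded in.
    """

    def __init__(self, partitioned: bool):
        self.partitioned = partitioned
        self._store: dict = {}

    def _key(self, first_party_url: str, cookie_domain: str):
        first_party = None
        if self.partitioned:
            first_party = registrable_domain(urlsplit(first_party_url).hostname)
        return (first_party, cookie_domain.lower())

    def set_cookie(self, first_party_url: str, cookie_domain: str, name: str, value: str) -> None:
        self._store.setdefault(self._key(first_party_url, cookie_domain), {})[name] = value

    def get_cookies(self, first_party_url: str, cookie_domain: str) -> dict:
        return dict(self._store.get(self._key(first_party_url, cookie_domain), {}))


# Constructed names; none of these is a real site or provider.
CHALLENGE_DOMAIN = "challenge.example"
SITE_A = "https://site-a.example/users/sign_in"
SITE_B = "https://www.site-b.example/"


def simulate_two_sites(partitioned: bool) -> Optional[str]:
    """Visit site A, where the embedded challenge sets a cookie on its own domain,
    then site B, where the same challenge domain reads its cookies back.
    Returns the cookie value visible at site B, or None if the jar is empty there."""
    jar = CookieJar(partitioned)
    jar.set_cookie(SITE_A, CHALLENGE_DOMAIN, "clearance", "token-set-during-visit-A")
    return jar.get_cookies(SITE_B, CHALLENGE_DOMAIN).get("clearance")


def simulate_same_site(partitioned: bool) -> Optional[str]:
    """Two subdomains of one site share a partition even when isolation is on,
    because the key is the registrable domain rather than the full hostname."""
    jar = CookieJar(partitioned)
    jar.set_cookie("https://login.site-a.example/", CHALLENGE_DOMAIN, "clearance", "t1")
    return jar.get_cookies("https://www.site-a.example/", CHALLENGE_DOMAIN).get("clearance")


if __name__ == "__main__":
    for mode in (False, True):
        label = "partitioned" if mode else "unpartitioned"
        print(f"{label}: site B sees {simulate_two_sites(mode)!r}; "
              f"same-site subdomain sees {simulate_same_site(mode)!r}")
```

In the unpartitioned jar the provider receives the token minted during the first visit when it is embedded on the second site, which is exactly the cross-site link the post worries about; with first-party isolation the lookup at site B comes back empty even though storage for the provider's domain was available during both challenges. Storage being writable, in other words, does not by itself mean the written state is readable from a different URL bar origin.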
