blacklisted Tor-hostile banks

cyberMonk 2021-05-14 13:49:52 -04:00
parent 15063a26b0
commit b01cacfc67
2 changed files with 29 additions and 17 deletions

View File

@ -56,6 +56,7 @@
[41-cache]: https://web.archive.org/web/20171024040313/www.businessinsider.com/cloudflare-ceo-suggests-people-who-report-online-abuse-use-fake-names-2017-5
[42]: https://www.theguardian.com/technology/2015/nov/19/cloudflare-accused-by-anonymous-helping-isis
[43]: <https://web.archive.org/web/20210226152834/boingboing.net/2015/01/19/invasion-boards-set-out-to-rui.html> "using mirror to avoid CloudFlare"
[brennan]: https://web.archive.org/web/20150112121911/twitter.com/infinitechan/status/554613394813120513
[TrademarkTroll]: <https://web.archive.org/web/20210120103517/www.cloudflare.com/learning/cloud/what-is-a-cloud-firewall> "using mirror to avoid CloudFlare"
[cloudFW]: https://addons.mozilla.org/en-US/firefox/addon/cloud-firewall
[rbi]: <https://web.archive.org/web/20210323130327/blog.cloudflare.com/browser-isolation-for-teams-of-all-sizes> "using mirror to avoid CloudFlare"
@ -68,10 +69,13 @@
[unescoEDU2019]: http://portal.unesco.org/en/ev.php-URL_ID=49556&URL_DO=DO_TOPIC&URL_SECTION=201.html
[unescoG16]: https://en.unesco.org/themes/access-information
[unescoEDUhr]: https://en.unesco.org/themes/education
[dcfstats]: https://git.nogafam.es/deCloudflare/deCloudflare/src/branch/master/subfiles/google_ad_planner_top_1000_sites.md
[gfd]: https://static.fsf.org/nosvn/directory/fdl-1.3-standalone.html
[freedom0]: https://lists.gnu.org/archive/html/directory-discuss/2017-02/msg00000.html
# CloudFlare
CloudFlare is a vigilante extremist organization that takes the decentralized web and centralizes it under one corporate power who dictates terms in the world's largest walled-garden. A very large portion of the web (10%+) were once freely open to all but are now controlled and monitored by a single central authority who decides for everyone who may access what web content. This does serious damage to net neutrality, privacy, and has immediate serious consequences:
CloudFlare is a vigilante extremist organization that takes the decentralized web and centralizes it under one corporate power who dictates terms in the world's largest walled-garden. A very large portion of the web (16.7%+) were once freely open to all but are now controlled and monitored by a single central authority who decides for everyone who may access what web content. This does serious damage to net neutrality, privacy, and has immediate serious consequences:
1. CloudFlare mounts mutlifaceted attacks on **privacy**
1. CloudFlare is a [man-in-the-middle][2] who [sees all traffic][1] including usernames, unhashed passwords, and financial data within the HTTPS tunnel. This is done surreptitiously. They admit to it on [one document][33] in the course of a sales pitch while on other documents they say zero trust is needed.
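Review bot: The new "16.7%+" figure in the opening paragraph carries no source, although this same hunk adds reference definitions for other claims. Link the figure to the data it comes from, or say how it was measured, so the change from "10%+" can be checked. The sentence also reads "A very large portion of the web ... were"; "was" agrees with "portion".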
@ -88,12 +92,21 @@ CloudFlare is a vigilante extremist organization that takes the decentralized we
1. CloudFlare takes away **software freedom**
1. CF imposes CAPTCHAs that require the user to execute non-free javascript.
* CF restricts how users may use their software by rendering the web dysfunctional for some browsers.
* Free software projects that use CF to distribute
documentation without whitelisting T1 inherently violate the
[GNU Free Documentation License][gfd] as a consequence of
not being "*simple HTML*".
* Software Freedom 0 is [hindered][freedom0] for some tools.
1. CloudFlare diminishes **network neutrality** -- *Access Equality* is the centerpiece of net neutrality, while CF yields widespread access *inequality*.
1. CloudFlare took a seat on the FCC's [Open Internet Advisory Committee][14], and serves its own interest (to influence legislation against net neutrality).
1. CloudFlare [discriminates][15] against connections coming from developing countries.
1. CloudFlare discriminates unfairly against Tor users, those who use non-graphical browsers, and those who deploy beneficial robots.
1. CloudFlare also discriminates against people with impairments and disabilities (details in the human rights section)
1. CloudFlare's detriment to **human rights**
1. Access to education is a [human right][unescoEDUhr], so when a
school like Roskilde University (RUC in Denmark) uses Proquest
which makes access to educational material exclusive by using
Cloudflare, it undermines human rights.
1. CAPTCHAs put humans to work for machines when it is machines who should be working for humans. The labor violates the 13th amendment of the US Constitution due to involuntary servitude. The most perverse manifestation is when a citizen attempts to access a government service such as voter registration, and they're forced to solve a puzzle, the labor of which compensates CloudFlare instead of the laborer.
1. CF discriminates against people with impairments and disabilities
1. CF attacks robots that help provide an alternative user interface for users that are impaired or handicapped. This attack violates some WCAG 2.0 principles mentioned in the next table regardless of the role of CAPTCHA (which itself violates WCAG 2.0 principles).
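Review bot: "T1" in the added documentation bullet ("without whitelisting T1") is not defined anywhere in the surrounding text, so the condition for the claimed license violation is unclear. Spell out what T1 refers to, and name the part of the GNU Free Documentation License that the "simple HTML" quote comes from so the claim can be verified. The sub-list under "software freedom" also mixes `1.` and `*` markers for sibling items.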
@ -110,7 +123,7 @@ CloudFlare is a vigilante extremist organization that takes the decentralized we
| *3.2: Make web pages appear and operate in predictable ways.* | It's unpredictable whether the IP reputation assessment will invoke a CAPTCHA and also unpredictable whether a CAPTCHA solution will be accepted. The time you have to solve the puzzle is also unpredictable.|
| *4.1.: Maximize compatibility with current and future user agents, including assistive technologies.* | When a user attempts to use `lynx`, `w3m`, `wget`, `cURL` or any other text-based tool, the blockade imposes tooling limitations on the user. |
5. CloudFlare inflicts customers and web users with excessive **vulnerabilty** to exploits.
1. CloudFlare's immense centralization becomes catastrophic when a single bug emerges. The degree of damage is acutely heightened when over 10% of the web is subject to vulnerabilities on CloudFlare. The enticement for malicious hackers to find a zero-day is also greatly heightened as a result of the widespread scale of impact. *Cloudbleed* was a vulnerability that had serious widespread consequences. Even a simple accident at CloudFlare like a one-line erroneous regular expression brought down a huge segment of the web on July 17th, 2020. August 11-12: "Cloudflare went down and took over Discord [and some game program][17] (which proxies packets through Cloudflare)."
1. CloudFlare's immense centralization becomes catastrophic when a single bug emerges. The degree of damage is acutely heightened when over [21%][dcfstats] of the 1000 most visited websites is subject to vulnerabilities on CloudFlare. The enticement for malicious hackers to find a zero-day is also greatly heightened as a result of the widespread scale of impact. *Cloudbleed* was a vulnerability that had serious widespread consequences. Even a simple accident at CloudFlare like a one-line erroneous regular expression brought down a huge segment of the web on July 17th, 2020. August 11-12: "Cloudflare went down and took over Discord [and some game program][17] (which proxies packets through Cloudflare)."
1. A *tragedy of the commons* has manifested. Website owners are baited to act independantly in their own self interest by using CloudFlare at no charge-- but each website that becomes part of CloudFlare shrinks the ethical decentralized web while incrementing the size of the centralized walled-garden which inflicts harm to everyone collectively. Each website owner only perceives CloudFlare as solving their problem but unwittingly they create a host of new problems for everyone else. It's a selfish move that occurs on a much larger scale than the quantity of selfish personalities because most of CloudFlare's patrons are kept in the dark as to the harm they're contributing to.
1. CloudFlare's proliferation is a product of the
*[Tyranny of Convenience][18]*.
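Review bot: The "[21%][dcfstats]" citation in the centralization item resolves to a `src/branch/master` URL, which tracks a moving branch, so the file behind the figure can change after this commit. Pin the link to a specific commit or state the date the figure was taken. The rewritten clause also has a number mismatch: "over 21% of the 1000 most visited websites is subject" should read "are subject".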
@ -164,13 +177,12 @@ CloudFlare is a vigilante extremist organization that takes the decentralized we
paragraphs 3.2 and 3.5 of
[Recommendation concerning the preservation of, and access to, documentary heritage including in digital form][unescoEDU2015]
and article 2 of the 2003
[Charter on the Preservation of Digital Heritage][unescoEDU2003]. [Goal 16][unescoG16]
of UNESCO's 2030 Agenda for Sustainable Development
includes open public access to information, which RUC and
Proquest violates as a consequence of jailing education
resources in the walled garden of Cloudflare. Access to
education is a [human right][unescoEDUhr], so when RUC
makes it exclusive, it undermines human rights.
[Charter on the Preservation of Digital Heritage][unescoEDU2003].
[Goal 16][unescoG16] of UNESCO's 2030 Agenda for
Sustainable Development includes open public access to
information, which RUC and Proquest violates as a
consequence of jailing education resources in the walled
garden of Cloudflare, is undermined.
1. ACM's Digital Library is jailed in CloudFlare's exclusive walled-garden despite ACM's intent to be ["open" during a pandemic][28]. The perverse affect is that privacy-seekers are subject to CF's privacy abuses when attempting to access [a paper about privacy abuse][29].
1. CloudFlare [attacks freedom of expression][30].
1. When a review exposed CloudFlare's doxxing of whistle blowers, CF [censored][31] the review.
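Review bot: The rewrapped Goal 16 sentence no longer parses. With the human-rights clause moved to its own list item, the sentence now ends "in the walled garden of Cloudflare, is undermined" although "Goal 16 ... includes" is already its main verb. Drop the trailing ", is undermined", or restructure so that Goal 16 is the thing undermined. "RUC and Proquest violates" should also be "violate".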
@ -194,6 +206,6 @@ CloudFlare is a vigilante extremist organization that takes the decentralized we
1. CloudFlare asks those who anonymously report illegal conduct on their websites to reveal their true identity. Yet CF has a history of doxxing whistle blowers and making them into victims. Instead of apologizing in the child porn case, the CEO (Matthew Prince) said the whistle blowers [should have used fake names][41]. (see "CloudFlare shelters criminals" below)
1. CloudFlare **shelters criminals**
1. CF [protects][42] pro-ISIS websites from attack.
1. CF protected a website that distributed child pornography. When a whistle blower reported the illegal content to CF, CF actually [doxxed][43] the people who reported it. CloudFlare revealed the whistle blowers' identities directly to the dubious website owner, who then published their names and email addresses to provoke retaliatory attacks on the whistle blowers! Instead of apologizing, the CEO (Matthew Prince) said the whistle blowers [should have used fake names][41].
1. CF protected a website that distributed child pornography. When a whistle blower reported the illegal content to CF, CF actually [doxxed][43] the people who reported it. CloudFlare revealed the whistle blowers' identities directly to the dubious website owner, who then [published][brennan] their names and email addresses to provoke retaliatory attacks on the whistle blowers! Instead of apologizing, the CEO (Matthew Prince) said the whistle blowers [should have used fake names][41].
[//]: # (if any US k-12 schools use Proquest, then it should also me mentioned that this is a [FERPA]https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html violation b/c 3rd party vendors legally cannot further expose a student's PII to yet another 3rd party; scriborder should perhaps be spotlighted)

View File

@ -39,12 +39,17 @@ their customers to the privacy and netneutrality
| ***Financial institution*** | ***Values-based network*** | ***Blocks Tor*** | ***CloudFlared login page*** | ***hCAPTCHA*** | ***Locations*** | ***Notes*** |
|--|--|--|--|--|--|--|
| [Beneficial State Bank](https://www.beneficialstatebank.com) | [B Corp](https://bcorporation.net/directory/beneficial-state-bank), [GABV](http://www.gabv.org/members/beneficial-state-bank), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx), [UNEPFI](https://www.unepfi.org/banking/bankingprinciples/signatories), [Just.](http://justorganizations.com/node/45) || 👁 | y | California, Oregon, Washington| They [claim](https://beneficialstatebank.com/web-accessibility): "we have taken definitive steps to follow Web Content and Accessibility Guidelines (WCAG)," but their CloudFlared login portal imposes an hCAPTCHA which violates WCAG. BSB admits in their [privacy policy](https://beneficialstatebank.com/uploads/files/BSB-Consumer-Privacy-Act-CCPA-Privacy-Notice-Current-6.4.2020.pdf#page=2) that they collect your IP address to track your geoloctation. They also vaguely state that they share your sensitive information with third parties, but they do not name the third parties (thus sharing with CloudFlare, Inc. is concealed). The landing page is not CloudFlared, but the login page (xvault.beneficialstatebank.com) is, which enables CloudFlare to eavesdrop on your banking. |
| [Brattleboro Savings & Loan](https://www.brattbank.com) | [B Corp](https://bcorporation.net/directory/brattleboro-savings-loan) | 👁 ||| Vermont | Sales site permits Tor but [transactional site](https://www.brattbankonline.com) blocks Tor. |
| [City First Bank of DC](https://www.cityfirstbank.com) | [B Corp](https://bcorporation.net/directory/city-first-bank), [GABV](http://www.gabv.org/members/city-first-bank), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | 👁 ||| Washington, D.C., Southern CA (worldwide charter) | Sales site permits Tor but [transactional site](https://olb.cityfirstbank.com) blocks Tor. Online application [available](https://www.cityfirstbank.com/sites/default/modules/ckeditor/ckfinder/userfiles/files/PersonalAccount.pdf), so perhaps it's open to out-of-state clients. Recent merger with a bank in Southern California. |
| [Clearwater Credit Union](http://web.archive.org/web/www.clearwatercreditunion.org) | [GABV](http://www.gabv.org/members/clearwater-credit-union), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) || 👁 | y | ? | hCAPTCHA is pushed by CloudFlare and thus triggered unpredictably. Their [vague privacy policy](https://web.archive.org/web/20201027053008/https://clearwatercreditunion.org/privacy-security-policy) conceals the fact that they share all web traffic with CloudFlare, Inc. |
| [Decorah Bank & Trust Company](https://web.archive.org/web/www.decorahbank.com) | [GABV](http://www.gabv.org/members/decorah-bank-trust-company) || 👁 || Iowa | Their [privacy policy](https://www.decorahbank.com/legal-information/privacy-policy) lies. Since CloudFlare sees all traffic, these are false statements: "we will not give your data to third parties without your permission."; "you will never be required to give information to a third party supplier." |
| [First Green Bank](https://web.archive.org/web/www.firstgreenbank.com) | ~~B Corp~~, [GABV](http://gabv.org) || 👁 | y | Florida | A 3rd party site said they were B Corp listed, but they aren't listed on the B Corp site. hCAPTCHA is pushed by CloudFlare and thus triggered unpredictably. They don't even have a proper privacy policy, but their "[privacy commitment](https://web.archive.org/web/20201129095019/https://www.firstgreenbank.com/privacy-commitment)" statement conceals the fact that all web traffic is shared with CloudFlare, Inc. |
| [Mascoma Savings Bank](http://www.mascomabank.com/) | [B Corp](https://bcorporation.net/directory/mascoma-bank) | 👁 || ? | New Hampshire, Vermont |||
| [Missoula Federal Credit Union](https://web.archive.org/web/missoulafcu.org/) | ~~[GABV](http://gabv.org/the-community/members/banks)~~, ~~CDFI~~ || 👁 | y | Montana | A 3rd party site said they were a GABV member, but they aren't listed on the GABV site. They also don't exist in the [CDFI spreadsheet](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) |
| [National Cooperative Bank](http://www.ncb.coop) | [GABV](http://www.gabv.org/members/national-cooperative-bank) | 👁 | 👁 | y | ? | hCAPTCHA pushed to Tor users (untested for non-Tor users) |
| [Spring Bank](https://springbankny.com/) | [B Corp](https://bcorporation.net/directory/spring-bank), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | 👁 ||| New York | Website down in Jan. 2021; up when checked in May 2021. Sales site permits Tor but [transactional site](https://retailonline.fiservapps.com) blocks Tor.|
| [VCC Bank](http://www.vacommunitycapital.org/invest/products/) | [B Corp](https://bcorporation.net/directory/virginia-community-capital), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | 👁 ||| Virginia | Sales site permits Tor but [transactional site](https://retailonline.fiservapps.com) blocks Tor. [Non-profit](https://www.vacommunitycapital.org/about/frequently-asked-questions); Fastly-hosted; checking, savings, money markets, but no debit cards or ATMs; there is an online application, so perhaps it's open to out-of-state clients. |
| [VSECU (Vermont State Employees Credit Union)](https://www.vsecu.com/) | [GABV](http://www.gabv.org/members/vermont-state-employees-credit-union-vsecu-usa) | 👁 | 👁 || Vermont | Sales site permits Tor but [transactional site](https://online.vsecu.com) is Cloudflared and blocks Tor. Vermont residents only, generally, with [some exceptions](https://www.vsecu.com/about/membership/join). |
## Graylisted banks
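Review bot: The added Spring Bank and VCC Bank rows both link their "transactional site" to the same bare host, https://retailonline.fiservapps.com, so a reader cannot tell which bank's login the Tor block was observed on. Link each bank's own login URL, or state that both use a shared portal. Of the rows moved into this table, only Spring Bank records when it was checked (May 2021); since the whitelist notes that Amalgamated Bank's Tor blocking changed over time, a check date on each new "Blocks Tor" entry would let readers judge how current it is.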
@ -71,12 +76,7 @@ or anti-consumer website features.
| ***Financial institution*** | ***Values-based network*** | ***Locations*** | ***Notes*** |
|--|--|--|--|
| [Amalgamated Bank](https://www.amalgamatedbank.com) | [B Corp](https://bcorporation.net/directory/amalgamated-bank), [GABV](http://www.gabv.org/members/amalgamated-bank-usa), [UNEPFI](https://www.unepfi.org/banking/bankingprinciples/signatories) | New York, Washington, D.C.| Previously blocked Tor, but not when checked in Jan. 2021, so it's back on the whitelist for now. |
| [Brattleboro Savings & Loan](https://www.brattbank.com) | [B Corp](https://bcorporation.net/directory/brattleboro-savings-loan) | Vermont ||
| [City First Bank of DC](https://www.cityfirstbank.com) | [B Corp](https://bcorporation.net/directory/city-first-bank), [GABV](http://www.gabv.org/members/city-first-bank), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | Washington, D.C.| Online application [available](https://www.cityfirstbank.com/sites/default/modules/ckeditor/ckfinder/userfiles/files/PersonalAccount.pdf), so perhaps it's open to out-of-state clients. |
| [First Boulevard](https://bankblvd.com) || online-only | This bank is not yet open for business. Its focused on shrinking the racial wealth gap and has partnered with Visa to offer crypto-trading capabilities. Note that involvement with Visa is cause for concern, as Visa is the most aggressive proponent of the unethical war on cash. It also appears they may be strictly mobile, which likely means forced use of Google Playstore. |
| [Spring Bank](https://springbankny.com/) | [B Corp](https://bcorporation.net/directory/spring-bank), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | New York | Website down as of Jan. 2021 |
| [VCC Bank](http://www.vacommunitycapital.org/ways-to-invest/products/) | [B Corp](https://bcorporation.net/directory/virginia-community-capital), [CDFI](https://www.cdfifund.gov/sites/cdfi/files/2020-11/cdfi-cert-list-10-14-2020-final.xlsx) | Virginia | Fastly-hosted; there is an online application, so perhaps it's open to out-of-state clients. |
| [VSECU (Vermont State Employees Credit Union)](https://www.vsecu.com/) | [GABV](http://www.gabv.org/members/vermont-state-employees-credit-union-vsecu-usa) | Vermont ||
| [Amalgamated Bank](https://www.amalgamatedbank.com) | [B Corp](https://bcorporation.net/directory/amalgamated-bank), [GABV](http://www.gabv.org/members/amalgamated-bank-usa), [UNEPFI](https://www.unepfi.org/banking/bankingprinciples/signatories) | New York, Washington, D.C. (worldwide charter)| Previously blocked Tor, but not when checked in Jan. 2021, so it's back on the whitelist for now. |
| [First Boulevard](https://bankblvd.com) || online-only | This bank is not yet open for business. Its focused on shrinking the racial wealth gap and has partnered with Visa to offer crypto-trading capabilities. Note that involvement with Visa is cause for concern, as Visa is the most aggressive proponent of the unethical war on cash. It also appears they may be strictly mobile, which likely means forced use of Google Playstore. First Boulevard is not a bank - banking outsourced to Central Bank of Kansas City. |
The scope of this page is US banks. Some ethical European banks are listed by [FEBEA](https://febea.org/map/node) and [GABV](http://gabv.org) covers the world.
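Review bot: The sentence appended to the First Boulevard note ("First Boulevard is not a bank - banking outsourced to Central Bank of Kansas City") contradicts the cell's opening "This bank is not yet open for business" and has no source. Reword the opening to match and cite where the outsourcing is documented. "(worldwide charter)", added to the Amalgamated Bank locations, is unexplained and would benefit from a short gloss. "Its focused" in the same cell should be "It's focused".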