[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption

On 2018-07-17 17:30, grarpamp wrote:
On Mon, Jul 16, 2018 at 3:08 PM, Dave Warren <dw@xxxxxxxxxx> wrote:
The whole point of tor is that you are anonymous just like everybody else.

Privacy Pass attempts to allow you to bypass CAPTCHAs by providing you with tokens that anonymously prove you have solved CAPTCHAs recently.

Presumably those tokens get passed to all participating sites,
so all your sessions across them all are easily linkable
by cloudflare, the sites, their backend databrokers, etc.
"Privacy Pass"... lol.

Interestingly no, you cannot be tracked across sites. They put a lot of effort into this aspect of the design specifically to ensure that the signing happens only against the blinded version of passes so when the passes are redeemed they can be verified as valid, but not linked to the original generator of the passes.

If you're interested in how this works, they have an overview and links to the actual papers and protocol: https://privacypass.github.io/ -- You don't need to take my or their word for it, the cryptography is public and you can write your own implementation if you desire or review the source for their extensions should you have the appropriate skill sets (I do not).

they do make it easy for site operators to approve tor
traffic in a more general way (by treating tor as a separate country in
their whitelisting system).

So what are the default settings provided to new cloudflare /
recaptcha subscribers?

There are no default settings at the individual customer or site level to handle tor exit IP addresses differently than any other IP address.

If you can think of a way to differentiate good traffic vs abusive traffic without JavaScript (to verify that the connection is from a human driven browser) and/or cookies (to identify one user from another) and/or a extension such as privacy pass I would encourage you to write a paper and publish it.
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to