[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
From: Dave Warren <dw@xxxxxxxxxx>
Date: Sun, 22 Jul 2018 21:13:01 -0600
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 22 Jul 2018 23:13:18 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thedave.ca; h= content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; bh=h05mOCdsCLJfwB20Ty4qpk04MtLfF D1W6imvAnR2C+c=; b=faJIQNh6H7LMcJprtiBvlPpx9P4Ccz5IG2bP9VZhBN0uQ dsGbWESlfF+mBJVPiJkSW4PoT8NnXjaR21sunrFdKYW2leCl+2cq5TMw/78thNRs ORTAPTlRhdLAwETM6XapfRvffyU/tN9C9wuFR//udwfHBsMiMpCex7i9PPdYzahS bd8g+QH3Ye2Hba5cmT9dXj91au2uP2R1hYJ65Ze91Af79bg5tDm8y5enmAmwp+/i peGk+3bywG2fuC+0OjSpKVpDhPytu7pzL2PCePWMys2a6GlsxXfEl3E3emBi4xdx QtUAsj4J4IamQdAMWYHn4iRM4eJPh/XCBUp3WFPwg==
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=h05mOC dsCLJfwB20Ty4qpk04MtLfFD1W6imvAnR2C+c=; b=c/Rlmt1Wvr8hkBlRMw6EOT dCMTDs4lKP5kkCy9IMjQTfEgl1xlIqa3H0v9+9GybBOTvjxMvJ9/B4t/capYYnzR utvnsf+SXCd+dHhlmKGJ3fmKWe+KnnKy2ebd0gSlTx+9Llp3nhWx0cLpCxdDz3FL hKbbdK3amMNGqurY8DMrye6pDzBHYGAI7+z95Z7KMi8w6F8JWQsECWsBFkPSKVHb LnV9hjFoiPTOB3bQcdqDOSKfniRHLS2fiJHnSWoksgKMQBy8dVMsIbp7BV1tUJmS GT5u6TZiz4nH4jewR3RzixiJOqpN6Y2th8CEayeMGC/EpwGImvh2lX2KPoAJc7nw ==
In-reply-to: <CAD2Ti28dTuDWzYyzT+vR8Pbm_UVHRPLpGXe2VYwGgP35gd_32w@mail.gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <mailman.7.1531396802.12351.tor-talk@lists.torproject.org> <20180714113927.682b9e96@Phenom-II-x6.niklas.com> <A02CE9A5-2FEA-47D9-B244-419B7150C03B@thedave.ca> <CAD2Ti28dTuDWzYyzT+vR8Pbm_UVHRPLpGXe2VYwGgP35gd_32w@mail.gmail.com>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 2018-07-17 17:30, grarpamp wrote:

On Mon, Jul 16, 2018 at 3:08 PM, Dave Warren <dw@xxxxxxxxxx> wrote:

The whole point of tor is that you are anonymous just like everybody else.

Privacy Pass attempts to allow you to bypass CAPTCHAs by providing you with tokens that anonymously prove you have solved CAPTCHAs recently.
https://support.cloudflare.com/hc/en-us/articles/115001992652-Privacy-Pass


Presumably those tokens get passed to all participating sites,
so all your sessions across them all are easily linkable
by cloudflare, the sites, their backend databrokers, etc.
"Privacy Pass"... lol.

Interestingly no, you cannot be tracked across sites. They put a lot ofeffort into this aspect of the design specifically to ensure that thesigning happens only against the blinded version of passes so when thepasses are redeemed they can be verified as valid, but not linked to theoriginal generator of the passes.

If you're interested in how this works, they have an overview and linksto the actual papers and protocol: https://privacypass.github.io/ -- Youdon't need to take my or their word for it, the cryptography is publicand you can write your own implementation if you desire or review thesource for their extensions should you have the appropriate skill sets(I do not).

they do make it easy for site operators to approve tor
traffic in a more general way (by treating tor as a separate country in
their whitelisting system).


So what are the default settings provided to new cloudflare /
recaptcha subscribers?

There are no default settings at the individual customer or site levelto handle tor exit IP addresses differently than any other IP address.

If you can think of a way to differentiate good traffic vs abusivetraffic without JavaScript (to verify that the connection is from ahuman driven browser) and/or cookies (to identify one user from another)and/or a extension such as privacy pass I would encourage you to write apaper and publish it.

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
  - From: grarpamp

References:
- Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
  - From: David Niklas
- Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
  - From: Dave Warren
- Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
  - From: grarpamp

Prev by Author: Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
Next by Author: Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
Previous by thread: Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
Next by thread: Re: [tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
Index(es):
- Author
- Thread