[tor-talk] Privacy Pass from Cloudflare, and the CAPTCHA problem

Cloudflare just announced its support of Privacy Pass, a challenge-response
protocol designed to avoid repetitive CAPTCHA-solving for anonymous users,
while using a Zero-Knowledge Proof to prevent the possibility of distinguishing
each user, to acquire both convenience and anonymity.

It is developed in collaboration with researchers from Royal Holloway and the
University of Waterloo.


What does the Tor community think about it? Could it be a possible solution to
the Tor-CAPTCHAs problem?

My own opinions:

1. Any 3rd-party extensions harm the anonymity of Tor Browser; don't install the
Privacy Pass plugin in your Tor Browser.

2. It only supports Cloudflare. Something like this could be a general and
standardized protocol. So we could get rid of Cloudflare CAPTCHAs, Google
CAPTCHAs, you-name-it website CAPTCHAs altogether. And we can integrate it
in our browsers and servers.

3. Even if this protocol is integrated in Tor Browser, after clicking "New
Identity", all local data will be erased. Considering this feature is frequently
used by Tor users, we still need to solve some CAPTCHAs.

Anyway, the Cloudflare-CAPTCHAs problem won't go away in the foreseeable future,
though Privacy Pass may be a possible improvement.

4. Perhaps a good solution for now could be a campaign asking sysadmins to
whitelist Tor users in their Cloudflare firewall rules. Yes, you can give
Tor users a free pass unconditionally for your website on your Cloudflare panel.
If it's not practical to do it for some websites, one can also change the stupid
CAPTCHAs to a less-disturbing automatic JavaScript challenge, so it's hard to
give an excuse for not doing anything.

It's an effective solution; we just need to ask people to do it.

This functionality is not well-known and many sysadmins are ignorant about
it. Perhaps a campaign website with a name like whitelist-tor.org can help;
we can put an introduction, instructions and arguments about Cloudflare
whitelisting there. So users can persuade the website to do it, sysadmins can be
educated, etc. I can host the website for the community, if there are people
who wish to join to design the web page and write the text.

What are your opinions about Privacy Pass, the CAPTCHA problem and my proposal?

