[tor-talk] Privacy Pass from Cloudflare, and the CAPTCHA problem

Lara lara.tor at emails.veryspeedy.net
Mon Nov 20 09:42:12 UTC 2017


On Mon, 20 Nov 2017, at 03:11, bob1983 wrote:
> What does the Tor community think about it? Could it be a possible
> solution to the Tor-CAPTCHAs problem?

Ugly.

> 1. Any 3rd-party extensions harm the anonymity of Tor Browser, don't
>    install the Privacy Pass plugin to your Tor Browser.

It would mean losing the privacy or anonymity in exchange for receiving
the same shit, only in smaller portions. "Users can now use the Privacy
Pass browser extension to reduce the number of challenge pages presented
by Cloudflare." 99.98% is smaller, yet indistinguishable from the user's
standpoint. But it is an excellent position for Cloudflare. They could
track the user, as nobody has examined their configurations AFAIK, and
lower the load on their servers.

What is worse: the appeal to authority: "researchers from Royal Holloway
and the University of Waterloo". Who? What is their track record? Are
they known for work in privacy? Waterloo is not rated in the first 200
universities, so maybe they are not the best in the lot. For example,
Roger Dingledine's name was associated with MIT which is both in Top 5
Universities and a private institution.

Going on the site, things are even blurrier: no reference to any audit.
Even the authors have no idea: "In the near future, we hope to publish a
paper detailing the security goals that we hope for our protocol to
achieve." Near future is the optimist of sometimes. Yet it is a state
university, so that depends on the student doing the research. Missing
one grant request and they are gone.

That also lights some more bad aspects. When someone using Tor will be
in some Syrian jail, all the support coming from Cloudflare and Royal
Holloway and the University of Waterloo will be a mention in some dry
research paper published behind some paywall.

> 2. It only supports Cloudflare. Something like this could be a general
>    and standardized protocol. So we could get rid of Cloudflare
>    CAPTCHAs, Google CAPTCHAs, you-name-it website CAPTCHAs altogether.
>    And we can integrate it in our browsers and servers.

And Cloudflare is a hypocritical corporation just like any other:
"Cloudflare believes that the web is for everyone." Hence the need to
activate JavaScript for a whole site.

Cheers,
Lara

