Slashdot Mirror

← Back to Stories (view on slashdot.org)

CloudFlare Working On New System That Removes CAPTCHAs For Tor Users (softpedia.com)

Posted by msmash on from the fixing-things dept.

Tor users have long criticized CloudFlare for annoying CAPTCHAs, but it appears the CDN provider is finally working on a fix. An anonymous reader writes: CloudFlare is working on a new system called "Challenge Bypass Specification," which it wants to deploy as a Tor Browser extension and replace the CAPTCHAs Tor users see when trying to access a website protected by CloudFlare. This new system will have users solve one CAPTCHA at the beginning and after that, the browser extension will use nonces (one-time authentication tokens) to prove the user's real identity before accessing a CloudFlare-protected site.

54 comments

  1. Identifying the user?? by Anonymous Coward · · Score: 1

    One time token per Tor user.... doesn't that mean it identifies the user??? Sounds anti-Tor.

    1. Re:Identifying the user?? by omnichad · · Score: 1

      This is nothing that can't be done with any old cookie. In fact, it probably uses them. If anything, this highlights some inherent problems with using Tor without being careful.

    2. Re:Identifying the user?? by Anonymous Coward · · Score: 0

      One-time token per site, not user.

    3. Re:Identifying the user?? by kav2k · · Score: 5, Informative

      To be specific, let me quote the spec:

      The current Cloudflare CAPTCHA simply places a cookie allowing you to access the website. Since Cloudflare controls the origins, it could currently correlate user sessions across multiple circuits using these cookies. This is a gap in the Tor Browser threat model- the design explicitly ignores linking within a session by malicious first parties, but Cloudflare has effectively first-party control over a large proportion of the web.

      Our design is an improvement over this state of affairs. Since the CAPTCHA service only sees blinded nonces, Cloudflare cannot link a CAPTCHA solution session to a given redemption request. Since each token is used only once, in contrast to a cookie, the tokens themselves cannot be used to link requests.

    4. Re: Identifying the user?? by Anonymous Coward · · Score: 0

      Aka a cookie? So why the need for a browser extension?

      NSL to CloudFlare and data slurp commencing in 5... 4... 3...

    5. Re:Identifying the user?? by sittingnut · · Score: 0

      one should always be careful using anything, as sjw infested, as western intelligence infested, and as quick to jump to convictions without proof or crime, as tor now is.

    6. Re: Identifying the user?? by Hizonner · · Score: 1

      Aka a cookie? So why the need for a browser extension?

      Because it wants to blind the token.

      NSL to CloudFlare and data slurp commencing in 5... 4... 3...

      NSLs don't work that way. Even the DOJ doesn't claim they can do that with an NSL.

      There is, of course, a risk in running any code. But in this case one assumes they'll publish the code.

    7. Re:Identifying the user?? by omnichad · · Score: 1

      In other words, they could have just used a cookie. But instead, they're making their own cookie system because they don't think Tor should even have cookies. This is good.

      I just hope they contribute it to the Tor standard and release the plugin unbranded rather than just as a "Cloudflare enabler."

    8. Re:Identifying the user?? by gweihir · · Score: 1

      It is user-tracking, sure. Anonymous user-tracking though. And if it works per-session, it is an acceptable solution IMO, as you can just restart the Tor-browser before going to a different site. Not great, but a lot better than nothing.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Identifying the user?? by gweihir · · Score: 1

      I agree. I think they are making an honest and competent attempt to solve the issue for Tor and that is excellent news.

      Thanks for the link!

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Identifying the user?? by networkBoy · · Score: 1

      you can still correlate those nonces, yes?
      Solve Capcha get nonce
      use nonce at site A
      use nonce at site B
      use nonce at site C

      At site A you divulge the nonce and component 1 of your identity
      at site B you divulge the nonce and component 2 of your identity
      at site C you divulge the nonce and component 3 of your identity
      across sites A:C you divulge a larger set of your writing style than at only one by its self.

      Third party actor (not cloudflare) can use this to build your session info into an ID of you; assuming they already have a large data trove on you, then the smaller bits they captured from the nonce can be used to correlate this TOR session with your existing dataset.

      just sayin...

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    11. Re:Identifying the user?? by networkBoy · · Score: 1

      or, just don't install the extension.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    12. Re:Identifying the user?? by gweihir · · Score: 1

      Indeed.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:Identifying the user?? by omnichad · · Score: 1

      From Wikipedia:

      In cryptography, a nonce is an arbitrary number that may only be used once

      You're given multiple nonces for solving one CAPTCHA.

    14. Re:Identifying the user?? by Shane_Optima · · Score: 1

      It's the best that can be hoped for. I'm shocked they cared at all. People who're that worried shouldn't be using exit nodes at all without a post-Tor VPN hop. Costs perhaps $3 per month, payable by gift cards. Bypasses this issue entirely and also puts a much needed layer between you and the exit node.

      Half of the people who're paranoid about this sort of thing don't even bother to use Whonix, which (with a snapshot on VB, or after they fix it to be a proper DispVM on Qubes) doesn't force you have to micromanage anything at all for the best* possible tracking protection between sessions. The easiest to use option is also not uncommonly the most secure, but some people just have to be unreasonably fancy about everything.


      * Ignoring traffic analysis, which is a very... specific vector and on a low latency system will always be losing battle anyway.

    15. Re:Identifying the user?? by Anonymous Coward · · Score: 0

      "Cloudflare cannot link a CAPTCHA solution session to a given redemption request"? Surely the "nonces" can contain any amount of information they wish. Don't they mean "does not link"?

  2. Tracking by BitZtream · · Score: -1, Insightful

    So in the end ... you can easily track Tor users ...

    Oh, and this doesn't do jack shit to stop bots ... a user can authenticate one bot manually by viewing the captcha ... then letting it run for hours, so theres a startup cost, but after that ... its back to bot town.

    And how do you get users to do captchas for you? Something like the URL in my sig, which uses a 'game' to get users to do actual work no wants to pay for.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:Tracking by Hizonner · · Score: 1

      Blinded. Token.

      Learn some crypto and go read the proposal.

    2. Re:Tracking by BitZtream · · Score: -1

      I wrote crypto implementations for 10 years, have a software package certified as FIPS 140-2 written entirely by me (reviewed of course by a certification facility), and I read the proposal.

      Having done crypto in the real world for those years, I know the difference between proposed implementation and actual implementation, just like the guys at OpenSSL ... remember heart bleed? You think that was because those guys didn't know crypto ... or because of a bad implementation or bug?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:Tracking by Hizonner · · Score: 1

      In that case, you shouldn't trust Tor itself, since it relies on a terrific amount of equally complicated crypto and other code.

    4. Re:Tracking by Anonymous Coward · · Score: 0

      I wrote crypto implementations for 10 years

      You are so full of shit.

    5. Re:Tracking by Anonymous Coward · · Score: 0

      It's bitztream, the autism-hating Slashdot troll!

  3. Tor. by ledow · · Score: 3, Insightful

    If nothing else, this is just another confirmation that the modern web isn't set up to allow you to be anonymous.

    That's a problem we techy types should be fixing, not encouraging solutions that identify the user even more.

    1. Re:Tor. by Calydor · · Score: 1

      Problem: Easy anonymous access for legitimate users allows easy anonymous access for malicious users.

      Solution: ?

      The problem isn't necessarily technical so much as it is psychological. To quote one of the Batman movies, some people just want to watch the world burn.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Tor. by Anonymous Coward · · Score: 0

      no. it is just further confirmation that CLOUDFARE isn't set up to allow you to be anonymous. they don't WANT that, because they track the shit out of users on the sites they service... they're as bad, if not worse, than any third party ad network.

      and there's no fucking way an extension with 1 time 'authentication' is 'anonymous' or untrackable.

    3. Re:Tor. by 110010001000 · · Score: 1

      It has nothing to do with the web specifically. NETWORKING is not anonymous. Networks were designed to share information. In order to share information you need to know the endpoints on the network in order to route the data to them. This is really unpopular, but there is NO WAY to make a network anonymous. Tor isn't anonymous, the exit nodes need to know where the endpoints are.

    4. Re:Tor. by Hizonner · · Score: 1

      Read what they propose. You may have to learn some math first.

    5. Re:Tor. by omnichad · · Score: 1

      I posted the same at first, but it looks like they avoided the low-hanging fruit. They could have just used cookies - which tor browsers accept just the same as any web page. They're actually proposing a more anonymous standard, and trying to close the cookie security hole.

    6. Re:Tor. by Anonymous Coward · · Score: 0

      Much like "humans will always (ALWAYS) be able to kill each other in large numbers" I think "humans will always be able to act anonymously" is something you can only thin, and you're treating a symptom at best.

      Then again, the psychological root is probably not fully soluble either. It does seem a better place to preempt malice though, particularly compared to After The Matter.

    7. Re:Tor. by driblio · · Score: 1

      Do you have any idea how tor works? The exit nodes specifically don't know where the end points are, you need ISP/NSA level monitoring to correlate flows.

    8. Re:Tor. by AmiMoJo · · Score: 2

      They mean that the browser will be able to generate one time codes for each web site, not use the same code multiple times.

      https://github.com/cloudflare/...

      "In this document we detail a protocol that enables a user to complete
            a single edge-served challenge page in return for a finite number of
            signed tokens. These tokens can then be used to bypass future
            challenge pages that are served by participating edge-providers. The
            tokens are generated in such a way that signed tokens cannot be
            linked to future redeemed tokens for bypassing."

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Tor. by 110010001000 · · Score: 1

      Um, no. Do YOU have any idea? How would the exit nodes know where to send the data to if it didn't know the true IP of the end point? Jesus. If you own the exit node you know where the flows are going.

    10. Re:Tor. by ADRA · · Score: 1

      People who benefit from anonymity:
        - Political Radicals
        - Privacy Averse (Really, there aren't many that care, and you aren't changing their minds fast enough)
        - Trolls / Illegal Activity / blah blah

      People who benefit from identity:
        - Soft hearted hate-troll haters
        - Oppressive and not-so oppressive governments (and their law enforcement)
        - Pretty much every notable web company making money off your info/reputation

      People that don't give a fuck:
        - Everyone else

      --
      Bye!
    11. Re:Tor. by ledow · · Score: 2

      First category could include:

      - Rape victims seeking advice online.
      - People who are being stalked by their ex, or eye-witnesses to crimes, who might have someone kill them if they find them (sure, they could live their entire life offline in perpetuity, but that's just as oppresive)
      - Political dissidents
      - People who publish honest things about oppressive regimes (e.g. Salman Rushdie)
      - You, writing this post, hoping that your employer doesn't find that story about him being a shithead last month.
      - Some guy in China / Korea wondering what all this democracy shit is about and why it's blocked.

      All kinds of decent reasons for anonymity.
      Very few for identity for just casual browsing. Sure, buying products, paying for services, these things come with identity attached in one way or another (even Bitcoin could catch up with you years later if someone bothers to track the blockchain transactions). But general web browsing? Nah.

      And the companies making money from your data are, basically not. They're making money from other people who pay to show you ads. A slightly better rate can be had using data, but Google et al all have opt-outs which turn the ads into generic bollocks rather than anything to do with your life, profession, shopping habits, etc. As such, data for that isn't **necessary**.

      Anonymity has a million reasons for and very little against.

      Oh, no, a terrorist used an anonymous means of warning us about the bomb! Like a phone call from a throwaway phone, or a message sent from a cyber-cafe, or posting a clean piece of paper to a police station.

      Taking away anonymity on the net doesn't "solve" any problem. It might shift it to other media for a while. But solving the need for identity is a solution which solves a lot of problems.

      P.S. Don't use Tor. Opt-out of ads but don't really care about Google. Far from privacy-paranoid. Just understand the need for it.

    12. Re:Tor. by Anonymous Coward · · Score: 0

      But not where they're coming from. Hence, the anonymity (assuming nothing else leaks that info).

      Your assertion that a network cannot be anonymous is incorrect. Onion routing is a technique for anonymous communication over a computer network....

      This is really unpopular, but there is NO WAY to make a network anonymous.

      It's "really unpopular" because it's wrong.

    13. Re:Tor. by driblio · · Score: 1

      Yes, I do. Exit nodes know where the next hop is, obviously, but not the end point.

      Calm down, climb down, and admit you were wrong.

  4. Nonces? by Big+Hairy+Ian · · Score: 0

    , the browser extension will use nonces (one-time authentication tokens)

    Couldn't they have come up with a better name one that doesn't evoke "Kiddy Fiddler"

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:Nonces? by Anonymous Coward · · Score: 0

      nonces is short for "N" once

      It means you use the number one time.

      You are the only person who is has these "Kiddy Fiddler" feelings evoke. Perhaps you should have a seat over there and have a talk with Chris Hansen.

    2. Re:Nonces? by Anonymous Coward · · Score: 0

      Nonce is a British slang for a sexual predator.
      https://en.wikipedia.org/wiki/...
      http://www.urbandictionary.com...

    3. Re:Nonces? by Hizonner · · Score: 1

      Actually, "nonce" is a longstanding English word meaning a single specific moment. It survives in common usage in the phrase "for the nonce".

    4. Re:Nonces? by omnichad · · Score: 4, Informative

      This is a technology site. Regardless of any UK slang most Slashdotters have never heard of, a nonce is a very standard word in the world of security/cryptography.

    5. Re:Nonces? by Anonymous Coward · · Score: 0

      That's nice, it's also a standard term in cryptography and has been for a very, very long time.

    6. Re:Nonces? by Anonymous Coward · · Score: 0

      I was going to remark pessimistically about the fascinations of Normals keeping us one-foward-two-back as usual, but urbandictionary may actually be a notch further below them.

      Like hell I'm going to let makeupwords.com get in the way.

    7. Re:Nonces? by clickclickdrone · · Score: 1

      You are the only person who is has these "Kiddy Fiddler" feelings evoke.

      No, me too. It's a common phrase in the UK to describe pedos.

      --
      I want a list of atrocities done in your name - Recoil
  5. One connection per domain problem by NotInHere · · Score: 2

    The problem here is that the TOR browser does one separate circuit per domain. So if you visit site A through TOR and have to solve a captcha because of cloudflare, and then visit site B, your IP will be different, and you'll have to solve a captcha again. AFAIK this problem only surfaced (doing captchas for every cloudflare site) when TOR adopted that behaviour. Before, everything was routed through one circuit, and you only had to fill in one captcha.

    1. Re:One connection per domain problem by omnichad · · Score: 1

      You just load the Javascript for the CAPTCHA all from the same Cloudflare domain, and it gets a third-party cookie that identifies you everywhere.

      What they actually did was implement a standard and a browser extension that improves on the security of third-party cookies, and are effectively encouraging them to be completely disabled within Tor.

  6. Ok, guilty. by poofmeisterp · · Score: -1, Troll

    Read subject of comment ^^

    I'm guilty of not reading the article. I don't have to because in the summary I see "a Tor Browser extension" and stopped.

    What the eff? That completely defeats the purpose of having something that's not "trackable". It could very well be an extension that phones home the activity of the user to a government entity so they can catch more of the REALLY bad guys - that being whatever's on the menu of good catch this week/month/whatever. If it were open source, it's still BS because you KNOW most people that use Tor aren't developers and aren't going to set up an environment to compile an extension to ensure every line of it is clean. Let alone what it sends to CAPTCHA to work around the problem; doing so can be used to easily identify who is using Tor to make them a target rather than the exit nodes or whatever they're called now.

    1. Re:Ok, guilty. by Hizonner · · Score: 2

      If it were open source, it's still BS because you KNOW most people that use Tor aren't developers and aren't going to set up an environment to compile an extension to ensure every line of it is clean.

      They also haven't read the source code for Tor or for Firefox or for the OS they're running all of it on. Package it with Tor and it's no worse than the rest of the TBB. In fact Cloudflare is trying to do it as an RFC so you could have multiple independent implementations.

      Let alone what it sends to CAPTCHA to work around the problem; doing so can be used to easily identify who is using Tor to make them a target rather than the exit nodes or whatever they're called now.

      If you'd read it, you'd have seen that they propose to use cryptographic blinding to prevent that. Which is the whole reason for having the extension in the first place.

      What is it that they say about "a little knowledge"? There's sure a lot of that going on in this thread.

    2. Re:Ok, guilty. by poofmeisterp · · Score: 0

      Two words: bullshit and trust.

      Presentations of things and deliveries of them are not the same, especially if there is government interest. Call me a conspiracy theorist, I don't mind a bit, but I don't trust anything that's taken a hit (government seizing control of "Tor'ed" servers to pick prey) being different in the future, and that's just the tip of the iceberg; since someone did it, others have the idea that it's a great way to use it for that purpose.

      Look, spammers don't follow RFC standards when they set up custom-coded SMTP servers to perform their work. That's the easiest and first example that pops right into my head. When encryption and specifics of encryption are introduced, it presents more of a psychological "challenge" to those who want to prove they can break it. In the process there can be more holes or bugs found, used, and/or tailored specially to try and work around it, hence producing more crap that can be seen and used as what appears to be perfectly valid or useful software/methods (see malware/viruses). I haven't even started thinking about the possibility in this context )(Tor; extension; either) of corporate use for luring people in to something that looks wonderful only to use it as a way to deliver more advertising or malware. Standards are awesome; in an environment where there are things that are a bit edgy or (in this case) have the possibility to have falsely-presented helpful features, there's just more that can be abused. I'm not focusing on things like Linux because it's a different context; it can be abused, too, or used as an abuse tool to the average, non-CS user. It's just not there yet. Different topic.

      I think from all angles when I do something (or do my best). I see ad-blocking plugins for Firefox as an awesome thing that helps me having a better web experience, but I do not in any way believe that they are not/cannot be/ing used, potentially, for other purposes. If I want to sign into my email account via web, I use a virtual machine with an old version of Firefox, no plugins. Same goes for anything else with sensitive information that can be abused (SSN/DOB/Address/phone number/etc).

      I've said way too much already. The first three paragraphs say what I intended to reply with as response to your differently-angled trust of standards and reading between the lines. I have had a life and childhood that lead me away from following standards, to see things from many angles. I'm not arguing with you at all, just stating fact from my experience, which you can accept or discard (your choice, of course) that as I have grown older, I have come to the realization that wherever there is a possibility for profit, theft, abuse, etc, there is going to be an individual, individuals, or groups finding ways to use the services/methods for evil when the services/methods were intended for good. I'll end with wherever there is a possibility for someone (government is the most repeated entity that tries to hide something and have it appear later; repeat; repeat) to use services/methods for the purpose of getting ahead of others in any way, or proving their self-worth for the purpose of presentation to others OR self-assurance, OR a combination or multiple combinations of both, the possibility subject item will become a research/experimentation/testing/use item.

    3. Re:Ok, guilty. by Anonymous Coward · · Score: 0

      I read the article and the article says the system would be modular, so other edge providers could use it to distinguish between Tor Browser traffic (humans) and Tor scripts (automated bots). So a browser extension actually makes sense.

  7. Nonces... LOL by Anonymous Coward · · Score: 0

    https://en.wikipedia.org/wiki/Nonce_(slang)

    Figures. They are all child porn browsing nonces on tor anyway.

  8. Fuck This by Anonymous Coward · · Score: 0

    Yeah, let's turn Tor Browser into swiss cheese by adding plug-ins from all sorts of characters. Fuck that and fuck CloudFlare.

    And fuck you archive.is for once being a very usable site to now showing up as CloudFlare shit.

    I guess once you become popular enough, you decide to alienate your users.

  9. If you like being fucked up the ass by Anonymous Coward · · Score: 0

    here's a plug to keep it open for us so you don't have to use hands.

  10. Or, just skip those sites. by SvnLyrBrto · · Score: 1

    I'm not especially inclined to bother with a site when Cloudflare shoves a captcha in my face not just to create and account or make a post; but to view its front page in the first place. My "One more step" is nearly always my browser's "back" button. Cloudflare can take their precious snowflake of a half-assed CDN and bite my shiny daffodil ass.

    --
    Imagine all the people...