Slashdot Mirror

← Back to Stories (view on slashdot.org)

CloudFlare Working On New System That Removes CAPTCHAs For Tor Users (softpedia.com)

Posted by msmash on from the fixing-things dept.

Tor users have long criticized CloudFlare for annoying CAPTCHAs, but it appears the CDN provider is finally working on a fix. An anonymous reader writes: CloudFlare is working on a new system called "Challenge Bypass Specification," which it wants to deploy as a Tor Browser extension and replace the CAPTCHAs Tor users see when trying to access a website protected by CloudFlare. This new system will have users solve one CAPTCHA at the beginning and after that, the browser extension will use nonces (one-time authentication tokens) to prove the user's real identity before accessing a CloudFlare-protected site.

32 of 54 comments (clear)

  1. Identifying the user?? by Anonymous Coward · · Score: 1

    One time token per Tor user.... doesn't that mean it identifies the user??? Sounds anti-Tor.

    1. Re:Identifying the user?? by omnichad · · Score: 1

      This is nothing that can't be done with any old cookie. In fact, it probably uses them. If anything, this highlights some inherent problems with using Tor without being careful.

    2. Re:Identifying the user?? by kav2k · · Score: 5, Informative

      To be specific, let me quote the spec:

      The current Cloudflare CAPTCHA simply places a cookie allowing you to access the website. Since Cloudflare controls the origins, it could currently correlate user sessions across multiple circuits using these cookies. This is a gap in the Tor Browser threat model- the design explicitly ignores linking within a session by malicious first parties, but Cloudflare has effectively first-party control over a large proportion of the web.

      Our design is an improvement over this state of affairs. Since the CAPTCHA service only sees blinded nonces, Cloudflare cannot link a CAPTCHA solution session to a given redemption request. Since each token is used only once, in contrast to a cookie, the tokens themselves cannot be used to link requests.

    3. Re: Identifying the user?? by Hizonner · · Score: 1

      Aka a cookie? So why the need for a browser extension?

      Because it wants to blind the token.

      NSL to CloudFlare and data slurp commencing in 5... 4... 3...

      NSLs don't work that way. Even the DOJ doesn't claim they can do that with an NSL.

      There is, of course, a risk in running any code. But in this case one assumes they'll publish the code.

    4. Re:Identifying the user?? by omnichad · · Score: 1

      In other words, they could have just used a cookie. But instead, they're making their own cookie system because they don't think Tor should even have cookies. This is good.

      I just hope they contribute it to the Tor standard and release the plugin unbranded rather than just as a "Cloudflare enabler."

    5. Re:Identifying the user?? by gweihir · · Score: 1

      It is user-tracking, sure. Anonymous user-tracking though. And if it works per-session, it is an acceptable solution IMO, as you can just restart the Tor-browser before going to a different site. Not great, but a lot better than nothing.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Identifying the user?? by gweihir · · Score: 1

      I agree. I think they are making an honest and competent attempt to solve the issue for Tor and that is excellent news.

      Thanks for the link!

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Identifying the user?? by networkBoy · · Score: 1

      you can still correlate those nonces, yes?
      Solve Capcha get nonce
      use nonce at site A
      use nonce at site B
      use nonce at site C

      At site A you divulge the nonce and component 1 of your identity
      at site B you divulge the nonce and component 2 of your identity
      at site C you divulge the nonce and component 3 of your identity
      across sites A:C you divulge a larger set of your writing style than at only one by its self.

      Third party actor (not cloudflare) can use this to build your session info into an ID of you; assuming they already have a large data trove on you, then the smaller bits they captured from the nonce can be used to correlate this TOR session with your existing dataset.

      just sayin...

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    8. Re:Identifying the user?? by networkBoy · · Score: 1

      or, just don't install the extension.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    9. Re:Identifying the user?? by gweihir · · Score: 1

      Indeed.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Identifying the user?? by omnichad · · Score: 1

      From Wikipedia:

      In cryptography, a nonce is an arbitrary number that may only be used once

      You're given multiple nonces for solving one CAPTCHA.

    11. Re:Identifying the user?? by Shane_Optima · · Score: 1

      It's the best that can be hoped for. I'm shocked they cared at all. People who're that worried shouldn't be using exit nodes at all without a post-Tor VPN hop. Costs perhaps $3 per month, payable by gift cards. Bypasses this issue entirely and also puts a much needed layer between you and the exit node.

      Half of the people who're paranoid about this sort of thing don't even bother to use Whonix, which (with a snapshot on VB, or after they fix it to be a proper DispVM on Qubes) doesn't force you have to micromanage anything at all for the best* possible tracking protection between sessions. The easiest to use option is also not uncommonly the most secure, but some people just have to be unreasonably fancy about everything.


      * Ignoring traffic analysis, which is a very... specific vector and on a low latency system will always be losing battle anyway.

  2. Tor. by ledow · · Score: 3, Insightful

    If nothing else, this is just another confirmation that the modern web isn't set up to allow you to be anonymous.

    That's a problem we techy types should be fixing, not encouraging solutions that identify the user even more.

    1. Re:Tor. by Calydor · · Score: 1

      Problem: Easy anonymous access for legitimate users allows easy anonymous access for malicious users.

      Solution: ?

      The problem isn't necessarily technical so much as it is psychological. To quote one of the Batman movies, some people just want to watch the world burn.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Tor. by 110010001000 · · Score: 1

      It has nothing to do with the web specifically. NETWORKING is not anonymous. Networks were designed to share information. In order to share information you need to know the endpoints on the network in order to route the data to them. This is really unpopular, but there is NO WAY to make a network anonymous. Tor isn't anonymous, the exit nodes need to know where the endpoints are.

    3. Re:Tor. by Hizonner · · Score: 1

      Read what they propose. You may have to learn some math first.

    4. Re:Tor. by omnichad · · Score: 1

      I posted the same at first, but it looks like they avoided the low-hanging fruit. They could have just used cookies - which tor browsers accept just the same as any web page. They're actually proposing a more anonymous standard, and trying to close the cookie security hole.

    5. Re:Tor. by driblio · · Score: 1

      Do you have any idea how tor works? The exit nodes specifically don't know where the end points are, you need ISP/NSA level monitoring to correlate flows.

    6. Re:Tor. by AmiMoJo · · Score: 2

      They mean that the browser will be able to generate one time codes for each web site, not use the same code multiple times.

      https://github.com/cloudflare/...

      "In this document we detail a protocol that enables a user to complete
            a single edge-served challenge page in return for a finite number of
            signed tokens. These tokens can then be used to bypass future
            challenge pages that are served by participating edge-providers. The
            tokens are generated in such a way that signed tokens cannot be
            linked to future redeemed tokens for bypassing."

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Tor. by 110010001000 · · Score: 1

      Um, no. Do YOU have any idea? How would the exit nodes know where to send the data to if it didn't know the true IP of the end point? Jesus. If you own the exit node you know where the flows are going.

    8. Re:Tor. by ADRA · · Score: 1

      People who benefit from anonymity:
        - Political Radicals
        - Privacy Averse (Really, there aren't many that care, and you aren't changing their minds fast enough)
        - Trolls / Illegal Activity / blah blah

      People who benefit from identity:
        - Soft hearted hate-troll haters
        - Oppressive and not-so oppressive governments (and their law enforcement)
        - Pretty much every notable web company making money off your info/reputation

      People that don't give a fuck:
        - Everyone else

      --
      Bye!
    9. Re:Tor. by ledow · · Score: 2

      First category could include:

      - Rape victims seeking advice online.
      - People who are being stalked by their ex, or eye-witnesses to crimes, who might have someone kill them if they find them (sure, they could live their entire life offline in perpetuity, but that's just as oppresive)
      - Political dissidents
      - People who publish honest things about oppressive regimes (e.g. Salman Rushdie)
      - You, writing this post, hoping that your employer doesn't find that story about him being a shithead last month.
      - Some guy in China / Korea wondering what all this democracy shit is about and why it's blocked.

      All kinds of decent reasons for anonymity.
      Very few for identity for just casual browsing. Sure, buying products, paying for services, these things come with identity attached in one way or another (even Bitcoin could catch up with you years later if someone bothers to track the blockchain transactions). But general web browsing? Nah.

      And the companies making money from your data are, basically not. They're making money from other people who pay to show you ads. A slightly better rate can be had using data, but Google et al all have opt-outs which turn the ads into generic bollocks rather than anything to do with your life, profession, shopping habits, etc. As such, data for that isn't **necessary**.

      Anonymity has a million reasons for and very little against.

      Oh, no, a terrorist used an anonymous means of warning us about the bomb! Like a phone call from a throwaway phone, or a message sent from a cyber-cafe, or posting a clean piece of paper to a police station.

      Taking away anonymity on the net doesn't "solve" any problem. It might shift it to other media for a while. But solving the need for identity is a solution which solves a lot of problems.

      P.S. Don't use Tor. Opt-out of ads but don't really care about Google. Far from privacy-paranoid. Just understand the need for it.

    10. Re:Tor. by driblio · · Score: 1

      Yes, I do. Exit nodes know where the next hop is, obviously, but not the end point.

      Calm down, climb down, and admit you were wrong.

  3. One connection per domain problem by NotInHere · · Score: 2

    The problem here is that the TOR browser does one separate circuit per domain. So if you visit site A through TOR and have to solve a captcha because of cloudflare, and then visit site B, your IP will be different, and you'll have to solve a captcha again. AFAIK this problem only surfaced (doing captchas for every cloudflare site) when TOR adopted that behaviour. Before, everything was routed through one circuit, and you only had to fill in one captcha.

    1. Re:One connection per domain problem by omnichad · · Score: 1

      You just load the Javascript for the CAPTCHA all from the same Cloudflare domain, and it gets a third-party cookie that identifies you everywhere.

      What they actually did was implement a standard and a browser extension that improves on the security of third-party cookies, and are effectively encouraging them to be completely disabled within Tor.

  4. Re:Tracking by Hizonner · · Score: 1

    Blinded. Token.

    Learn some crypto and go read the proposal.

  5. Re:Nonces? by Hizonner · · Score: 1

    Actually, "nonce" is a longstanding English word meaning a single specific moment. It survives in common usage in the phrase "for the nonce".

  6. Re:Nonces? by omnichad · · Score: 4, Informative

    This is a technology site. Regardless of any UK slang most Slashdotters have never heard of, a nonce is a very standard word in the world of security/cryptography.

  7. Re:Ok, guilty. by Hizonner · · Score: 2

    If it were open source, it's still BS because you KNOW most people that use Tor aren't developers and aren't going to set up an environment to compile an extension to ensure every line of it is clean.

    They also haven't read the source code for Tor or for Firefox or for the OS they're running all of it on. Package it with Tor and it's no worse than the rest of the TBB. In fact Cloudflare is trying to do it as an RFC so you could have multiple independent implementations.

    Let alone what it sends to CAPTCHA to work around the problem; doing so can be used to easily identify who is using Tor to make them a target rather than the exit nodes or whatever they're called now.

    If you'd read it, you'd have seen that they propose to use cryptographic blinding to prevent that. Which is the whole reason for having the extension in the first place.

    What is it that they say about "a little knowledge"? There's sure a lot of that going on in this thread.

  8. Re:Nonces? by clickclickdrone · · Score: 1

    You are the only person who is has these "Kiddy Fiddler" feelings evoke.

    No, me too. It's a common phrase in the UK to describe pedos.

    --
    I want a list of atrocities done in your name - Recoil
  9. Re:Tracking by Hizonner · · Score: 1

    In that case, you shouldn't trust Tor itself, since it relies on a terrific amount of equally complicated crypto and other code.

  10. Or, just skip those sites. by SvnLyrBrto · · Score: 1

    I'm not especially inclined to bother with a site when Cloudflare shoves a captcha in my face not just to create and account or make a post; but to view its front page in the first place. My "One more step" is nearly always my browser's "back" button. Cloudflare can take their precious snowflake of a half-assed CDN and bite my shiny daffodil ass.

    --
    Imagine all the people...