Slashdot Mirror


CloudFlare Working On New System That Removes CAPTCHAs For Tor Users (softpedia.com)

Tor users have long criticized CloudFlare for annoying CAPTCHAs, but it appears the CDN provider is finally working on a fix. An anonymous reader writes: CloudFlare is working on a new system called "Challenge Bypass Specification," which it wants to deploy as a Tor Browser extension and replace the CAPTCHAs Tor users see when trying to access a website protected by CloudFlare. This new system will have users solve one CAPTCHA at the beginning and after that, the browser extension will use nonces (one-time authentication tokens) to prove the user's real identity before accessing a CloudFlare-protected site.

7 of 54 comments

  1. Tor. by ledow · · Score: 3, Insightful

    If nothing else, this is just another confirmation that the modern web isn't set up to allow you to be anonymous.

    That's a problem we techy types should be fixing, not encouraging solutions that identify the user even more.

    1. Re:Tor. by AmiMoJo · · Score: 2

      They mean that the browser will be able to generate one time codes for each web site, not use the same code multiple times.

      https://github.com/cloudflare/...

      "In this document we detail a protocol that enables a user to complete
      a single edge-served challenge page in return for a finite number of
      signed tokens. These tokens can then be used to bypass future
      challenge pages that are served by participating edge-providers. The
      tokens are generated in such a way that signed tokens cannot be
      linked to future redeemed tokens for bypassing."

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Tor. by ledow · · Score: 2

      First category could include:

      - Rape victims seeking advice online.
      - People who are being stalked by their ex, or eye-witnesses to crimes, who might have someone kill them if they find them (sure, they could live their entire life offline in perpetuity, but that's just as oppressive)
      - Political dissidents
      - People who publish honest things about oppressive regimes (e.g. Salman Rushdie)
      - You, writing this post, hoping that your employer doesn't find that story about him being a shithead last month.
      - Some guy in China / Korea wondering what all this democracy shit is about and why it's blocked.

      All kinds of decent reasons for anonymity.
      Very few for identity for just casual browsing. Sure, buying products, paying for services, these things come with identity attached in one way or another (even Bitcoin could catch up with you years later if someone bothers to track the blockchain transactions). But general web browsing? Nah.

      And the companies making money from your data are, basically not. They're making money from other people who pay to show you ads. A slightly better rate can be had using data, but Google et al all have opt-outs which turn the ads into generic bollocks rather than anything to do with your life, profession, shopping habits, etc. As such, data for that isn't **necessary**.

      Anonymity has a million reasons for and very little against.

      Oh, no, a terrorist used an anonymous means of warning us about the bomb! Like a phone call from a throwaway phone, or a message sent from a cyber-cafe, or posting a clean piece of paper to a police station.

      Taking away anonymity on the net doesn't "solve" any problem. It might shift it to other media for a while. But solving the need for identity is a solution which solves a lot of problems.

      P.S. Don't use Tor. Opt-out of ads but don't really care about Google. Far from privacy-paranoid. Just understand the need for it.

  2. One connection per domain problem by NotInHere · · Score: 2

    The problem here is that the TOR browser does one separate circuit per domain. So if you visit site A through TOR and have to solve a captcha because of cloudflare, and then visit site B, your IP will be different, and you'll have to solve a captcha again. AFAIK this problem only surfaced (doing captchas for every cloudflare site) when TOR adopted that behaviour. Before, everything was routed through one circuit, and you only had to fill in one captcha.

  3. Re:Identifying the user?? by kav2k · · Score: 5, Informative

    To be specific, let me quote the spec:

    The current Cloudflare CAPTCHA simply places a cookie allowing you to access the website. Since Cloudflare controls the origins, it could currently correlate user sessions across multiple circuits using these cookies. This is a gap in the Tor Browser threat model- the design explicitly ignores linking within a session by malicious first parties, but Cloudflare has effectively first-party control over a large proportion of the web.

    Our design is an improvement over this state of affairs. Since the CAPTCHA service only sees blinded nonces, Cloudflare cannot link a CAPTCHA solution session to a given redemption request. Since each token is used only once, in contrast to a cookie, the tokens themselves cannot be used to link requests.

  4. Re:Nonces? by omnichad · · Score: 4, Informative

    This is a technology site. Regardless of any UK slang most Slashdotters have never heard of, a nonce is a very standard word in the world of security/cryptography.

  5. Re:Ok, guilty. by Hizonner · · Score: 2

    "If it were open source, it's still BS because you KNOW most people that use Tor aren't developers and aren't going to set up an environment to compile an extension to ensure every line of it is clean."

    They also haven't read the source code for Tor or for Firefox or for the OS they're running all of it on. Package it with Tor and it's no worse than the rest of the TBB. In fact Cloudflare is trying to do it as an RFC so you could have multiple independent implementations.

    "Let alone what it sends to CAPTCHA to work around the problem; doing so can be used to easily identify who is using Tor to make them a target rather than the exit nodes or whatever they're called now."

    If you'd read it, you'd have seen that they propose to use cryptographic blinding to prevent that. Which is the whole reason for having the extension in the first place.

    What is it that they say about "a little knowledge"? There's sure a lot of that going on in this thread.