Opened 4 weeks ago

Last modified 19 minutes ago

#24321 reopened task

Include Cloudflare's Official "Privacy Pass" addon to end Cloudflare captcha madness!

Reported by: cypherpunks
Owned by: tbb-team
Priority: Low
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: nullius@…, fdsfgs@…
Actual Points:
Parent ID: #18361
Points:
Reviewer:
Sponsor:

Child Tickets

Change History (17)

comment:1 Changed 4 weeks ago by nullius

Cc: nullius@… added

Please don’t. All of the following reasons are valid, and any would be sufficient to close this bug WONTFIX:

  1. The idea that Tor users should be forced to install arbitrary software to comply with the wishes of Tor-blockers is wrong, wrong, WRONG in principle. To do so would set a horrid precedent. What’s next, a Tor Browser plugin which provides blinded signatures from a smartcard chip in a government-issued “Internet Driver’s License”? Such blinding should be done with some scheme which can be reversed by “escrowed” keys, of course. Hey, if you have nothing to hide, that would not only stop net abuse, it would also facilitate legitimate law enforcement! (I am scared by the number of people who will not detect sarcasm in that statement.)
  2. Privacy Pass is still experimental. Well, quote-unquote “beta”, according to their own FAQ: “we regard Privacy Pass and the protocol we use as being beta releases currently and still under active development”. Moreover, it is their own cryptographic construction—“developed independently”—and a subtly novel one. There is nothing wrong with that; all good crypto starts that way; but it does mean, this needs to be thoroughly peer-reviewed. Frankly, it needs to see some serious public attempts to attack it (especially its promises of unlinkability). This is NOT ready to be included with Tor Browser at all, let alone enabled by default.
  3. The right way to “end Cloudflare captcha madness!”, per this ticket’s title, is for Cloudflare to stop being mad—or better still, for its customers to dump it. Not for the Tor Browser team to jump through Cloudflare-defined hoops, or feel their users are being held as hostages. Myself, I simply ignore most sites which demand a CAPTCHA for read-only, no-side-effect requests. There are plenty of other sites I can go to. Their loss is worse than mine. Really. Throwing up a Cloudflare CAPTCHA before you deign to let me see your site is the equivalent of a Flash-required splash page 20 years ago. It makes you look stupid. Cloudflare “madness” is losing quality site visitors, and sites need to be told that.

(Any apparent ire in the foregoing is not directed at Privacy Pass itself. It looks like a neat idea. It needs crypto experts to hammer on it for awhile. Then, sane sites may have more options for filtering the limited subset of requests which have high abuse potential. Ire is directed at Cloudflare, the Net’s single largest MITM security hole, which needs to die in a fire. “IMO.”)
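An added illustration, not part of this ticket and not Privacy Pass's own code, of the blinded-token issuance the comment above refers to and of the unlinkability property it says needs attacking. The group is a constructed ~64-bit Schnorr group (order-Q subgroup of Z_p^*, P = 2Q+1) standing in for the P-256 curve the real protocol uses, so it is not secure; the names (Issuer, issue, redemption_tag, honest_session, link_by_key_separation) are this example's own; and the DLEQ key-consistency proof is deliberately left out so the last function can show what an issuer can do without it: hand each client its own key and later tell redemptions apart.

```python
"""Toy model of Privacy Pass-style blinded tokens (VOPRF issue/redeem).

Added illustration, NOT Privacy Pass's own code. Constructed simplifications:
  - a ~64-bit Schnorr group stands in for the P-256 curve; it is not secure;
  - no DLEQ proof of key consistency, which link_by_key_separation() exploits.
"""
import hashlib
import hmac
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits=64):
    """First P = 2Q+1 above 2^bits with both P and Q prime (constructed group)."""
    q = (1 << (bits - 1)) + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _safe_prime()  # modulus and order of the subgroup of squares


def hash_to_group(token):
    """Token -> subgroup element with unknown discrete log: hash mod P, then
    square (the squares of Z_p^* are exactly the order-Q subgroup). Retries
    on the (negligible) degenerate values 0 and 1."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(bytes([ctr]) + token).digest(), "big") % P
        t = h * h % P
        if t not in (0, 1):
            return t
        ctr += 1


def redemption_tag(shared, request):
    """HMAC over the request under a key derived from the unblinded element N."""
    key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return hmac.new(key, request, hashlib.sha256).digest()


class Issuer:
    """Server side: secret OPRF key k; sees only B at issuance, only t at redemption."""

    def __init__(self):
        self.k = secrets.randbelow(Q - 1) + 1
        self.spent = set()

    def sign(self, blinded):
        return pow(blinded, self.k, P)  # Z = B^k = T^(r*k)

    def redeem(self, token, request, tag):
        if token in self.spent:  # double-spend check
            return False
        expected = redemption_tag(pow(hash_to_group(token), self.k, P), request)
        if not hmac.compare_digest(expected, tag):
            return False
        self.spent.add(token)
        return True


def issue(issuer):
    """Client side: blind T = H(t) with random r, get Z, unblind to N = T^k."""
    token = secrets.token_bytes(32)
    r = secrets.randbelow(Q - 1) + 1
    blinded = pow(hash_to_group(token), r, P)  # B = T^r, all the server sees
    n = pow(issuer.sign(blinded), pow(r, -1, Q), P)  # Z^(1/r) = T^k
    return token, n


def honest_session():
    """Returns (first redemption accepted, replay of the same token accepted)."""
    issuer = Issuer()
    token, n = issue(issuer)
    tag = redemption_tag(n, b"GET /")
    return issuer.redeem(token, b"GET /", tag), issuer.redeem(token, b"GET /", tag)


def link_by_key_separation():
    """A dishonest issuer uses a different k per client at issuance, then at
    redemption tries each k: whichever verifies names the client. Only a
    published key commitment plus a DLEQ proof lets clients detect this."""
    issuers = {"alice": Issuer(), "bob": Issuer()}
    tokens = {name: issue(iss) for name, iss in issuers.items()}
    token, n = tokens["bob"]  # bob redeems later, sending only (t, tag)
    tag = redemption_tag(n, b"GET /secret")
    for name, iss in issuers.items():
        if iss.redeem(token, b"GET /secret", tag):
            return name
    return "unlinked"
```

The algebra is the VOPRF core: the client blinds T = H(t) as B = T^r, the server returns Z = B^k, and the client recovers N = Z^(1/r) = T^k, so the server never sees t together with B. The last function is the reason a real deployment publishes a key commitment and proves during issuance that the committed k was used: unlinkability is a property of the whole deployment (key handling, commitments, client checks), not of the token algebra alone.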

comment:2 Changed 4 weeks ago by yawning

Against.

Of all the people that get to run code as an addon in my browser, it's hard to think of people I trust less than Cloudflare.

Edit: All the people that worked there that I trusted left I think.

Last edited 4 weeks ago by yawning

comment:3 Changed 4 weeks ago by cypherpunks

The funny thing is https://archive.is/ is using Cloudflare too. How the hell am I supposed to read that?

comment:4 Changed 4 weeks ago by cypherpunks

Too many websites use Cloudflare for FREE SSL and cache. No other online service provides this level, for FREE, zero dollars! That's why they use Cloudflare and they won't change that easily. Piracy sites use Cloudflare to hide their IP too.

Cloudflare can collect information on what IP goes to which cloudflared website. This will bring enough information to make an online profile of the user. With Google's captcha API combined, non-Tor users are always fucked up. And Tor users like us can't read cloudflared websites.

comment:6 in reply to: 3 Changed 4 weeks ago by nullius

Replying to cypherpunks:

The funny thing is https://archive.is/ is using Cloudflare too. How the hell am I supposed to read that?

Yes, sorry, I am aware of that. And that’s not the first time this has come up here; compare ticket:18361#comment:190 and following. It highlights the scope of the problem, really.

archive.is did click a whitelist checkbox, which made this CAPTCHA “sporadic” rather than “always”.

comment:7 Changed 4 weeks ago by nullius

Parent ID: #18361

This is a duplicate of #18361, or at best its child bug. See ticket:18361#comment:241 as proposed solution by jgrahamc (Cloudflare’s CTO) to #18361. (Note: Does not actually fix the problem.)

comment:8 Changed 4 weeks ago by nullius

Related: #24351

comment:9 Changed 4 weeks ago by cypherpunks

I agree, Cloudflare captchas have been much, much less frequent these past 8 months with the Tor Browser, so I don't even see the usefulness of this...

Last edited 4 weeks ago by cypherpunks

comment:10 in reply to: 3 Changed 4 weeks ago by cypherpunks

Replying to cypherpunks:

The funny thing is https://archive.is/ is using Cloudflare too. How the hell am I supposed to read that?

Don't go to archive.is; use their archive.fo instead. Or use https://via.hypothes.is/https://archive.fo (you'll need to refresh the page when it's capturing the page in the "Loading..." state).

Last edited 4 weeks ago by cypherpunks

comment:11 Changed 4 weeks ago by cypherpunks

https://www.reddit.com/r/TOR/comments/7e2joe/endless_captchas_privacy_pass_doesnt_help/

Here's an example of a user who tripped into Cloudflare's rabbithole.
Write a blog post to inform "newbie" users like him to stop using that add-on.

comment:13 Changed 3 weeks ago by nullius

Suggestion: Instead of using some ad hoc “pass” scheme to distinguish “good” from “bad” traffic, Cloudflare and Tor Browser should both implement an Internet Standard, RFC 3514. If Tor Browser may consider implementing such a feature, should I open a new bug for this?

N.b. that this suggested implementation does not eliminate CAPTCHAs. Rather, it turns so-called “challenges” into an in-browser currency whilst snookering the user into serving as a mechanical Turk. Thus, it is perhaps the worst form of micropayments ever conceived. As a more general issue, users should be educated on the current market value of their time and “Attention Required!” attention performing mind-numbingly boring tasks on behalf of computers: The new masters, whom humans are hatched to serve.

comment:14 Changed 8 days ago by tokotoko

Cc: fdsfgs@… added

comment:15 Changed 29 hours ago by cypherpunks

Priority: Very High → Low
Severity: Critical → Normal

comment:16 Changed 38 minutes ago by cypherpunks

Resolution: invalid
Status: new → closed

comment:17 Changed 19 minutes ago by cypherpunks

Resolution: invalid
Status: closed → reopened

Can you please stop closing random tickets? Thanks!
