Review Cloudflare's Official "Privacy Pass" addon to evaluate inclusion in Tor Browser

[cypherpunks]

​https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/
This addon is a design intended to reduce the captcha burden from Cloudflare on users.

PETS 2018 paper:
​https://petsymposium.org/2018/files/papers/issue3/popets-2018-0026.pdf

[nullius]

Please don’t. All of the following reasons are valid, and any would be sufficient to close this bug WONTFIX:

1. The idea that Tor users should be forced to install arbitrary software to comply with the wishes of Tor-blockers is wrong, wrong, WRONG in principle. To do so would set a horrid precedent. What’s next, a Tor Browser plugin which provides blinded signatures from a smartcard chip in a government-issued “Internet Driver’s License”? Such blinding should be done with some scheme which can be reversed by “escrowed” keys, of course. Hey, if you have nothing to hide, that would not only stop net abuse, it would also facilitate legitimate law enforcement! (I am scared by the number of people who will not detect sarcasm in that statement.)

2. Privacy Pass is still experimental. Well, quote-unquote “beta”, according to their own ​FAQ: “we regard Privacy Pass and the protocol we use as being beta releases currently and still under active development”. Moreover, it is their own cryptographic construction—“​developed independently”—and a subtly novel one. There is nothing wrong with that; all good crypto starts that way; but it does mean, this needs to be thoroughly peer-reviewed. Frankly, it needs to see some serious public attempts to attack it (especially its promises of unlinkability). This is NOT ready to be included with Tor Browser at all, let alone enabled by default.

3. The right way to “end Cloudflare captcha madness!”, per this ticket’s title, is for Cloudflare to stop being mad—or better still, for its customers to dump it. Not for the Tor Browser team to jump through Cloudflare-defined hoops, or feel their users are being held as hostages. Myself, I simply ignore most sites which demand a CAPTCHA for read-only, no-side-effect requests. There are plenty of other sites I can go to. Their loss is worse than mine. Really. Throwing up a Cloudflare CAPTCHA before you deign to let me see your site is the equivalent of a Flash-required splash page 20 years ago. It makes you look stupid. Cloudflare “madness” is losing quality site visitors, and sites need to be told that.

(Any apparent ire in the foregoing is not directed at Privacy Pass itself. It looks like a neat idea. It needs crypto experts to hammer on it for awhile. Then, sane sites may have more options for filtering the limited subset of requests which have high abuse potential. Ire is directed at Cloudflare, the Net’s single largest MITM security hole, which needs to die in a fire. “IMO.”)

[yawning]

Against.

Of all the people that get to run code as an addon in my browser, it's hard to think of people I trust less than Cloudflare.

Edit: All the people that worked there that I trusted left I think.

[cypherpunks]

The funny thing is ​https://archive.is/ is using Cloudflare too. How the hell am I suppose to read that?

[cypherpunks]

Too many websites use Cloudflare for FREE SSL and Cache. No other online service provide this level, for FREE, zero dollars! That's why they use Cloudflare and they won't change that easily. Piracy site use Cloudflare to hide their IP too.

Cloudflare can collect information what IP goes to what cloudflared website. This will bring enough information to make online profile of the user. With Google's captcha API combined, non-Tor users are always fucked up. And Tor users like us can't read cloudflared websites.

[cypherpunks]

related https://trac.torproject.org/projects/tor/ticket/23840

[nullius]

Replying to cypherpunks:

The funny thing is ​https://archive.is/ is using Cloudflare too. How the hell am I suppose to read that?

Yes, sorry, I am aware of that. And that’s not the first time this has come up here; compare ticket:18361#comment:190 and following. It highlights the scope of the problem, really.

archive.is ​did click a whitelist checkbox, which made this CAPTCHA “sporadic” rather than “always”.

[nullius]

This is a duplicate of #18361, or at best its child bug. See ticket:18361#comment:241 as proposed solution by jgrahamc (Cloudflare’s CTO) to #18361. (Note: Does not actually fix the problem.)

[nullius]

Related: #24351

[cypherpunks]

I agree, Cloudflare captchas have been much much lesser in frequency these 8 months with the Tor Browser so I don't even see the usefulness of this...

[cypherpunks]

Replying to cypherpunks:

The funny thing is ​https://archive.is/ is using Cloudflare too. How the hell am I suppose to read that?

Don't go to archive.is use their archive.fo instead. Or use ​https://via.hypothes.is/https://archive.fo (you'll need to refresh the page when it's capturing the page in the "Loading...")

[cypherpunks]

​https://www.reddit.com/r/TOR/comments/7e2joe/endless_captchas_privacy_pass_doesnt_help/

Here's an example of a user who tripped into Cloudflare's rabbithole.
Write a blog to inform the "newbie" user like him to stop using that add-on.

[cypherpunks]

​https://lists.torproject.org/pipermail/tor-dev/2017-November/012627.html

[nullius]

Suggestion: Instead of using some ad hoc “pass” scheme to distinguish “good” from “bad” traffic, Cloudflare and Tor Browser should both implement an Internet Standard, ​RFC 3514. If Tor Browser may consider implementing such a feature, should I open a new bug for this?

N.b. that this suggested implementation does not eliminate CAPTCHAs. Rather, it turns so-called “challenges” into an in-browser currency whilst snookering the user into serving as a ​mechanical Turk. Thus, it is perhaps the worst form of micropayments ever conceived. As a more general issue, users should be educated on the current market value of their time and “Attention Required!” attention performing mind-numbingly boring tasks on behalf of computers: The new masters, whom humans are hatched to serve.

[cypherpunks]

Can you please stop closing random tickets? Thanks!

[gk]

Please stop closing random bugs, thanks.

[cloudflarezoey]

Our add-on is open source. You can trust us.

Please contact us so we can assist you.

​https://support.cloudflare.com/hc/en-us/requests/new

[cypherpunks]

Copied from add-on's review. This Mr/Mrs. Alexander didn't understand how Cloudflare works.

Tor devs, why not write about Cloudflare in your blog already?
Other anonymous users, stop using this add-on.

If you use this, YOU ARE TRADING YOUR PRIVACY, AND CLOUDFLARE CAN IDENTIFY YOU
EVEN WHEN YOU VISIT OTHER CLOUDFLARED WEBSITE!!

This add-on send "token"(like passport in real life) in background to
Cloudflare server, when add-on detect "HTTP 403" and Cloudflare-specific header.

It scan all website's response, and it's using multiple listener(which is unnecessary).
Adding this add-on to your browser may seriously degrade your browsing speed.

If you really care about your privacy or internet anonymity, you should do:

1. Ask the website owner to stop using Cloudflare and pick alternative method such as WAF module.
2. Ask the website owner to add "T1" to Cloudflare's whitelist(NOT A BEST OPTION)
3. If both are failed, just say "goodbye, I'm gonna use other website, asshole" to the owner.
4. Don't buy anything or input your information on Cloudflare websites.
5. Join to this ticket for discussion and development for TorButton patch: #24351

SAY NO TO CLOUDFLARE.

​https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/reviews/

---

Makes using TOR bearable again!

Occasionally I use TOR for a few hours while browsing to to get a feel
for how it feels like to browse the web when you're not connected using
a (mostly) stable and (mostly) AAA broadband connection.
Until this extension arrieved: Terrible!
It'd just be CAPTCHA after CAPTCHA, after CAPTCHA… One really doesn't
realize how mighty CloudFlare is until one spends some time using TOR :-(

Anyways, while this extension obviously doesn't address Cloudization at all
at least it drastically improves the experience when surfing with TOR!
And the was the point from the beginning wasn't it?
So thumbs for getting this to work! You've done a great job on this!

Rated 5 out of 5
by Alexander Schlarb

[nullius]

Replying to cypherpunks:

Copied from add-on's review. This Mr/Mrs. Alexander didn't understand how Cloudflare works.

[...well said...]

Makes using TOR bearable again!

Occasionally I use TOR for a few hours while browsing to to get a feel
for how it feels like to browse the web when you're not connected using
a (mostly) stable and (mostly) AAA broadband connection.
Until this extension arrieved: Terrible!
It'd just be CAPTCHA after CAPTCHA, after CAPTCHA… One really doesn't
realize how mighty CloudFlare is until one spends some time using TOR :-(

The ironic part is, a CAPTCHA is an denial-of-service on two different levels: It denies service to connections which for any reason, including conscious choice, do not abjectly submit and jump through CAPTCHA hoops; and it denies wetware service, stealing away time from the life of a human being. By distributing its DOS across a claimed six million different websites, Cloudflare is an anti-human DDoS.

“CAPTCHA madness” long ago reached the point that I question whether anybody who fills out CAPTCHAs on demand be actually human. Who robotically obeys arbitrary orders to complete tedious tasks which would numb the mind of any human? Why, a robot!

Myself, I stopped Cloudflare’s DDoS against my limited lifetime by installing this extension in my Tor Browser:

​https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

​https://github.com/nym-zone/block_cloudflare_mitm_fx

Now, I don’t see any more Cloudflare CAPTCHAs. None! Never! Problem solved.

When will people grow some spine, and learn to “vote with their feet” (or their clicks)?

I also ban Gmail correspondence from my personal life. E-mailing me is a privilege, not a right; and even with PGP, Google gets all the metadata (date/time, social graph...).

Likewise, I don’t want a man-in-the-middle decrypting my TLS connections throughout some obscene proportion of my web sessions. A site uses Cloudflare? With very few, very limited exceptions, my answer is: Bye!

Privacy is important; and if the Tor Project desires to promote privacy, then they should encourage Cloudflare to throw as many CAPTCHAs as possible until Cloudflare destroys their customers’ traffic stats and user bases.

In my opinion, Cloudflare’s policy should be: CAPTCHAs for everybody! CAPTCHAs, day and night! CAPTCHAs for Tor, and non-Tor, too—minute-long CAPTCHAs, hour-long CAPTCHAs, CAPTCHAs sixscore times per day. Eventually, people would realize that when Cloudflare demands that you drive a “self-driving” car AI for Google, the only way to win is not to play. Only the sanity of those who refuse “CAPTCHA madness” can stop CAPTCHA madness.

[cypherpunks]

If you really care about your privacy or internet anonymity, you should do:

I totally aggrree. And we need an own method. I just suggest using old good well-known proof-of-work.

[gk]

Replying to cypherpunks:

If you really care about your privacy or internet anonymity, you should do:

I totally aggrree. And we need an own method. I just suggest using old good well-known proof-of-work.

[cypherpunks]

GK, Why did you removed PID? Because you are Cloudflare employee's friend?

[cypherpunks]

Who cares?

[tom]

Please don't change bug statuses.

[dmr]

Replying to cypherpunks:

​https://lists.torproject.org/pipermail/tor-dev/2017-November/012627.html

Quoting that email from gk here:

bancfc at openmailbox.org:

Hi. Are there any plans to include Privacy Pass addon in Tor Browser by default? Privacy Pass is the result of some great work by Ian and his team at University of Waterloo to spare Tor users the torture of solving infinite captchas from Cloudflare.[0][1]

That's not decided yet. We are still reviewing the extension in a Tor
Browser context.

Georg

[0] ​https://privacypass.github.io/team/
[1] ​https://blog.cloudflare.com/privacy-pass-the-math/

Based on that, changing the ticket title to reflect the task more appropriately. Moving some of the title into the ticket body, to keep that context.

[dmr]

Adding the "Privacy Pass" PETS 2018 paper to description.