Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
The Internet IT

CloudFlare Working On New System That Removes CAPTCHAs For Tor Users (softpedia.com) 54

Tor users have long criticized CloudFlare for annoying CAPTCHAs, but it appears the CDN provider is finally working on a fix. An anonymous reader writes: CloudFlare is working on a new system called "Challenge Bypass Specification," which it wants to deploy as a Tor Browser extension and replace the CAPTCHAs Tor users see when trying to access a website protected by CloudFlare. This new system will have users solve one CAPTCHA at the beginning and after that, the browser extension will use nonces (one-time authentication tokens) to prove the user's real identity before accessing a CloudFlare-protected site.
This discussion has been archived. No new comments can be posted.

CloudFlare Working On New System That Removes CAPTCHAs For Tor Users

Comments Filter:
  • by Anonymous Coward

    One time token per Tor user.... doesn't that mean it identifies the user??? Sounds anti-Tor.

    • This is nothing that can't be done with any old cookie. In fact, it probably uses them. If anything, this highlights some inherent problems with using Tor without being careful.

      • by kav2k ( 1545689 ) on Tuesday October 04, 2016 @10:02AM (#53010963)

        To be specific, let me quote the spec [github.com]:

        The current Cloudflare CAPTCHA simply places a cookie allowing you to access the website. Since Cloudflare controls the origins, it could currently correlate user sessions across multiple circuits using these cookies. This is a gap in the Tor Browser threat model- the design explicitly ignores linking within a session by malicious first parties, but Cloudflare has effectively first-party control over a large proportion of the web.

        Our design is an improvement over this state of affairs. Since the CAPTCHA service only sees blinded nonces, Cloudflare cannot link a CAPTCHA solution session to a given redemption request. Since each token is used only once, in contrast to a cookie, the tokens themselves cannot be used to link requests.

        • In other words, they could have just used a cookie. But instead, they're making their own cookie system because they don't think Tor should even have cookies. This is good.

          I just hope they contribute it to the Tor standard and release the plugin unbranded rather than just as a "Cloudflare enabler."

          • by gweihir ( 88907 )

            I agree. I think they are making an honest and competent attempt to solve the issue for Tor and that is excellent news.

            Thanks for the link!

        • you can still correlate those nonces, yes?
          Solve Capcha get nonce
          use nonce at site A
          use nonce at site B
          use nonce at site C

          At site A you divulge the nonce and component 1 of your identity
          at site B you divulge the nonce and component 2 of your identity
          at site C you divulge the nonce and component 3 of your identity
          across sites A:C you divulge a larger set of your writing style than at only one by its self.

          Third party actor (not cloudflare) can use this to build your session info into an ID of you; assuming t

    • one should always be careful using anything, as sjw infested, as western intelligence infested, and as quick to jump to convictions without proof or crime, as tor now is.

    • by gweihir ( 88907 )

      It is user-tracking, sure. Anonymous user-tracking though. And if it works per-session, it is an acceptable solution IMO, as you can just restart the Tor-browser before going to a different site. Not great, but a lot better than nothing.

      • or, just don't install the extension.

      • It's the best that can be hoped for. I'm shocked they cared at all. People who're that worried shouldn't be using exit nodes at all without a post-Tor VPN hop. Costs perhaps $3 per month, payable by gift cards. Bypasses this issue entirely and also puts a much needed layer between you and the exit node.

        Half of the people who're paranoid about this sort of thing don't even bother to use Whonix, which (with a snapshot on VB, or after they fix it to be a proper DispVM on Qubes) doesn't force you have to mic
  • Tor. (Score:4, Insightful)

    by ledow ( 319597 ) on Tuesday October 04, 2016 @09:49AM (#53010887) Homepage

    If nothing else, this is just another confirmation that the modern web isn't set up to allow you to be anonymous.

    That's a problem we techy types should be fixing, not encouraging solutions that identify the user even more.

    • by Calydor ( 739835 )

      Problem: Easy anonymous access for legitimate users allows easy anonymous access for malicious users.

      Solution: ?

      The problem isn't necessarily technical so much as it is psychological. To quote one of the Batman movies, some people just want to watch the world burn.

    • It has nothing to do with the web specifically. NETWORKING is not anonymous. Networks were designed to share information. In order to share information you need to know the endpoints on the network in order to route the data to them. This is really unpopular, but there is NO WAY to make a network anonymous. Tor isn't anonymous, the exit nodes need to know where the endpoints are.
      • Do you have any idea how tor works? The exit nodes specifically don't know where the end points are, you need ISP/NSA level monitoring to correlate flows.

        • Um, no. Do YOU have any idea? How would the exit nodes know where to send the data to if it didn't know the true IP of the end point? Jesus. If you own the exit node you know where the flows are going.
          • Yes, I do. Exit nodes know where the next hop is, obviously, but not the end point.

            Calm down, climb down, and admit you were wrong.

    • I posted the same at first, but it looks like they avoided the low-hanging fruit. They could have just used cookies - which tor browsers accept just the same as any web page. They're actually proposing a more anonymous standard, and trying to close the cookie security hole.

    • by AmiMoJo ( 196126 )

      They mean that the browser will be able to generate one time codes for each web site, not use the same code multiple times.

      https://github.com/cloudflare/... [github.com]

      "In this document we detail a protocol that enables a user to complete
      a single edge-served challenge page in return for a finite number of
      signed tokens. These tokens can then be used to bypass future
      challenge pages that are served by participating edge-providers. The

    • by ADRA ( 37398 )

      People who benefit from anonymity:
      - Political Radicals
      - Privacy Averse (Really, there aren't many that care, and you aren't changing their minds fast enough)
      - Trolls / Illegal Activity / blah blah

      People who benefit from identity:
      - Soft hearted hate-troll haters
      - Oppressive and not-so oppressive governments (and their law enforcement)
      - Pretty much every notable web company making money off your info/reputation

      People that don't give a fuck:
      - Everyone els

      • by ledow ( 319597 )

        First category could include:

        - Rape victims seeking advice online.
        - People who are being stalked by their ex, or eye-witnesses to crimes, who might have someone kill them if they find them (sure, they could live their entire life offline in perpetuity, but that's just as oppresive)
        - Political dissidents
        - People who publish honest things about oppressive regimes (e.g. Salman Rushdie)
        - You, writing this post, hoping that your employer doesn't find that story about him being a shithead last month.
        - Some guy in

  • , the browser extension will use nonces (one-time authentication tokens)

    Couldn't they have come up with a better name one that doesn't evoke "Kiddy Fiddler"

  • by NotInHere ( 3654617 ) on Tuesday October 04, 2016 @09:56AM (#53010917)

    The problem here is that the TOR browser does one separate circuit per domain. So if you visit site A through TOR and have to solve a captcha because of cloudflare, and then visit site B, your IP will be different, and you'll have to solve a captcha again. AFAIK this problem only surfaced (doing captchas for every cloudflare site) when TOR adopted that behaviour. Before, everything was routed through one circuit, and you only had to fill in one captcha.

    • You just load the Javascript for the CAPTCHA all from the same Cloudflare domain, and it gets a third-party cookie that identifies you everywhere.

      What they actually did was implement a standard and a browser extension that improves on the security of third-party cookies, and are effectively encouraging them to be completely disabled within Tor.

  • I'm not especially inclined to bother with a site when Cloudflare shoves a captcha in my face not just to create and account or make a post; but to view its front page in the first place. My "One more step" is nearly always my browser's "back" button. Cloudflare can take their precious snowflake of a half-assed CDN and bite my shiny daffodil ass.

To the landlord belongs the doorknobs.

Working...