[tor-talk] How do tor users get past the recapacha and it's super short 2min exemption

Dave Warren dw at thedave.ca
Mon Jul 23 03:13:01 UTC 2018

On 2018-07-17 17:30, grarpamp wrote:
> On Mon, Jul 16, 2018 at 3:08 PM, Dave Warren <dw at thedave.ca> wrote:
>> The whole point of tor is that you are anonymous just like everybody else.
>> Privacy Pass attempts to allow you to bypass CAPTCHAs by providing you with tokens that anonymously prove you have solved CAPTCHAs recently.
>> https://support.cloudflare.com/hc/en-us/articles/115001992652-Privacy-Pass
> Presumably those tokens get passed to all participating sites,
> so all your sessions across them all are easily linkable
> by cloudflare, the sites, their backend databrokers, etc.
> "Privacy Pass"... lol.

Interestingly no, you cannot be tracked across sites. They put a lot of 
effort into this aspect of the design specifically to ensure that the 
signing happens only against the blinded version of passes so when the 
passes are redeemed they can be verified as valid, but not linked to the 
original generator of the passes.

If you're interested in how this works, they have an overview and links 
to the actual papers and protocol: https://privacypass.github.io/ -- You 
don't need to take my or their word for it, the cryptography is public 
and you can write your own implementation if you desire or review the 
source for their extensions should you have the appropriate skill sets 
(I do not).

>>>> they do make it easy for site operators to approve tor
>>>> traffic in a more general way (by treating tor as a separate country in
>>>> their whitelisting system).
> So what are the default settings provided to new cloudflare /
> recaptcha subscribers?

There are no default settings at the individual customer or site level 
to handle tor exit IP addresses differently than any other IP address.

If you can think of a way to differentiate good traffic vs abusive 
traffic without JavaScript (to verify that the connection is from a 
human driven browser) and/or cookies (to identify one user from another) 
and/or a extension such as privacy pass I would encourage you to write a 
paper and publish it.

More information about the tor-talk mailing list