[tor-talk] How do tor users get past the recapacha and it's super short 2min exemption
dw at thedave.ca
Mon Jul 23 03:13:01 UTC 2018
On 2018-07-17 17:30, grarpamp wrote:
> On Mon, Jul 16, 2018 at 3:08 PM, Dave Warren <dw at thedave.ca> wrote:
>> The whole point of tor is that you are anonymous just like everybody else.
>> Privacy Pass attempts to allow you to bypass CAPTCHAs by providing you with tokens that anonymously prove you have solved CAPTCHAs recently.
> Presumably those tokens get passed to all participating sites,
> so all your sessions across them all are easily linkable
> by cloudflare, the sites, their backend databrokers, etc.
> "Privacy Pass"... lol.
Interestingly no, you cannot be tracked across sites. They put a lot of
effort into this aspect of the design specifically to ensure that the
signing happens only against the blinded version of passes so when the
passes are redeemed they can be verified as valid, but not linked to the
original generator of the passes.
If you're interested in how this works, they have an overview and links
to the actual papers and protocol: https://privacypass.github.io/ -- You
don't need to take my or their word for it, the cryptography is public
and you can write your own implementation if you desire or review the
source for their extensions should you have the appropriate skill sets
(I do not).
>>>> they do make it easy for site operators to approve tor
>>>> traffic in a more general way (by treating tor as a separate country in
>>>> their whitelisting system).
> So what are the default settings provided to new cloudflare /
> recaptcha subscribers?
There are no default settings at the individual customer or site level
to handle tor exit IP addresses differently than any other IP address.
If you can think of a way to differentiate good traffic vs abusive
human driven browser) and/or cookies (to identify one user from another)
and/or a extension such as privacy pass I would encourage you to write a
paper and publish it.
More information about the tor-talk