Comment by Tozen
3 years ago
The purpose of CAPTCHA is supposedly to test if human or a bot, not to break or violate user privacy protections. It appears Cloudflare and others rather push the dangling of websites as "carrots", and see if they can get users to disable their ad blockers or any other privacy protections to get access.
The Cloudflare verification has become a sick or sadistic joke now. It's often just used to annoy people, and no matter if they pass the tests, denies access anyway. If the test is not going to determine access, then don't provide it, and just wholesale be up front on mindlessly or frivolously blocking people and entire IP ranges.
I thought the purpose of captcha was to train AI
Cloudflare's captcha alternative, Turnstile, doesn't have anything to train AI on: no images, descriptions or anything else really, it's just a single click.
There's a natural contradiction between security and privacy.
For security, an actor needs to be tested and marked as secure, or else tested again before every interaction.
For privacy, an actor must not be marked, lest observers could correlate several interactions and make conclusions undesirable for the actor.
It does not make the infinite loop produced by Cloudflare any more reasonable though.
Ever heard of zero-knowledge proofs?
Cloudflare claims to support Privacy Pass, which is supposed to use a zero-knowledge scheme to solve for this for Tor users.
Unfortunately, the integration has been broken for a very long time and bug reports aren't tended to.
https://blog.cloudflare.com/cloudflare-supports-privacy-pass...
https://privacypass.github.io/
https://github.com/privacypass/challenge-bypass-extension/is...
I don't understand why an actor needs to be tested and marked as secure on first interaction. There must be signals so that the server could initially trust an actor in some case. For example, why can't the server trust a never-before-seen IP attempting to sign into an account that hasn't been experiencing incorrect password attempts? Is Cloudflare just a case of a one-size-fits-all solution?
The problem is it's too easy to make a botnet attack a sure by having each computer try a password for a unique account once per day. This would let you get a few million chances per day or website at guessing user passwords without detection.
I disbelieve there is no way for a client to prove that it has been challenged and cleared in the past without disclosing a persistent unique identifier.
Without a unique identifier, it would be easy for an attacker to clear one challenge and use the result for all nodes in a botnet.
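The one-shot, unlinkable token that Privacy Pass relies on to answer exactly this objection, as an added Python sketch that is neither the project's code nor any commenter's: it uses RSA blind signatures with a toy key (not the elliptic-curve VOPRF the real extension uses), and all names, the key size and the nonce format are my assumptions.

```python
# Added illustration (not Privacy Pass's own code). The client gets each
# token signed while blinded, so the issuer cannot link issuance to the
# later redemption; every token carries a fresh nonce that the verifier
# records as spent, so one cleared challenge cannot be replayed by a botnet.
import hashlib
import secrets

# Toy RSA key with small fixed primes so the example runs instantly.
# NOT a secure key size; a real issuer would use a 2048-bit or larger key.
P, Q = 1_000_000_007, 998_244_353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def h(token: bytes) -> int:
    """Hash a token nonce into the RSA group (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def client_blind(token: bytes):
    """Issuance, client side: hide H(token) behind a random factor r."""
    r = secrets.randbelow(N - 2) + 2
    return (h(token) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuance, server side, after the challenge: sign the blinded value only."""
    return pow(blinded, D, N)


def client_unblind(blind_sig: int, r: int) -> int:
    """Strip r: (H*r^E)^D = H^D * r, so multiplying by r^-1 leaves H^D."""
    return (blind_sig * pow(r, -1, N)) % N


class Verifier:
    """Redemption side: check the signature, then enforce single use."""
    def __init__(self):
        self.spent = set()

    def redeem(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != h(token):
            return False  # not signed by the issuer's key
        if token in self.spent:
            return False  # double spend: a replayed token
        self.spent.add(token)
        return True


def issue_tokens(count: int):
    """One issuance round: the client leaves with `count` unlinkable tokens."""
    out = []
    for _ in range(count):
        nonce = secrets.token_bytes(16)  # constructed random token nonce
        blinded, r = client_blind(nonce)
        out.append((nonce, client_unblind(issuer_sign(blinded), r)))
    return out
```

The issuer only ever sees `blinded`, which is statistically independent of the nonce later presented, so it cannot tie a redemption back to the client that passed the challenge.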
I'm at a loss for how this could be implemented reliably (where it never fails to stop bots). Ideas?
Isn't the client's IP address a sufficient unique identifier?