Comment by Brian_K_White

3 years ago

I disbelieve there is no way for a client to prove that it has been challenged and cleared in the past without disclosing a persistent unique identifier.

Without a unique identifier, it would be easy for an attacker to clear one challenge and use the result for all nodes in a botnet.

  • Why can't the identifier be merely yet another bit of data whose existence and properties can be proven by cryptography without transmitting the data itself? It's done all the time with other data.

    • He's saying that won't work, because the goal is not actually to fingerprint or mark users. It's to ensure that the thing connecting to their servers at that moment is a web browser and not something pretending to be a browser. Give away tokens that say "I'm a browser, honest" and they'll just get cloned by all the bots.


I'm at a loss for how this could be implemented reliably (where it never fails to stop bots). Ideas?

  • I don't think the burden of proof/R&D is on us. But there are many smart people around, I'm sure Cloudflare can pay some of them (even more surprising things are possible with cryptography).

    One far-fetched idea is to use ZKP proofs to prove that you were verified, without disclosing anything about your identity. But that's likely overkill.

    Anyway, I think Cloudflare is already working on something better with Turnstile, the "privacy preserving captcha", and private access tokens [0].

    [0] https://blog.cloudflare.com/turnstile-private-captcha-altern...

  • What do you see as the problem with this attempt?

    https://privacypass.github.io/

    • It allows for unlimited tries. Let's say current ML systems could solve 1% of the captchas; then an attacker could try a million captchas and generate privacy passes for the equivalent of 10k captchas.

      Theoretically, to penalize the user you need to identify the user. And for that you need to maintain long term identity.

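The exchange above is about two different properties: whether a token can prove "this client cleared a challenge" without the issuer learning anything linkable, and whether that stops an attacker who clears many challenges. The following is an added example, not code from the thread, from Cloudflare or from the Privacy Pass project: a toy blind-RSA token scheme in the spirit of Privacy Pass (the deployed protocols use a VOPRF or full-size blind RSA as in RFC 9474/9578; the primes, the hash-to-integer step and the class names here are constructed for illustration only). It shows that the issuer only ever sees a blinded value, that the redeemer can still verify the signature and reject replays, and, in the usage note, why none of that limits how many tokens a high-volume solver can collect.

```python
"""Toy Privacy-Pass-style anonymous tokens built on RSA blind signatures.

Added example (not Cloudflare's or Privacy Pass's code). The key is deliberately
tiny so the demo runs instantly; it is NOT secure. Real deployments use
2048-bit+ keys and a proper full-domain hash.
"""
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key: two small primes, public exponent 65537.
P, Q = 1000003, 1000033          # both prime; product is ~10^12
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent held only by the issuer


def hash_to_int(token: bytes) -> int:
    """Map a token nonce into Z_N (toy stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Client:
    """Browser side: creates a random token and blinds it before issuance."""

    def __init__(self):
        self.token = secrets.token_bytes(16)  # never sent to the issuer in the clear
        while True:                           # blinding factor must be invertible mod N
            self.r = secrets.randbelow(N - 2) + 2
            if gcd(self.r, N) == 1:
                break

    def blind(self) -> int:
        # The issuer sees H(token) * r^E, which reveals nothing about token.
        return (hash_to_int(self.token) * pow(self.r, E, N)) % N

    def unblind(self, blinded_sig: int):
        # (H(t) * r^E)^D = H(t)^D * r, so dividing by r leaves a plain signature.
        sig = (blinded_sig * pow(self.r, -1, N)) % N
        return self.token, sig


class Issuer:
    """Challenge server: signs one blinded value per solved challenge."""

    def sign_blinded(self, blinded: int, challenge_passed: bool):
        if not challenge_passed:
            return None
        return pow(blinded, D, N)


class Redeemer:
    """Origin / edge: verifies a token and enforces single use."""

    def __init__(self):
        self.spent = set()

    def redeem(self, token: bytes, sig: int) -> bool:
        if pow(sig, E, N) != hash_to_int(token):  # forged or tampered token
            return False
        if token in self.spent:                   # cloned/replayed token
            return False
        self.spent.add(token)
        return True


def demo() -> bool:
    """One full issue-then-redeem round trip; returns True on success."""
    client, issuer, redeemer = Client(), Issuer(), Redeemer()
    blinded_sig = issuer.sign_blinded(client.blind(), challenge_passed=True)
    token, sig = client.unblind(blinded_sig)
    return redeemer.redeem(token, sig)


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The redeemer never links `token` back to the blinded value the issuer signed, which is the unlinkability the thread asks about, and the `spent` set is what stops one cleared challenge from being reused across a botnet. What the scheme cannot do is bound issuance: every challenge the solver clears yields exactly one fresh, unlinkable token, so a 1% solve rate over a million attempts still produces about 10k valid tokens, and rate-limiting issuance requires some identity (an IP, an account), which is the point the reply above makes.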

Isn't the client's IP address a sufficient unique identifier?

  • Absolutely not. Dozens if not hundreds of legitimate clients can appear on the same public IPv4 address, being home internet customers behind a NAT. The same client can trivially change their IPv4 and likely IPv6 address on a mobile network by toggling flight mode to reconnect.