
Privacy Pass - peteretep
https://support.cloudflare.com/hc/en-us/articles/115001992652-Can-I-use-Privacy-Pass-with-Cloudflare-
======
ThePhysicist
I don't know how Cloudflare can on one hand fight for net neutrality [1] and
on the other hand play such an active role in creating a "two-class" Internet.
I understand that spamming and DoS attacks are a real problem and that they
provide a solution for this e.g. using CAPTCHAs, I just think their approach
will lead to a world where your IP address (and thus often your country)
decides more and more how easy or hard it is to browse large parts of the
Internet. Not sure how to solve this in a better way but I really don't like
what they're doing here considering their recent VPN/DNS efforts, which (IMHO)
seem to be part of a long-term strategy to create a "fast-track" Cloudflare-
powered Internet (for those who can afford it).

1:
[https://blog.cloudflare.com/battleforthenet/](https://blog.cloudflare.com/battleforthenet/)

~~~
nabla9
Net neutrality is the principle that _Internet service providers_ should treat
all Internet communications equally. Cloudfare is not an ISP.

Web service like Hacker News don't have any obligation to provide everyone
equal access to their site. Cloudfare works for the web services. As a web
service provider, you don't have, nor should you have, any obligation to
provide equal access to anyone.

~~~
chii
> Hacker News don't have any obligation to provide everyone equal access to
> their site.

i disagree. Net neutrality to me also means that a site like HN should serve
all customers coming to the site the same, and not discriminate against TOR
users or VPN users, or users from a certain IP range, or users with
different/non-standard user-agent headers.

~~~
nabla9
> Net neutrality to me also means that

I don't see how individual inserting his own meaning to well defined terms
adds anything positive to the.

If you encounter term you don't understand, you look it up and don't try to
make up your own definition. There is no disagreement of what the term means
in a way you insist.

------
therealmarv
This is so annoying. E.g. it's not unusual to surf the web with Laptop on
mobile connection in Philippines but then you get all this CAPTCHAs on all
Cloudflare sites with the standard configuration.

Actually this is the biggest reason I don't like Cloudflare. They are
discriminating some second/third world countries and if you don't travel much
and check websites you will never know.

Many websites owners are also not aware of this issue with Cloudflare.
Discriminating traffic like this should at least be an optional opt-in in
Cloudflare and not standard.

~~~
grenoire
I think the discrimination against third-world countries are justified as
that's the main source of clickspamming and like factories.

~~~
fxbl0i
Are people actually downvoting this comment just because it's not politically
correct?

I mean, you could argue that it's not fair to discriminate entire countries
because of the lax abuse policy of their ISPs, but the comment is correct:
that's the reason those countries are discriminated against in this context.

~~~
snorlaxle
I didn't downvote but I don't believe the claim was 100% factual. Cloudflare
has always been horrible with dealing with shared IP's even if the users are
all legitmate non-malicious. I once worked in an office with a single shared
IP for ~200 people and we got constantly captcha-blocked by Cloudflared
websites. It was also a problem with google but it was less prevalent and
their captcha system was less annoying than Cloudlfare's.

When I was a sysadmin for a few admittedly-not-highly-popular websites, there
were definitely more unwelcome bot traffic from US and EU IP's than there were
from any 3rd world countries.

I also don't agree that social media "like-factories" should be a concern for
Cloudflare at all. Even if they are truly a concern; social media "like-
factories" are probably human-operated on third-world countries or bots that
are likely running from developed world servers with access to cheaper
bandwidth and IP's.

~~~
grenoire
This is more insightful than anything else in the comment chain that was
spawned from my GP. My opinion on the 'justifiable' end has shifted a bit,
thanks!

------
dessant
When you do encounter CAPTCHAs, try out Buster [0]. It passes the CAPTCHA by
solving the audio challenge using speech recognition APIs.

Google does block people from accessing the audio challenge [1] in some cases,
so make sure to check if you can access the audio challenge even before
installing the extension by clicking on the headphone icon within the
challenge widget.

Enable user input simulation from the extension's options and install the
client app to reduce the chance of a temporary block while using the
extension.

If you're on Chrome, there is a pending update (0.5.2) that switches to the
Wit Speech API (demo) service by default, verify that you're using the correct
service by visiting the extension's options to avoid any errors.

Please open an issue if you have experience with image recognition and you'd
like to contribute towards a mode that would solve the visual challege, or
assist users by suggesting image tiles to select.

[0] [https://github.com/dessant/buster](https://github.com/dessant/buster)

[1]
[https://github.com/w3c/apa/issues/25](https://github.com/w3c/apa/issues/25)

~~~
dewey
Isn't this ruining the feature for people who are forced to use the
accessibility feature?

They'll improve the captcha just like they did with the basic obscured text to
now making the user do image recognition for them and people who really need
the accessibility won't have it that easy any more.

I don't feel like that's a nice thing to do.

~~~
dessant
Google blocks people with disabilities from accessing the audio challenge,
please see the second link in my original post for details. This project,
while in the early stages, aims to bring attention to the human cost of the
reCAPTCHA service, and helps those who can no longer cope with that cost.

~~~
dewey
Thanks for clearing that up, I missed the second link while browsing on
mobile.

------
twhb
I suggest the link be changed to
[https://www.petsymposium.org/2018/files/papers/issue3/popets...](https://www.petsymposium.org/2018/files/papers/issue3/popets-2018-0026.pdf),
because there's serious misunderstanding in the comments.

\- This is not made by Cloudflare, Cloudflare is just the first to support it.

\- This does not tie anything to your IP address, this introduces an
alternative to tying things to your IP address.

\- This does not implement more granular tracking IDs, it implements
unlinkable one-time tokens.

\- This does not further Tor user blocking/inconveniencing, they're who it was
made for.

------
r1ch
Privacy Pass doesn't help when various desktop and mobile app developers host
their APIs behind Cloudflare. Users end up with timeouts or other error
messages that have don't mention anything about being blocked by Cloudflare.

------
lucb1e
Sounds like we're getting ever close to requiring identification before being
allowed to use the Internet. Such a law would be vehemently opposed I'm sure,
the question is whether we mind if a company does it and offers it
"voluntarily" for those first blocked by said company.

------
StavrosK
To clarify a few things:

PrivacyPass is a third-party extension that allows a user to receive anonymous
tokens that can't be tied back to them:
[https://privacypass.github.io/](https://privacypass.github.io/)

CloudFlare supports that third-party extension so visitors can see fewer
challenges.

------
jonplackett
I like cloudflare, but it seems like we're putting more and more trust in
them. Not sure if that's good.

~~~
birracerveza
This. We're centralizing all the websites to flow in the hands of one player
who can decide who can or cannot access a website, not to mention the fact
that they have the capability to know who accesses which website across a
larger and larger portion of the net. De facto we're giving them the keys to
the internet. But who's them? And who will it be in the future?

I understand that they offer cheap solutions to very real problems, but we
keep making the same mistake we made with Google and other tech giants. While
they are acting in a commendable way now, I fear for how much influence
they'll have when they will inevitably drop their "Don't be evil".

~~~
Operyl
To me, another company needs to step up and try to compete in the same sector.
The problem is that the alternatives, like Sucuri and Stackpath that are
reasonably cheap are _terrible_. I deal with both on a day to day and it’s
horrendous to deal with :/.

------
bobydonahue
This seems like a play taken directly from the United States TSA/DHS with
their global entry/pre-check 'services' which only exist to track people at a
more granular level.

------
codedokode
I don't understand what is the motivation to block Tor or VPNs if there is no
large volumes of traffic from specific IP. Does Cloudflare dislike anonymous
users?

Also, did you see the permission list for a Firefox extension? [1] It says
"Access your data for all websites".

[1] [https://addons.mozilla.org/en-US/firefox/addon/privacy-
pass/](https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/)

~~~
kevingadd
That permission is required for a vast set of features in chrome and Firefox
extensions because of how poorly the chrome extension API was designed. So
while it indeed has that permission, there are lots of things it could be
doing with it that don't impact your data at all. You'd have to audit the
code.

------
Vogtinator
So "Privacy" Pass effectively generates a unique token for every user? That
results in trivial tracking again, one of the main points of using VPNs, Tor
or whatever.

~~~
StavrosK
The tokens can't be correlated with a user.

~~~
tastroder
From the linked page "Privacy Pass uses elliptic curve cryptography to
generate 'anonymous' tokens after a single CAPTCHA page is solved."

In any case - privacy implications aside - having to install an extension to
get around their risk assessment algorithm going wrong seems like placing the
burden in very much the wrong place.

edit: was wrong about who created the extension

~~~
StavrosK
PrivacyPass is not their thing:

[https://privacypass.github.io/](https://privacypass.github.io/)

They run a service that shows high-risk visitors (or whom they deem high-risk)
a challenge. They support a third-party extension that lets you vouch for
yourself on other websites anonymously. The alternative is that they _don 't_
support it.

The other things they do are debatable, but this is a good thing.

~~~
tastroder
Oh, thanks for pointing that out, totally missed that part! In that case, at
least it's anonymous, yeah.

~~~
StavrosK
Yeah, in my view, it's nice that they're supporting a published way of
anonymously vouching for myself. Maybe it's less than awesome that every
visitor from Romania (as an arbitrary example) is considered a criminal, but
supporting PrivacyPass is a nice move.

------
tmikaeld
I wish all Chromium plugins had such good plugin content overview, saves a lot
of time if you want to review what you install.

[https://github.com/privacypass/challenge-bypass-
extension](https://github.com/privacypass/challenge-bypass-extension)

------
tokarein
This add-on isn't new. Why now?

[https://notabug.org/themusicgod1/cloudflare-
tor](https://notabug.org/themusicgod1/cloudflare-tor)

------
tbbttbbt
How the f __* does this even help at all when Google reCaptcha already "ghost-
blocks" bad ips as well?

------
localhostdotdev
getting closer everyday to a global "login" to access the internet

------
iscloudflareg
this is TSA level thievery -- first organize security theater in form of
"protection" and then charge money to be able to avoid that. Pathetic.

~~~
bepvte
There isnt any money involved. Did you read this?

