"Cloudflare is probably especially familiar to the Tor users among you, who are constantly harassed by CAPTCHAs. If Cloudfare has its way, then the annoying CAPTCHAs or the question whether you are a bot belong to the past.
Cloudflare has THE solution: The Privacy Pass addon for Chrome and Firefox!
Sure, now the user should install a browser addon to “prove” that he is not a bot? There’s something seriously wrong with the Internet. Tor users should keep their hands off such addons anyway, as the risk of deanonymization increases immensely.
I agree with the reply above: using TOR is typically for more than privacy… it is really for anonymity. When going for anonymity, you don’t really want to take any chances with such add-ons. Projects like Tails exist to give you a complete environment where TOR can run to ensure maximum anonymity; the more you stray from the environment, the less protection you may have with TOR.
For me, when it comes to day-to-day use, I simply route my traffic to a VPN server. And I recently started using Decloudus DNS as my upstream DNS servers (I use Alpha inside browser DoH settings, Zulu for mobile DoT Private DNS settings, and Echo as upstream for my AdGuardHome for my home network). That setup works fairly well for more privacy for daily Internet use.
I use Decloudus DNS in conjunction with algovpn on my mobile devices and selective machines. I have one vpn that blocks out google and another, for those instances where I might need it, lets google through.
I assume you are asking how TOR/Tails prevent bots. The answer is that they do not and honestly, they should not. If they were to add mechanisms to know who is a bot and who is not, it would start to erode the anonymity guarantees in place… and then there will be ways for bots to defeat these mechanisms… and then they would have to implement even more anonymity-intrusive ways to counter. It would essentially be a downward spiral for the main purpose and goal of TOR.
So I can tell you many bots do indeed use TOR. Many hackers also use TOR. These are abuse cases that the project has to unfortunately live with for the sake of all the good the project does to combat online censorship, oppressive governments, freedom of press, surveillance programs, etc.
As a user, when you get a TOR identity and you find some sites are blocking you, it is probably because you were assigned an IP address that was abused by bots and hackers. Sometimes it helps to get a new identity/IP address. But that mostly depends on the sites you are trying to access and how they are tuned to handle TOR traffic. Some sites let you in, others may give you a CAPTCHA challenge, and others may just flat out block you.
I use DeCloudus in combination with a personal vpn: Algo vpn uses dnscrypt proxy with DeCloudus as my dns resolver. In addition to Google, DeCloudus blocks online trackers and advertising, etc. The combination is really quite easy to set up; it takes about 5 minutes to run. Algo vpn produces qr codes for the clients so installing it on mobile devices is trivial.
DNS privacy and VPN are not dependent on each other. They can certainly be combined, but they serve slightly different purposes depending on the level of privacy you want.
Privacy DNS (like Decloudus) will ensure your DNS traffic is encrypted. It will block ads, trackers, etc. Decloudus also emphasizes that there are no logs, so there is no way Decloudus can associate your DNS queries to you. That’s a must-have-requirement for any DNS provider I use.
As others noted, a VPN will hide all of your traffic from your ISP. When using Decloudus, your ISP will not see your DNS traffic, but the ISP will still know the IPs you are connecting to. For example, your ISP will not see that you visited the forums.puri.sm URL, BUT they will see you connected to IP address 220.127.116.11, which then may be used to know what site you actually visited (through reverse DNS lookups… but who knows if ISPs do that or not).
I have devices that just use Decloudus DNS and other devices that use both Decloudus and a VPN. For example, I have a gaming console, a kids’ tablet, etc. with internet traffic that I don’t care if the ISP knows about. But I do want my DNS traffic to be private and I do want to block ads, trackers, and such. So using Decloudus DNS is enough for my privacy needs there.
I have other devices where not only do I want to have DNS privacy, block google, ads, trackers, etc… but I also don’t want the ISP to know what IPs I am connecting to. So I route the traffic for these devices to a VPN also.
So depending on the specific privacy needs you have, Decloudus can be good enough on its own or add a VPN to the mix for even more privacy from your ISP.
That’s what I tried to say. I can’t see DNS as a privacy feature. Yes, using some custom DNS you have options like parental control, ad blocking… but you don’t have privacy.
Let’s assume you’ll use DoH or DoT, but for me it does not matter (actually it is) if I’m giving my sites visited to my ISP or another company (I prefer my ISP, as it is not so centralized as other big companies).
Words like “no logs” make no sense to me (same for VPN providers), as there is no way you can actually check, verify, or audit that (that means you just need to trust them, and I don’t).
Here is a summary of my interpretation of Privacy Pass so far.
Currently, to use the protocol, it is required to use the browser plugin. It is under a BSD license, located at the URL below.
There is also TCP server code, maintained by the Privacy Pass team, located at the URL below.
It is in the process of being standardized by the IETF. The CDN currently supporting Privacy Pass is Cloudflare.
It is designed to preserve anonymity by providing signed tokens to the user after completing a CAPTCHA. These tokens can be redeemed at a later time, which means that they are a medium for storing proof-of-work. They can be traded or shared, similar to cash, therefore, during redemption, the edge server (assuming Cloudflare) will know that the token was generated and signed before, but is unable to directly determine who is using them.
It is not designed to deter bots, that would be the job of CAPTCHAs.
The Privacy Pass team provided more details about the protocol located in the URL below.