Does Privacy Pass Protect One's Privacy?

Does any one have an experience and/or thoughts about privacy pass

Recently using tor, I tried to view a site that was hosted by cloudfare and I could not see. The cloudfare notice said privacy pass was needed.

At first blush it seems to protect the user’s privacy but I would be interested in others’ thoughts.

"Cloudflare is probably especially familiar to the Tor users among you, who are constantly harassed by CAPTCHAs. If Cloudfare has its way, then the annoying CAPTCHAs or the question whether you are a bot belong to the past.

Cloudflare has THE solution: The Privacy Pass addon for Chrome and Firefox!

Sure, now the user should install a browser addon to “prove” that he is not a bot? There’s something seriously wrong with the Internet. Tor users should keep their hands off such addons anyway, as the risk of deanonymization increases immensely.

Thanks Fabian!

Translated with (free version)"


I agree with the reply above: using TOR is typically for more than privacy… it is really for anonymity. When going for anonymity, you don’t really want to take any chances with such add-ons. Projects like Tails exit to give you a complete environment where TOR can run to ensure maximum anonymity, the more you stray from the environment, the less protection you may have with TOR.

Small word about bot detection: most CDNs have their own bot detection solutions that many business opt to use (whether it is Cloudflare, Akamai, etc). Some companies are even building their own home grown solutions. Most of these bot detection solutions are just a few layers of detection and blocking. They try to profile the user connection by looking at the origin IP, where the traffic comes from, which ISP it is, etc. Then they try to profile the user-agent (browser, OS, device, etc) with the aid of some advanced Javascript. They will see what screen resolution you have, mouse movement, how fast you type, etc. Based on all that, they will make a decision if you are a bot or not. Depending on the configuration for these sites, sometimes they will just not work when using TOR (or very strong privacy settings in browsers).

For me, when it comes to day to day use, I simply route my traffic to a VPN server. And I recently started using Decloudus DNS as my upstream DNS servers (I use Alpha inside browser DoH settings, Zulu for mobile DoT Private DNS settings, and Echo as upstream for my AdGuardHome for my home network). That set up works fairly well for more privacy for daily Internet use.

1 Like

I didn’t know about this project before, thanks.

It uses the right tool to preserve anonymity. But the FAQ doesn’t provide an answer to one question: if it’s meant for legitimate users, what prevents it from being used by bots?

A very good question.

I use Decloudus DNS in conjunction with algovpn on my mobile devices and selective machines. I have one vpn that blocks out google and another, for those instances where I might need it, lets google through.

I assume you are asking how TOR/Tails prevent bots. The answer is that they do not and honestly, they should not. If they were to add mechanisms to know who is a bot and who is not, it would start to erode the anonymity guarantees in place… and then there will be ways for bots to defeat these mechanisms… and then they would have to implement even more anonymity-intrusive ways to counter. It would essentially be a downward spiral for the main purpose and goal of TOR.

So I can tell you many bots do indeed use TOR. Many hackers also use TOR. These are abuse cases that the project has to unfortunately live with for the sake of all the good the project does to combat online censorship, oppressive governments, freedom of press, surveillance programs, etc.

As a user, when you get a TOR identity and you find some sites are blocking you, it is probably because you were assigned an IP address that was abused by bots and hackers. Sometimes it helps to get a new identity/IP address. But that mostly depends on the sites you are trying to access and how they are tuned to handle TOR traffic. Some sites let you in, others may give you a CAPTCHA challenge, and others may just flat out block you.

That sounds like a great elaborate setup!

Nope, I’m asking how privacy pass prevents bots from using its captcha bypass.

1 Like

It works really well. I tear down and rebuild the vpn every month so I get new ip addresses as well.

1 Like

Is Decloundus DNS better than having a personal VPN with pihole and dnscrypt proxy?

I use DeCloudus in combination with a personal vpn: Algo vpn uses dnscrypt proxy with DeCloudus as my dns resolver. In addition to Google, DeCloudus blocks online trackers and advertising, etc. The combination is really quite easy to set up; it takes about 5 minutes to run. Algo vpn produces qr codes for the clients so installing it on mobile devices is trivial.

Than make sense then as Decloudus without a VPN it may be a worst solution that giving to the ISP [only to them actually, probably] your DNS requests. But beeing behind a VPN makes it more private.

Am I understanding this correctly ?

Yes, because I have the vpn server hosted in the cloud, my ISP only sees the vpn connection to an ever changing IP address.

1 Like

DNS privacy and VPN are not dependent on each other. They can certainly be combined, but they serve slightly different purposes depending on the level of privacy you want.

Privacy DNS (like Decloudus) will ensure your DNS traffic is encrypted. It will block ads, trackers, etc. Decloudus also emphasizes that there are no logs, so there is no way Decloudus can associate your DNS queries to you. That’s a must-have-requirement for any DNS provider I use.

As others noted, a VPN will hide all of your traffic from ISP. When using Decloudus, your ISP will not see your DNS traffic, but the ISP will still know the IPs you are connecting to. For example, your ISP will not see that visited URL, BUT they will see you connected to IP address, which then maybe used to know what site your actually visited (through reverse DNS lookups… but who knows if ISPs do that or not)

I have devices that just use Decloudus DNS and other devices that use both Decloudus and a VPN. For example, I have gaming console, kids tablet, etc with internet traffic that I don’t care if the ISP knows about. But, I do want my DNS traffic to be private and I do want to block ads, trackers, and such. So using Decloudus DNS is enough for my privacy needs there.

I have other devices where not only I want to have DNS privacy, block google, ads, trackers, etc… but I also don’t want the ISP to know what IPs I am connecting to. So I route the traffic for these devices to VPN also.

So depending on the specific privacy needs you have, Decloudus can be good enough on its own or add a VPN to the mix for even more privacy from your ISP.


Very nice explanation!

1 Like

That’s what I tried to say. I can’t see DNS as a privacy feature. Yes, using some custom DNS you have options like parental control, ad blocking… but you don’t have privacy.

Lets assume you’ll use DoH or DoT but for me it does not matter (actually it is) if i’m giving my sites visited to isp or other company (prefer to my isp, as it is not so centtalized as other big companies)

Words like “no logs” for me makes no sanse (vpns providers same) as there is no way you can actually check, verify, audit that (that means you just need to trust them and I don’t)

In my case, it is a vpn that I spin up and destroy every month so I know there are no logs.

1 Like

Here is a summary of my interpretation of Privacy Pass so far.

Currently, to use the protocol, it is required to use the browser plugin. It is under a BSD license, located at the URL below.

There is also TCP server code, maintained by the Privacy Pass team, located at the URL below.

It is in the process of being standardized by the IETF. The CDN currently supporting Privacy Pass is Cloudflare.

It is designed to preserve anonymity by providing signed tokens to the user after completing a CAPTCHA. These tokens can be redeemed at a later time, which means that they are a medium for storing proof-of-work. They can be traded or shared, similar to cash, therefore, during redemption, the edge server (assuming Cloudflare) will know that the token was generated and signed before, but is unable to directly determine who is using them.

It is not designed to deter bots, that would be the job of CAPTCHAs.

The Privacy Pass team provided more details about the protocol located in the URL below.

1 Like