Does Privacy Pass Protect One's Privacy?

eNZymOrTHe · March 17, 2021, 2:10pm

Does any one have an experience and/or thoughts about privacy pass

Recently using tor, I tried to view a site that was hosted by cloudfare and I could not see. The cloudfare notice said privacy pass was needed.

At first blush it seems to protect the user’s privacy but I would be interested in others’ thoughts.

maximilian · March 17, 2021, 2:16pm

"Cloudflare is probably especially familiar to the Tor users among you, who are constantly harassed by CAPTCHAs. If Cloudfare has its way, then the annoying CAPTCHAs or the question whether you are a bot belong to the past.

Cloudflare has THE solution: The Privacy Pass addon for Chrome and Firefox!

Sure, now the user should install a browser addon to “prove” that he is not a bot? There’s something seriously wrong with the Internet. Tor users should keep their hands off such addons anyway, as the risk of deanonymization increases immensely.

Thanks Fabian!

Translated with www.DeepL.com/Translator (free version)"

JCAnO · March 19, 2021, 1:39am

I agree with the reply above: using TOR is typically for more than privacy… it is really for anonymity. When going for anonymity, you don’t really want to take any chances with such add-ons. Projects like Tails exit to give you a complete environment where TOR can run to ensure maximum anonymity, the more you stray from the environment, the less protection you may have with TOR.

Small word about bot detection: most CDNs have their own bot detection solutions that many business opt to use (whether it is Cloudflare, Akamai, etc). Some companies are even building their own home grown solutions. Most of these bot detection solutions are just a few layers of detection and blocking. They try to profile the user connection by looking at the origin IP, where the traffic comes from, which ISP it is, etc. Then they try to profile the user-agent (browser, OS, device, etc) with the aid of some advanced Javascript. They will see what screen resolution you have, mouse movement, how fast you type, etc. Based on all that, they will make a decision if you are a bot or not. Depending on the configuration for these sites, sometimes they will just not work when using TOR (or very strong privacy settings in browsers).

For me, when it comes to day to day use, I simply route my traffic to a VPN server. And I recently started using Decloudus DNS as my upstream DNS servers (I use Alpha inside browser DoH settings, Zulu for mobile DoT Private DNS settings, and Echo as upstream for my AdGuardHome for my home network). That set up works fairly well for more privacy for daily Internet use.

dcz · March 19, 2021, 6:50am

I didn’t know about this project before, thanks.

It uses the right tool to preserve anonymity. But the FAQ doesn’t provide an answer to one question: if it’s meant for legitimate users, what prevents it from being used by bots?

eNZymOrTHe · March 19, 2021, 1:19pm

A very good question.

I use Decloudus DNS in conjunction with algovpn on my mobile devices and selective machines. I have one vpn that blocks out google and another, for those instances where I might need it, lets google through.

JCAnO · March 19, 2021, 2:45pm

I assume you are asking how TOR/Tails prevent bots. The answer is that they do not and honestly, they should not. If they were to add mechanisms to know who is a bot and who is not, it would start to erode the anonymity guarantees in place… and then there will be ways for bots to defeat these mechanisms… and then they would have to implement even more anonymity-intrusive ways to counter. It would essentially be a downward spiral for the main purpose and goal of TOR.

So I can tell you many bots do indeed use TOR. Many hackers also use TOR. These are abuse cases that the project has to unfortunately live with for the sake of all the good the project does to combat online censorship, oppressive governments, freedom of press, surveillance programs, etc.

As a user, when you get a TOR identity and you find some sites are blocking you, it is probably because you were assigned an IP address that was abused by bots and hackers. Sometimes it helps to get a new identity/IP address. But that mostly depends on the sites you are trying to access and how they are tuned to handle TOR traffic. Some sites let you in, others may give you a CAPTCHA challenge, and others may just flat out block you.

That sounds like a great elaborate setup!

dcz · March 19, 2021, 3:08pm

Nope, I’m asking how privacy pass prevents bots from using its captcha bypass.

eNZymOrTHe · March 19, 2021, 3:22pm

It works really well. I tear down and rebuild the vpn every month so I get new ip addresses as well.

dallas87 · March 19, 2021, 7:42pm

Is Decloundus DNS better than having a personal VPN with pihole and dnscrypt proxy?

eNZymOrTHe · March 19, 2021, 7:59pm

I use DeCloudus in combination with a personal vpn: Algo vpn uses dnscrypt proxy with DeCloudus as my dns resolver. In addition to Google, DeCloudus blocks online trackers and advertising, etc. The combination is really quite easy to set up; it takes about 5 minutes to run. Algo vpn produces qr codes for the clients so installing it on mobile devices is trivial.

dallas87 · March 19, 2021, 8:12pm

Than make sense then as Decloudus without a VPN it may be a worst solution that giving to the ISP [only to them actually, probably] your DNS requests. But beeing behind a VPN makes it more private.

Am I understanding this correctly ?

eNZymOrTHe · March 19, 2021, 8:19pm

Yes, because I have the vpn server hosted in the cloud, my ISP only sees the vpn connection to an ever changing IP address.

JCAnO · March 20, 2021, 3:51pm

DNS privacy and VPN are not dependent on each other. They can certainly be combined, but they serve slightly different purposes depending on the level of privacy you want.

Privacy DNS (like Decloudus) will ensure your DNS traffic is encrypted. It will block ads, trackers, etc. Decloudus also emphasizes that there are no logs, so there is no way Decloudus can associate your DNS queries to you. That’s a must-have-requirement for any DNS provider I use.

As others noted, a VPN will hide all of your traffic from ISP. When using Decloudus, your ISP will not see your DNS traffic, but the ISP will still know the IPs you are connecting to. For example, your ISP will not see that visited forums.puri.sm URL, BUT they will see you connected to IP address 138.201.228.33, which then maybe used to know what site your actually visited (through reverse DNS lookups… but who knows if ISPs do that or not)

I have devices that just use Decloudus DNS and other devices that use both Decloudus and a VPN. For example, I have gaming console, kids tablet, etc with internet traffic that I don’t care if the ISP knows about. But, I do want my DNS traffic to be private and I do want to block ads, trackers, and such. So using Decloudus DNS is enough for my privacy needs there.

I have other devices where not only I want to have DNS privacy, block google, ads, trackers, etc… but I also don’t want the ISP to know what IPs I am connecting to. So I route the traffic for these devices to VPN also.

So depending on the specific privacy needs you have, Decloudus can be good enough on its own or add a VPN to the mix for even more privacy from your ISP.

eNZymOrTHe · March 20, 2021, 3:58pm

Very nice explanation!

dallas87 · March 20, 2021, 4:32pm

That’s what I tried to say. I can’t see DNS as a privacy feature. Yes, using some custom DNS you have options like parental control, ad blocking… but you don’t have privacy.

Lets assume you’ll use DoH or DoT but for me it does not matter (actually it is) if i’m giving my sites visited to isp or other company (prefer to my isp, as it is not so centtalized as other big companies)

Words like “no logs” for me makes no sanse (vpns providers same) as there is no way you can actually check, verify, audit that (that means you just need to trust them and I don’t)

eNZymOrTHe · March 20, 2021, 4:54pm

In my case, it is a vpn that I spin up and destroy every month so I know there are no logs.

PX.6f3-EX-h.D7.UD_wh · March 23, 2021, 12:38am

Here is a summary of my interpretation of Privacy Pass so far.

Currently, to use the protocol, it is required to use the browser plugin. It is under a BSD license, located at the URL below.

There is also TCP server code, maintained by the Privacy Pass team, located at the URL below.

It is in the process of being standardized by the IETF. The CDN currently supporting Privacy Pass is Cloudflare.

It is designed to preserve anonymity by providing signed tokens to the user after completing a CAPTCHA. These tokens can be redeemed at a later time, which means that they are a medium for storing proof-of-work. They can be traded or shared, similar to cash, therefore, during redemption, the edge server (assuming Cloudflare) will know that the token was generated and signed before, but is unable to directly determine who is using them.

It is not designed to deter bots, that would be the job of CAPTCHAs.

The Privacy Pass team provided more details about the protocol located in the URL below.

github.com

privacypass/challenge-bypass-extension/blob/master/docs/PROTOCOL.md

# Overview of protocol

We give a short, cryptographic overview of the protocol written by George Tankersley. Our construction is based on the concept of a Verifiable, Oblivious Pseudorandom Function (VOPRF) related closely to the ROM realization of 2HashDH-NIZK from the \[JKK14\] with the addition of a batch NIZK proof. This VOPRF construction is currently in the process of standardization, and the latest draft can be found [here](https://tools.ietf.org/html/draft-irtf-cfrg-voprf).

## Introduction

The solution that we develop here is a protocol between a user, a challenger and an edge server. The edge server proxies user requests for a protected origin and refers the user to the challenger if the request is deemed to be (potentially) malicious. The challenger serves a CAPTCHA to the user. If the user solves the CAPTCHA, then the challenger issues a batch of signed tokens to the user. A user possessing signed tokens may attempt to redeem them with the edge instead of solving a challenge. If the edge verifies that a redemption pass contains a token signed by the challenger that has not already been spent, then the edge allows the connection through to the origin.

## Preliminaries

-   A message authentication code ("MAC") on a message is a keyed authentication tag that can be only be created and verified by the holder of the secret key.
-   A pseudorandom function is a function whose output cannot be efficiently distinguished from random output. This is a general class of functions; concrete examples include hashes and encryption algorithms.
-   An oblivious pseudorandom function ("OPRF") is a generalization of blind signatures. Per Jarecki, it's a two-party protocol between sender S and receiver R for securely computing a pseudorandom function `f_x(·)` on key `x` contributed by S and input `t` contributed by R, in such a way that receiver R learns only the value `f_x(t)` while sender S learns nothing from the interaction.
    -   In this protocol, the edge is the "sender" holding `x` and the inputs `t` are the tokens. So the clients don't learn our key and we don't learn the real token values until they're redeemed.
-   Furthermore, a verifiable OPRF is one where the sender supplies a proof that the function was evaluated correctly.


## Protocol description

We detail a 'blind-signing' protocol written by the Privacy Pass team using an OPRF to construct per-pass shared keys for a MAC over each redemption request. This hides the token values themselves until redemption and obviates the need for public key encryption. This protocol subsumes the blind-RSA protocol that was described in earlier releases of the protocol specification.

This file has been truncated. show original