by shaicoleman 1495 days ago
A workaround is to install the Privacy Pass extension to bypass the captchas [1] [2]

It's an open source extension available for Chrome and Firefox. It allows you to privately identify that you're human, and is in the process of going through IETF standardisation, so hopefully someday you won't need to install an extension for it. After you complete a captcha once, you won't need to do it again for a long time.

I'm not happy about installing extensions just to view some websites, but it'll make things less painful

1. https://privacypass.github.io/

2. https://support.cloudflare.com/hc/en-us/articles/11500199265...


Deanonymizing yourself just to appease cloudflare is not a valid solution. Any website should work in any browser out of the box. If they don't, the website is broken.
"The blind signing procedure ensures that passes that are redeemed in the future are not feasibly linkable to those that are signed. We use a privacy-preserving cryptographic protocol based on ‘Verifiable, Oblivious Pseudorandom Functions’ (VOPRFs) built from elliptic curves to enforce unlinkability. The protocol is exceptionally fast and guarantees privacy for the user. As such, Privacy Pass is safe to use for those with strict anonymity restrictions."

1. https://privacypass.github.io/

> Deanonymizing yourself just to appease cloudflare is not a valid solution

I'm not claiming it is a valid solution, I'm just sharing a possible workaround.

Unless you're a mathematician or a cryptographer who's qualified to verify these claims, I think all of this amounts to "trust us."
You have to trust a whole lot of companies to get onto and use the Internet. Or just use everyday technology. I don't see why this is different.
> You have to trust a whole lot of companies to get onto and use the Internet.

Obviously, I wouldn't dream of asserting otherwise. My point is that for the vast majority of the population, a paragraph of technogibberish about cryptography doesn't fundamentally change anything, you're still reliant on trust. To most people, that paragraph is worth about as much as a basic promise. The worth of that statement is derived from whatever trust is had in the corporation and the ability of academics and regulators to stay on the ball and keep corporations in check.

If somebody who isn't a cryptographer has decided not to trust Cloudflare and not to trust the rest of society to keep a company like Cloudflare in check, then that whole explanation isn't worth much. It boils down to saying "Just trust me" in response to somebody who just said "I don't trust you."

I searched around a bit, and the only thing I found was the EFF not complaining about it when mentioning it while talking about something else [0]:

> This proposal is based on Privacy Pass, a privacy-preserving and frustration-reducing alternative to CAPTCHAs.

So I guess that’s good-ish?

[0]: https://www.eff.org/tr/deeplinks/2019/08/dont-play-googles-p...

That extends to pointing out that trust is required. When it's the default state of things, what use is pointing it out going to bring?

I made an obvious point because it's strange to bring up that something on the internet requires trust. Because of course it does.

Sorry, can I get a layman's translation? What prevents websites from using Privacy Pass to track user behavior? (Beyond determining who is and is not a bot.)
Basically, you fill a captcha once, and that gives 30 anonymous one-time-use tokens which are stored on the browser. The cryptography used ensures that there's no way to associate the one-time tokens between each other or back to the original captcha. Redeeming the token proves that you've already filled a captcha, and will bypass the captcha for that session.
Cloudflare is the one putting up the captcha-wall and deciding whether to forward your request to the destination site. Your browser sends Cloudflare a token, then if Cloudflare accepts the token, it forwards your request. The destination site does not see the token and so cannot use it to track you.

Since Cloudflare does see the token, it's reasonable to consider whether Cloudflare could deanonymize you across different sites. Privacy Pass uses cryptography that claims to prevent that.
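An added example, not code from the Privacy Pass project, Cloudflare, or anyone in this thread, showing the flow the two comments above describe: the client hashes a fresh random token into the group, blinds it, the issuer raises the blinded point to its secret key and attaches a Chaum-Pedersen DLEQ proof against its published key, the client checks the proof and unblinds, and later redeems the token exactly once. To stay dependency-free it uses a 128-bit Schnorr group modulo a safe prime instead of the elliptic curve the real protocol uses; the group size, the batch of 30, the hash domain strings and every name below are assumptions of this example.

```python
"""Toy Privacy Pass-style token issuance and redemption on a verifiable OPRF (added example)."""
import hashlib
import os
import random

_sys = random.SystemRandom()


def _probable_prime(n, rounds=16):
    """Miller-Rabin with fixed small witnesses; assumes n > 2**16. Good enough for toy parameters."""
    if n < 2 or any(n % sp == 0 and n != sp for sp in (2, 3, 5, 7, 11, 13, 17, 19)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in random.Random(0xC0FFEE).sample(range(2, 1 << 16), rounds):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits, seed=1):
    """Deterministically find p = 2q + 1 with p and q prime (seeded so the example is reproducible)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | 1 << (bits - 2) | 1
        if _probable_prime(q) and _probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = _safe_prime(128)  # toy size; the real protocol works in a 256-bit elliptic-curve group
G = 4                    # a square mod p, hence a generator of the order-q subgroup of residues


def hash_to_group(token):
    """Hash a token to a residue whose discrete log nobody knows: x in [2, p-2], return x^2 mod p.
    (Using g^hash(t) instead would let anyone compute H(t)^k from the public key Y = g^k alone.)"""
    h = int.from_bytes(hashlib.sha256(b"h2g|" + token).digest(), "big")
    return pow(h % (P - 3) + 2, 2, P)


def _challenge(*elems):
    """Fiat-Shamir challenge for the DLEQ proof, bound to every group element involved."""
    data = b"".join(e.to_bytes((P.bit_length() + 7) // 8, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(b"dleq|" + data).digest(), "big") % Q


class Issuer:
    """The CDN's side: secret key k, published Y = g^k, signs blinded points, checks redemptions."""

    def __init__(self):
        self.k = _sys.randrange(1, Q)
        self.public_key = pow(G, self.k, P)
        self.spent = set()

    def sign(self, blinded, key=None):
        """Return Z = B^k plus a Chaum-Pedersen proof that log_g(Y) == log_B(Z).
        `key` exists only so a test can model an issuer quietly using a per-user key."""
        k = self.k if key is None else key
        z, a = pow(blinded, k, P), _sys.randrange(1, Q)
        c = _challenge(G, self.public_key, blinded, z, pow(G, a, P), pow(blinded, a, P))
        return z, (c, (a - c * k) % Q)

    def redeem(self, token, sig):
        """Accept (t, H(t)^k) once. During signing the issuer only ever saw H(t)^r for a secret r,
        so nothing here links the redemption back to the captcha session that produced it."""
        if token in self.spent or pow(hash_to_group(token), self.k, P) != sig:
            return False
        self.spent.add(token)
        return True


class Client:
    """The browser extension: blinds fresh tokens, verifies the proof, unblinds, stores."""

    def __init__(self, issuer_public_key, count=30):
        self.pk, self.count, self.pending, self.tokens = issuer_public_key, count, [], []

    def blind(self):
        """Make `count` random tokens; send H(t)^r with a fresh secret r per token."""
        self.pending = [(os.urandom(32), _sys.randrange(1, Q)) for _ in range(self.count)]
        return [pow(hash_to_group(t), r, P) for t, r in self.pending]

    def unblind(self, blinded, responses):
        """Check every DLEQ proof against the published key, then unblind with r^-1 mod q.
        One bad proof rejects the whole batch: those tokens might carry a user-specific key."""
        for (t, r), b, (z, (c, s)) in zip(self.pending, blinded, responses):
            a_g = pow(G, s, P) * pow(self.pk, c, P) % P
            a_b = pow(b, s, P) * pow(z, c, P) % P
            if _challenge(G, self.pk, b, z, a_g, a_b) != c:
                self.tokens = []
                return False
            self.tokens.append((t, pow(z, pow(r, -1, Q), P)))
        return True


def run_session(count=30, dishonest_key=None):
    """One captcha solve -> `count` tokens -> redeem one token twice.
    Returns (batch_accepted, first_redeem_ok, replay_ok)."""
    issuer = Issuer()
    client = Client(issuer.public_key, count)
    blinded = client.blind()
    if not client.unblind(blinded, [issuer.sign(b, dishonest_key) for b in blinded]):
        return False, None, None
    t, sig = client.tokens.pop()
    return True, issuer.redeem(t, sig), issuer.redeem(t, sig)


def forged_token_accepted():
    """Without k, the best an attacker can build from Y = g^k is Y^x, which is not H(t)^k."""
    issuer, t = Issuer(), os.urandom(32)
    return issuer.redeem(t, pow(issuer.public_key, 12345, P))
```

The DLEQ check is what the "verifiable" in VOPRF buys for the tracking question raised above: an issuer that tried to tag one user by signing their batch under a different key would produce proofs that fail against the single published key, so the client throws the batch away. Replay is caught by the issuer's `spent` set; any real issuer needs an equivalent store of redeemed tokens per signing key.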

> If they don't, the website is broken.

The Internet is a network with social effects. Whether "this didn't work" means "the website is broken" or "the browser is broken" has always been more about end-user experience and the wisdom of crowds than a more concrete definition.

A website broken only on Firefox works for 96.5% of users. I have personally had to make the hard judgment call (as a fan of Firefox!) to not spend 25% of our engineering debugging time on a problem only 3.5% of users encounter.

Right, so you accepted that your website was broken. That can be a valid business decision, but that doesn't make it broken.

Try this analogy: Most people have functional legs, so why install a ramp? 99% of your users can access your property, so who cares, right?

> Most people have functional legs, so why install a ramp? 99% of your users can access your property, so who cares, right?

People without functional legs can't simply decide to walk up some steps.

People who use Firefox can simply decide to use Chrome.

To be more direct; what's your definition of "broken"? Is it that it doesn't work for you in the manner that you'd like?

It seems as though capitalism has little room for craftsmanship as a virtue. The only value becomes the dollar value, people see no shame in shoddy workmanship so long as it's profitable.
The way I see it, Firefox's reputation for craftsmanship is unearned. The only time it crosses my desk as a site developer is people filing browser-specific bug reports for it. Its engine does not, in general, benchmark as performant as either Chrome's or Safari's on our site. It's certainly not beating them by enough percentage points for me to suggest people switch to it for performance.

Mozilla has had more time to work on this problem space than their competitors, and they don't have the technical advantage to show for it. They may have been the technologically better choice in the Browser Wars era of Internet Explorer, but nowadays? They're falling down on the technical merits, not just the network effects.

It's free and it's widely available. If they were better than the alternatives more people would switch to them but they're not.

That's too bad. If you didn't make that call it would probably have larger market share. What you've done actually feeds in to the problem.
But that's the issue. It's not my problem. My problem is maximizing the user experience for most of my users, and that involves squashing usability bugs common to all browsers and adding features that have been requested, not keeping up with the Gecko quirks-du-jour.

(Speaking of "quirks-du-jour", the problem eventually "solved itself." The next major iteration of Firefox fixed a rendering regression and resolved the bug. We "solved" the problem spending zero eng-hours on it; you can't beat that for efficiency. But that's the challenge Mozilla faces as an also-ran: burden's on them to keep up with the competition and make their rendering agent on-par with other agents for both performance and strangeness, because they lack the market clout to make developers bend to their flaws and oddities. No matter who the front runner is, there are always flaws and oddities.)

So a tragedy of the commons?

See, it is your problem to offer something to the general public and then serve only the de facto monopolist instead of web standards. Because with each small compromise we each contribute to the problem until it reaches a breaking point. All the while those on the margins suffer, some with no real alternative.

For example, in poorer areas where they cannot afford a computer that runs Chrome (which has no LTS/ESR).

Some people simply have no sense of community or civic duty. Everything is all about them, all the time. If they stand to profit from antisocial behavior, they won't hesitate.
>Deanonymizing yourself just to appease cloudflare is not a valid solution. Any website should work in any browser out of the box. If they don't, the website is broken.

I totally agree with you. I think maybe an upper limit per IP (maybe a bit higher for Tor IPs) would be needed to prevent DoS type attacks.