Wave goodbye to CloudFlare Captchas: Cloudflare Privacy Pass lands

Martin Brinkmann
Sep 18, 2017
Updated • Nov 10, 2017

If you connect to the Tor network or VPN services regularly, you may have noticed an increase in CloudFlare captcha challenges whenever you are connected to these networks.

Depending on which sites you visit, to which network you are connected, and how the site is configured, you may need to solve captchas quite often, and sometimes on any page you open on that particular site.

This is obviously not desirable as you spend more time solving captchas than browsing the site in question.

I reviewed the Firefox add-on CloudHole back in 2016 which promised to reduce the number of CloudFlare captchas by storing user agent and clearance cookie information so that they may be reused in future challenges. The extension is still available, and it appears to work just fine.

Cloudflare Privacy Pass


Cloudflare Privacy Pass is an official extension for Firefox and Chrome that has been designed for the same purpose. The browser extension uses a different system though, as it takes advantage of CloudFlare's Challenge Bypass Specification.

The specification "has been developed to allow bypassing challenge pages using signed tokens that guarantee anonymity to the user". Basically, it is designed to reduce the number of challenges that are thrown on devices connected to the Tor network or VPN services without leaking identity information.

Cloudflare Privacy Pass works silently in the background for the most part. It lets you bypass CloudFlare challenge pages if a valid solution has already been submitted during the session.

The extension generates cryptographically "blinded" tokens that are signed by Cloudflare's edge when a CAPTCHA is solved. These tokens are "unblinded" and stored by the extension for future use; they are redeemed automatically when a future challenge page is seen. The "blinding" procedure means that signed and redeemed tokens are cryptographically unlinkable from Cloudflare's perspective and, as such, are suitable for usage in conjunction with external anonymity measures (such as Tor/VPNs).
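
The blind, sign, unblind and redeem steps described above, as an added Python sketch that is not code from the extension or from Cloudflare. It uses textbook RSA blind signatures as a stand-in for whatever construction the extension implements; the key is a constructed toy key and all function names are hypothetical.

```python
import hashlib, math, secrets

# Constructed toy RSA key for the "edge". The factors are well-known Mersenne
# primes, so this key is for demonstration only and offers no security.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private signing exponent, edge only

def fdh(token: bytes) -> int:
    """Hash a token into the range [0, N)."""
    return int.from_bytes(hashlib.shake_256(token).digest(160), "big") % N

# Client (extension) side
def blind(token: bytes):
    """Hide the token hash behind a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (fdh(token) * pow(r, E, N)) % N, r

def unblind(blind_sig: int, r: int) -> int:
    """Strip r from the edge's reply, leaving a signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N

# Edge side
def sign_blinded(blinded: int) -> int:
    """Run after a solved CAPTCHA; the edge only ever sees the blinded value."""
    return pow(blinded, D, N)

def redeem(token: bytes, sig: int) -> bool:
    """Check a presented pass using the public key only."""
    return pow(sig, E, N) == fdh(token)

def demo():
    token = secrets.token_bytes(32)            # random token chosen by the client
    blinded, r = blind(token)
    blind_sig = sign_blinded(blinded)
    sig = unblind(blind_sig, r)
    seen_at_issue = {blinded, blind_sig}       # everything the edge saw when signing
    # Neither value presented at redemption appears in the issuance record;
    # because r is uniformly random, the two views cannot be matched up.
    disjoint = fdh(token) not in seen_at_issue and sig not in seen_at_issue
    return redeem(token, sig), redeem(token, blind_sig), disjoint

if __name__ == "__main__":
    print(demo())
```

The second value returned by `demo()` shows that the still-blinded signature does not verify against the token, which is why the unblinding step is required before redemption.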

The extension is available for Firefox and Google Chrome. It installs fine in the Tor Browser, but I'm not 100% sure it works in that browser right now as it is provided as a WebExtension.

While it installed fine, I had trouble getting any site to throw a captcha while using the Tor browser (go figure).

Anyway, if you use Tor or a VPN regularly and are exposed to an ungodly number of challenge captchas, you may want to give this extension a try as it may help reduce the number of captchas per browsing session significantly.

Update: The extension has been pulled. Privacy Pass is a new extension that offers similar functionality.


Comments

  1. John Navas said on October 30, 2019 at 2:55 am

    Works great in Chrome, although only on CloudFlare Captchas.
    Just be sure to use the extension menu to Get Passes in advance.

  2. wexafig said on September 26, 2017 at 12:22 am
    1. Martin Brinkmann said on September 26, 2017 at 5:41 am

      Thank you, I have updated the article to reflect the name change, and added the link.

  3. sonya18.2 said on September 22, 2017 at 10:00 am

    anybody grab it before it got yanked?

    1. Ali Sofyan Nasution said on September 22, 2017 at 11:09 pm

      Same here. Would be glad if someone can share the xpi.

  4. Anonymous said on September 19, 2017 at 12:01 am

    Martin, captchas for Cloudflare have decreased dramatically way back in this year for Tor Browser users (if your user agent isn’t that of the Tor Browser and you connect using Tor then you’ll get a captcha, you can test this yourself). In fact, I rarely see them these days so this extension is at best unnecessary.

  5. Yuliya said on September 18, 2017 at 9:51 pm

    Here’s a tip: there are two kinds of challenges for reCAPTCHA v2 which you’ll often encounter (there are more, but their occurrence frequency ranges from once every week to only screenshots seen on the internet).

    Anyway, here are screenshots: https://imgur.com/a/9XSdJ

    Note the wording:
    Easy one: Select all squares with […] If there are none, click skip
    Difficult one: Select all images with […] Click verify once there are none left

    On the easy one the lower right button also says “Skip”, instead of “Verify”. If you get the bad one simply click that refresh icon on lower left until you get the good captcha. You usually are allowed on sites after completing only one of those (worst case is two) and it’s a lot easier and faster as it’s just a grid with checkboxes.

    The difficult one is with the b/s fading images, where it sometimes takes more than a second just to load a new image (one of those 3×3 small thumbnails I mean) and you have to complete four or five sometimes.

    tl;dr: click lower left refresh button (two, three times) until you get the easy captcha

  6. CHEF-KOCH said on September 18, 2017 at 8:59 pm

    I can’t recommend this extension, due to the simple reason that this will weaken your security setup. CAPTCHAs are there to reveal who you really are.

    https://blog.torproject.org/trouble-cloudflare
    https://developers.google.com/recaptcha/docs/verify
    https://news.ycombinator.com/item?id=12122268

  7. 424 said on September 18, 2017 at 6:50 pm

    >This add-on has been removed by its author.
    Huh?

    1. Martin Brinkmann said on September 18, 2017 at 9:22 pm

      Wonder why they have done so?

  8. 424 said on September 18, 2017 at 6:50 pm

    >This add-on has been removed by its author.
    Huh?

  9. John said on September 18, 2017 at 11:56 am

    Hi Martin,

    Just an off-topic question. What do you think of BleachBit? Do you think it’s as effective as CCleaner? And a request/suggestion: what do you think of a review of it here? I searched on your site and only found an article mentioning it in 2010.

    The reason: I’m using CCleaner and, besides the fact that they started to remove the slim package in the builds page[1], the program is causing problems with Firefox 55 and beyond: if you clear Firefox data with it, some of your bookmarks favicons are being lost[2]. I’m looking for an alternative, and maybe BleachBit is the one.

    I guess that could be one of the side effects of Piriform being bought by Avast appearing already. Needless to say, I’m looking for an alternative.

    [1] https://www.piriform.com/ccleaner/builds
    [2] https://support.mozilla.org/en-US/questions/1172862#answer-1000231

    1. Martin Brinkmann said on September 20, 2017 at 6:03 pm

      John, Slim packages are back on the download page.

    2. Martin Brinkmann said on September 18, 2017 at 12:10 pm

      John, the latest release 5.34 fixed the favicon issue according to the release announcement page: http://www.piriform.com/news/release-announcements/2017/9/12/ccleaner-v534

      I have to admit that I have not run Bleachbit in a long while. The program has a couple of things going for it, one being that it is open source. It is not the complete package that CCleaner is, but that is often not what you need anyway.

      Why don’t you give it a try and see how it goes? You can integrate CCEnhancer into Bleachbit, so that is definitely a plus.

      1. John said on September 18, 2017 at 12:18 pm

        I installed CCleaner 5.34 today and the problem is still happening, although I should mention that I’m using Firefox 57.

        Can you reproduce this issue with the stable or nightly?

        Anyway, I will give BleachBit a try. Thanks!

      2. Martin Brinkmann said on September 18, 2017 at 12:58 pm
  10. Clairvaux said on September 18, 2017 at 8:36 am

    That’s interesting, but I would be wary of using an extension not vetted by Tor (and therefore not bundled with the software).
