Wave goodbye to CloudFlare Captchas: Cloudflare Privacy Pass lands
If you connect to the Tor network or VPN services regularly, you may have noticed an increase in CloudFlare captcha challenges whenever you are connected to these networks.
Depending on which sites you visit, to which network you are connected, and how the site is configured, you may need to solve captchas quite often, and sometimes on any page you open on that particular site.
This is obviously not desirable as you spend more time solving captchas than browsing the site in question.
I reviewed the Firefox add-on CloudHole back in 2016 which promised to reduce the number of CloudFlare captchas by storing user agent and clearance cookie information so that they may be reused in future challenges. The extension is still available, and it appears to work just fine.
Cloudflare Privacy Pass
Cloudflare Privacy Pass is an official extension for Firefox and Chrome that has been designed for the same purpose. The browser extension uses a different system though, as it takes advantage of CloudFlare's Challenge Bypass Specification.
The specification "has been developed to allow bypassing challenge pages using signed tokens that guarantee anonymity to the user". Basically, what it is designed to do is reduce the number of challenges that are thrown on devices connected to the Tor network or VPN services without leaking identity information.
Cloudflare Privacy Pass works silently in the background for the most part. It lets you bypass CloudFlare challenge pages if a valid solution has already been submitted during the session.
The extension generates cryptographically "blinded" tokens that are signed by Cloudflare's edge when a CAPTCHA is solved. These tokens are "unblinded" and stored by the extension for future use; they are redeemed automatically when a future challenge page is seen. The "blinding" procedure means that signed and redeemed tokens are cryptographically unlinkable from Cloudflare's perspective and, as such, are suitable for usage in conjunction with external anonymity measures (such as Tor/VPNs).
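The blind, sign, unblind and redeem flow described above, as an added Python example that is not the extension's code: it swaps in textbook RSA blind signatures with a constructed toy key rather than the extension's own scheme, and every function name is hypothetical. The last function shows why issuance and redemption cannot be linked.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key built from two Mersenne primes: trivially
# factorable, for illustration only. A real issuer uses a proper key.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent


def digest(token: bytes) -> int:
    """Map a token to an integer mod N (full-domain-hash stand-in)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes):
    """Client: hide the token digest behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return digest(token) * pow(r, E, N) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer (edge): sign the blinded value after a solved CAPTCHA."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Client: strip r, leaving an ordinary signature on the token."""
    return blind_sig * pow(r, -1, N) % N


def redeem(token: bytes, sig: int) -> bool:
    """Issuer: accept a pass if the signature verifies on the token."""
    return pow(sig, E, N) == digest(token)


def explaining_factor(blinded: int, token: bytes) -> int:
    """Unlinkability check: for ANY logged blinded value and ANY
    redeemed token there is a factor r that connects them, so the
    issuance log cannot single out which request produced a pass."""
    return pow(blinded * pow(digest(token), -1, N) % N, D, N)
```

Because every pairing of a logged blinded value with a redeemed token has a valid blinding factor, the issuer's records fit all pairings equally well.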
The extension is available for Firefox and Google Chrome. It installs fine in the Tor Browser, but I'm not 100% sure it works in that browser right now as it is provided as a WebExtension.
While it installed fine, I had trouble getting any site to throw a captcha while using the Tor browser (go figure).
Anyway, if you use Tor or a VPN regularly and are exposed to an ungodly number of challenge captchas, you may want to give this extension a try as it may help reduce the number of captchas per browsing session significantly.
Update: The extension has been pulled. Privacy Pass is a new extension that offers similar functionality.
That’s interesting, but I would be wary of using an extension not vetted by Tor (and therefore not bundled with the software).
Just an off-topic question. What do you think of BleachBit? Do you think it’s as effective as CCleaner? And a request/suggestion: what do you think of a review of it here? I searched on your site and only found an article mentioning it in 2010.
The reason: I’m using CCleaner and, besides the fact that they started to remove the slim package in the builds page, the program is causing problems with Firefox 55 and beyond: if you clear Firefox data with it, some of your bookmarks favicons are being lost. I’m looking for an alternative, and maybe BleachBit is the one.
I guess that could be one of the side effects of Piriform being bought by Avast appearing already. Needless to say, I’m looking for an alternative.
John, the latest release 5.34 fixed the favicon issue according to the release announcement page: http://www.piriform.com/news/release-announcements/2017/9/12/ccleaner-v534
I have to admit that I have not run Bleachbit in a long while. The program has a couple of things going for it, one being that it is open source. It is not the complete package that CCleaner is, but that is often not what you need anyway.
Why don’t you give it a try and see how it goes? You can integrate CCEnhancer into Bleachbit, so that is definitely a plus.
I installed CCleaner 5.34 today and the problem is still happening, although I should mention that I’m using Firefox 57.
Can you reproduce this issue with the stable or nightly?
Anyway, I will give BleachBit a try. Thanks!
John, check this out: https://www.ghacks.net/2017/09/18/ccleaner-compromised-better-check-your-pc/
John, Slim packages are back on the download page.
>This add-on has been removed by its author.
>This add-on has been removed by its author.
Wonder why they have done so?
I can’t recommend this extension, due to the simple reason that this will weaken your security setup. CAPTCHAs are there to reveal who you really are.
Here’s a tip: there are two kinds of challenges for reCAPTCHA v2 which you’ll often encounter (there are more, but their occurrence frequency ranges from once every week to only screenshots seen on the internet).
Anyway, here are screenshots: https://imgur.com/a/9XSdJ
Note the wording:
Easy one: Select all squares with […] If there are none, click skip
Difficult one: Select all images with […] Click verify once there are none left
On the easy one the lower right button also says “Skip”, instead of “Verify”. If you get the bad one simply click that refresh icon on lower left until you get the good captcha. You usually are allowed on sites after completing only one of that (worst case is two) and it’s a lot easier and faster as it’s just a grid with checkboxes.
The difficult one is with the b/s fading images which sometimes it takes more than a second to just load a new image (one of those 3×3 small thumbnails I mean) and you have to complete four or five sometimes.
tl;dr: click lower left refresh button (two, three times) until you get the easy captcha
Martin, captchas for Cloudflare have decreased dramatically way back in this year for Tor Browser users (if your user agent isn’t that of the Tor Browser and you connect using Tor then you’ll get a captcha, you can test this yourself). In fact, I rarely see them these days so this extension is at best unnecessary.
anybody grab it before it got yanked?
Same here. Would be glad if someone can share the xpi.
They renamed it to Cloudflare Privacy Pass
Thank you, I have updated the article to reflect the name change, and added the link.
Works great in Chrome, although only on CloudFlare Captchas.
Just be sure to use the extension menu to Get Passes in advance.