Wave goodbye to CloudFlare Captchas: Cloudflare Privacy Pass lands - gHacks Tech News

Wave goodbye to CloudFlare Captchas: Cloudflare Privacy Pass lands

If you connect to the Tor network or VPN services regularly, you may have noticed an increase in CloudFlare captcha challenges whenever you are connected to these networks.

Depending on which sites you visit, to which network you are connected, and how the site is configured, you may need to solve captchas quite often, and sometimes on any page you open on that particular site.

This is obviously not desirable as you spend more time solving captchas than browsing the site in question.

I reviewed the Firefox add-on CloudHole back in 2016 which promised to reduce the number of CloudFlare captchas by storing user agent and clearance cookie information so that they may be reused in future challenges. The extension is still available, and it appears to work just fine.

Cloudflare Privacy Pass


Cloudflare Privacy Pass is an official extension for Firefox and Chrome that has been designed for the same purpose. The browser extension uses a different system though, as it takes advantage of CloudFlare's Challenge Bypass Specification.

The specification "has been developed to allow bypassing challenge pages using signed tokens that guarantee anonymity to the user". Basically, it is designed to reduce the number of challenges that are thrown on devices connected to the Tor network or VPN services without leaking identity information.

Cloudflare Privacy Pass works silently in the background for the most part. It lets you bypass Cloudflare challenge pages if a valid solution has already been submitted during the session.

The extension generates cryptographically "blinded" tokens that are signed by Cloudflare's edge when a CAPTCHA is solved. These tokens are "unblinded" and stored by the extension for future use; they are redeemed automatically when a future challenge page is seen. The "blinding" procedure means that signed and redeemed tokens are cryptographically unlinkable from Cloudflare's perspective and, as such, are suitable for usage in conjunction with external anonymity measures (such as Tor/VPNs).
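A toy model of the blind, sign, unblind and redeem steps described above, as an added example that is not from the article or from Cloudflare's extension. It assumes Diffie-Hellman-style blinding in the prime-order subgroup of the RFC 3526 `modp14` group under Node.js; all function names are hypothetical, and redemption sends the signature itself, a simplification of the real protocol.

```javascript
const crypto = require('node:crypto');

// RFC 3526 2048-bit safe prime p = 2q + 1; we work in the order-q subgroup of squares.
const p = BigInt('0x' + crypto.getDiffieHellman('modp14').getPrime('hex'));
const q = (p - 1n) / 2n;

function modPow(base, exp, mod) {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Scalar in [1, q-1]; the extra random bits make the modulo bias negligible.
function randomScalar() {
  return (BigInt('0x' + crypto.randomBytes(264).toString('hex')) % (q - 1n)) + 1n;
}

// Map a token to a subgroup element: widen the hash to 2048 bits, then square mod p.
function hashToGroup(token) {
  const wide = [0, 1, 2, 3]
    .map((i) => crypto.createHash('sha512').update(`${i}:${token}`).digest('hex'))
    .join('');
  return modPow(BigInt('0x' + wide), 2n, p);
}

// Client: create a random token and blind it with a secret exponent r.
function clientBlind() {
  const token = crypto.randomBytes(32).toString('hex');
  const r = randomScalar();
  return { token, r, blinded: modPow(hashToGroup(token), r, p) };
}

// Edge: sign the blinded value with its secret key k once a CAPTCHA is solved.
const edgeSign = (k, blinded) => modPow(blinded, k, p);

// Client: strip r (inverse mod q via Fermat, since q is prime) to get H(token)^k.
function clientUnblind({ r }, signedBlinded) {
  return modPow(signedBlinded, modPow(r, q - 2n, q), p);
}

// Edge: accept an unspent token whose signature recomputes under k.
function edgeRedeem(k, spent, token, signature) {
  if (spent.has(token) || modPow(hashToGroup(token), k, p) !== signature) return false;
  spent.add(token);
  return true;
}
```

At issuance the edge only sees `blinded`, and at redemption only `token` and the unblinded signature; because `r` is random and never leaves the client, the edge cannot match one to the other.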

The extension is available for Firefox and Google Chrome. It installs fine in the Tor Browser, but I'm not 100% sure it works in that browser right now as it is provided as a WebExtension.

While it installed fine, I had trouble getting any site to throw a captcha while using the Tor browser (go figure).

Anyway, if you use Tor or a VPN regularly and are exposed to an ungodly number of challenge captchas, you may want to give this extension a try as it may help reduce the number of captchas per browsing session significantly.

Update: The extension has been pulled. Privacy Pass is a new extension that offers similar functionality.


Comments

  1. Clairvaux said on September 18, 2017 at 8:36 am

    That’s interesting, but I would be wary of using an extension not vetted by Tor (and therefore not bundled with the software).

  2. John said on September 18, 2017 at 11:56 am

    Hi Martin,

    Just an off-topic question. What do you think of BleachBit? Do you think it’s as effective as CCleaner? And a request/suggestion: what do you think of a review of it here? I searched on your site and only found an article mentioning it in 2010.

    The reason: I’m using CCleaner and, besides the fact that they started to remove the slim package in the builds page[1], the program is causing problems with Firefox 55 and beyond: if you clear Firefox data with it, some of your bookmarks favicons are being lost[2]. I’m looking for an alternative, and maybe BleachBit is the one.

    I guess that could be one of the side effects of Piriform being bought by Avast appearing already. Needless to say, I’m looking for an alternative.

    [1] https://www.piriform.com/ccleaner/builds
    [2] https://support.mozilla.org/en-US/questions/1172862#answer-1000231

    1. Martin Brinkmann said on September 18, 2017 at 12:10 pm

      John, the latest release 5.34 fixed the favicon issue according to the release announcement page: http://www.piriform.com/news/release-announcements/2017/9/12/ccleaner-v534

      I have to admit that I have not run Bleachbit in a long while. The program has a couple of things going for it, one being that it is open source. It is not the complete package that CCleaner is, but that is often not what you need anyway.

      Why don’t you give it a try and see how it goes? You can integrate CCEnhancer into Bleachbit, so that is definitely a plus.

      1. John said on September 18, 2017 at 12:18 pm

        I installed CCleaner 5.34 today and the problem is still happening, although I should mention that I’m using Firefox 57.

        Can you reproduce this issue with the stable or nightly?

        Anyway, I will give BleachBit a try. Thanks!

      2. Martin Brinkmann said on September 18, 2017 at 12:58 pm
    2. Martin Brinkmann said on September 20, 2017 at 6:03 pm

      John, Slim packages are back on the download page.

  3. 424 said on September 18, 2017 at 6:50 pm

    >This add-on has been removed by its author.
    Huh?

    1. Martin Brinkmann said on September 18, 2017 at 9:22 pm

      Wonder why they have done so?

  5. CHEF-KOCH said on September 18, 2017 at 8:59 pm

    I can’t recommend this extension, due to the simple reason that this will weaken your security setup. CAPTCHAs are there to reveal who you really are.

    https://blog.torproject.org/trouble-cloudflare
    https://developers.google.com/recaptcha/docs/verify
    https://news.ycombinator.com/item?id=12122268

  6. Yuliya said on September 18, 2017 at 9:51 pm

    Here’s a tip: there are two kinds of challenges for reCAPTCHA v2 which you’ll often encounter (there are more, but their occurrence frequency ranges from once every week to only screenshots seen on the internet).

    Anyway, here are screenshots: https://imgur.com/a/9XSdJ

    Note the wording:
    Easy one: Select all squares with […] If there are none, click skip
    Difficult one: Select all images with […] Click verify once there are none left

    On the easy one the lower right button also says “Skip”, instead of “Verify”. If you get the bad one simply click that refresh icon on lower left until you get the good captcha. You usually are allowed on sites after completing only one of those (worst case is two) and it’s a lot easier and faster as it’s just a grid with checkboxes.

    The difficult one is with the b/s fading images which sometimes it takes more than a second to just load a new image (one of those 3×3 small thumbnails I mean) and you have to complete four or five sometimes.

    tl;dr: click lower left refresh button (two, three times) until you get the easy captcha

  7. Anonymous said on September 19, 2017 at 12:01 am

    Martin, captchas for Cloudflare have decreased dramatically way back in this year for Tor Browser users (if your user agent isn’t that of the Tor Browser and you connect using Tor then you’ll get a captcha, you can test this yourself). In fact, I rarely see them these days so this extension is at best unnecessary.

  8. sonya18.2 said on September 22, 2017 at 10:00 am

    anybody grab it before it got yanked?

    1. Ali Sofyan Nasution said on September 22, 2017 at 11:09 pm

      Same here. Would be glad if someone can share the xpi.

  9. wexafig said on September 26, 2017 at 12:22 am
    1. Martin Brinkmann said on September 26, 2017 at 5:41 am

      Thank you, I have updated the article to reflect the name change, and added the link.
