Less CloudFlare captchas with Privacy Pass

Martin Brinkmann
Nov 10, 2017
Firefox add-ons, Google Chrome extensions, Internet
|
10

Privacy Pass is a new browser extension for Mozilla Firefox and Google Chrome to reduce the number of captchas that legitimate users get when they access CloudFlare protected properties on the Web.

CloudFlare protects a large part of the Internet, and that is why the company's captcha solutions designed to determine whether a visitor is a human or a bot are found on many different sites.

The current system throws a captcha at users regularly when they visit different sites. It is not a "prove once that you are human and you are done" kind of system.

Privacy Pass is not the first browser extension of its kind. The browser extension CloudHole came out in 2016, and while it is still available for Firefox, it has not been updated for nearly a year.

A more recent extension is Cloudflare Privacy Pass. It was based on the challenge bypass specification, and while it has been pulled, Privacy Pass appears to use the same interface and icon.

Challenge Bypass Extension

Challenge Bypass Extension is available for Firefox and Google Chrome. The extension works on websites using a "blind signature" protocol, and reduces the number of captchas that are shown to users by gaining tokens when completing captchas that are spent to pass future challenges.

The "blinding" procedure means that signed and redeemed tokens are cryptographically unlinkable from the server perspective and, as such, are suitable for usage in conjunction with external privacy measures (such as VPNs).

Privacy Pass has been developed by members of the Royal Holloway University of London, and the University of Waterloo.

Cloudflare supports Privacy Pass currently, and clients get 30 signed tokens for each captcha that is solved in the browser while the extension is enabled.

This reduces the number of captchas displayed to users significantly, and is probably most appealing to users who connect to VPN networks, Tor, or are assigned IP addresses with bad track records.

Privacy Pass stores data locally that relates to the created tokens. The extension adds an icon to the browser's toolbar that lists a -- somewhat broken -- interface right now listing the number of available passes (before another captcha needs to be solved). The "get more passes" link opens the project's site on GitHub, and the only other option is to clear the available passes.

Check out the FAQ for additional details.

Closing words

Privacy Pass improves web browsing for Internet users who run into CloudFlare captchas regularly. Tor users are probably prime candidates for the extension, but certain VPN IP addresses and regular  IP addresses may throw captchas fairly regularly as well.

Summary
software image
Author Rating
1star1star1star1stargray
4 based on 6 votes
Software Name
Privacy Pass
Software Category
Browser
Landing Page
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. DropZz said on February 24, 2020 at 8:51 am
    Reply

    Firefox Containers are awesome.
    I recommend using “Multi-Account Containers” in combination with “Temporary Containers” and “First Party Isolation”.
    They are a hassle to setup at first but after that they are great.
    To make it easier you should first enable “Multi-Account Containers” and save all your relevant Accounts in them. After that you can enable the other two.

    https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/
    https://addons.mozilla.org/en-US/firefox/addon/temporary-containers/
    https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/

    1. thebrowser said on February 24, 2020 at 6:38 pm
      Reply

      What exactly is the difference between temporary containers and multi-account containers? I don’t see how they can be combined since they seem to achieve the same goal in the same way.

      First party isolation is a preference that you can disable manually from about:config so you can save one addon installation. Considering that would already make your browser fingerprint more unique and easier to track, which is the whole point of going through this trouble, is a good idea to look to reduce the number of addons like this one.

      Just my observation, not criticizing, thank you for sharing this!

      1. notanon said on February 25, 2020 at 12:39 am
        Reply

        @thebrowser, disabling first party isolation is stupid.

        First party isolation protects your privacy.

        Read about it here: https://www.ghacks.net/2017/11/22/how-to-enable-first-party-isolation-in-firefox/

        BTW, privacy.firstparty.isolate = “true” is the default of the ghack user.js, so you don’t have to worry about leaving a unique “fingerprint”, you’ll have plenty of company (other user.js also borrow heavily from the ghack user.js).

      2. thebrowser said on February 25, 2020 at 8:26 am
        Reply

        Oops, I didn’t mean disable by toggle it, my bad. But still, what’s the difference between the first two addons? I’m really curious if there’s a benefit in using them separately.

      3. Damien said on February 25, 2020 at 4:06 pm
        Reply

        “But still, what’s the difference between the first two addons?”

        From what I understand, multi-account containers can provide permanent containers while temporary provides only temporary containers.

    2. Dav said on October 25, 2020 at 4:51 pm
      Reply

      Tried and tested it. It just does not work as intended, it’s such a pain to use and configure. Plus it is of course not integrated so if, say, I want less fingerprints with, for instance, User Agent Switcher then I need to configure it for each container which, in the case of Temporary Containers, means every and each domain…

      So, at the end, you will definitely be tracked as if you haven’t those extensions.

      This concepts should be:
      – builtin Firefox
      – usable out-of-the-box with decent default values
      – invisible to non tech users.

      If not, then it just like recommanding Tor and NetBSD to grandma.

  2. Mr. Hand said on February 24, 2020 at 8:57 am
    Reply

    Good idea, but many years overdue for me, as I already use 3 different computers for different uses and each of those has at least 2 operating systems and a VM, and I use VPNs and clear/avoid all cookies and block trackers and ads, and I don’t share accounts between systems, and more… Also, I no longer use Firefox, but good info to know, thanks.

    I’m giving you an A+ for this report.

    1. Anon said on February 24, 2020 at 9:54 am
      Reply

      @Mr. Hand: You go on great lengths to play Minecraft, I give you that.

      1. Mr. Hand said on February 25, 2020 at 7:06 am
        Reply

        @Anon

        Well, whatever you gave me, it’s retarded blather.

  3. CraigS26 said on February 24, 2020 at 11:58 am
    Reply

    I use ESET EIS Security Suite with a Banking & Payment Protection feature (Protection against KeyStroke Loggers) and the two don’t seem to mix. The Ext installs for regular FF use BUT (ie) Financial sites setup to open in a Green-bordered BPP Window don’t recognize the Containers Ext and an attempt to Install it netted Install failed-Ext appears to be corrupt.
    I’m valuing Keystroke Logging over Privacy, so I uninstalled the Ext.
    IF anyone knows how to marry the two, much appreciated by a Not-An-IT-Pro.

  4. Anonymous said on February 24, 2020 at 1:27 pm
    Reply

    What about the tracking via Localstorage?

    1. Danniello said on February 24, 2020 at 3:24 pm
      Reply

      Not good.

      Firefox is not supporting removing site localStorage per container – it means that you could remove all localStorage or nothing (for example removing youtube.com localStorage in “Default” container will also remove YouTube settings in “Google YouTube” container).

      https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/wiki/Documentation#enable-localstorage-support

    2. Anonymous said on February 24, 2020 at 4:35 pm
      Reply

      Except the type of problems Danniello wrote about, the local storage is supposed to be separated by containers, like cookies, indexedDB, HTTP data cache, image cache, and any other areas supported by originAttributes, according to this source:

      https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers#What_is_.28and_isn.27t.29_separated_between_Containers

      History, bookmarks and Security Exceptions for Invalid TLS Certificates are not separated (yet).

      Saved passwords, saved search and form data, HSTS flags and OCSP responses are not separated, on purpose.

  5. Anonymous said on February 24, 2020 at 2:40 pm
    Reply

    I’ve tried it. It’s useless for me because the history is not isolated to each containers.

    1. skierpage said on February 24, 2020 at 4:50 pm
      Reply

      Why do you need history isolation? Web sites don’t have access to your history.

      1. Jonas said on February 24, 2020 at 11:05 pm
        Reply

        “Web sites don’t have access to your history.”

        Actually, there used to be a hack whereby websites could sometimes infer your history regarding other sites you had previously visited. It was an evil derivation of innocent code that some web developers (including me) had implemented: custom CSS code to change the color or style of a visited link, in a different way from the default style that websites back then used for visited links.

        Unfortunately for me, after I put a lot of work into my snazzy visited-links styling, the browsers all blocked such custom styling because of the evil tracking hacks (which didn’t even exist at the time I wrote my code). I (and other developers) were furious that the browser companies didn’t implement the fix in a more fine-grained way: they should have just blocked that kind of styling on links to _other websites_, but not to links on the same site, since the site owner can log what pages you visited on his own site anyway.

        I’m not aware of any history-sniffing hacks since then, but I wouldn’t bet that it’s not possible in some other way.

      2. Anonymous said on February 25, 2020 at 6:08 am
        Reply

        @skierpage
        read gerdneuman’s comment here
        https://github.com/mozilla/multi-account-containers/issues/47

    2. Anonymous said on February 25, 2020 at 5:35 am
      Reply

      That’s what profiles are for. Containers is about site isolation and for using multiple accounts / cookies of a site in the same profile.

  6. notanon said on February 25, 2020 at 12:56 am
    Reply

    @Ashwin, my reccommendation for your next article is DNS-over-HTTPS (Martin covered it, but he hasn’t used it & reported back about a longer-term user experience).

    IMO, everyone on Firefox should be using it (Chrome promised a general roll-out of DNS-over-HTTPS, but it hasn’t happened due to “technical issues” according to Google).

    You can add ESNI for even better results.

    And use a VPN, although, a good VPN cost money every month (whereas, DNS-over-HTTPS is free on Firefox).

    1. Ashwin said on February 25, 2020 at 8:09 am
      Reply

      Thank you for the suggestion. I’ll add it to my list.

  7. Torin Doyle said on February 29, 2020 at 5:54 pm
    Reply

    Can I have some containers with all/most addons disabled (i.e. as if they were in safe mode) and other containers with addons enabled?

  8. James said on May 12, 2020 at 4:29 am
    Reply

    I get the basics of conatiners but I don’t understand the difference between the containers that now come with Firefox, and the add-ons – why do I need the extension? Is it because I can “reopen in container” but need the add-on/extension to make sure that whenever I open a particular webpage it opens within the container?

    1. James said on May 12, 2020 at 4:32 am
      Reply

      Ah – yes – the add-on just does the job automatically each time.

  9. RandomPasserBy said on August 31, 2020 at 4:06 pm
    Reply

    A mix of uBlock and Firefox’s own tracking settings can block the vast majority of the tracking content that is fed to a page, which makes the use of containers a bit redundant unless you are looking to have multiple tabs open with different accounts logged into the same website (or service) – which I have no need for.

    That said, I having nothing against the concept of containers, just feel they are something that might have been beneficial years ago rather than now.

    What’s more, if you genuinely want to stop the tracking, you could just use a private browsers session.

  10. TelV said on September 29, 2020 at 1:10 pm
    Reply

    I’m surprised that container tabs isn’t part of the default installation yet even in the latest FF version which is 81.0 at the time of writing.

    I’m using Waterfox Classic which supports XUL/XCOM extensions and is probably regarded as old fashioned by some; yet container tabs are available in prefs without the need to install an addon. Here’s a pix.
    https://i.postimg.cc/43zKXb8K/container-tabs.png

  11. Glen Cooper said on January 8, 2022 at 7:59 pm
    Reply

    I love Firefox Containers. Started using them about a year ago. Then the screen on the laptop I set them all up on died. Setting up a new laptop now and found that they’re not carried over to a new computer, even with Sync enabled. Ugh. Revived the old laptop specifically for the purpose of figuring out how to move them over to a new computer. Haven’t figured it out yet. Beware of this limitation if you use them.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.