For Control of the Internet, It’s Bots v Humans: Solving CAPTCHAs In a Credible and Secret Way

Don’t you find that CAPTCHAs are annoying and are just ways of tracking you?

A demo of the method I will present is [here].

There are some companies that I respect for their approach to privacy, and they aren’t Facebook, Google and Twitter. We thus need to turn to a company like Cloudflare for investment in privacy-preserving methods, and for their general leadership in driving forward improvements in security. There will be no Australian backdoor protocols for Cloudflare, as they have generally put the right of the citizen to privacy at the heart of their work.

With the Tor network, privacy is seen as the core attribute. But what happens when a user is faced with a CAPTCHA challenge? Well, Tor users use the VOPRF (Verifiable Oblivious Pseudo-Random Function) method to bypass these, and thus preserve the user’s privacy. Within this system the client (C) connects to an edge server (E) with content. The server then sends a CAPTCHA challenge to the client, and if they solve it, E sends back n blinded values (tokens) which can be used in the future for the same site. When the client reconnects, it will use one of the previously generated values to re-authenticate (and without the user being faced with a challenge).

Now Cloudflare — in collaboration with Royal Holloway and the University of Waterloo — have built on the method used by Tor and have released Privacy Pass. This is a method of identifying a person as a human while preserving their privacy. It does this with zero-knowledge proof (ZKP) methods, which are used to anonymously identify users across a number of sites without tracking them. This method is defined in a paper [here] and can now be added to Chrome [here] and Firefox.

This method stops companies such as Google from cross-correlating Internet activity across different sites and aims to provide a credible method of proving that you are a human and not a bot.

Overall, Cloudflare define the key tensions between accessibility, security and convenience, and hope that the pass system can overcome these tensions. In order to differentiate between a bot and a human, the Cloudflare challenge system uses a cookie (CF_CLEARANCE) set on the domain. This cookie is not tied to the user’s identity, but to a bot challenge they have solved in the past.

  1. Person sends Request
  2. Server responds with a challenge
  3. Person sends solution
  4. Server responds with set-cookie and bypass cookie
  5. Person sends new request with cookie
  6. Server responds with content from origin

The zero-knowledge privacy method that has been used is Elliptic Curve Verifiable Oblivious Pseudo-Random Function (EC-VOPRF) [here].

When a client wants to identify itself, it creates 30 random numbers (x1 to x30) and then hashes these onto an elliptic curve (P-256) to give the points X1 … X30. These are then blinded by a value (b) by multiplying the points. These are then sent to the server with the CAPTCHA challenge solution. These points are then sent back and multiplied by the private key of the server (k). The resulting pairs [xn, kXn] are then passed when a puzzle needs to be solved. The 30 random numbers will then generate 30 passes.

Within the browser, the user then builds up challenge solutions and gains credits. In the following, I have generated 60 passes by solving two CAPTCHA exercises.

Every time we use a pass it will run the credit down. If the user runs low, they can regenerate the passes.
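The issuance steps described above (hash x onto P-256, blind with b, multiply by the server key k) and the later use of a pair [x, kX], as an added example in pure Python; it is not code from Privacy Pass or Cloudflare, and all function names are hypothetical. Assumptions: a try-and-increment hash onto the curve, an on-curve check on the server, a spent set to refuse reuse, and redemption by presenting kX directly; the proof that makes the function verifiable is left out.

```python
import hashlib, secrets
# NIST P-256: y^2 = x^3 - 3x + B over GF(P); the group has prime order N.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; not constant time, for illustration only
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_curve(x: bytes):  # try-and-increment (assumed method): x_n -> X_n
    for ctr in range(2**32):
        u = int.from_bytes(hashlib.sha256(x + ctr.to_bytes(4, "big")).digest(), "big") % P
        y = pow(u**3 - 3 * u + B, (P + 1) // 4, P)  # root candidate (P % 4 == 3)
        if (y * y - u**3 + 3 * u - B) % P == 0:
            return u, y

def client_blind(x: bytes):  # returns (b, b*X); only b*X is sent to the server
    b = secrets.randbelow(N - 1) + 1
    return b, mul(b, hash_to_curve(x))

def server_sign(k, blinded):  # check the point before it meets the key k
    x, y = blinded
    if (y * y - x**3 + 3 * x - B) % P:
        raise ValueError("blinded point is not on P-256")
    return mul(k, blinded)

def client_unblind(b, signed):  # (1/b) * (k*b*X) = k*X
    return mul(pow(b, -1, N), signed)

def server_redeem(k, x, token, spent):  # recompute k*H(x); refuse reuse
    if x in spent or mul(k, hash_to_curve(x)) != token:
        return False
    spent.add(x)
    return True
```

At issuance the server only ever sees b*X, and at redemption it only sees x and kX, so it cannot link the two events without knowing b.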

Conclusions

Well done to the team here. They have built something that overcomes the annoying bot detection features while preserving your privacy. For Cloudflare, keep up the great work!