This is a good article, but it has a fatal flaw. Cloudflare doesnât actually respect their own Privacy Pass implementation or Appleâs.
Interesting, could you elaborate?
The privacy pass attestor endpoints in the official extension are just prototypes for testing. Not for production usage. And youâll eg. still get captchas every time from Cloudflare.
You can also use the demo page on an iPhone with PAT enabled and see it not recognized: https://demo-pat.research.cloudflare.com/login
Yeah, been a known issue with Cloudflare captchas for a long time. Very unfortunate
Good article on an important topic. Small request but is it possible to change the formatting of the Privacy Pass: The New Protocol for Private Authentication - Privacy Guides section so that it is more clear that CAPTCHA, Client State and Trusted Device are subsections? It is clear from the context and the Table of contents, but a bit visually disorienting when reading through.
A few initial thoughts open to anyone for reply or explanation:
- Itâs unclear to me whether it would be better to modify the title such that the article is about âPrivate Authenticationâ rather than Privacy Pass. It seems Privacy Pass is a web/webservice-specific protocol hence being bound to a browser. Private Authentication can broadly encompass Zero Knowledge Proofs and the mentioned Blind Signature Schemes which seem to be used in production in quite a few different places.
- Most minor nitpick. I donât know whether it makes sense to tout Privacy Pass as a new thing, because it has been around for quite a few years now.
- Is it possible to organise the information so that it presents Private Access Tokens as an Apple-specific implementation of Privacy Pass for website access (CAPTCHA circumvention)? I donât know if Apple use Private Access Tokens for anything else.
- Would it be worth adding private authentication schemes as a best-case criteria for all service-based recommendations on Privacy Guides?
Really a great read, keep up the good work!
Can I get some more info on the PrivacyGuides subscription that was referenced in the article? Whatâs the release date??
Sorry that was sort of a joke, thatâs not real. Just had to come up with a fake subscription service as an example.
- Fair point, I wanted to focus on Privacy Pass since itâs an IETF standard. A lot of services like Appleâs Private Relay and Googleâs VPN just say they use blind signatures without really going into whether they adhere to a specific standard. I wanted to highlight places where this type of thing is being done, and maybe I shouldâve talked about how it should be standardized more. The IETF page for Privacy Pass describes an âecosystemâ of clients which I think would be cool to see, although I might be misinterpreting it. Iâm imagining lots of different Issuers and Attesters all working together in an interoperable network of anonymous verification.
- Thatâs true, itâs evolved and changed so much from the original browser extension though. Cloudflare has a great blog post about the upgrades theyâve made that I shouldâve linked in the article somewhere.
- Itâs not really clear to me that Private Access Tokens were meant to be Apple only but theyâre the only ones Iâve seen implement it. They only say theyâre used for CAPTCHAs but I donât know if thereâs anything strictly preventing them from being used for other things as well.
- I like that idea, but itâs a bit too early I think for that. Kagi is the only service I can think of besides private relay and Googleâs VPN using blind signatures to authenticate users. Iâd love to see other VPNs like Proton and Mullvad using them.