19 votes

Cloudflare introduces Cryptographic Attestation of Personhood, an experiment intended to replace CAPTCHAs

21 comments

  1. [15]
    teaearlgraycold
    This seems like a reasonable idea. Servers are authenticated based on root certificates. Why not authenticate clients in the same way? The only question I have is whether hardware key manufacturers are prepared for the significantly expanded population of people who want to decipher their HSMs. There’s currently not much reason to crack into your own Yubikey, but if doing so means you can break CAPTCHAs for free there are some companies that will be well rewarded for that.

    9 votes
    1. [12]
      vord
      I like the general idea, but also dislike being tied to specific hardware.

      How about they trust my PGP key, and if they see it being abused revoke it? I want to run personal scripts from home, and bypassing recaptcha would make that much easier for some things.

      7 votes
      1. [11]
        skybrian
        From an automation perspective, that's like having an API key that can be revoked. But the idea in this case is to prevent automation.

        From a privacy perspective, it's like logging in with single-sign on and people don't want to trust most websites.

        4 votes
        1. [10]
          vord
          IMO automation should never be prevented, especially of the single-user variety.

          As far as privacy, I'll take the non-SSO please. I already avoid using 3rd-party SSO logins as is.

          I know I'm in a minority, but the way things go now, as soon as the option is there and I'm sufficiently small a minority, that option now goes away.

          5 votes
          1. [6]
            babypuncher
            IMO automation should never be prevented

            As long as there are people willing to abuse automation for malicious purposes, there will be a need to rate limit or outright prevent automated actions from happening.

            2 votes
            1. [5]
              vord
              Rate limiting isn't a problem, it's fairly easy to stay within rate limits for personal use.

              I can't think of one scenario where automation should be outright banned. Bots are useful, particularly personal ones.

              I'm into home automation, and web scraping is great at filling holes where other API are lacking. Perhaps that is some of the bias.

              2 votes
              1. [4]
                babypuncher
                A hypothetical effective ban on automated purchases of hot items like concert tickets (in the before times) or GPUs (in modern times) would do a lot more good than harm, I think.

                Lots of social platforms should be doing more to combat bots whose purpose is to spread misinformation or push a political agenda. A partial ban here might allow bots to post but with a clear indicator that the content was not posted by a human, allowing bot twitter accounts posting service statuses and other similar things to disseminate their information automatically while destroying the perceived authenticity of malicious bots.

                2 votes
                1. [3]
                  vord
                  I never liked first-come-first-serve for online stuff. Nobody should be dependent on clicking at the precise millisecond and be subject to network problems. Do batch lottery signups for a 30 min window to buy hot-ticket stuff.

                  For social media I want a personal intermediary layer. Aggregate all communication through a single medium, regardless of built-in support.

                  If you manage to tie one bot to one person/profile, automation problems are easier to solve.

                  1 vote
                  1. [2]
                    babypuncher
                    For popular items that aren't concert tickets, I like Apple's approach: First come first serve, but push out the delivery date as more and more stock gets claimed rather than just shutting down orders as soon as the stock on hand is claimed. I think this is why last year's iPhones and other goodies didn't see the same ridiculously inflated prices on eBay. The FOMO disappears when people can get their place in line, and see a reasonable estimate of when they will get their new toy.

                    I don't like the lottery signups, mostly because I'm not convinced they work. I've spent most of 2021 trying to get a Ryzen 5900x CPU through Newegg Shuffle with no luck. On Monday I joined a discord server that pushes stock drop notifications to my phone when tracked sites get new inventory, and I was able to get the chip I wanted by Thursday. Maybe the lottery approach would work better if every retailer was doing it, but right now the number of people signing up for Newegg's lottery is so high that your odds of getting anything are close to nil.

                    1 vote
                    1. vord
                      right now the number of people signing up for Newegg's lottery is so high that your odds of getting anything are close to nil.

                      This is true. But probably just as true as having 50,000 people rush digital floodgates. Concert tickets can be an utter shitshow like that.

          2. [3]
            skybrian
            If you used the same PGP key to log into multiple websites then from a privacy standpoint, that seems equivalent to SSO? You're giving every website you visit a unique ID to identify you, which they could share to match up sessions.

            1. [2]
              vord
              Well yeah, that's the idea. I would prefer not to use the same key across sites. Even if I did, that would require a lot more coordination across other sites to build that profile, as opposed to Cloudflare just gathering it up themselves.

              1. skybrian
                They claim they're not tracking users with a unique ID this way:

                Completing this flow takes five seconds. More importantly, this challenge protects users' privacy since the attestation is not uniquely linked to the user device. All device manufacturers trusted by Cloudflare are part of the FIDO Alliance. As such, each hardware key shares its identifier with other keys manufactured in the same batch (see Universal 2nd Factor Overview, Section 8). From Cloudflare’s perspective, your key looks like all other keys in the batch.

                I don't understand how the user is supposed to know that they're doing what they claim, though. The same action (pressing a button on a Yubikey) is used for logging in to sites that support it.

                1 vote
    2. [2]
      prairir001
      I may be wrong but this could be another way of fingerprinting.

      A unique cert that is used or tied to an account can very easily be used to track that user everywhere. I bet companies like Facebook or Google who have been known to track people who aren't even their users. The idea is good for corporate or enterprise work but I feel like it would infringe on rights soon enough.

      2 votes
  2. [2]
    joplin
    Ugh. I hate CAPTCHAs as much as the next person, but I have to wonder if this will end up being hacked to be able to track people.

    But that aside, some of the article really ticked me off:

    Why get rid of CAPTCHAs?

    Put simply: we all hate them.

    No, that's not the reason to get rid of them. We should get rid of them because they're inaccessible, fairly easy to circumvent for bots, don't work correctly, punish users who want privacy, and because they're annoying as hell. (They mention the accessibility issue in the article, but not the other stuff.)

    From a user perspective, a Cryptographic Attestation of Personhood works as follows:

    The user accesses a website protected by Cryptographic Attestation of Personhood, such as cloudflarechallenge.com.
    Cloudflare serves a challenge.
    The user clicks I am human (beta) and gets prompted for a security device.
    User decides to use a Hardware Security Key.
    The user plugs the device into their computer or taps it to their phone for wireless signature (using NFC).
    A cryptographic attestation is sent to Cloudflare, which allows the user in upon verification of the user presence test.

    Well that sounds dystopian. First off the very name "attestation of personhood" is like something from a sci-fi novel where some groups of people aren't given rights because they don't fit some new definition of "personhood" the state decides on. No human should have to attest to their own humanity. That's fucking sick.

    But that point aside, what happens when my YubiKey breaks, or I lose it, or it's hacked? How do we stop bad actors from buying YubiKeys and hooking them up to bots? I own a YubiKey that I got for paying $50 for a subscription to a website I read. How does someone who can't afford that get one?

    I mean we don't even have to ask questions about compatibility because they already tell us how it's not compatible with a whole bunch of stuff:

    Platform               Compatible Browsers
    iOS 14.5               All browsers
    Android 10 and later   Chrome

    What about users on iOS 14.1, which is only a few months older than iOS 14.5? What about users running Firefox on Android? WTF? These aren't small edge cases that only highly technical users will ever hit. These are pretty straightforward cases with millions of users currently.

    Platform               Compatible Browsers
    Windows                All browsers
    macOS                  All browsers
    Ubuntu                 All browsers

    Well that sounds good, but I'll believe it when I see it. I want something better than CAPTCHA, but I don't see how this is better.

    4 votes
    1. joplin
      And sure enough, others have similar concerns:

      1. Automation of FIDO security keys is really easy.

      2. Popups are optional for attackers.

      3. Security Keys are quite fast

      4. Attestation is not a good mechanism for CAPTCHA

      In particular, on the privacy issue, they point out:

      1. Privacy — FIDO mandates that attestation Batch Certificate usage is at least ONE batch certificate per 100,000 devices. So if you know that Alice has Security Key with this certificate, and you see this certificate on another site, there is 1/100,000 chance that this is Alice. This does not sound like a lot, but when you combine together with all other tracking info that sites may keep on you, this becomes another piece of info that can be used against you, and as we all know, everything is run by Cloudflare today.

      It also occurs to me that attestation can break if they're using certificates that can be revoked. What are you to do if you have a key that's in a batch that got hacked and the certificate in your key is revoked? Now you can't browse the web until you buy a new one?

      3 votes
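      The flow quoted from the article a few comments up (Cloudflare serves a challenge, the user touches the key, an attestation is sent back and the user presence test is verified) and the batch-certificate point quoted in this comment both come down to what a relying party can actually read out of WebAuthn authenticator data. The block below is an added example, not Cloudflare's code and not anything from the article or the linked critique: it builds a constructed authenticator data blob the way an authenticator would, parses it, checks the rpIdHash and the user presence (UP) flag, and pulls out the AAGUID, which names the key model rather than the individual key. The AAGUID value, the relying party IDs and the anonymity-set arithmetic are constructed assumptions; verifying the attestation signature against the batch certificate chain is a separate step not included here.

```python
import hashlib
import struct
import uuid

# Bits of the "flags" byte in WebAuthn/FIDO2 authenticator data.
FLAG_UP = 0x01  # user present: the button press the challenge relies on
FLAG_UV = 0x04  # user verified (PIN or biometric); not required by this flow
FLAG_AT = 0x40  # attested credential data (AAGUID + credential) follows
FLAG_ED = 0x80  # extension data follows

# Constructed sample AAGUID standing in for a key model; not a real vendor's.
SAMPLE_AAGUID = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes


def build_authenticator_data(rp_id, flags, sign_count, aaguid, credential_id,
                             public_key_cbor=b""):
    """Assemble authenticator data the way an authenticator would.

    Used here only to construct offline input. Note that a pure-software
    authenticator can set FLAG_UP without any physical touch; the relying
    party cannot tell from this byte alone, only from the attestation chain.
    """
    if len(aaguid) != 16:
        raise ValueError("AAGUID must be 16 bytes")
    data = hashlib.sha256(rp_id.encode("utf-8")).digest()
    data += bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += aaguid + struct.pack(">H", len(credential_id))
        data += credential_id + public_key_cbor
    return data


def parse_authenticator_data(auth_data):
    """Split authenticator data into its 37-byte header and, if FLAG_AT is
    set, the attested credential data (AAGUID, credential ID, COSE key)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
        "public_key_cbor": None,
    }
    if parsed["flags"] & FLAG_AT:
        offset = 37
        if len(auth_data) < offset + 18:
            raise ValueError("truncated attested credential data")
        aaguid = auth_data[offset:offset + 16]
        cred_len = struct.unpack(">H", auth_data[offset + 16:offset + 18])[0]
        offset += 18
        credential_id = auth_data[offset:offset + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credential ID shorter than its declared length")
        offset += cred_len
        parsed["aaguid"] = str(uuid.UUID(bytes=aaguid))
        parsed["credential_id"] = credential_id
        # The COSE public key is a CBOR map; it is carried through unparsed.
        parsed["public_key_cbor"] = auth_data[offset:]
    return parsed


def check_personhood_challenge(auth_data, rp_id):
    """Checks a relying party can make from the authenticator data alone.

    Returns (accepted, reason). Signature verification against the batch
    attestation certificate is a separate step not shown here.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence flag not set"
    if not parsed["flags"] & FLAG_AT:
        return False, "no attested credential data to identify the key model"
    # The AAGUID (and the batch certificate that signs over this data) names a
    # model/batch of keys, not this key, so one attestation looks like any
    # other key from the same batch.
    return True, "accepted (key model " + parsed["aaguid"] + ")"


def combined_anonymity_set(total_users, batch_size, other_set_size):
    """Rough size of the group a user hides in once a site combines the batch
    identifier with one other independent signal (a constructed model, not a
    figure from the article): total * (batch/total) * (other/total)."""
    return batch_size * other_set_size / total_users


if __name__ == "__main__":
    blob = build_authenticator_data("cloudflarechallenge.com", FLAG_UP | FLAG_AT,
                                    0, SAMPLE_AAGUID, b"\x01" * 32)
    print(check_personhood_challenge(blob, "cloudflarechallenge.com"))
    print(combined_anonymity_set(1_000_000_000, 100_000, 1_000_000))
```

      Under this model a batch of 100,000 keys combined with one other signal shared by a million users leaves roughly 100 candidates, which is the sense in which the batch identifier is "another piece of info" rather than a unique ID on its own.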
  3. alcappuccino
    I absolutely hate captcha, mainly because I was always failing the tests because of my privacy extensions and VPN. One time, I even made a "challenge" against reCAPTCHA and I spent 10 f* minutes solving the captchas!!! Well, I gave up shortly after. Finally, I discovered the "trick" to it. You simply use audio instead of the photos!

    Usually I only need to listen to one voice recording and I think I never had to hear more than three. I think, in the beginning, when I switched to audio, Google was not letting me switch and I guess it "learned" that I might be a person with a disability and never locked me out after all the time trying to switch. But Firefox's containers extension helps a lot and on some websites you can easily never clean your cookies.

    4 votes
  4. [3]
    Wes
    Today marks the beginning of the end for fire hydrants, crosswalks, and traffic lights on the Internet.

    Technically reCaptcha v3 doesn't even show a challenge. It just gives servers a spam score, and they make the decision to allow or deny the request.

    2 votes
    1. [2]
      pew
      You mean the client, right? As soon as you're on the Tor network or using some sort of proxy, reCAPTCHA goes crazy and asks for about 10 sites of crosswalks and traffic lights.

      I know, Tor and VPN services are often used for abuse etc., but IP addresses move between server providers and ISPs from time to time, so I also get 10 pages of crosswalks from my home ISP as well or when I'm on mobile. It's annoying.

      3 votes
      1. Wes
        You mean the client, right?

        I mean that it gives the server (as in, hands the server) a spam score between 0 and 1. It's returned in an API request after the client submits a form or other interaction.

        As soon as you're on the tor network or using some sort of proxy recaptcha goes crazy and asks for about 10 sites of crosswalks and traffic lights.

        I'm sure that's true, as Tor would obfuscate most of the spam signals. If you're seeing challenges though, that's still reCAPTCHA v2. v3 did away with them completely.

        1 vote
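        The server-side half of what this comment describes, as an added example that is not part of the thread and not Google's own code: the client's token is posted to the siteverify endpoint, and the JSON that comes back carries a `score` between 0 and 1 (1.0 being most likely human) along with `action`, `hostname` and `challenge_ts`. The decision logic below runs on constructed siteverify responses so it works offline; the endpoint URL and the response field names are the documented ones, while the sample tokens, hostnames, timestamps, the 0.5 threshold and the two-minute freshness window are assumptions chosen for the example.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret, token, remoteip=None, timeout=10):
    """POST the client's token to siteverify and return the raw JSON body.
    Not exercised in the offline demo below."""
    params = {"secret": secret, "response": token}
    if remoteip:
        params["remoteip"] = remoteip
    body = urllib.parse.urlencode(params).encode("utf-8")
    req = urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def evaluate_siteverify(raw_json, expected_action, expected_hostname,
                        min_score=0.5, now=None, max_age=timedelta(minutes=2)):
    """Turn a siteverify response into an allow/deny decision.

    Returns (accepted, reason, score). The threshold is site policy: a
    login form might demand 0.7, a public search box might accept 0.3.
    """
    data = json.loads(raw_json)
    if not data.get("success"):
        codes = ",".join(data.get("error-codes", []))
        return False, "siteverify failure: " + codes, None
    # A token minted for one action must not be replayed against another
    # form, and it must have been issued for our own hostname.
    if data.get("action") != expected_action:
        return False, "action mismatch: %r" % (data.get("action"),), None
    if data.get("hostname") != expected_hostname:
        return False, "hostname mismatch: %r" % (data.get("hostname"),), None
    issued = datetime.strptime(data["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if now - issued > max_age:
        return False, "token older than %s" % max_age, None
    score = float(data["score"])
    if score < min_score:
        return False, "score %.2f below threshold %.2f" % (score, min_score), score
    return True, "score %.2f" % score, score


# Constructed siteverify responses (assumed values, not captured traffic).
SAMPLE_NOW = datetime(2021, 5, 14, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_GOOD = json.dumps({"success": True, "score": 0.9, "action": "login",
                          "challenge_ts": "2021-05-14T12:00:00Z",
                          "hostname": "example.com"})
SAMPLE_LOW = json.dumps({"success": True, "score": 0.1, "action": "login",
                         "challenge_ts": "2021-05-14T12:00:00Z",
                         "hostname": "example.com"})
SAMPLE_STALE = json.dumps({"success": True, "score": 0.9, "action": "login",
                           "challenge_ts": "2021-05-14T11:00:00Z",
                           "hostname": "example.com"})
SAMPLE_REPLAY = json.dumps({"success": False,
                            "error-codes": ["timeout-or-duplicate"]})


if __name__ == "__main__":
    for name, raw in [("good", SAMPLE_GOOD), ("low", SAMPLE_LOW),
                      ("stale", SAMPLE_STALE), ("replay", SAMPLE_REPLAY)]:
        print(name, evaluate_siteverify(raw, "login", "example.com",
                                        now=SAMPLE_NOW))
```

        The v2-versus-v3 distinction in the comment shows up here only as the absence of any challenge step: the server never sees a puzzle, just the score, so a low score from a Tor exit has to be handled by the site (deny, step up to another check, or rate limit) rather than by reCAPTCHA itself.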