Cloudflare introduces Cryptographic Attestation of Personhood, an experiment intended to replace CAPTCHAs
Link information
This data is scraped automatically and may be incorrect.
- Title: Humanity wastes about 500 years per day on CAPTCHAs. It's time to end this madness
- Published: May 13 2021
- Word count: 2784 words
This seems like a reasonable idea. Servers are authenticated based on root certificates. Why not authenticate clients in the same way? The only question I have is whether hardware key manufacturers are prepared for the significantly expanded population of people who want to decipher their HSMs. There’s currently not much reason to crack into your own Yubikey, but if doing so means you can break CAPTCHAs for free there are some companies that will be well rewarded for that.
I like the general idea, but also dislike being tied to specific hardware.
How about they trust my PGP key, and if they see it being abused revoke it? I want to run personal scripts from home, and bypassing recaptcha would make that much easier for some things.
From an automation perspective, that's like having an API key that can be revoked. But the idea in this case is to prevent automation.
From a privacy perspective, it's like logging in with single sign-on and people don't want to trust most websites.
IMO automation should never be prevented, especially of the single-user variety.
As far as privacy, I'll take the non-SSO please. I already avoid using 3rd-party SSO logins as is.
I know I'm in a minority, but the way things go now, as soon as the option is there and I'm sufficiently small a minority, that option now goes away.
As long as there are people willing to abuse automation for malicious purposes, there will be a need to rate limit or outright prevent automated actions from happening.
Rate limiting isn't a problem, it's fairly easy to stay within rate limits for personal use.
I can't think of one scenario where automation should be outright banned. Bots are useful, particularly personal ones.
I'm into home automation, and web scraping is great at filling holes where other APIs are lacking. Perhaps that is some of the bias.
A hypothetical effective ban on automated purchases of hot items like concert tickets (in the before times) or GPUs (in modern times) would do a lot more good than harm, I think.
Lots of social platforms should be doing more to combat bots whose purpose is to spread misinformation or push a political agenda. A partial ban here might allow bots to post but with a clear indicator that the content was not posted by a human, allowing bot twitter accounts posting service statuses and other similar things to disseminate their information automatically while destroying the perceived authenticity of malicious bots.
I never liked first-come-first-serve for online stuff. Nobody should be dependent on clicking at the precise millisecond and be subject to network problems. Do batch lottery signups for a 30 min window to buy hot-ticket stuff.
For social media I want a personal intermediary layer. Aggregate all communication through a single medium, regardless of built-in support.
If you manage to tie 1 bot to one person/profile, automation problems are easier to solve.
For popular items that aren't concert tickets, I like Apple's approach: First come first serve, but push out the delivery date as more and more stock gets claimed rather than just shutting down orders as soon as the stock on hand is claimed. I think this is why last year's iPhones and other goodies didn't see the same ridiculously inflated prices on eBay. The FOMO disappears when people can get their place in line, and see a reasonable estimate of when they will get their new toy.
I don't like the lottery signups, mostly because I'm not convinced they work. I've spent most of 2021 trying to get a Ryzen 5900x CPU through Newegg Shuffle with no luck. On Monday I joined a Discord server that pushes stock drop notifications to my phone when tracked sites get new inventory, and I was able to get the chip I wanted by Thursday. Maybe the lottery approach would work better if every retailer was doing it, but right now the number of people signing up for Newegg's lottery is so high that your odds of getting anything are close to nil.
This is true. But probably just as true as having 50,000 people rush digital floodgates. Concert tickets can be an utter shitshow like that.
If you used the same PGP key to log into multiple websites then from a privacy standpoint, that seems equivalent to SSO? You're giving every website you visit a unique ID to identify you, which they could share to match up sessions.
Well yea, that's the idea. I would prefer not using the same key across sites. Even if I did, that would require a lot more coordination across other sites to build that profile. As opposed to Cloudflare just gathering it up themselves.
They claim they're not tracking users with a unique ID this way:
I don't understand how the user is supposed to know that they're doing what they claim, though. The same action (pressing a button on a Yubikey) is used for logging in to sites that support it.
I may be wrong but this could be another way of fingerprinting.
A unique cert that is used or tied to an account can very easily be used to track that user everywhere. I bet companies like Facebook or Google who have been known to track people who aren't even their users. The idea is good for corporate or enterprise work but I feel like it would infringe on rights soon enough.
It could be done. Cloudflare says they haven't built it to be possible though - https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/#privacy-first
Ugh. I hate CAPTCHAs as much as the next person, but I have to wonder if this will end up being hacked to be able to track people.
But that aside, some of the article really ticked me off:
No, that's not the reason to get rid of them. We should get rid of them because they're inaccessible, fairly easy to circumvent for bots, don't work correctly, punish users who want privacy, and because they're annoying as hell. (They mention the accessibility issue in the article, but not the other stuff.)
Well that sounds dystopian. First off the very name "attestation of personhood" is like something from a sci-fi novel where some groups of people aren't given rights because they don't fit some new definition of "personhood" the state decides on. No human should have to attest to their own humanity. That's fucking sick.
But that point aside, what happens when my YubiKey breaks, or I lose it, or it's hacked? How do we stop bad actors from buying YubiKeys and hooking them up to bots? I own a YubiKey that I got for paying $50 for a subscription to a website I read. How does someone who can't afford that get one?
I mean we don't even have to ask questions about compatibility because they already tell us how it's not compatible with a whole bunch of stuff:
What about users on iOS 14.1, which is only a few months older than iOS 14.5? What about users running Firefox on Android? WTF? These aren't small edge cases that only highly technical users will ever hit. These are pretty straightforward cases with millions of users currently.
Well that sounds good, but I'll believe it when I see it. I want something better than CAPTCHA, but I don't see how this is better.
And sure enough, others have similar concerns:
In particular, on the privacy issue, they point out:
It also occurs to me that attestation can break if they're using certificates that can be revoked. What are you to do if you have a key that's in a batch that got hacked and the certificate in your key is revoked? Now you can't browse the web until you buy a new one?
I absolutely hate captcha, mainly because I was always failing the tests because of my privacy extensions and vpn. One time, I even made a "challenge" against recaptcha and I was 10 f* minutes resolving the captchas!!! Well, I gave up shortly after. Finally, I discovered the "trick" to it. You simply use audio instead of the photos!
Usually I only need to listen to one voice recording and I think I never had to hear more than three. I think, in the beginning, when I switched to audio, Google was not letting me switch and I guess it "learned" that I might be a person with a disability and never locked me out after all the time trying to switch. But Firefox's containers extension helps a lot and in some websites you can easily never clean your cookies.
Technically reCaptcha v3 doesn't even show a challenge. It just gives servers a spam score, and they make the decision to allow or deny the request.
You mean the client, right? As soon as you're on the Tor network or using some sort of proxy, reCAPTCHA goes crazy and asks for about 10 sites of crosswalks and traffic lights.
I know, Tor and VPN services are often used for abuse etc., but IP addresses move between server providers and ISPs from time to time, so I also get 10 pages of crosswalks from my home ISP as well or when I'm on mobile. It's annoying.
I mean that it gives the server (as in, hands the server) a spam score between 0 and 1. It's returned in an API request after the client submits a form or other interaction.
I'm sure that's true as TOR would obfuscate most of the spam signals. If you're seeing challenges though, that's still reCaptcha v2. v3 did away with them completely.
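The server-side decision described in the last few comments, as an added example that is not part of the thread: a function that takes the parsed JSON a reCAPTCHA v3 verification call returns and decides what to do with the request. The field names (`success`, `score`, `action`, `hostname`, `challenge_ts`, `error-codes`) are those of the siteverify response; the 0.5 threshold, the `step_up` verdict, the hostname and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=2)  # v3 tokens expire two minutes after issue


def decide(resp, expected_action, expected_host, now, threshold=0.5):
    """Return (verdict, reason) for a parsed siteverify response dict."""
    if not resp.get("success"):
        codes = ",".join(resp.get("error-codes", []))
        return "deny", "invalid token: " + codes
    # A valid token minted on another site or for another form must not count.
    if resp.get("hostname") != expected_host:
        return "deny", "token issued for another hostname"
    if resp.get("action") != expected_action:
        return "deny", "token issued for another action"
    issued = datetime.fromisoformat(resp["challenge_ts"].replace("Z", "+00:00"))
    if now - issued > MAX_AGE:
        return "deny", "stale token"
    score = resp.get("score")
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
        return "deny", "missing or malformed score"
    if score >= threshold:
        return "allow", f"score {score}"
    # Low score: the site picks the follow-up (assumed here: extra verification).
    return "step_up", f"score {score} below {threshold}"


# Constructed sample responses, not captured traffic.
NOW = datetime(2021, 5, 13, 12, 1, 0, tzinfo=timezone.utc)
BASE = {"success": True, "score": 0.9, "action": "login",
        "hostname": "shop.example.test", "challenge_ts": "2021-05-13T12:00:30Z"}
SAMPLES = {
    "good": BASE,
    "low_score": {**BASE, "score": 0.1},
    "wrong_action": {**BASE, "action": "signup"},
    "stale": {**BASE, "challenge_ts": "2021-05-13T11:50:00Z"},
    "rejected": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def run_samples():
    return {name: decide(r, "login", "shop.example.test", NOW)
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:13s} {verdict:8s} {reason}")
```
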