privacy pass что это
Релиз Privacy Pass 2.0. Снижаем количество проверок CAPTCHA в Интернете
«Капчи» показываются на сайтах, чтобы убедиться, что пользователь является человеком, а не ботом. Cloudflare поддерживает одну из самых современных сетей для защиты от DoS атак и других целей, активно применяя технологию CAPTCHA.
Если вы пользуетесь сетью Tor или сервисами VPN, то вы могли замечать, какое большое количество проверок CAPTCHA приходится проходить в последнее время. Основная проблема заключается в том, что обычная система не принимает во внимание ранее пройденные «капчи». Если вы посетили сайты и ввели «капчу», то на другом ресурсе нужно будет снова проходить «проверку на человечность».
Расширение Privacy Pass было создано Cloudflare в сотрудничестве с исследователями из нескольких университетов для обхода «капчи» без ущерба для конфиденциальности:
Privacy Pass позволяет пользователям предоставлять подтверждение доверия, не раскрывая, когда и где оно было получено. Используемый протокол позволяет пользователю доказать доверие без риска, что сервер сможет отслеживать пользовательскую активность.
По сути, пользователи получают токены, которые впоследствии могут быть использованы для обхода проверок типа CAPTCHA.
При обычном посещении страницы с «капчей» можно получить до 30 токенов, которые затем будут автоматически использоваться при обнаружении страниц, требующих дополнительной проверки.
Privacy Pass 2.0
28 октября 2019 года была выпущена новая версия Privacy Pass 2.0 для Firefox и Chrome с поддержкой сети Cloudflare. Новая версия упрощает использование, поддерживает новых провайдеров (не только Cloudflare) и включает улучшенные технологии.
В Privacy Pass 2.0 добавлена поддержка сторонних сервисов. Разработчики сообщают, что скоро будет выпущена новая версия расширения, которая поддерживает провайдера hCaptcha.
Пользователи Интернета, которые пройдут «капчу», получат токены, позволяющие автоматически проходить «капчи» на сайтах, использующих того же провайдера.
Если вам часто приходится вводить «капчи», то Privacy Pass 2.0 должен эффективно снизить их количество. Для пользователей, которые не доверяют Cloudflare, новая версия Privacy Pass, скорее всего, не будет представлять интерес.
Privacy Pass
A privacy-enhancing protocol and browser extension.
Privacy Pass is a browser extension with the aim of making the internet more accessible.
Updates
Oct 2020: The Privacy Pass protocol is now in the process of being standardised by the IETF in the privacypass working group. All contributions are welcome! See the GitHub page for more details.
Oct 2019: Version 2.0 of the extension is now available in Chrome and Firefox!
Privacy Pass interacts with supporting websites to introduce an anonymous user-authentication mechanism. In particular, Privacy Pass is suitable for cases where a user is required to complete some proof-of-work (e.g. solving an internet challenge) to authenticate to a service. In short, the extension receives blindly signed ‘passes’ for each authentication and these passes can be used to bypass future challenge solutions using an anonymous redemption procedure. For example, Privacy Pass is supported by Cloudflare to enable users to redeem passes instead of having to solve CAPTCHAs to visit Cloudflare-protected websites.
The blind signing procedure ensures that passes that are redeemed in the future are not feasibly linkable to those that are signed. We use a privacy-preserving cryptographic protocol based on ‘Verifiable, Oblivious Pseudorandom Functions’ (VOPRFs) built from elliptic curves to enforce unlinkability. The protocol is exceptionally fast and guarantees privacy for the user. As such, Privacy Pass is safe to use for those with strict anonymity restrictions.
The Protocol
When an internet challenge is solved correctly by a user, Privacy Pass will generate a number of random nonces that will be used as tokens. These tokens will be cryptographically blinded and then sent to the challenge provider. If the solution is valid, the provider will sign the blinded tokens and return them to the client. Privacy Pass will unblind the tokens and store them for future use.
Privacy Pass will detect when an internet challenge is required in the future for the same provider. In these cases, an unblinded, signed token will be embedded into a privacy pass that will be sent to the challenge provider. The provider will verify the signature on the unblinded token, if this check passes the challenge will not be invoked.
This protocol allows a client to bypass a number of internet challenges proportional to the number of tokens that are signed. The blinding feature used in the signing process preserves the anonymity of the user involved by randomising the tokens that are signed — rendering them unlinkable from the tokens that are redeemed.
Read the full protocol specification here and the design choices that were made here.
Paper
We have written a paper that has been accepted into the 2018 edition of the Privacy Enhancing Technologies Symposium (PETS2018). In the paper, we formalize the protocol and are able prove (based on discrete-log-based cryptographic assumptions) some of the security properties that we require for guaranteeing anonymity and unforgeability. We also provide more details on the implementation of the browser extension and our collaboration with Cloudflare.
Contribute
The browser extension has been open-sourced under the BSD-3 license and is available on GitHub. We have also open-sourced a reference server implementation that is compatible with the extension.
Privacy Pass and the protocol that we use have undergone extensive testing and review but this is still a relatively youthful project. In particular, the implementation of DLEQ proof verification for checking that the server is using consistent keys has not been completed yet and is still under development. As such, it is possible that you may also find other issues when using the extension or within the protocol. In the case that you do then get in contact with a member of the Privacy Pass team. Code contributions to the projects are also welcome.
hCaptcha +В Privacy Pass (Beta)
Summary
Privacy Pass is an emerging standard for preserving user privacy that we are developing in conjunction with Cloudflare and others.
How it works: aВ browser extension provides users with the ability to create and sign cryptographically blind tokens for websites that support the Privacy Pass protocol. The extension generates passes containing cryptographically blinded tokens that are signed by hCaptcha when a challenge is solved on any site using the hCaptcha service, except challenges shown on other Privacy Pass-supporting services that also embed hCaptcha, e.g. Cloudflare.*
These tokens are unblinded and stored by the extension for future use. When the user visits a site using hCaptcha and needs to pass the challenge (whether invisible or via the «I am human» button)В they are redeemed automatically. The blinding procedure means that signed and redeemed tokens are cryptographically unlinkable from hCaptcha’s perspective, and thus user privacy is preserved.
As the IETFВ standardization process continues, we expect major browsers will adopt some form of Privacy Pass natively. This will eventually render the extension unnecessary. For the moment, however, please follow the instructions below.
*В In other words: you can get hCaptcha Privacy Pass tokens on hCaptcha.com, and use them on other sites directly using hCaptcha.com. You can not get or redeem hCaptcha Privacy Pass tokens to bypass the hCaptcha service as used by Cloudflare, since Cloudflare issues and redeems its own Privacy Pass tokens.
Getting started
First, install the extension for Firefox or Chrome. Make sure you’ve enabled the extension in incognito mode. Then, visit any website using hCaptcha and solve a captcha. As of version 2.0.3, you can redeem these tokens on websites using hCaptcha.
Once you’ve got the extension installed, click here (or on any hCaptcha-using website) to earn passes:
Please note: this feature is currently in beta, and may not work for all websites and users all of the time. In the event that it is not enabled or does not work for a particular user, the behavior will simply fall back to the standard hCaptcha experience with no loss of functionality.
‍
A new icon will appear next to your URLВ bar. Now visit a website using hCaptcha. It will look like this:
which means the wallet is empty, and you are on a site that includes an hCaptcha challenge. Once you complete the challenge, you will earn tokens that can be redeemed on any other website with hCaptcha.
A count of the current total in your wallet will be shown on the icon after completing the challenge.
You can confirm the extension is working by seeing the counter go down by 1 each time you click
the challenge after your initial solve.
And that’s it!В Your online browsing is now more private.
Developers and cryptographers:
‍
If you would like to track the standardization effort, efforts are currently underway at IETFВ CFRGВ to standardize the Oblivious Pseudorandom Functions underlying the cryptographic security of Privacy Pass. The protocol itself is going through the draft process as well. And the browser extension is of course open source for your contributions and review.
Q:В Is my IP and browsing history completely private from hCaptcha when using Privacy Pass?
A:В Privacy Pass users of hCaptcha will never expose their IP to hCaptcha unless their browser’s token wallet is empty or the site sends it. hCaptcha has no way to link the user to the token redemption, and does not ever interact directly with the user during redemption unless their token wallet is empty.
Q:В How does Privacy Pass affect hCaptcha earnings?
A:В You will earn a reward for the initial solve if the user completes it on your site. Redemptions follow the same response pattern as if the user had auto-passed on your site due to high client confidence:В no earning occurs, and the siteverify call from your server receives a `credit:В False` in the pass results.
Q:В If IВ have Privacy Pass passes issued by another provider, can IВ redeem them on hCaptcha?
A:В No, passes are not interoperable:В they must be issued and redeemed by the same authority, in this case hCaptcha. Note that if you have passes from both Cloudflare and hCaptcha in your extension, the number available will change to the correct amount depending on the requirement of the page you are visiting. In other words, if you have 100 Cloudflare passes in your wallet and 10 hCaptcha passes, you should see 10 on the extension icon on pages with hCaptcha embedded.
Q:В What other applications of Privacy Pass are you working on?
A:В We are very interested in Privacy Pass for the Accessibility («a11y») use case. Previously popular options like audio captchas discriminate against many a11y users. We believe combining our current a11y approach with Privacy Pass issuance will allow a11y users to browse safely, secure in the knowledge that their traffic is more private, while restricting the abuse by bot operators that inevitably occurs when a11y options are available.
Q:В Do other online security services support Privacy Pass?
A:В hCaptcha is the first service of its kind that supports Privacy Pass, and is currently the only one to do so. However, we expect other services to recognize the advantages of increasing user privacy online, and expect that in the future more will undertake implementations as the IETFВ standards that we are helping to develop are formally adopted.
User Guide:В Debugging Issues with Privacy Pass Issuance and Validation
Privacy Pass is a new invention by the standards of the Web, and it is possible for other applications and browser extensions that are not aware of it to interfere with its functionality.
If you have issues getting or redeeming tokens:
‍
1. Try one of the other supported browsers:В if you’re on Chrome, try using Firefox without importing your settings from Chrome, and install the plugin there. If that works, you may have a browser configuration issue.
‍
2. Try disabling other extensions. If that solves it, turn them on one by one until you find the problem, and let the developer of that extension know about it, as well as giving us a heads up at [email protected]
3. If none of the above suggestions works, send us a support email and we’ll be happy to help figure out what’s going on.
CovPass 12+
Ihr Corona-Impfnachweis
Robert Koch-Institut
Entwickelt für iPhone
iPhone-Screenshots
Beschreibung
Mit der CovPass-App können Sie digitale COVID-Zertifikate der EU auf das Smartphone laden und sicher nachweisen.
Das Robert Koch-Institut (RKI) als zentrale Einrichtung des Bundes im Bereich der Öffentlichen Gesundheit und als nationales Public-Health-Institut veröffentlicht die CovPass-App für die deutsche Bundesregierung. Mit der App lassen sich die digitalen COVID-Zertifikate der EU direkt auf dem Smartphone speichern. Wer sie nutzt, kann seinen Impfschutz oder seine Genesung schnell und sicher nachweisen. Mit der App können auch die digitalen COVID-Zertifikate der EU von anderen Personen (zum Beispiel Familienangehörige) auf dem Smartphone gespeichert werden. Die Nutzerinnen und Nutzer der App entscheiden, wann und wem sie ihre Informationen und Daten vorzeigen.
WIE DIE APP FUNKTIONIERT
Der Nachweis über Corona-Impfungen und über die Genesung von einer Corona-Infektion ist die zentrale Funktion der CovPass-App. Wann immer Nutzerinnen und Nutzer ihren Corona-Status nachweisen, werden nur die für die Überprüfung notwendigen Informationen und Daten per QR-Code angezeigt.
Der QR-Code gibt Auskunft über die Gültigkeit eines Impf- oder Genesenenzertifikats. Zur eindeutigen Identifikation werden zudem der Name und das Geburtsdatum bei einer Überprüfung angezeigt.
Corona-Impfungen werden auf Wunsch mit dem digitalen COVID-Impfzertifikat der EU bescheinigt. Das Zertifikat wird nach der Impfung vom medizinischen Personal erstellt. Es enthält einen QR-Code, der mit der CovPass-App gescannt werden kann. Halten Sie dazu die Kamera des Smartphones über den QR-Code. Anschließend werden alle Informationen des Zertifikats direkt auf das Smartphone geladen und der aktuelle QR-Code erscheint auf dem Startbildschirm der App. Dieser kann nun bei Bedarf mit der CovPass-App vorgezeigt werden.
Genesungen von einer Corona-Infektion werden mit dem digitalen COVID-Genesenenzertifikat der EU bescheinigt. Das Genesenenzertifikat erhalten Sie nach überstandener Corona-Erkrankung von Ihrer Hausärztin oder Ihrem Hausarzt oder vom ortsansässigen Gesundheitsamt. Es enthält einen QR-Code, der mit der App gescannt werden kann. Das Genesenenzertifikat wird anschließend auf dem Smartphone dokumentiert.
Auch digitale COVID-Zertifikate der EU von anderen Personen (zum Beispiel Familienangehörige) können auf dem Smartphone verwaltet werden.
Die Daten des digitalen COVID-Zertifikats der EU sind lokal auf dem Smartphone gespeichert. Nur die Nutzerinnen und Nutzer entscheiden, wann und wem sie die Informationen und Daten vorzeigen.
WIE DIE DATEN SICHER BLEIBEN
Der Datenschutz bleibt über die gesamte Nutzungsdauer gewahrt.
• Keine Anmeldung: Es ist keine Registrierung mit einer E-Mail-Adresse notwendig.
• Lokale Datenspeicherung: Ihre vollständigen Daten sind nur auf Ihrem Smartphone gespeichert.
• Datensparsamkeit: Der QR-Code wird mit dem in der EU abgestimmten minimalen Datenumfang angezeigt. Nach der Prüfung des QR-Codes werden nur der Status des Zertifikats, der Name und das Geburtsdatum angezeigt.
• Kryptografische Sicherheit: Der QR-Code ist mit einer starken Signatur geschützt und kann nicht gefälscht werden.
Privacy pass что это
Privacy Pass Extension
The Privacy Pass protocol is now being standardised by the privacypass IETF working group. All contributions are welcome! See the GitHub page for more details.
The Privacy Pass browser extension implements the Privacy Pass protocol for providing a private authentication mechanism during web browsing. Privacy Pass is currently supported by Cloudflare to allow users to redeem validly signed tokens instead of completing CAPTCHA solutions. The extension is compatible with Chrome and Firefox (v48+). An example server implementation that is compatible with this extension is available here.
The protocol we use is based on a realization of a ‘Verifiable, Oblivious Pseudorandom Function’ (VOPRF) first established by Jarecki et al.. We also detail the entire protocol and results from this deployment in a research paper that appeared at PETS 2018 (Issue 3).
In October 2021, we announced a new major version (v3) as mentioned in the blog post which makes the code base more resilient, extensible, and maintainable.
After that, the dist folder will contain all files required by the extension.
Cryptography is implemented using the elliptic-curve library SJCL and compression of points is done in accordance with the standard SEC1. This work uses the NIST standard P256 elliptic curve for performing operations. Third-party implementers should note that the outputs of the hash-to-curve, key derivation, and point encoding functions must match their Go equivalents exactly for interaction with our server implementation. More information about this will be provided when the edge implementation is open-sourced.
The creation of the Privacy Pass protocol was a joint effort by the team made up of George Tankersley, Ian Goldberg, Nick Sullivan, Filippo Valsorda and Alex Davidson.
We would also like to thank Eric Tsai for creating the logo and extension design, Dan Boneh for helping us develop key parts of the protocol, as well as Peter Wu and Blake Loring for their helpful code reviews. We would also like to acknowledge Sharon Goldberg, Christopher Wood, Peter Eckersley, Brian Warner, Zaki Manian, Tony Arcieri, Prateek Mittal, Zhuotao Liu, Isis Lovecruft, Henry de Valence, Mike Perry, Trevor Perrin, Zi Lin, Justin Paine, Marek Majkowski, Eoin Brady, Aaran McGuire, and many others who were involved in one way or another and whose efforts are appreciated.
What do I have to do to acquire new passes?
Are passes stored after a browser restart?
Depending on your browser settings, the local storage of your browser may be cleared when it is restarted. Privacy Pass stores passes in local storage and so these will also be cleared. This behavior may also be observed if you clear out the cache of your browser.
About
Privacy Pass: a privacy-enhancing protocol and browser extension.