Replace CAPTCHAs with Private Access Tokens(developer.apple.com)
developer.apple.com
Replace CAPTCHAs with Private Access Tokens
https://developer.apple.com/videos/play/wwdc2022/10077/
18 コメント
This sounds like a great way to track people
Not enough info to track. The website only sees the url you’re going to and the fact you have a token.
So the token doesn't get recorded anywhere? I find that hard to believe
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
>The website knows only your URL and IP, which it has to know to make a connection.
>The device manufacturer (attester) knows only the device data required to attest your device, but can't tell what website you visited, and doesn’t know your IP.
>Cloudflare knows the site you visited, but doesn’t know any of your device or interaction information.
>The website knows only your URL and IP, which it has to know to make a connection.
>The device manufacturer (attester) knows only the device data required to attest your device, but can't tell what website you visited, and doesn’t know your IP.
>Cloudflare knows the site you visited, but doesn’t know any of your device or interaction information.
With how much data cloudflare has access to and how the market for data is, I don't believe it for a second that they can't correlate connections even if what you say is true
Then I guess its widespread adoption is inevitable, because if there's one thing corporations seem to be incapable of resisting is a more effective way of tracking people.
I can't upvote this enough, there's money in that and whoever owns the infrastructure stands to make money off the data.
"can't upvote this enough" because you think the cryptography is wrong, or because you didn't read the description?
Or because they think tracking is bad....?
The cryptography says tracking a token is not possible. So would you like to elaborate on that point?
I see you made a different comment about correlating connections but you can get a bunch of tokens at once and slowly go through the pile over several hours, as far as I know.
I see you made a different comment about correlating connections but you can get a bunch of tokens at once and slowly go through the pile over several hours, as far as I know.
Why would it not be possible? Is the code available for inspection?
Basically, the client picks some numbers, gets one derivative of those numbers signed, and presents a different derivative of its numbers to be verified.
With the right math, there's no way to connect the two transactions.
https://www.ietf.org/id/draft-ietf-privacypass-protocol-04.h...
https://privacypass.github.io/protocol/
With the right math, there's no way to connect the two transactions.
https://www.ietf.org/id/draft-ietf-privacypass-protocol-04.h...
https://privacypass.github.io/protocol/
In what situation does a proof-I-have-a-free-account (token) replace a proof-a-human-initiated-this-action (captcha)? Don't they have completely unrelated goals?
Related text-based explanation of Private Access Tokens.
Privacy Pass: Protocol Design Explanation
https://news.ycombinator.com/item?id=31818700
Privacy Pass: Protocol Design Explanation
https://news.ycombinator.com/item?id=31818700
mTLS and apple/google/other-idp signed short-lived client certs would acheive the same thing in my opinion. Bypass captcha if the client has a cert issued by a trusted idp.