Cloudflare is working with the makers of Chrome, Edge, and Firefox on a new way for websites to tell whether incoming traffic is legitimate – without resorting to the usual mix of CAPTCHAs, logins, and extra tracking.
The system is called Private Access Control Tokens, or PACT, and it arrives at a time when bots have surpassed human traffic online.
Please stop supporting Cloudflare so the internet spent become one single company.
This sounds a lot like fingerprinting under the false flag of making user experience better.
MOZILLA WAS THE CHOSEN ONE. You were supposed to bring balance!
Do not lump autonomous agents in with humans wtf
The basic idea is that sites with strong knowledge of “personhood” can issue anonymous tokens. A user’s browser can then present those tokens elsewhere as proof that a human is involved, or that an automated agent is acting on behalf of one, without revealing the person’s identity or browsing history.
These issuers will 100% sell these identifiers to be matched up with other databases.
Why do you assume it’s one static unchanging token? That’s not how cryptography works, you can issue virtually unlimited signatures or challenges/responses without the other party knowing your private key
It really depends on the implementation tho. Since Firefox is foss i hope this wont be a proprietary blob so we can actually hold them accountable
There’s what companies admit to publicly, and then there’s what they’re working on behind closed doors.
Most EULA have vague lines like “We will use your data to improve our services” which translates to something like: Your data is used in the services we sell.
Perhaps there would be a legal argument against shit like this, but how do you prove it in court? Even if you get discovery the odds of them offering up database tables they’ve hidden away that key up users to the data is never gonna happen. You’d have to report it as an insider.
Maybe we should be offering up $10m+ whistleblower bounties for stuff like this, because short of giving someone a golden parachute they’re sure as shit not going to lose their careers over it.
Clearly, they haven’t heard of proof of work.
Ask tor, it helps tremendously.
Hidden services went from being absolutely horribly unreliable to being very reliable.
It only slows down bots. If a bot is willing to do the PoW then it can get right through.
That’s true, but I don’t really truly think bots need to be entirely stopped. I think they need to be more limited so that they can’t just overwhelm a website. And proof of work will do that.
It depends on the site. For a blog PoW is perfect, however if someone like Facebook or YouTube switched to only PoW then the spam would entirely dominate and make the site unusable.
You make it sound like thats a bad thing.
I think that would depend a lot on the amount of servers serving that service.
If you’ve only got one server, then the proof of work is going to ramp up quite quickly because of the fact that it can only serve so many requests at a time. If you have 10,000 servers serving the same website, then the proof of work would ramp up pretty slowly because then you can serve a ton more requests at once before needing to kick the proof of work up. Tor currently has a zero proof of work if the service is not under load at all, and then ramps the proof of work up as the service comes under more requests. My thought would be to not have any point where there’s a zero proof of work and have a minimum proof of work required of one.
I don’t see any details here that make me understand how sites couldn’t just save the PACT and collude to build profiles.
I assume it would be something like a key that gets used to generate disposable signatures, not transmitted directly. But I’ve also been unable to find actual technical details, the article mentions a “GitHub proposal” without linking to it but i couldn’t find anything in their repos. Their blog has nothing either
Yeah I’m assuming the goal is some kind of cryptographic process that meets the stated goals. Publishing this news before actually having anything is obviously going to lead to nothing but skepticism though.
Yes. I would be quite surprised if that detail were present, since these folks seem to just want another way to track people and sell a higher quality profile.
This sounds a bit like a passport-stamping scheme. But the passport doesn’t have your name and photo on it. Hopefully it only stores verifiable stamps, but not who stamped it.
I hope they use this to tackle age verification. I’d like to just have a token to prove my age without handing over an actual ID to questionable companies.
I hope they use this to tackle age verification. I’d like to just have a token to prove my age without handing over an actual ID to questionable companies.
Nope, because what they want is not age verification. They want identity verification.
I had to solve two captchas last time I tried ordering groceries online.
Same here. I’m just going back to cash.
All of this “artificial intelligence security” just gets in the way of basic legal transactions, but all the yes men running it are too spineless to tell their bosses and shareholders how much money they’re losing.
“DO WE LOOK LIKE BOTS?”
No, but you look like bicycles 😁
