Privacy Pass : Bypassing Internet Challenges Anonymously. / Davidson, Alexander.

In: Proceedings on Privacy Enhancing Technologies, Vol. 2018, No. 3, 2018, p. 164-180.

Research output: Contribution to journalArticlepeer-review

Published

Standard

Privacy Pass : Bypassing Internet Challenges Anonymously. / Davidson, Alexander.

In: Proceedings on Privacy Enhancing Technologies, Vol. 2018, No. 3, 2018, p. 164-180.

Research output: Contribution to journalArticlepeer-review

Harvard

Davidson, A 2018, 'Privacy Pass: Bypassing Internet Challenges Anonymously', Proceedings on Privacy Enhancing Technologies, vol. 2018, no. 3, pp. 164-180. https://doi.org/10.1515/popets-2018-0026

APA

Davidson, A. (2018). Privacy Pass: Bypassing Internet Challenges Anonymously. Proceedings on Privacy Enhancing Technologies, 2018(3), 164-180. https://doi.org/10.1515/popets-2018-0026

Vancouver

Davidson A. Privacy Pass: Bypassing Internet Challenges Anonymously. Proceedings on Privacy Enhancing Technologies. 2018;2018(3):164-180. https://doi.org/10.1515/popets-2018-0026

Author

Davidson, Alexander. / Privacy Pass : Bypassing Internet Challenges Anonymously. In: Proceedings on Privacy Enhancing Technologies. 2018 ; Vol. 2018, No. 3. pp. 164-180.

BibTeX

@article{fcb651e0d8c943a683d039d900cdc7e7,
title = "Privacy Pass: Bypassing Internet Challenges Anonymously",
abstract = "The growth of content delivery networks (CDNs) has engendered centralized control over the serving of internet content. An unwanted by-product of this growth is that CDNs are fast becoming global arbiters for which content requests are allowed and which are blocked in an attempt to stanch malicious traffic. In particular, in some cases honest users-especially those behind shared IP addresses, including users of privacy tools such as Tor, VPNs, and I2P - can be unfairly targeted by attempted {\textquoteleft}catch-all solutions{\textquoteright} that assume these users are acting maliciously. In this work, we provide a solution to prevent users from being exposed to a disproportionate amount of internet challenges such as CAPTCHAs. These challenges are at the very least annoying and at their worst - when coupled with bad implementations - can completely block access from web resources. We detail a 1-RTT cryptographic protocol (based on an implementation of an oblivious pseudorandom function) that allows users to receive a significant amount of anonymous tokens for each challenge solution that they provide. These tokens can be exchanged in the future for access without having to interact with a challenge. We have implemented our initial solution in a browser extension named “Privacy Pass”, and have worked with the Cloudflare CDN to deploy compatible server-side components in their infrastructure. However, we envisage that our solution could be used more generally for many applications where anonymous and honest access can be granted (e.g., anonymous wiki editing). The anonymity guarantee of our solution makes it immediately appropriate for use by users of Tor/VPNs/ I2P. We also publish figures from Cloudflare indicating the potential impact from the global release of Privacy Pass.",
keywords = "Blinded Tokens, Anonymity, Oblivious PRF, Tor, CAPTCHA, Privacy, DLEQ, Content delivery networks",
author = "Alexander Davidson",
year = "2018",
doi = "10.1515/popets-2018-0026",
language = "English",
volume = "2018",
pages = "164--180",
journal = "Proceedings on Privacy Enhancing Technologies",
issn = "2299-0984",
publisher = "de Gruyter",
number = "3",

}

RIS

TY - JOUR

T1 - Privacy Pass

T2 - Bypassing Internet Challenges Anonymously

AU - Davidson, Alexander

PY - 2018

Y1 - 2018

N2 - The growth of content delivery networks (CDNs) has engendered centralized control over the serving of internet content. An unwanted by-product of this growth is that CDNs are fast becoming global arbiters for which content requests are allowed and which are blocked in an attempt to stanch malicious traffic. In particular, in some cases honest users-especially those behind shared IP addresses, including users of privacy tools such as Tor, VPNs, and I2P - can be unfairly targeted by attempted ‘catch-all solutions’ that assume these users are acting maliciously. In this work, we provide a solution to prevent users from being exposed to a disproportionate amount of internet challenges such as CAPTCHAs. These challenges are at the very least annoying and at their worst - when coupled with bad implementations - can completely block access from web resources. We detail a 1-RTT cryptographic protocol (based on an implementation of an oblivious pseudorandom function) that allows users to receive a significant amount of anonymous tokens for each challenge solution that they provide. These tokens can be exchanged in the future for access without having to interact with a challenge. We have implemented our initial solution in a browser extension named “Privacy Pass”, and have worked with the Cloudflare CDN to deploy compatible server-side components in their infrastructure. However, we envisage that our solution could be used more generally for many applications where anonymous and honest access can be granted (e.g., anonymous wiki editing). The anonymity guarantee of our solution makes it immediately appropriate for use by users of Tor/VPNs/ I2P. We also publish figures from Cloudflare indicating the potential impact from the global release of Privacy Pass.

AB - The growth of content delivery networks (CDNs) has engendered centralized control over the serving of internet content. An unwanted by-product of this growth is that CDNs are fast becoming global arbiters for which content requests are allowed and which are blocked in an attempt to stanch malicious traffic. In particular, in some cases honest users-especially those behind shared IP addresses, including users of privacy tools such as Tor, VPNs, and I2P - can be unfairly targeted by attempted ‘catch-all solutions’ that assume these users are acting maliciously. In this work, we provide a solution to prevent users from being exposed to a disproportionate amount of internet challenges such as CAPTCHAs. These challenges are at the very least annoying and at their worst - when coupled with bad implementations - can completely block access from web resources. We detail a 1-RTT cryptographic protocol (based on an implementation of an oblivious pseudorandom function) that allows users to receive a significant amount of anonymous tokens for each challenge solution that they provide. These tokens can be exchanged in the future for access without having to interact with a challenge. We have implemented our initial solution in a browser extension named “Privacy Pass”, and have worked with the Cloudflare CDN to deploy compatible server-side components in their infrastructure. However, we envisage that our solution could be used more generally for many applications where anonymous and honest access can be granted (e.g., anonymous wiki editing). The anonymity guarantee of our solution makes it immediately appropriate for use by users of Tor/VPNs/ I2P. We also publish figures from Cloudflare indicating the potential impact from the global release of Privacy Pass.

KW - Blinded Tokens

KW - Anonymity

KW - Oblivious PRF

KW - Tor

KW - CAPTCHA

KW - Privacy

KW - DLEQ

KW - Content delivery networks

U2 - 10.1515/popets-2018-0026

DO - 10.1515/popets-2018-0026

M3 - Article

VL - 2018

SP - 164

EP - 180

JO - Proceedings on Privacy Enhancing Technologies

JF - Proceedings on Privacy Enhancing Technologies

SN - 2299-0984

IS - 3

ER -