Cloudflare announced they’re trying to replace Captchas, they’re saying that their “proof of manufacturer” is “non-traceable” but also “unique”?
Is it really not traceable in a way that it could be used by Tor users or not?
The threat model looks like this:
- they could assign a cookie to your request and make it trace users down to a single hardware token. They admit this in the announcement, saying they won’t do this, but I’m not sold.
- as far as I understand, they could also build up a list of profiles based on these certificates of personhood, which, as they say, are the same for 100k hardware keys. It should not sound super secure, as not all 100k keys will hit Cloudflare in a meaningful time period. If you, say, used it in Tor Browser and then used it on your regular browser the same day, it would drastically narrow the number of possible users.
So to me, it is not safe, unique but also kind of traceable.
Yeah thanks, nobody would agree to “trust” a company when using Tor, so this is clearly not a replacement for Captchas for the majority of cases.
Maybe for VPN users it’s a fine option, but an American company can’t ever be trusted; intelligence agencies would love to have backdoors in a service capable of identifying users behind VPN and Tor.