
<!DOCTYPE html><html lang="en-us" dir="ltr"> <head><script async src="https://ot.www.cloudflare.com/public/vendor/onetrust/scripttemplates/otSDKStub.js" data-document-language="true" type="text/javascript" data-domain-script="b1e05d49-f072-4bae-9116-bdb78af15448"></script><meta name="HandheldFriendly" content="True"><meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="baidu-site-verification" content="KeThzeyMOr"><meta name="baidu-site-verification" content="code-NIlrS7gNhx"><meta charset="UTF-8"><!-- Review note: otSDKStub.js above is a cross-origin third-party script loaded without integrity/crossorigin (SRI) attributes, so each fetch is trusted as served; this head also carries two name="viewport" metas (this one and a second after the i.js script) that differ in minimum-scale, so which one the browser applies should be confirmed. --><meta name="description" content="Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet."><title>Privacy Pass</title><meta name="title" content="Privacy Pass"><meta name="msvalidate.01" content="CF295E1604697F9CAD18B5A232E871F6"><meta class="swiftype" name="language" data-type="string" content="en"><script src="/static/z/i.js" type="text/javascript" referrerpolicy="origin"></script><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="apple-touch-icon" sizes="180x180" href="/images/favicon-32x32.png"><link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-32x32.png"><link rel="mask-icon" href="/images/favicon-32x32.png" color="#f78100"><link rel="stylesheet" href="/themes/ashes.min.css"><link rel="sitemap" href="/sitemap.xml"><meta name="msapplication-TileColor" content="#da532c"><meta name="theme-color" content="#ffffff"><link rel="canonical" href="https://blog.cloudflare.com/tag/privacy-pass/"><link rel="alternate" type="application/rss+xml" title="Cloudflare Privacy Pass RSS Feed" href="/tag/privacy-pass/rss"><link rel="alternate" hreflang="en-us" href="https://blog.cloudflare.com/tag/privacy-pass/"><link rel="alternate" hreflang="de-de" 
href="https://blog.cloudflare.com/de-de/tag/privacy-pass/"><link rel="alternate" hreflang="es-es" href="https://blog.cloudflare.com/es-es/tag/privacy-pass/"><link rel="alternate" hreflang="fr-fr" href="https://blog.cloudflare.com/fr-fr/tag/privacy-pass/"><link rel="alternate" hreflang="ja-jp" href="https://blog.cloudflare.com/ja-jp/tag/privacy-pass/"><link rel="alternate" hreflang="zh-tw" href="https://blog.cloudflare.com/zh-tw/tag/privacy-pass/"><link rel="alternate" hreflang="zh-cn" href="https://blog.cloudflare.com/zh-cn/tag/privacy-pass/"><!-- General Meta Tags --><meta property="article:publisher" content="https://www.facebook.com/cloudflare"><!-- Facebook Meta Tags --><meta property="og:site_name" content="The Cloudflare Blog"><meta property="og:type" content="website"><meta property="og:title" content="The Cloudflare Blog: Privacy Pass"><meta property="og:description" content="Collection of Cloudflare blog posts tagged 'Privacy Pass'"><meta property="og:url" content="https://blog.cloudflare.com/tag/privacy-pass/"><meta property="og:image:width" content="1200"><meta property="og:image:height" content="628"><!-- Twitter/X Meta Tags --><meta name="twitter:title" content="The Cloudflare Blog: Privacy Pass"><meta name="twitter:description" content="Collection of Cloudflare blog posts tagged 'Privacy Pass'"><meta name="twitter:url" content="https://blog.cloudflare.com/tag/privacy-pass/"><meta name="twitter:card" content="summary_large_image"><meta name="twitter:site" content="@cloudflare"><meta property="og:image"><meta name="twitter:image"><link rel="stylesheet" href="/_astro/index.Bpd2cWaZ.css"></head><style>astro-island,astro-slot,astro-static-slot{display:contents}</style><!-- Astro island runtime (build-inlined, minified). First IIFE registers the "only" client directive as Astro.only; second IIFE defines the <astro-island> custom element, which reads component-url / renderer-url / component-export / props / client / opts from its own attributes and dynamically imports the component module. Those attributes arrive in the server-rendered markup, so they carry the same trust as the HTML itself. --><script>/* Astro.only: a directive is a function taking a thunk that resolves to the hydrate callback; "only" invokes it immediately */(()=>{var e=async t=>{await(await t())()};(self.Astro||(self.Astro={})).only=e;window.dispatchEvent(new Event("astro:only"));})();;/* d(obj,key,value): defineProperty helper used below for instance and static fields */(()=>{var A=Object.defineProperty;var g=(i,o,a)=>o in i?A(i,o,{enumerable:!0,configurable:!0,writable:!0,value:a}):i[o]=a;var d=(i,o,a)=>g(i,typeof 
o!="symbol"?o+"":o,a);{/* props reviver: every serialized value is a [typeTag,payload] pair; tags 0-11 map to plain object, array, RegExp, Date, Map, Set, BigInt, URL, Uint8/16/32Array and 1/0*payload (signed Infinity); an unknown tag revives as undefined */let i={0:t=>m(t),1:t=>a(t),2:t=>new RegExp(t),3:t=>new Date(t),4:t=>new Map(a(t)),5:t=>new Set(a(t)),6:t=>BigInt(t),7:t=>new URL(t),8:t=>new Uint8Array(t),9:t=>new Uint16Array(t),10:t=>new Uint32Array(t),11:t=>1/0*t},o=t=>{let[l,e]=t;return l in i?i[l](e):void 0},a=t=>t.map(o),m=t=>typeof t!="object"||t===null?t:Object.fromEntries(Object.entries(t).map(([l,e])=>[l,o(e)]));/* the <astro-island> element */class y extends HTMLElement{constructor(){super(...arguments);d(this,"Component");d(this,"hydrator");/* hydrate: no-op until a hydrator is set and the element is connected; defers to an enclosing astro-island[ssr] (re-runs on its astro:hydrate); collects template[data-astro-template] (removed after reading) and astro-slot innerHTML into a name->html map; JSON-parses and revives the props attribute, logging and rethrowing on parse failure; then calls the hydrator, drops the ssr attribute and fires astro:hydrate */d(this,"hydrate",async()=>{var b;if(!this.hydrator||!this.isConnected)return;let e=(b=this.parentElement)==null?void 0:b.closest("astro-island[ssr]");if(e){e.addEventListener("astro:hydrate",this.hydrate,{once:!0});return}let c=this.querySelectorAll("astro-slot"),n={},h=this.querySelectorAll("template[data-astro-template]");for(let r of h){let s=r.closest(this.tagName);s!=null&&s.isSameNode(this)&&(n[r.getAttribute("data-astro-template")||"default"]=r.innerHTML,r.remove())}for(let r of c){let s=r.closest(this.tagName);s!=null&&s.isSameNode(this)&&(n[r.getAttribute("name")||"default"]=r.innerHTML)}let p;try{p=this.hasAttribute("props")?m(JSON.parse(this.getAttribute("props"))):{}}catch(r){let s=this.getAttribute("component-url")||"<unknown>",v=this.getAttribute("component-export");throw v&&(s+=` (export ${v})`),console.error(`[hydrate] Error parsing props for component ${s}`,this.getAttribute("props"),r),r}let u;await this.hydrator(this)(this.Component,p,n,{client:this.getAttribute("client")}),this.removeAttribute("ssr"),this.dispatchEvent(new CustomEvent("astro:hydrate"))});/* unmount: fires astro:unmount once the element is no longer connected */d(this,"unmount",()=>{this.isConnected||this.dispatchEvent(new 
CustomEvent("astro:unmount"))})}disconnectedCallback(){document.removeEventListener("astro:after-swap",this.unmount),document.addEventListener("astro:after-swap",this.unmount,{once:!0})}/* connectedCallback: with await-children set and the document still loading, waits for the trailing "astro:end" comment node (via MutationObserver) or DOMContentLoaded before starting */connectedCallback(){if(!this.hasAttribute("await-children")||document.readyState==="interactive"||document.readyState==="complete")this.childrenConnectedCallback();else{let e=()=>{document.removeEventListener("DOMContentLoaded",e),c.disconnect(),this.childrenConnectedCallback()},c=new MutationObserver(()=>{var n;((n=this.lastChild)==null?void 0:n.nodeType)===Node.COMMENT_NODE&&this.lastChild.nodeValue==="astro:end"&&(this.lastChild.remove(),e())});c.observe(this,{childList:!0}),document.addEventListener("DOMContentLoaded",e)}}async childrenConnectedCallback(){let e=this.getAttribute("before-hydration-url");e&&await import(e),this.start()}/* start: parses the opts attribute, waits for the client directive (Astro[client]) to be registered if it is not yet, then hands the directive a thunk that imports component-url and renderer-url; a dotted component-export is resolved as a property path on the module */async start(){let e=JSON.parse(this.getAttribute("opts")),c=this.getAttribute("client");if(Astro[c]===void 0){window.addEventListener(`astro:${c}`,()=>this.start(),{once:!0});return}try{await Astro[c](async()=>{let n=this.getAttribute("renderer-url"),[h,{default:p}]=await Promise.all([import(this.getAttribute("component-url")),n?import(n):()=>()=>{}]),u=this.getAttribute("component-export")||"default";if(!u.includes("."))this.Component=h[u];else{this.Component=h;for(let f of u.split("."))this.Component=this.Component[f]}return this.hydrator=p,this.hydrate},e,this)}catch(n){console.error(`[astro-island] Error hydrating ${this.getAttribute("component-url")}`,n)}}/* only "props" is observed (see observedAttributes below), so any later change to that attribute re-runs hydrate */attributeChangedCallback(){this.hydrate()}}d(y,"observedAttributes",["props"]),customElements.get("astro-island")||customElements.define("astro-island",y)}})();</script><!-- GoogleAnalytics island, client="only": hydrated through the Astro.only directive registered above --><astro-island uid="Zxjr34" component-url="/_astro/GoogleAnalytics.DSjxwi8U.js" component-export="GoogleAnalytics" renderer-url="/_astro/client.DLO1yDVm.js" props="{&quot;title&quot;:[0,&quot;Privacy 
Pass&quot;],&quot;canonical&quot;:[0,&quot;https://blog.cloudflare.com/tag/privacy-pass&quot;],&quot;info&quot;:[0],&quot;tagInfo&quot;:[0,{&quot;id&quot;:[0,&quot;3ZtL0yV0R4ScAreV1dTfIY&quot;],&quot;slug&quot;:[0,&quot;privacy-pass&quot;],&quot;url&quot;:[0,&quot;https://blog.cloudflare.com/privacy-pass&quot;],&quot;name&quot;:[0,&quot;Privacy Pass&quot;],&quot;visibility&quot;:[0,&quot;public&quot;],&quot;feature_image&quot;:[0,&quot;&quot;]}],&quot;authorInfo&quot;:[0],&quot;translatedPosts&quot;:[1,[]]}" ssr client="only" opts="{&quot;name&quot;:&quot;GoogleAnalytics&quot;,&quot;value&quot;:&quot;react&quot;}"></astro-island><!-- Astro "idle" client directive (build-inlined, minified) --><script>/* Astro.idle(thunk, opts): schedules the hydrate callback with requestIdleCallback, passing {timeout} from opts.value.timeout when opts.value is an object; where requestIdleCallback is absent it falls back to setTimeout with that timeout or 200 ms */(()=>{var l=(n,t)=>{let i=async()=>{await(await n())()},e=typeof t.value=="object"?t.value:void 0,s={timeout:e==null?void 0:e.timeout};"requestIdleCallback"in window?window.requestIdleCallback(i,s):setTimeout(i,s.timeout||200)};(self.Astro||(self.Astro={})).idle=l;window.dispatchEvent(new Event("astro:idle"));})();</script><!-- Navigation island, client="idle"; its props attribute (title, logo, nav entries, translations) continues on the following lines --><astro-island uid="DLSDj" prefix="r8" component-url="/_astro/Navigation.CSu6dGvY.js" component-export="Navigation" renderer-url="/_astro/client.DLO1yDVm.js" props="{&quot;title&quot;:[0,&quot;The Cloudflare 
Blog&quot;],&quot;logo&quot;:[0,&quot;//images.ctfassets.net/zkvhlag99gkb/69RwBidpiEHCDZ9rFVVk7T/092507edbed698420b89658e5a6d5105/CF_logo_stacked_blktype.png&quot;],&quot;pagesStore&quot;:[0,{&quot;page&quot;:[0,&quot;Tag&quot;],&quot;slug&quot;:[0,&quot;privacy-pass&quot;],&quot;translationsAvailable&quot;:[1,[[0,&quot;de-de&quot;],[0,&quot;es-es&quot;],[0,&quot;fr-fr&quot;],[0,&quot;ja-jp&quot;],[0,&quot;zh-tw&quot;],[0,&quot;zh-cn&quot;]]],&quot;navData&quot;:[1,[[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;J61Eszqn98amrYHq4IhTx&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T19:43:46.068Z&quot;],&quot;updatedAt&quot;:[0,&quot;2025-02-24T08:02:58.555Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,67],&quot;revision&quot;:[0,29],&quot;contentType&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;Zero Trust&quot;],&quot;name&quot;:[0,&quot;Zero 
Trust&quot;],&quot;slug&quot;:[0,&quot;zero-trust&quot;],&quot;featured&quot;:[0,true]}]}],[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;5kZtWqjqa7aOUoZr8NFGwI&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T19:43:26.040Z&quot;],&quot;updatedAt&quot;:[0,&quot;2025-02-18T05:02:47.858Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,106],&quot;revision&quot;:[0,33],&quot;contentType&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;Cloudflare 
Radar&quot;],&quot;name&quot;:[0,&quot;Radar&quot;],&quot;slug&quot;:[0,&quot;cloudflare-radar&quot;],&quot;featured&quot;:[0,true]}]}],[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;6Mp7ouACN2rT3YjL1xaXJx&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T19:42:46.231Z&quot;],&quot;updatedAt&quot;:[0,&quot;2025-02-18T05:02:46.749Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,66],&quot;revision&quot;:[0,23],&quot;contentType&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;Security&quot;],&quot;name&quot;:[0,&quot;Security&quot;],&quot;slug&quot;:[0,&quot;security&quot;],&quot;featured&quot;:[0,true]}]}],[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;6Foe3R8of95cWVnQwe5Toi&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T22:44:28.803Z&quot;],&quot;updatedAt&quot;:[0,&quot;2025-02-10T05:02:55.192Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,62],&quot;revision
&quot;:[0,23],&quot;contentType&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;AI&quot;],&quot;name&quot;:[0,&quot;AI&quot;],&quot;slug&quot;:[0,&quot;ai&quot;],&quot;featured&quot;:[0,true]}]}],[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;6QktrXeEFcl4e2dZUTZVGl&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T19:43:20.198Z&quot;],&quot;updatedAt&quot;:[0,&quot;2025-02-04T17:23:05.518Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,57],&quot;revision&quot;:[0,24],&quot;contentType&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;Product News&quot;],&quot;name&quot;:[0,&quot;Product 
News&quot;],&quot;slug&quot;:[0,&quot;product-news&quot;],&quot;featured&quot;:[0,true]}]}],[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;4HIPcb68qM0e26fIxyfzwQ&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T19:43:21.536Z&quot;],&quot;updatedAt&quot;:[0,&quot;2025-02-04T17:19:33.689Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,59],&quot;revision&quot;:[0,26],&quot;contentType&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;Developers&quot;],&quot;name&quot;:[0,&quot;Developers&quot;],&quot;slug&quot;:[0,&quot;developers&quot;],&quot;featured&quot;:[0,true]}]}],[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;48r7QV00gLMWOIcM1CSDRy&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T19:54:22.790Z&quot;],&quot;updatedAt&quot;:[0,&quot;2025-02-04T17:17:33.067Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,59],&quot;revision&quot;:[0,26],&quot;contentType&quot;:
[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;Speed &amp; Reliability&quot;],&quot;name&quot;:[0,&quot;Speed &amp; Reliability&quot;],&quot;slug&quot;:[0,&quot;speed-and-reliability&quot;],&quot;featured&quot;:[0,true]}]}],[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;V86khSc459Yi1AhTlvtY7&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T19:46:53.657Z&quot;],&quot;updatedAt&quot;:[0,&quot;2025-02-04T17:12:59.473Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,57],&quot;revision&quot;:[0,21],&quot;contentType&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;Partners&quot;],&quot;name&quot;:[0,&quot;Partners&quot;],&quot;slug&quot;:[0,&quot;partners&quot;],&quot;featured&quot;:[0,true]}]}],[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;4g8tPriKOAUwdUT4jNPebe&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T19:46:40.927Z&quot;
],&quot;updatedAt&quot;:[0,&quot;2025-02-04T17:11:28.566Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,55],&quot;revision&quot;:[0,24],&quot;contentType&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;Life at Cloudflare&quot;],&quot;name&quot;:[0,&quot;Life at Cloudflare&quot;],&quot;slug&quot;:[0,&quot;life-at-cloudflare&quot;],&quot;featured&quot;:[0,true]}]}],[0,{&quot;metadata&quot;:[0,{&quot;tags&quot;:[1,[]],&quot;concepts&quot;:[1,[]]}],&quot;sys&quot;:[0,{&quot;space&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Space&quot;],&quot;id&quot;:[0,&quot;zkvhlag99gkb&quot;]}]}],&quot;id&quot;:[0,&quot;16yk8DVbNNifxov5cWvAov&quot;],&quot;type&quot;:[0,&quot;Entry&quot;],&quot;createdAt&quot;:[0,&quot;2024-10-09T19:56:23.848Z&quot;],&quot;updatedAt&quot;:[0,&quot;2025-01-29T05:03:35.958Z&quot;],&quot;environment&quot;:[0,{&quot;sys&quot;:[0,{&quot;id&quot;:[0,&quot;master&quot;],&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;Environment&quot;]}]}],&quot;publishedVersion&quot;:[0,63],&quot;revision&quot;:[0,28],&quot;contentType&quot;:[0,{&quot;sys&quot;:[0,{&quot;type&quot;:[0,&quot;Link&quot;],&quot;linkType&quot;:[0,&quot;ContentType&quot;],&quot;id&quot;:[0,&quot;blogTag&quot;]}]}],&quot;locale&quot;:[0,&quot;en-US&quot;]}],&quot;fields&quot;:[0,{&quot;entryTitle&quot;:[0,&quot;Policy &amp; Legal&quot;],&quot;name&quot;:[0,&quot;Policy &amp; 
Legal&quot;],&quot;slug&quot;:[0,&quot;policy&quot;],&quot;featured&quot;:[0,true]}]}]]]}],&quot;locale&quot;:[0,&quot;en-us&quot;],&quot;translations&quot;:[0,{&quot;posts.by&quot;:[0,&quot;By&quot;],&quot;footer.gdpr&quot;:[0,&quot;GDPR&quot;],&quot;lang_blurb1&quot;:[0,&quot;This post is also available in {lang1}.&quot;],&quot;lang_blurb2&quot;:[0,&quot;This post is also available in {lang1} and {lang2}.&quot;],&quot;lang_blurb3&quot;:[0,&quot;This post is also available in {lang1}, {lang2} and {lang3}.&quot;],&quot;footer.press&quot;:[0,&quot;Press&quot;],&quot;header.title&quot;:[0,&quot;The Cloudflare Blog&quot;],&quot;search.clear&quot;:[0,&quot;Clear&quot;],&quot;search.filter&quot;:[0,&quot;Filter&quot;],&quot;search.source&quot;:[0,&quot;Source&quot;],&quot;footer.careers&quot;:[0,&quot;Careers&quot;],&quot;footer.company&quot;:[0,&quot;Company&quot;],&quot;footer.support&quot;:[0,&quot;Support&quot;],&quot;footer.the_net&quot;:[0,&quot;theNet&quot;],&quot;search.filters&quot;:[0,&quot;Filters&quot;],&quot;footer.our_team&quot;:[0,&quot;Our team&quot;],&quot;footer.webinars&quot;:[0,&quot;Webinars&quot;],&quot;page.more_posts&quot;:[0,&quot;More posts&quot;],&quot;posts.time_read&quot;:[0,&quot;{time} min read&quot;],&quot;search.language&quot;:[0,&quot;Language&quot;],&quot;footer.community&quot;:[0,&quot;Community&quot;],&quot;footer.resources&quot;:[0,&quot;Resources&quot;],&quot;footer.solutions&quot;:[0,&quot;Solutions&quot;],&quot;footer.trademark&quot;:[0,&quot;Trademark&quot;],&quot;header.subscribe&quot;:[0,&quot;Subscribe&quot;],&quot;footer.compliance&quot;:[0,&quot;Compliance&quot;],&quot;footer.free_plans&quot;:[0,&quot;Free plans&quot;],&quot;footer.impact_ESG&quot;:[0,&quot;Impact/ESG&quot;],&quot;posts.follow_on_X&quot;:[0,&quot;Follow on X&quot;],&quot;footer.help_center&quot;:[0,&quot;Help center&quot;],&quot;footer.network_map&quot;:[0,&quot;Network Map&quot;],&quot;header.please_wait&quot;:[0,&quot;Please 
Wait&quot;],&quot;page.related_posts&quot;:[0,&quot;Related posts&quot;],&quot;search.result_stat&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt; for &lt;strong&gt;{search_keyword}&lt;/strong&gt;&quot;],&quot;footer.case_studies&quot;:[0,&quot;Case Studies&quot;],&quot;footer.connect_2024&quot;:[0,&quot;Connect 2024&quot;],&quot;footer.terms_of_use&quot;:[0,&quot;Terms of Use&quot;],&quot;footer.white_papers&quot;:[0,&quot;White Papers&quot;],&quot;footer.cloudflare_tv&quot;:[0,&quot;Cloudflare TV&quot;],&quot;footer.community_hub&quot;:[0,&quot;Community Hub&quot;],&quot;footer.compare_plans&quot;:[0,&quot;Compare plans&quot;],&quot;footer.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.email_address&quot;:[0,&quot;Email Address&quot;],&quot;page.error.not_found&quot;:[0,&quot;Page not found&quot;],&quot;footer.developer_docs&quot;:[0,&quot;Developer docs&quot;],&quot;footer.privacy_policy&quot;:[0,&quot;Privacy Policy&quot;],&quot;footer.request_a_demo&quot;:[0,&quot;Request a demo&quot;],&quot;page.continue_reading&quot;:[0,&quot;Continue reading&quot;],&quot;footer.analysts_report&quot;:[0,&quot;Analyst reports&quot;],&quot;footer.for_enterprises&quot;:[0,&quot;For enterprises&quot;],&quot;footer.getting_started&quot;:[0,&quot;Getting Started&quot;],&quot;footer.learning_center&quot;:[0,&quot;Learning Center&quot;],&quot;footer.project_galileo&quot;:[0,&quot;Project Galileo&quot;],&quot;pagination.newer_posts&quot;:[0,&quot;Newer Posts&quot;],&quot;pagination.older_posts&quot;:[0,&quot;Older Posts&quot;],&quot;posts.social_buttons.x&quot;:[0,&quot;Discuss on X&quot;],&quot;search.icon_aria_label&quot;:[0,&quot;Search&quot;],&quot;search.source_location&quot;:[0,&quot;Source/Location&quot;],&quot;footer.about_cloudflare&quot;:[0,&quot;About Cloudflare&quot;],&quot;footer.athenian_project&quot;:[0,&quot;Athenian 
Project&quot;],&quot;footer.become_a_partner&quot;:[0,&quot;Become a partner&quot;],&quot;footer.cloudflare_radar&quot;:[0,&quot;Cloudflare Radar&quot;],&quot;footer.network_services&quot;:[0,&quot;Network services&quot;],&quot;footer.trust_and_safety&quot;:[0,&quot;Trust &amp; Safety&quot;],&quot;header.get_started_free&quot;:[0,&quot;Get Started Free&quot;],&quot;page.search.placeholder&quot;:[0,&quot;Search Cloudflare&quot;],&quot;footer.cloudflare_status&quot;:[0,&quot;Cloudflare Status&quot;],&quot;footer.cookie_preference&quot;:[0,&quot;Cookie Preferences&quot;],&quot;header.valid_email_error&quot;:[0,&quot;Must be valid email.&quot;],&quot;search.result_stat_empty&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt;&quot;],&quot;footer.connectivity_cloud&quot;:[0,&quot;Connectivity cloud&quot;],&quot;footer.developer_services&quot;:[0,&quot;Developer services&quot;],&quot;footer.investor_relations&quot;:[0,&quot;Investor relations&quot;],&quot;page.not_found.error_code&quot;:[0,&quot;Error Code: 404&quot;],&quot;search.autocomplete_title&quot;:[0,&quot;Insert a query. 
Press enter to send&quot;],&quot;footer.logos_and_press_kit&quot;:[0,&quot;Logos &amp; press kit&quot;],&quot;footer.application_services&quot;:[0,&quot;Application services&quot;],&quot;footer.get_a_recommendation&quot;:[0,&quot;Get a recommendation&quot;],&quot;posts.social_buttons.reddit&quot;:[0,&quot;Discuss on Reddit&quot;],&quot;footer.sse_and_sase_services&quot;:[0,&quot;SSE and SASE services&quot;],&quot;page.not_found.outdated_link&quot;:[0,&quot;You may have used an outdated link, or you may have typed the address incorrectly.&quot;],&quot;footer.report_security_issues&quot;:[0,&quot;Report Security Issues&quot;],&quot;page.error.error_message_page&quot;:[0,&quot;Sorry, we can&#39;t find the page you are looking for.&quot;],&quot;header.subscribe_notifications&quot;:[0,&quot;Subscribe to receive notifications of new posts:&quot;],&quot;footer.cloudflare_for_campaigns&quot;:[0,&quot;Cloudflare for Campaigns&quot;],&quot;header.subscription_confimation&quot;:[0,&quot;Subscription confirmed. 
Thank you for subscribing!&quot;],&quot;posts.social_buttons.hackernews&quot;:[0,&quot;Discuss on Hacker News&quot;],&quot;footer.diversity_equity_inclusion&quot;:[0,&quot;Diversity, equity &amp; inclusion&quot;],&quot;footer.critical_infrastructure_defense_project&quot;:[0,&quot;Critical Infrastructure Defense Project&quot;]}]}" ssr client="idle" opts="{&quot;name&quot;:&quot;NavigationComponent&quot;,&quot;value&quot;:true}" await-children><header class="flex flex-row flex-wrap justify-between items-flex-end mw8 center mv3 pl3 pr1"><div class="w-100 flex items-flex-end justify-between justify-start-l"><div class="w-100 tr flex justify-end"><div class="flex justify-between items-center"><span class="dn di-l pr1"><a href="https://dash.cloudflare.com/sign-up" class="f1 blue1 dn di-l b no-underline underline-hover" target="_blank" rel="noreferrer">Get Started Free</a></span><span class="f1 gray4 dn di-l pr1">|</span><span class="dn di-l"><a target="_blank" href="https://www.cloudflare.com/plans/enterprise/contact/" class="f1 gray4 no-underline underline-hover pr1" rel="noreferrer">Contact Sales</a></span><span class="f1 gray4 dn di-l pr1">|</span><div class="relative flex cf-dropdown"><div class="flex items-center" dir="ltr"><button type="button" class="f1 gray4 no-underline language-picker js-language-picker" style="background:transparent;border:none;padding:0"><span class="language-picker__globe-icon"></span><span class="language-picker__caret-icon ph1">▼</span></button></div></div></div></div></div><div class="w-100 w-50-l flex items-end nb5 nb1-l"><a href="/" class="header-logo mr4 dn db-l"><img class="header-logo" src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/69RwBidpiEHCDZ9rFVVk7T/092507edbed698420b89658e5a6d5105/CF_logo_stacked_blktype.png" alt="The Cloudflare Blog" width="170" height="57"/></a><h2 class="mt0 mb1 dn di-l"><a href="/" class="fw5 f5 gray3 no-underline"><span class="dn di-l">The Cloudflare Blog</span></a></h2></div><div class="w-100 
w-50-l dn db-l"><div class="w-100 tr mkto-sub-message"><p class="f2">Subscribe to receive notifications of new posts:</p></div><div class="w-100 tr"><div class="marketo-form-container"><form id="mktoForm_1653"><div class="top-subscribe-form-container"><div class="top-subscribe-form-field"><input placeholder="Email Address" class="top-subscribe-form-input" name="email" type="email" title="Must be valid email."/></div><button class="top-subscribe-form-button" type="button">Subscribe</button></div></form></div></div></div></header><nav dir="ltr" class="bb b--black-10 db dn-l w-100 ph3 "><div class=" flex justify-between items-center" style="height:44px"><a href="/search/"><img class="h-6 w-6" src="/images/magnifier.svg" alt="magnifier icon"/></a><button type="button" style="background:transparent;border:none"><img src="/images/hamburger.svg" alt="hamburger menu"/></button></div><div class="js-mobile-nav-container dn"><div class="flex flex-column flex-wrap bg-gray9 o-95 absolute w-90 ph3 z-1"><div class="pv3 ph2 tl"><a href="/tag/zero-trust/" class="no-underline gray1 f4 fw7">Zero Trust</a></div><div class="pv3 ph2 tl"><a href="/tag/cloudflare-radar/" class="no-underline gray1 f4 fw7">Radar</a></div><div class="pv3 ph2 tl"><a href="/tag/security/" class="no-underline gray1 f4 fw7">Security</a></div><div class="pv3 ph2 tl"><a href="/tag/ai/" class="no-underline gray1 f4 fw7">AI</a></div><div class="pv3 ph2 tl"><a href="/tag/product-news/" class="no-underline gray1 f4 fw7">Product News</a></div><div class="pv3 ph2 tl"><a href="/tag/developers/" class="no-underline gray1 f4 fw7">Developers</a></div><div class="pv3 ph2 tl"><a href="/tag/speed-and-reliability/" class="no-underline gray1 f4 fw7">Speed &amp; Reliability</a></div><div class="pv3 ph2 tl"><a href="/tag/partners/" class="no-underline gray1 f4 fw7">Partners</a></div><div class="pv3 ph2 tl"><a href="/tag/life-at-cloudflare/" class="no-underline gray1 f4 fw7">Life at Cloudflare</a></div><div class="pv3 ph2 tl"><a 
href="/tag/policy/" class="no-underline gray1 f4 fw7">Policy &amp; Legal</a></div></div></div></nav><nav id="nav" class="w-100 bb-0 bb-l b--black-10 z-1"><div id="desktop-nav-items-container" class="flex flex-wrap justify-between items-center mw8 center mv3 mv0-l"><div data-tag="zero-trust" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/zero-trust/" class="no-underline gray1 f2 fw5 pv3">Zero Trust</a></div><div data-tag="cloudflare-radar" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/cloudflare-radar/" class="no-underline gray1 f2 fw5 pv3">Radar</a></div><div data-tag="security" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/security/" class="no-underline gray1 f2 fw5 pv3">Security</a></div><div data-tag="ai" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/ai/" class="no-underline gray1 f2 fw5 pv3">AI</a></div><div data-tag="product-news" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/product-news/" class="no-underline gray1 f2 fw5 pv3">Product News</a></div><div data-tag="developers" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/developers/" class="no-underline gray1 f2 fw5 pv3">Developers</a></div><div data-tag="speed-and-reliability" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/speed-and-reliability/" class="no-underline gray1 f2 fw5 pv3">Speed &amp; Reliability</a></div><div data-tag="partners" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/partners/" class="no-underline gray1 f2 fw5 pv3">Partners</a></div><div data-tag="life-at-cloudflare" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/life-at-cloudflare/" class="no-underline gray1 f2 fw5 pv3">Life at Cloudflare</a></div><div data-tag="policy" class="nav-item nav-item-desktop ml3 mr2 dn db-l pv3"><a href="/tag/policy/" class="no-underline gray1 f2 fw5 pv3">Policy &amp; Legal</a></div><div class="nav-item ml2 mr3 dn db-l 
pv3" data-tag="search icon"><a href="/search/"><img id="search-icon" class="h-6 w-6" src="/images/magnifier.svg" alt="magnifier icon"/></a></div></div></nav><!--astro:end--></astro-island> <script>(()=>{var e=async t=>{await(await t())()};(self.Astro||(self.Astro={})).load=e;window.dispatchEvent(new Event("astro:load"));})();</script> <div class="flex flex-row flex-wrap mw8 center bb b--gray8 ph3"> <h1 class="site-title f7 fw4 mt4 mb3 mv4-l">Privacy Pass</h1> </div> <main id="site-main" class="flex flex-row flex-wrap mw8 center pt0 pt3-l mt4-l"> <astro-island uid="4GBCd" prefix="r0" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{&quot;currentPage&quot;:[0,1],&quot;isFeaturedImageFirstPost&quot;:[0,true],&quot;post&quot;:[0,{&quot;id&quot;:[0,&quot;47vZ5BZfqt5cU38XabKyUA&quot;],&quot;title&quot;:[0,&quot;Privacy Pass: upgrading to the latest protocol version&quot;],&quot;slug&quot;:[0,&quot;privacy-pass-standard&quot;],&quot;excerpt&quot;:[0,&quot;In this post, we explore the latest changes to Privacy Pass protocol. 
We are also excited to introduce a public implementation of the latest IETF draft of the Privacy Pass protocol — including a set of open-source templates that can be used to implement Privacy Pass Origins, Issuers, and Attesters&quot;],&quot;featured&quot;:[0,false],&quot;html&quot;:[0,&quot;&lt;p&gt;&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2LZJxp89GI8PxGwGSPRQJL/9cfe61e756369dcad6cb78f5ad89ec1f/image9.png\&quot; alt=\&quot;Privacy Pass: Upgrading to the latest protocol version\&quot; class=\&quot;kg-image\&quot; width=\&quot;1800\&quot; height=\&quot;1013\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;enabling-anonymous-access-to-the-web-with-privacy-preserving-cryptography\&quot;&gt;Enabling anonymous access to the web with privacy-preserving cryptography&lt;/h2&gt;\n &lt;a href=\&quot;#enabling-anonymous-access-to-the-web-with-privacy-preserving-cryptography\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The challenge of telling humans and bots apart is almost as old as the web itself. 
From online ticket vendors to dating apps, to ecommerce and finance — there are many legitimate reasons why you&amp;#39;d want to know if it&amp;#39;s a person or a machine knocking on the front door of your website.&lt;/p&gt;&lt;p&gt;Unfortunately, the tools for the web have traditionally been clunky and sometimes involved a bad user experience. None more so than the CAPTCHA — an irksome solution that humanity wastes a &lt;a href=\&quot;/introducing-cryptographic-attestation-of-personhood/\&quot;&gt;staggering&lt;/a&gt; amount of time on. A more subtle but intrusive approach is IP tracking, which uses IP addresses to identify and take action on suspicious traffic, but that too can come with &lt;a href=\&quot;/consequences-of-ip-blocking/\&quot;&gt;unforeseen consequences&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;And yet, the problem of distinguishing legitimate human requests from automated bots remains as vital as ever. This is why for years Cloudflare has invested in the Privacy Pass protocol — a novel approach to establishing a user’s identity by relying on cryptography, rather than crude puzzles — all while providing a streamlined, privacy-preserving, and often frictionless experience to end users.&lt;/p&gt;&lt;p&gt;Cloudflare began &lt;a href=\&quot;/cloudflare-supports-privacy-pass/\&quot;&gt;supporting Privacy Pass&lt;/a&gt; in 2017, with the release of browser extensions for Chrome and Firefox. Web admins with their sites on Cloudflare would have Privacy Pass enabled in the Cloudflare Dash; users who installed the extension in their browsers would see fewer CAPTCHAs on websites they visited that had Privacy Pass enabled.&lt;/p&gt;&lt;p&gt;Since then, Cloudflare &lt;a href=\&quot;/end-cloudflare-captcha/\&quot;&gt;stopped issuing CAPTCHAs&lt;/a&gt;, and Privacy Pass has come a long way. 
Apple uses a version of Privacy Pass for its &lt;a href=\&quot;https://developer.apple.com/news/?id=huqjyh7k\&quot;&gt;Private Access Tokens&lt;/a&gt; system which works in tandem with a device’s secure enclave to attest to a user’s humanity. And Cloudflare uses Privacy Pass as an important signal in our Web Application Firewall and Bot Management products — which means millions of websites natively offer Privacy Pass.&lt;/p&gt;&lt;p&gt;In this post, we explore the latest changes to Privacy Pass protocol. We are also excited to introduce a public implementation of the latest IETF draft of the &lt;a href=\&quot;https://www.ietf.org/archive/id/draft-ietf-privacypass-protocol-16.html\&quot;&gt;Privacy Pass protocol&lt;/a&gt; — including a &lt;a href=\&quot;https://github.com/cloudflare?q=pp-&amp;type=all&amp;language=&amp;sort=#org-repositories\&quot;&gt;set of open-source templates&lt;/a&gt; that can be used to implement Privacy Pass &lt;a href=\&quot;https://github.com/cloudflare/pp-origin\&quot;&gt;&lt;i&gt;Origins&lt;/i&gt;&lt;/a&gt;&lt;i&gt;,&lt;/i&gt; &lt;a href=\&quot;https://github.com/cloudflare/pp-issuer\&quot;&gt;&lt;i&gt;Issuers&lt;/i&gt;&lt;/a&gt;, and &lt;a href=\&quot;https://github.com/cloudflare/pp-attester\&quot;&gt;&lt;i&gt;Attesters&lt;/i&gt;&lt;/a&gt;. These are based on Cloudflare Workers, and are the easiest way to get started with a new deployment of Privacy Pass.&lt;/p&gt;&lt;p&gt;To complement the updated implementations, we are releasing a new version of our Privacy Pass browser extensions (&lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt;, &lt;a href=\&quot;https://chromewebstore.google.com/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi\&quot;&gt;Chrome&lt;/a&gt;), which are rolling out with the name: &lt;i&gt;Silk - Privacy Pass Client&lt;/i&gt;. 
Users of these extensions can expect to see fewer bot-checks around the web, and will be contributing to research about privacy preserving signals via a set of trusted attesters, which can be configured in the extension’s settings panel.&lt;/p&gt;&lt;p&gt;Finally, we will discuss how Privacy Pass can be used for an array of scenarios beyond differentiating bot from human traffic.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Notice to our users&lt;/b&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;If you use the Privacy Pass API that controls Privacy Pass configuration on Cloudflare, you can remove these calls. This API is no longer needed since Privacy Pass is now included by default in our Challenge Platform. Out of an abundance of caution for our customers, we are doing a &lt;a href=\&quot;https://developers.cloudflare.com/fundamentals/api/reference/deprecations/\&quot;&gt;four-month deprecation notice&lt;/a&gt;.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;If you have the Privacy Pass extension installed, it should automatically update to &lt;i&gt;Silk - Privacy Pass Client&lt;/i&gt; (&lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt;, &lt;a href=\&quot;https://chromewebstore.google.com/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi\&quot;&gt;Chrome&lt;/a&gt;) over the next few days. 
We have renamed it to keep the distinction clear between the protocol itself and a client of the protocol.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;brief-history\&quot;&gt;Brief history&lt;/h2&gt;\n &lt;a href=\&quot;#brief-history\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;In the last decade, we&amp;#39;ve seen the &lt;a href=\&quot;/next-generation-privacy-protocols/\&quot;&gt;rise of protocols&lt;/a&gt; with privacy at their core, including &lt;a href=\&quot;/building-privacy-into-internet-standards-and-how-to-make-your-app-more-private-today/\&quot;&gt;Oblivious HTTP (OHTTP)&lt;/a&gt;, &lt;a href=\&quot;/deep-dive-privacy-preserving-measurement/\&quot;&gt;Distributed aggregation protocol (DAP)&lt;/a&gt;, and &lt;a href=\&quot;/unlocking-quic-proxying-potential/\&quot;&gt;MASQUE&lt;/a&gt;. These protocols improve privacy when browsing and interacting with services online. By protecting users&amp;#39; privacy, these protocols also ask origins and website owners to revise their expectations around the data they can glean from user traffic. 
This might lead them to reconsider existing assumptions and mitigations around suspicious traffic, such as &lt;a href=\&quot;/consequences-of-ip-blocking/\&quot;&gt;IP filtering&lt;/a&gt;, which often has unintended consequences.&lt;/p&gt;&lt;p&gt;In 2017, Cloudflare announced &lt;a href=\&quot;/cloudflare-supports-privacy-pass/\&quot;&gt;support for Privacy Pass&lt;/a&gt;. At launch, this meant improving content accessibility for web users who would see a lot of interstitial pages (such as &lt;a href=\&quot;https://www.cloudflare.com/learning/bots/how-captchas-work/\&quot;&gt;CAPTCHAs&lt;/a&gt;) when browsing websites protected by Cloudflare. Privacy Pass tokens provide a signal about the user’s capabilities to website owners while protecting their privacy by ensuring each token redemption is unlinkable to its issuance context. Since then, the technology has turned into a &lt;a href=\&quot;https://datatracker.ietf.org/wg/privacypass/documents/\&quot;&gt;fully fledged protocol&lt;/a&gt; used by millions thanks to academic and industry effort. The existing browser extension accounts for hundreds of thousands of downloads. During the same time, Cloudflare has dramatically evolved the way it allows customers to challenge their visitors, being &lt;a href=\&quot;/end-cloudflare-captcha/\&quot;&gt;more flexible about the signals&lt;/a&gt; it receives, and &lt;a href=\&quot;/turnstile-ga/\&quot;&gt;moving away from CAPTCHA&lt;/a&gt; as a binary legitimacy signal.&lt;/p&gt;&lt;p&gt;Deployments of this research have led to a broadening of use cases, opening the door to different kinds of attestation. An attestation is a cryptographically-signed data point supporting facts. 
This can include a signed token indicating that the user has successfully solved a CAPTCHA, having a user’s hardware attest it’s untampered, or a piece of data that an attester can verify against another data source.&lt;/p&gt;&lt;p&gt;For example, in 2022, Apple hardware devices began to offer Privacy Pass tokens to websites that wanted to reduce how often they show CAPTCHAs, by using the hardware itself as an attestation factor. Before showing images of buses and fire hydrants to users, CAPTCHA providers can request a &lt;a href=\&quot;https://developer.apple.com/news/?id=huqjyh7k\&quot;&gt;Private Access Token&lt;/a&gt; (PAT). This native support does not require installing extensions, or any user action to benefit from a smoother and more private web browsing experience.&lt;/p&gt;&lt;p&gt;Below is a brief overview of changes to the protocol we participated in:&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3YImfph78oDPj3kgEcyvV6/37bcd89ffcfff8b636b00c8e931f3218/image8.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1808\&quot; height=\&quot;631\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;The timeline presents cryptographic changes, community inputs, and industry collaborations. These changes helped shape better standards for the web, such as VOPRF (&lt;a href=\&quot;https://www.rfc-editor.org/rfc/rfc9497\&quot;&gt;RFC 9497&lt;/a&gt;), or RSA Blind Signatures (&lt;a href=\&quot;https://www.rfc-editor.org/rfc/rfc9474\&quot;&gt;RFC 9474&lt;/a&gt;). 
In the next sections, we dive into the Privacy Pass protocol to understand its ins and outs.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;anonymous-credentials-in-real-life\&quot;&gt;Anonymous credentials in real life&lt;/h2&gt;\n &lt;a href=\&quot;#anonymous-credentials-in-real-life\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Before explaining the protocol in more depth, let&amp;#39;s use an analogy. You are at a music festival. You bought your ticket online with a student discount. When you arrive at the gates, an agent scans your ticket, checks your student status, and gives you a yellow wristband and two drink tickets.&lt;/p&gt;&lt;p&gt;During the festival, you go in and out by showing your wristband. When a friend asks you to grab a drink, you pay with your tickets. One for your drink and one for your friend. You give your tickets to the bartender, they check the tickets, and give you a drink. The characteristics that make this interaction private are that the drink tickets cannot be traced back to you or your payment method, but they can be verified as having been unused and valid for purchase of a drink.&lt;/p&gt;&lt;p&gt;In the web use case, the Internet is a festival. 
When you arrive at the gates of a website, an agent scans your request, and gives you a session cookie as well as two Privacy Pass tokens. They could have given you just one token, or more than two, but in our example ‘two tokens’ is the given website’s policy. You can use these tokens to attest your humanity, to authenticate on certain websites, or even to confirm the legitimacy of your hardware.&lt;/p&gt;&lt;p&gt;Now, you might wonder if this is a technique we have been using for years, why do we need fancy cryptography and standardization efforts? Well, unlike at a real-world music festival where most people don’t carry around photocopiers, on the Internet it is pretty easy to copy tokens. For instance, how do we stop people using a token twice? We could put a unique number on each token, and check it is not spent twice, but that would allow the gate attendant to tell the bartender which numbers were linked to which person. So, we need cryptography.&lt;/p&gt;&lt;p&gt;When another website presents a challenge to you, you provide your Privacy Pass token and are then allowed to view a gallery of beautiful cat pictures. The difference with the festival is this challenge might be interactive, which would be similar to the bartender giving you a numbered ticket which would have to be signed by the agent before getting a drink. The website owner can verify that the token is valid but has no way of tracing or connecting the user back to the action that provided them with the Privacy Pass tokens. With Privacy Pass terminology, you are a Client, the website is an Origin, the agent is an Attester, and the bar an Issuer. 
The next section goes through these in more detail.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;privacy-pass-protocol\&quot;&gt;Privacy Pass protocol&lt;/h2&gt;\n &lt;a href=\&quot;#privacy-pass-protocol\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Privacy Pass specifies an extensible protocol for creating and redeeming anonymous and transferable tokens. In fact, Apple has their own implementation with Private Access Tokens (PAT), and later we will describe another implementation with the Silk browser extension. Given PAT was the first to implement the IETF defined protocol, Privacy Pass is sometimes referred to as PAT in the literature.&lt;/p&gt;&lt;p&gt;The protocol is generic, and defines four components:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;Client: Web user agent with a Privacy Pass enabled browser. This could be your &lt;a href=\&quot;/eliminating-captchas-on-iphones-and-macs-using-new-standard/\&quot;&gt;Apple device with PAT&lt;/a&gt;, or your web browser with &lt;a href=\&quot;https://github.com/cloudflare/pp-browser-extension\&quot;&gt;the Silk extension installed&lt;/a&gt;. 
Typically, this is the actor who is requesting content and is asked to share some attribute of themselves.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Origin: Serves content requested by the Client. The Origin trusts one or more Issuers, and presents Privacy Pass challenges to the Client. For instance, Cloudflare Managed Challenge is a Privacy Pass origin serving two Privacy Pass challenges: one for Apple PAT Issuer, one for Cloudflare Research Issuer.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Issuer: Signs Privacy Pass tokens upon request from a trusted party, either an Attester or a Client depending on the deployment model. Different Issuers have their own set of trusted parties, depending on the security level they are looking for, as well as their privacy considerations. An Issuer validating device integrity should use different methods that vouch for this attribute to acknowledge the diversity of Client configurations.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Attester: Verifies an attribute of the Client and when satisfied requests a signed Privacy Pass token from the Issuer to pass back to the Client. Before vouching for the Client, an Attester may ask the Client to complete a specific task. This task could be a CAPTCHA, a location check, or age verification or some other check that will result in a single binary result. The Privacy Pass token will then share this one-bit of information in an unlinkable manner.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;They interact as illustrated below.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7tX1xRQv6Ltif1NRj2fCOa/eeb412fa39d73e2232f4b062d95cd708/Frame-699-1-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1492\&quot; height=\&quot;780\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;Let&amp;#39;s dive into what&amp;#39;s really happening with an example. 
The User wants to access an Origin, say store.example.com. This website has suffered attacks or abuse in the past, and the site is using Privacy Pass to help avoid these going forward. To that end, the Origin returns &lt;a href=\&quot;https://www.rfc-editor.org/rfc/rfc9110#field.www-authenticate\&quot;&gt;an authentication request&lt;/a&gt; to the Client: &lt;code&gt;WWW-Authenticate: PrivateToken challenge=&amp;quot;A==&amp;quot;,token-key=&amp;quot;B==&amp;quot;&lt;/code&gt;. In this way, the Origin signals that it accepts tokens from the Issuer with public key “B==” to satisfy the challenge. That Issuer in turn trusts reputable Attesters to vouch for the Client not being an attacker by means of the presence of a cookie, CAPTCHA, Turnstile, or &lt;a href=\&quot;/introducing-cryptographic-attestation-of-personhood/\&quot;&gt;CAP challenge&lt;/a&gt; for example. For accessibility reasons for our example, let us say that the Client likely prefers the Turnstile method. The User’s browser prompts them to solve a Turnstile challenge. On success, it contacts the Issuer “B==” with that solution, and then replays the initial request to store.example.com, this time sending along the token header &lt;code&gt;Authorization: PrivateToken token=&amp;quot;C==&amp;quot;&lt;/code&gt;, which the Origin accepts and returns your desired content to the Client. And that’s it.&lt;/p&gt;&lt;p&gt;We’ve described the Privacy Pass authentication protocol. While Basic authentication (&lt;a href=\&quot;https://www.rfc-editor.org/rfc/rfc7617\&quot;&gt;RFC 7617&lt;/a&gt;) asks you for a username and a password, the PrivateToken authentication scheme allows the browser to be more flexible on the type of check, while retaining privacy. The Origin store.example.com does not know your attestation method, they just know you are reputable according to the token issuer. In the same spirit, the Issuer &amp;quot;B==&amp;quot; does not see your IP, nor the website you are visiting. 
This separation between issuance and redemption, also referred to as unlinkability, is what &lt;a href=\&quot;https://www.ietf.org/archive/id/draft-ietf-privacypass-architecture-16.html\&quot;&gt;makes Privacy Pass private&lt;/a&gt;.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;demo-time\&quot;&gt;Demo time&lt;/h2&gt;\n &lt;a href=\&quot;#demo-time\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;To put the above in practice, let’s see how the protocol works with Silk, a browser extension providing Privacy Pass support. First, download the relevant &lt;a href=\&quot;https://chromewebstore.google.com/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi\&quot;&gt;Chrome&lt;/a&gt; or &lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt; extension.&lt;/p&gt;&lt;p&gt;Then, head to &lt;a href=\&quot;https://demo-pat.research.cloudflare.com/login\&quot;&gt;https://demo-pat.research.cloudflare.com/login&lt;/a&gt;. The page returns a 401 Privacy Pass Token not presented. In fact, the origin expects you to perform a PrivateToken authentication. If you don’t have the extension installed, the flow stops here. 
If you have the extension installed, the extension is going to orchestrate the flow required to get you a token requested by the Origin.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2ZPDrhytZNVoB81Q7RILu5/7c115c9ed069aa09694373ec1adcc4d0/image10.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1596\&quot; height=\&quot;1105\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;With the extension installed, you are directed to a new tab &lt;a href=\&quot;https://pp-attester-turnstile.research.cloudflare.com/challenge\&quot;&gt;https://pp-attester-turnstile.research.cloudflare.com/challenge&lt;/a&gt;. This is a page provided by an Attester able to deliver you a token signed by the Issuer requested by the Origin. In this case, the Attester checks you’re able to solve a Turnstile challenge.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7fmDWo3548oMK8jgZ7V0Kd/94ee9ab9bc1df6fee6e6a76dc4fb3e02/image2.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1596\&quot; height=\&quot;1105\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;You click, and that’s it. The Turnstile challenge solution is sent to the Attester, which upon validation, sends back a token from the requested Issuer. 
This page appears for a very short time, as once the extension has the token, the challenge page is no longer needed.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3KROIlp9njiXlfceDzRU7W/d1e306da3012c949e3fa5b80934f83a4/image11.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1596\&quot; height=\&quot;1105\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;The extension, now having a token requested by the Origin, sends your initial request for a second time, with an Authorization header containing a valid Issuer PrivateToken. Upon validation, the Origin allows you in with a 200 Privacy Pass Token valid!&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3qOSkMc5wIqS50CuNNNoZY/b36b88ba01ffa1c5f4d78727e602062f/image3.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1596\&quot; height=\&quot;1105\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;If you want to check behind the scenes, you can right-click on the extension logo and go to the preference/options page. It contains a list of attesters trusted by the extension, one per line. You can add your own attestation method (API described below). 
This allows the Client to decide on their preferred attestation methods.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/78BCHYQuOBC2aFlnPshu83/c6ee6b54d1d24b6f92f34577267a1146/image7.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1596\&quot; height=\&quot;1105\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;privacy-pass-protocol-extended\&quot;&gt;Privacy Pass protocol — extended&lt;/h2&gt;\n &lt;a href=\&quot;#privacy-pass-protocol-extended\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The Privacy Pass protocol is new and not a standard yet, which implies that it’s not uniformly supported on all platforms. To improve flexibility beyond the existing standard proposal, we are introducing two mechanisms: an API for Attesters, and a replay API for web clients. The API for attesters allows developers to build new attestation methods, which only need to provide their URL to interface with the Silk browser extension. 
The replay API for web clients is a mechanism to enable websites to cooperate with the extension to make PrivateToken authentication work on browsers with Chrome user agents.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2TLz1CPx9OHczqLabCRmyc/c54b0b4bb637a97812c637ca0eebc78c/image12.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1999\&quot; height=\&quot;1119\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;Because more than one Attester may be supported on your machine, your Client needs to understand which Attester to use depending on the requested Issuer. As mentioned before, you as the Client do not communicate directly with the Issuer because you don’t necessarily know their relation with the Attester, so you cannot retrieve its public key. To this end, the Attester API exposes all Issuers reachable by the said Attester via an endpoint: /v1/private-token-issuer-directory. This way, your client selects an appropriate Attester - one in relation with an Issuer that the Origin trusts, before triggering a validation.&lt;/p&gt;&lt;p&gt;In addition, we propose a replay API. Its goal is to allow clients to fetch a resource a second time if the first response presented a Privacy Pass challenge. Some platforms do this automatically, like Silk on Firefox, but some don’t. That’s the case with the Silk Chrome extension for instance, which in its support of &lt;a href=\&quot;https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/manifest_version\&quot;&gt;manifest v3&lt;/a&gt; cannot block requests and only supports Basic authentication in the onAuthRequired extension event. The Privacy Pass Authentication scheme proposes the request to be sent once to get a challenge, and then a second time to get the actual resource. 
Between these requests to the Origin, the platform orchestrates the issuance of a token. To keep clients informed about the state of this process, we introduce a &lt;code&gt;private-token-client-replay: UUID header&lt;/code&gt; alongside WWW-Authenticate. Using a platform defined endpoint, this UUID informs web clients of the current state of authentication: pending, fulfilled, not-found.&lt;/p&gt;&lt;p&gt;To learn more about how you can use these today, and to deploy your own attestation method, read on.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;how-to-use-privacy-pass-today\&quot;&gt;How to use Privacy Pass today?&lt;/h2&gt;\n &lt;a href=\&quot;#how-to-use-privacy-pass-today\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;As seen in the section above, Privacy Pass is structured around four components: Origin, Client, Attester, Issuer. 
That’s why we created four repositories: &lt;a href=\&quot;https://github.com/cloudflare/pp-origin\&quot;&gt;cloudflare/pp-origin&lt;/a&gt;, &lt;a href=\&quot;https://github.com/cloudflare/pp-browser-extension\&quot;&gt;cloudflare/pp-browser-extension&lt;/a&gt;, &lt;a href=\&quot;https://github.com/cloudflare/pp-attester\&quot;&gt;cloudflare/pp-attester&lt;/a&gt;, &lt;a href=\&quot;https://github.com/cloudflare/pp-issuer\&quot;&gt;cloudflare/pp-issuer&lt;/a&gt;. In addition, the underlying cryptographic libraries are available as &lt;a href=\&quot;https://github.com/cloudflare/privacypass-ts\&quot;&gt;cloudflare/privacypass-ts&lt;/a&gt;, &lt;a href=\&quot;https://github.com/cloudflare/blindrsa-ts\&quot;&gt;cloudflare/blindrsa-ts&lt;/a&gt;, and &lt;a href=\&quot;https://github.com/cloudflare/voprf-ts\&quot;&gt;cloudflare/voprf-ts&lt;/a&gt;. In this section, we dive into how to use each one of these depending on your use case.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Note: All examples below are written in JavaScript and targeted at Cloudflare Workers. 
Privacy Pass is also implemented in &lt;a href=\&quot;https://github.com/ietf-wg-privacypass/base-drafts#existing-implementations\&quot;&gt;other languages&lt;/a&gt; and can be deployed with a configuration that suits your needs.&lt;/p&gt;&lt;/blockquote&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;as-an-origin-website-owners-service-providers\&quot;&gt;As an Origin - website owners, service providers&lt;/h3&gt;\n &lt;a href=\&quot;#as-an-origin-website-owners-service-providers\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;You are an online service that people critically rely upon (health or messaging for instance). You want to provide private payment options to users to maintain your users’ privacy. You only have one subscription tier at $10 per month. You have &lt;a href=\&quot;https://datatracker.ietf.org/doc/html/draft-davidson-pp-architecture-00#autoid-60\&quot;&gt;heard&lt;/a&gt; people are making privacy preserving apps, and want to use the latest version of Privacy Pass.&lt;/p&gt;&lt;p&gt;To access your service, users are required to prove they&amp;#39;ve paid for the service through a payment provider of their choosing (that you deem acceptable). 
This payment provider acknowledges the payment and requests a token for the user to access the service. As a sequence diagram, it looks as follows:&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3CDt5NsDY4c2DuYbggdleT/c2084b1b7cb141a8b528de78392833b3/image4.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1615\&quot; height=\&quot;903\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;To implement it in Workers, we rely on the &lt;a href=\&quot;https://www.npmjs.com/package/@cloudflare/privacypass-ts\&quot;&gt;&lt;code&gt;@cloudflare/privacypass-ts&lt;/code&gt;&lt;/a&gt; library, which can be installed by running:&lt;/p&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code class=\&quot;language-bash\&quot;&gt;npm i @cloudflare/privacypass-ts&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;This section is going to focus on the Origin work. We assume you have an Issuer up and running, which is described in a later section.&lt;/p&gt;&lt;p&gt;The Origin defines two flows:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;User redeeming a token&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;User requesting a token issuance&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;\n &lt;pre class=\&quot;language-javascript\&quot;&gt;&lt;code class=\&quot;language-javascript\&quot;&gt;import { Client } from &amp;#039;@cloudflare/privacypass-ts&amp;#039;\n\nconst issuer = &amp;#039;static issuer key&amp;#039;\n\nconst handleRedemption = (req) =&amp;gt; {\n const token = TokenResponse.parse(req.headers.get(&amp;#039;authorization&amp;#039;))\n const isValid = token.verify(issuer.publicKey)\n}\n\nconst handleIssuance = () =&amp;gt; {\n return new Response(&amp;#039;Please pay to access the service&amp;#039;, {\n status: 401,\n headers: { &amp;#039;www-authenticate&amp;#039;: &amp;#039;PrivateToken challenge=, token-key=, max-age=300&amp;#039; }\n })\n}\n\nconst 
handleAuth = (req) =&amp;gt; {\n const authorization = req.headers.get(&amp;#039;authorization&amp;#039;)\n if (authorization.startsWith(`PrivateToken token=`)) {\n return handleRedemption(req)\n }\n return handleIssuance(req)\n}\n\nexport default {\n fetch(req: Request) {\n return handleAuth(req)\n }\n}&lt;/pre&gt;&lt;/code&gt;\n &lt;p&gt;From the user’s perspective, the overhead is minimal. Their client (possibly the Silk browser extension) receives a WWW-Authenticate header with the information required for a token issuance. Then, depending on their client configuration, they are taken to the payment provider of their choice to validate their access to the service.&lt;/p&gt;&lt;p&gt;With a successful response to the PrivateToken challenge a session is established, and the traditional web service flow continues.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;as-an-attester-captcha-providers-authentication-provider\&quot;&gt;As an Attester - CAPTCHA providers, authentication provider&lt;/h3&gt;\n &lt;a href=\&quot;#as-an-attester-captcha-providers-authentication-provider\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;You are the author of a new attestation method, such as &lt;a 
href=\&quot;/introducing-cryptographic-attestation-of-personhood/\&quot;&gt;CAP,&lt;/a&gt; a new CAPTCHA mechanism, or a new way to validate cookie consent. You know that website owners already use Privacy Pass to trigger such challenges on the user side, and an Issuer is willing to trust your method because it guarantees a high security level. In addition, because of the Privacy Pass protocol you never see which website your attestation is being used for.&lt;/p&gt;&lt;p&gt;So you decide to expose your attestation method as a Privacy Pass Attester. An Issuer with public key B== trusts you, and that&amp;#39;s the Issuer you are going to request a token from. You can check that with the Yes/No Attester below, whose code is on &lt;a href=\&quot;https://cloudflareworkers.com/#eedc5a7a6560c44b23a24cc1414b29d7:https://tutorial.cloudflareworkers.com/v1/challenge\&quot;&gt;Cloudflare Workers playground&lt;/a&gt;&lt;/p&gt;\n &lt;pre class=\&quot;language-javascript\&quot;&gt;&lt;code class=\&quot;language-javascript\&quot;&gt;const ISSUER_URL = &amp;#039;https://pp-issuer-public.research.cloudflare.com/token-request&amp;#039;\n\nconst b64ToU8 = (b) =&amp;gt; Uint8Array.from(atob(b), c =&amp;gt; c.charCodeAt(0))\n\nconst handleGetChallenge = (req) =&amp;gt; {\n return new Response(`\n &amp;lt;html&amp;gt;\n &amp;lt;head&amp;gt;\n &amp;lt;title&amp;gt;Challenge Response&amp;lt;/title&amp;gt;\n &amp;lt;/head&amp;gt;\n &amp;lt;body&amp;gt;\n \t&amp;lt;button onclick=&amp;quot;sendResponse(&amp;#039;Yes&amp;#039;)&amp;quot;&amp;gt;Yes&amp;lt;/button&amp;gt;\n\t\t&amp;lt;button onclick=&amp;quot;sendResponse(&amp;#039;No&amp;#039;)&amp;quot;&amp;gt;No&amp;lt;/button&amp;gt;\n\t&amp;lt;/body&amp;gt;\n\t&amp;lt;script&amp;gt;\n\tfunction sendResponse(choice) {\n\t\tfetch(location.href, { method: &amp;#039;POST&amp;#039;, headers: { &amp;#039;private-token-attester-data&amp;#039;: choice } })\n\t}\n\t&amp;lt;/script&amp;gt;\n\t&amp;lt;/html&amp;gt;\n\t`, { status: 401, headers: { 
&amp;#039;content-type&amp;#039;: &amp;#039;text/html&amp;#039; } })\n}\n\nconst handlePostChallenge = (req) =&amp;gt; {\n const choice = req.headers.get(&amp;#039;private-token-attester-data&amp;#039;)\n if (choice !== &amp;#039;Yes&amp;#039;) {\n return new Response(&amp;#039;Unauthorised&amp;#039;, { status: 401 })\n }\n\n // hardcoded token request\n // debug here https://pepe-debug.research.cloudflare.com/?challenge=PrivateToken%20challenge=%22AAIAHnR1dG9yaWFsLmNsb3VkZmxhcmV3b3JrZXJzLmNvbSBE-oWKIYqMcyfiMXOZpcopzGBiYRvnFRP3uKknYPv1RQAicGVwZS1kZWJ1Zy5yZXNlYXJjaC5jbG91ZGZsYXJlLmNvbQ==%22,token-key=%22MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEApqzusqnywE_3PZieStkf6_jwWF-nG6Es1nn5MRGoFSb3aXJFDTTIX8ljBSBZ0qujbhRDPx3ikWwziYiWtvEHSLqjeSWq-M892f9Dfkgpb3kpIfP8eBHPnhRKWo4BX_zk9IGT4H2Kd1vucIW1OmVY0Z_1tybKqYzHS299mvaQspkEcCo1UpFlMlT20JcxB2g2MRI9IZ87sgfdSu632J2OEr8XSfsppNcClU1D32iL_ETMJ8p9KlMoXI1MwTsI-8Kyblft66c7cnBKz3_z8ACdGtZ-HI4AghgW-m-yLpAiCrkCMnmIrVpldJ341yR6lq5uyPej7S8cvpvkScpXBSuyKwIDAQAB%22\n const body = b64ToU8(&amp;#039;AALoAYM+fDO53GVxBRuLbJhjFbwr0uZkl/m3NCNbiT6wal87GEuXuRw3iZUSZ3rSEqyHDhMlIqfyhAXHH8t8RP14ws3nQt1IBGE43Q9UinwglzrMY8e+k3Z9hQCEw7pBm/hVT/JNEPUKigBYSTN2IS59AUGHEB49fgZ0kA6ccu9BCdJBvIQcDyCcW5LCWCsNo57vYppIVzbV2r1R4v+zTk7IUDURTa4Mo7VYtg1krAWiFCoDxUOr+eTsc51bWqMtw2vKOyoM/20Wx2WJ0ox6JWdPvoBEsUVbENgBj11kB6/L9u2OW2APYyUR7dU9tGvExYkydXOfhRFJdKUypwKN70CiGw==&amp;#039;)\n // You can perform some check here to confirm the body is a valid token request\n\n console.log(&amp;#039;requesting token for tutorial.cloudflareworkers.com&amp;#039;)\n return fetch(ISSUER_URL, {\n method: &amp;#039;POST&amp;#039;,\n headers: { &amp;#039;content-type&amp;#039;: &amp;#039;application/private-token-request&amp;#039; },\n body: body,\n })\n}\n\nconst handleIssuerDirectory = async () =&amp;gt; {\n // These are fake issuers\n // Issuer data can be fetch at 
https://pp-issuer-public.research.cloudflare.com/.well-known/private-token-issuer-directory\n const TRUSTED_ISSUERS = {\n &amp;quot;issuer1&amp;quot;: { &amp;quot;token-keys&amp;quot;: [{ &amp;quot;token-type&amp;quot;: 2, &amp;quot;token-key&amp;quot;: &amp;quot;A==&amp;quot; }] },\n &amp;quot;issuer2&amp;quot;: { &amp;quot;token-keys&amp;quot;: [{ &amp;quot;token-type&amp;quot;: 2, &amp;quot;token-key&amp;quot;: &amp;quot;B==&amp;quot; }] },\n }\n return new Response(JSON.stringify(TRUSTED_ISSUERS), { headers: { &amp;quot;content-type&amp;quot;: &amp;quot;application/json&amp;quot; } })\n}\n\nconst handleRequest = (req) =&amp;gt; {\n const pathname = new URL(req.url).pathname\n console.log(pathname, req.url)\n if (pathname === &amp;#039;/v1/challenge&amp;#039;) {\n if (req.method === &amp;#039;POST&amp;#039;) {\n return handlePostChallenge(req)\n }\n return handleGetChallenge(req)\n }\n if (pathname === &amp;#039;/v1/private-token-issuer-directory&amp;#039;) {\n return handleIssuerDirectory()\n }\n return new Response(&amp;#039;Not found&amp;#039;, { status: 404 })\n}\n\naddEventListener(&amp;#039;fetch&amp;#039;, event =&amp;gt; {\n event.respondWith(handleRequest(event.request))\n})&lt;/pre&gt;&lt;/code&gt;\n &lt;p&gt;The validation method above is simply checking if the user selected yes. 
Your method might be more complex, but the wrapping stays the same.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5PnBuinoRKUpYjrBsHQbn/966c266e7de411503c5bf9a5dc9a184d/Screenshot-2024-01-04-at-10.30.04.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1356\&quot; height=\&quot;206\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;&lt;i&gt;Screenshot of the Yes/No Attester example&lt;/i&gt;&lt;/p&gt;&lt;p&gt;Because users might have multiple Attesters configured for a given Issuer, we recommend that your Attester implement one additional endpoint exposing the keys of the Issuers it is in contact with. You can try this code on the &lt;a href=\&quot;https://cloudflareworkers.com/#4eeeef2fa895e519addb3ae442ee351d:https://tutorial.cloudflareworkers.com/v1/private-token-issuer-directory\&quot;&gt;Cloudflare Workers playground&lt;/a&gt;.&lt;/p&gt;\n &lt;pre class=\&quot;language-javascript\&quot;&gt;&lt;code class=\&quot;language-javascript\&quot;&gt;const handleIssuerDirectory = () =&amp;gt; {\n const TRUSTED_ISSUERS = {\n &amp;quot;issuer1&amp;quot;: { &amp;quot;token-keys&amp;quot;: [{ &amp;quot;token-type&amp;quot;: 2, &amp;quot;token-key&amp;quot;: &amp;quot;A==&amp;quot; }] },\n &amp;quot;issuer2&amp;quot;: { &amp;quot;token-keys&amp;quot;: [{ &amp;quot;token-type&amp;quot;: 2, &amp;quot;token-key&amp;quot;: &amp;quot;B==&amp;quot; }] },\n }\n return new Response(JSON.stringify(TRUSTED_ISSUERS), { headers: { &amp;quot;content-type&amp;quot;: &amp;quot;application/json&amp;quot; } })\n}\n\nexport default {\n fetch(req: Request) {\n const pathname = new URL(req.url).pathname\n if (pathname === &amp;#039;/v1/private-token-issuer-directory&amp;#039;) {\n return handleIssuerDirectory()\n }\n }\n}&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;Et voilà. 
You have an Attester that can be used directly with the Silk browser extension (&lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt;, &lt;a href=\&quot;https://chromewebstore.google.com/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi\&quot;&gt;Chrome&lt;/a&gt;). As you progress through your deployment, it can also be directly integrated into your applications.&lt;/p&gt;&lt;p&gt;If you would like to have a more advanced Attester and deployment pipeline, look at &lt;a href=\&quot;https://github.com/cloudflare/pp-attester\&quot;&gt;cloudflare/pp-attester&lt;/a&gt; template.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;as-an-issuer-foundation-consortium\&quot;&gt;As an Issuer - foundation, consortium&lt;/h3&gt;\n &lt;a href=\&quot;#as-an-issuer-foundation-consortium\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;We&amp;#39;ve mentioned the Issuer multiple times already. The role of an Issuer is to select a set of Attesters it wants to operate with, and communicate its public key to Origins. 
The whole cryptographic behavior of an Issuer is specified &lt;a href=\&quot;https://www.ietf.org/archive/id/draft-ietf-privacypass-protocol-16.html\&quot;&gt;by the IETF&lt;/a&gt; draft. In contrast to the Client and Attesters, which have discretionary behavior, the Issuer is fully standardized. Their opportunity is to choose a signal that is strong enough for the Origin, while preserving the privacy of Clients.&lt;/p&gt;&lt;p&gt;Cloudflare Research is operating a public Issuer for experimental purposes at &lt;a href=\&quot;https://pp-issuer-public.research.cloudflare.com\&quot;&gt;https://pp-issuer-public.research.cloudflare.com&lt;/a&gt;. It is the simplest way to start experimenting with Privacy Pass today. Once it matures, you can consider joining a production Issuer, or deploying your own.&lt;/p&gt;&lt;p&gt;To deploy your own, you should:&lt;/p&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code class=\&quot;language-bash\&quot;&gt;git clone https://github.com/cloudflare/pp-issuer&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;Update wrangler.toml with your Cloudflare Workers account id and zone id. The open source Issuer API works as follows:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;/.well-known/private-token-issuer-directory returns the issuer configuration. Note that it does not expose the non-standard token-key-legacy&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;/token-request returns a token. This endpoint should be gated (by Cloudflare Access for instance) so that only trusted Attesters can call it&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;/admin/rotate generates a new public key. 
This should only be accessible by your team, and be called prior to the issuer being available.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Then, &lt;code&gt;wrangler publish&lt;/code&gt;, and you&amp;#39;re good to onboard Attesters.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;development-of-silk-extension\&quot;&gt;Development of Silk extension&lt;/h2&gt;\n &lt;a href=\&quot;#development-of-silk-extension\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Just like the protocol, the browser technology on which Privacy Pass was proven viable has changed as well. For 5 years, the protocol got deployed along with a browser extension for Chrome and Firefox. In 2021, Chrome released a new version of extension configurations, usually referred to as &lt;a href=\&quot;https://developer.chrome.com/docs/extensions/mv3/intro/platform-vision/\&quot;&gt;Manifest version 3&lt;/a&gt; (MV3). Chrome also started enforcing this new configuration for all newly released extensions.&lt;/p&gt;&lt;p&gt;Privacy Pass &lt;i&gt;the extension&lt;/i&gt; is based on an agreed upon Privacy Pass &lt;a href=\&quot;https://datatracker.ietf.org/doc/draft-ietf-privacypass-auth-scheme/\&quot;&gt;&lt;i&gt;authentication protocol&lt;/i&gt;&lt;/a&gt;. 
Briefly looking at &lt;a href=\&quot;https://developer.chrome.com/docs/extensions/reference/webRequest/\&quot;&gt;Chrome’s API documentation&lt;/a&gt;, we should be able to use the onAuthRequired event. However, with PrivateToken authentication not yet being standard, there are no hooks provided by browsers for extensions to add logic to this event.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1iQsRopHuLfmHqjsppwImc/1a379a0cdd3de3e17de04811b1c08ac0/Screenshot-2024-01-04-at-10.32.44.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;2000\&quot; height=\&quot;932\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;&lt;i&gt;Image available under CC-BY-SA 4.0 provided by&lt;/i&gt; &lt;a href=\&quot;https://developer.chrome.com/docs/extensions/reference/webRequest/\&quot;&gt;&lt;i&gt;Google For Developers&lt;/i&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The approach we decided to use is to define a client side replay API. When a response comes with 401 WWW-Authenticate PrivateToken, the browser lets it through, but triggers the private token redemption flow. The original page is notified when a token has been retrieved, and replays the request. For this second request, the browser is able to attach an authorization token, and the request succeeds. This is an active replay performed by the client, rather than a transparent replay done by the platform. A specification is available on &lt;a href=\&quot;https://github.com/cloudflare/pp-browser-extension#chrome-support-via-client-replay-api\&quot;&gt;GitHub&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;We are looking forward to the standard progressing, and simplifying this part of the project. This should improve diversity in attestation methods. 
As we see in the next section, this is key to identifying new signals that can be leveraged by origins.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;a-standard-for-anonymous-credentials\&quot;&gt;A standard for anonymous credentials&lt;/h2&gt;\n &lt;a href=\&quot;#a-standard-for-anonymous-credentials\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;IP remains as a key identifier in the anti abuse system. At the same time, IP fingerprinting techniques have become a bigger concern and platforms have started to remove some of these ways of tracking users. To enable anti abuse systems to not rely on IP, while ensuring user privacy, Privacy Pass offers a reasonable alternative to deal with potentially abusive or suspicious traffic. The attestation methods vary and can be chosen as needed for a particular deployment. For example, Apple decided to back their attestation with hardware when using Privacy Pass as the authorization technology for iCloud Private Relay. 
Another example is Cloudflare Research which decided to deploy a Turnstile attester to signal a successful solve for Cloudflare’s challenge platform.&lt;/p&gt;&lt;p&gt;In all these deployments, Privacy Pass-like technology has allowed for specific bits of information to be shared. Instead of sharing your location, past traffic, and possibly your name and phone number simply by connecting to a website, your device is able to prove specific information to a third party in a privacy preserving manner. Which user information and attestation methods are sufficient to prevent abuse is an open question. We are looking to empower researchers with the release of this software to help in the quest for finding these answers. This could be via new experiments such as testing out new attestation methods, or fostering other privacy protocols by providing a framework for specific information sharing.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;future-recommendations\&quot;&gt;Future recommendations&lt;/h2&gt;\n &lt;a href=\&quot;#future-recommendations\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Just as we expect this latest version of Privacy Pass to lead to new applications and ideas we also expect further evolution of the standard 
and the clients that use it. Future development of Privacy Pass promises to cover topics like batch token issuance and rate limiting. From our work building and deploying this version of Privacy Pass, we have encountered limitations that we expect to be resolved in the future as well.&lt;/p&gt;&lt;p&gt;The division of labor between Attesters and Issuers, and the clear directions of the trust relationships between the Origin and Issuer and between the Issuer and Attester, make reasoning about the implications of a breach of trust clear. Issuers can trust more than one Attester, but since many current deployments of Privacy Pass do not identify the Attester that led to issuance, a breach of trust in one Attester would render untrusted all tokens issued by any Issuer that trusts that Attester. This is because it would not be possible to tell which Attester was involved in the issuance process. Time will tell if this promotes a 1:1 correspondence between Attesters and Issuers.&lt;/p&gt;&lt;p&gt;The process of developing a browser extension supported by both Firefox and Chrome-based browsers can at times require quite baroque (and brittle) code paths. Privacy Pass the protocol seems a good fit for an extension of the &lt;a href=\&quot;https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/onAuthRequired\&quot;&gt;webRequest.onAuthRequired&lt;/a&gt; browser event. Just as Privacy Pass appears as an alternate authentication message in the WWW-Authenticate HTTP header, browsers could fire the onAuthRequired event for Private Token authentication too, and allow request blocking within the onAuthRequired event. 
This seems a natural evolution of the use of this event which currently is limited to the now rather long-in-the-tooth Basic authentication.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;conclusion\&quot;&gt;Conclusion&lt;/h2&gt;\n &lt;a href=\&quot;#conclusion\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Privacy Pass provides a solution to one of the longstanding challenges of the web: anonymous authentication. By leveraging cryptography, the protocol allows websites to get the information they need from users, and solely this information. It&amp;#39;s already used by millions to help distinguish human requests from automated bots in a manner that is privacy protective and often seamless. We are excited by the protocol’s broad and growing adoption, and by the novel use cases that are unlocked by this latest version.&lt;/p&gt;&lt;p&gt;Cloudflare’s Privacy Pass implementations are available on GitHub, and are compliant with the standard. 
We have open-sourced a &lt;a href=\&quot;https://github.com/cloudflare?q=pp-&amp;type=all&amp;language=&amp;sort=#org-repositories\&quot;&gt;set of templates&lt;/a&gt; that can be used to implement Privacy Pass &lt;a href=\&quot;https://github.com/cloudflare/pp-origin\&quot;&gt;&lt;i&gt;Origins&lt;/i&gt;&lt;/a&gt;&lt;i&gt;,&lt;/i&gt; &lt;a href=\&quot;https://github.com/cloudflare/pp-issuer\&quot;&gt;&lt;i&gt;Issuers&lt;/i&gt;&lt;/a&gt;, and &lt;a href=\&quot;https://github.com/cloudflare/pp-attester\&quot;&gt;&lt;i&gt;Attesters&lt;/i&gt;&lt;/a&gt;, which leverage Cloudflare Workers to get up and running quickly.&lt;/p&gt;&lt;p&gt;For those looking to try Privacy Pass out for themselves right away, download the &lt;i&gt;Silk - Privacy Pass Client&lt;/i&gt; browser extensions (&lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt;, &lt;a href=\&quot;https://chromewebstore.google.com/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi\&quot;&gt;Chrome&lt;/a&gt;, &lt;a href=\&quot;https://github.com/cloudflare/pp-browser-extension\&quot;&gt;GitHub&lt;/a&gt;) and start browsing a web with fewer bot checks today.&lt;/p&gt;&quot;],&quot;published_at&quot;:[0,&quot;2024-01-04T16:07:22.000+00:00&quot;],&quot;updated_at&quot;:[0,&quot;2024-10-09T23:26:44.495Z&quot;],&quot;feature_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4wJwHdYhUiKvoSlAgSrFhG/cce2fbba90dbd93ef3cbc3e710e6f53b/privacy-pass-standard.png&quot;],&quot;tags&quot;:[1,[[0,{&quot;id&quot;:[0,&quot;1x7tpPmKIUCt19EDgM1Tsl&quot;],&quot;name&quot;:[0,&quot;Research&quot;],&quot;slug&quot;:[0,&quot;research&quot;]}],[0,{&quot;id&quot;:[0,&quot;3ZtL0yV0R4ScAreV1dTfIY&quot;],&quot;name&quot;:[0,&quot;Privacy 
Pass&quot;],&quot;slug&quot;:[0,&quot;privacy-pass&quot;]}],[0,{&quot;id&quot;:[0,&quot;kn8Lmy4luvCeAabblVvHH&quot;],&quot;name&quot;:[0,&quot;Firefox&quot;],&quot;slug&quot;:[0,&quot;firefox&quot;]}],[0,{&quot;id&quot;:[0,&quot;3skwJ34K0c3CEY1cNogR4n&quot;],&quot;name&quot;:[0,&quot;Chrome&quot;],&quot;slug&quot;:[0,&quot;chrome&quot;]}],[0,{&quot;id&quot;:[0,&quot;3BWeMuiOShelE7QM48sW9j&quot;],&quot;name&quot;:[0,&quot;Privacy&quot;],&quot;slug&quot;:[0,&quot;privacy&quot;]}]]],&quot;relatedTags&quot;:[0],&quot;authors&quot;:[1,[[0,{&quot;name&quot;:[0,&quot;Thibault Meunier&quot;],&quot;slug&quot;:[0,&quot;thibault&quot;],&quot;bio&quot;:[0,null],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1CqrdcRymVgEs1zRfSE6Xr/b8182164b0a8435b162bdd1246b7e91f/thibault.png&quot;],&quot;location&quot;:[0,null],&quot;website&quot;:[0,null],&quot;twitter&quot;:[0,&quot;@thibmeu&quot;],&quot;facebook&quot;:[0,null]}],[0,{&quot;name&quot;:[0,&quot;Cefan Daniel Rubin&quot;],&quot;slug&quot;:[0,&quot;cdrubin&quot;],&quot;bio&quot;:[0,null],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5EziMHboXmLjqS6FXaUODB/8f0daa841b1c260fae1be2a9d863457f/cdrubin.png&quot;],&quot;location&quot;:[0,null],&quot;website&quot;:[0,&quot;https://github.com/cdrubin&quot;],&quot;twitter&quot;:[0,null],&quot;facebook&quot;:[0,null]}],[0,{&quot;name&quot;:[0,&quot;Armando Faz-Hernández&quot;],&quot;slug&quot;:[0,&quot;armfazh&quot;],&quot;bio&quot;:[0,null],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1KZECWa5TCEPjjcRmbx9iT/c62263899934ff326df2b6864e42b104/armfazh.png&quot;],&quot;location&quot;:[0,null],&quot;website&quot;:[0,&quot;https://research.cloudflare.com/people/armando-faz/&quot;],&quot;twitter&quot;:[0,&quot;@armfazh&quot;],&quot;facebook&quot;:[0,null]}]]],&quot;meta_description&quot;:[0,&quot;In this post, we explore the latest changes to Privacy Pass protocol. 
We are also excited to introduce a public implementation of the latest IETF draft of the Privacy Pass protocol — including a set of open-source templates that can be used to implement Privacy Pass Origins, Issuers, and Attesters.&quot;],&quot;primary_author&quot;:[0,{}],&quot;localeList&quot;:[0,{&quot;name&quot;:[0,&quot;Privacy Pass: upgrading to the latest protocol version Config&quot;],&quot;enUS&quot;:[0,&quot;English for Locale&quot;],&quot;zhCN&quot;:[0,&quot;Translated for Locale&quot;],&quot;zhHansCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhTW&quot;:[0,&quot;Translated for Locale&quot;],&quot;frFR&quot;:[0,&quot;No Page for Locale&quot;],&quot;deDE&quot;:[0,&quot;No Page for Locale&quot;],&quot;itIT&quot;:[0,&quot;No Page for Locale&quot;],&quot;jaJP&quot;:[0,&quot;No Page for Locale&quot;],&quot;koKR&quot;:[0,&quot;No Page for Locale&quot;],&quot;ptBR&quot;:[0,&quot;No Page for Locale&quot;],&quot;esLA&quot;:[0,&quot;No Page for Locale&quot;],&quot;esES&quot;:[0,&quot;No Page for Locale&quot;],&quot;enAU&quot;:[0,&quot;No Page for Locale&quot;],&quot;enCA&quot;:[0,&quot;No Page for Locale&quot;],&quot;enIN&quot;:[0,&quot;No Page for Locale&quot;],&quot;enGB&quot;:[0,&quot;No Page for Locale&quot;],&quot;idID&quot;:[0,&quot;No Page for Locale&quot;],&quot;ruRU&quot;:[0,&quot;No Page for Locale&quot;],&quot;svSE&quot;:[0,&quot;No Page for Locale&quot;],&quot;viVN&quot;:[0,&quot;No Page for Locale&quot;],&quot;plPL&quot;:[0,&quot;No Page for Locale&quot;],&quot;arAR&quot;:[0,&quot;No Page for Locale&quot;],&quot;nlNL&quot;:[0,&quot;No Page for Locale&quot;],&quot;thTH&quot;:[0,&quot;No Page for Locale&quot;],&quot;trTR&quot;:[0,&quot;No Page for Locale&quot;],&quot;heIL&quot;:[0,&quot;No Page for Locale&quot;],&quot;lvLV&quot;:[0,&quot;No Page for Locale&quot;],&quot;etEE&quot;:[0,&quot;No Page for Locale&quot;],&quot;ltLT&quot;:[0,&quot;No Page for 
Locale&quot;]}],&quot;url&quot;:[0,&quot;https://blog.cloudflare.com/privacy-pass-standard&quot;],&quot;metadata&quot;:[0,{&quot;title&quot;:[0,&quot;Privacy Pass: upgrading to the latest protocol version&quot;],&quot;description&quot;:[0,&quot;In this post, we explore the latest changes to Privacy Pass protocol. We are also excited to introduce a public implementation of the latest IETF draft of the Privacy Pass protocol — including a set of open-source templates that can be used to implement Privacy Pass Origins, Issuers, and Attesters.&quot;],&quot;imgPreview&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/22RHi3sA2tR4yPZCvPKYLe/87cdf4737a0d11148e569ff370819e38/privacy-pass-standard-fxK0y1.png&quot;]}]}],&quot;translations&quot;:[0,{&quot;posts.by&quot;:[0,&quot;By&quot;],&quot;footer.gdpr&quot;:[0,&quot;GDPR&quot;],&quot;lang_blurb1&quot;:[0,&quot;This post is also available in {lang1}.&quot;],&quot;lang_blurb2&quot;:[0,&quot;This post is also available in {lang1} and {lang2}.&quot;],&quot;lang_blurb3&quot;:[0,&quot;This post is also available in {lang1}, {lang2} and {lang3}.&quot;],&quot;footer.press&quot;:[0,&quot;Press&quot;],&quot;header.title&quot;:[0,&quot;The Cloudflare Blog&quot;],&quot;search.clear&quot;:[0,&quot;Clear&quot;],&quot;search.filter&quot;:[0,&quot;Filter&quot;],&quot;search.source&quot;:[0,&quot;Source&quot;],&quot;footer.careers&quot;:[0,&quot;Careers&quot;],&quot;footer.company&quot;:[0,&quot;Company&quot;],&quot;footer.support&quot;:[0,&quot;Support&quot;],&quot;footer.the_net&quot;:[0,&quot;theNet&quot;],&quot;search.filters&quot;:[0,&quot;Filters&quot;],&quot;footer.our_team&quot;:[0,&quot;Our team&quot;],&quot;footer.webinars&quot;:[0,&quot;Webinars&quot;],&quot;page.more_posts&quot;:[0,&quot;More posts&quot;],&quot;posts.time_read&quot;:[0,&quot;{time} min 
read&quot;],&quot;search.language&quot;:[0,&quot;Language&quot;],&quot;footer.community&quot;:[0,&quot;Community&quot;],&quot;footer.resources&quot;:[0,&quot;Resources&quot;],&quot;footer.solutions&quot;:[0,&quot;Solutions&quot;],&quot;footer.trademark&quot;:[0,&quot;Trademark&quot;],&quot;header.subscribe&quot;:[0,&quot;Subscribe&quot;],&quot;footer.compliance&quot;:[0,&quot;Compliance&quot;],&quot;footer.free_plans&quot;:[0,&quot;Free plans&quot;],&quot;footer.impact_ESG&quot;:[0,&quot;Impact/ESG&quot;],&quot;posts.follow_on_X&quot;:[0,&quot;Follow on X&quot;],&quot;footer.help_center&quot;:[0,&quot;Help center&quot;],&quot;footer.network_map&quot;:[0,&quot;Network Map&quot;],&quot;header.please_wait&quot;:[0,&quot;Please Wait&quot;],&quot;page.related_posts&quot;:[0,&quot;Related posts&quot;],&quot;search.result_stat&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt; for &lt;strong&gt;{search_keyword}&lt;/strong&gt;&quot;],&quot;footer.case_studies&quot;:[0,&quot;Case Studies&quot;],&quot;footer.connect_2024&quot;:[0,&quot;Connect 2024&quot;],&quot;footer.terms_of_use&quot;:[0,&quot;Terms of Use&quot;],&quot;footer.white_papers&quot;:[0,&quot;White Papers&quot;],&quot;footer.cloudflare_tv&quot;:[0,&quot;Cloudflare TV&quot;],&quot;footer.community_hub&quot;:[0,&quot;Community Hub&quot;],&quot;footer.compare_plans&quot;:[0,&quot;Compare plans&quot;],&quot;footer.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.email_address&quot;:[0,&quot;Email Address&quot;],&quot;page.error.not_found&quot;:[0,&quot;Page not found&quot;],&quot;footer.developer_docs&quot;:[0,&quot;Developer docs&quot;],&quot;footer.privacy_policy&quot;:[0,&quot;Privacy Policy&quot;],&quot;footer.request_a_demo&quot;:[0,&quot;Request a demo&quot;],&quot;page.continue_reading&quot;:[0,&quot;Continue 
reading&quot;],&quot;footer.analysts_report&quot;:[0,&quot;Analyst reports&quot;],&quot;footer.for_enterprises&quot;:[0,&quot;For enterprises&quot;],&quot;footer.getting_started&quot;:[0,&quot;Getting Started&quot;],&quot;footer.learning_center&quot;:[0,&quot;Learning Center&quot;],&quot;footer.project_galileo&quot;:[0,&quot;Project Galileo&quot;],&quot;pagination.newer_posts&quot;:[0,&quot;Newer Posts&quot;],&quot;pagination.older_posts&quot;:[0,&quot;Older Posts&quot;],&quot;posts.social_buttons.x&quot;:[0,&quot;Discuss on X&quot;],&quot;search.icon_aria_label&quot;:[0,&quot;Search&quot;],&quot;search.source_location&quot;:[0,&quot;Source/Location&quot;],&quot;footer.about_cloudflare&quot;:[0,&quot;About Cloudflare&quot;],&quot;footer.athenian_project&quot;:[0,&quot;Athenian Project&quot;],&quot;footer.become_a_partner&quot;:[0,&quot;Become a partner&quot;],&quot;footer.cloudflare_radar&quot;:[0,&quot;Cloudflare Radar&quot;],&quot;footer.network_services&quot;:[0,&quot;Network services&quot;],&quot;footer.trust_and_safety&quot;:[0,&quot;Trust &amp; Safety&quot;],&quot;header.get_started_free&quot;:[0,&quot;Get Started Free&quot;],&quot;page.search.placeholder&quot;:[0,&quot;Search Cloudflare&quot;],&quot;footer.cloudflare_status&quot;:[0,&quot;Cloudflare Status&quot;],&quot;footer.cookie_preference&quot;:[0,&quot;Cookie Preferences&quot;],&quot;header.valid_email_error&quot;:[0,&quot;Must be valid email.&quot;],&quot;search.result_stat_empty&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt;&quot;],&quot;footer.connectivity_cloud&quot;:[0,&quot;Connectivity cloud&quot;],&quot;footer.developer_services&quot;:[0,&quot;Developer services&quot;],&quot;footer.investor_relations&quot;:[0,&quot;Investor relations&quot;],&quot;page.not_found.error_code&quot;:[0,&quot;Error Code: 404&quot;],&quot;search.autocomplete_title&quot;:[0,&quot;Insert a query. 
Press enter to send&quot;],&quot;footer.logos_and_press_kit&quot;:[0,&quot;Logos &amp; press kit&quot;],&quot;footer.application_services&quot;:[0,&quot;Application services&quot;],&quot;footer.get_a_recommendation&quot;:[0,&quot;Get a recommendation&quot;],&quot;posts.social_buttons.reddit&quot;:[0,&quot;Discuss on Reddit&quot;],&quot;footer.sse_and_sase_services&quot;:[0,&quot;SSE and SASE services&quot;],&quot;page.not_found.outdated_link&quot;:[0,&quot;You may have used an outdated link, or you may have typed the address incorrectly.&quot;],&quot;footer.report_security_issues&quot;:[0,&quot;Report Security Issues&quot;],&quot;page.error.error_message_page&quot;:[0,&quot;Sorry, we can&#39;t find the page you are looking for.&quot;],&quot;header.subscribe_notifications&quot;:[0,&quot;Subscribe to receive notifications of new posts:&quot;],&quot;footer.cloudflare_for_campaigns&quot;:[0,&quot;Cloudflare for Campaigns&quot;],&quot;header.subscription_confimation&quot;:[0,&quot;Subscription confirmed. Thank you for subscribing!&quot;],&quot;posts.social_buttons.hackernews&quot;:[0,&quot;Discuss on Hacker News&quot;],&quot;footer.diversity_equity_inclusion&quot;:[0,&quot;Diversity, equity &amp; inclusion&quot;],&quot;footer.critical_infrastructure_defense_project&quot;:[0,&quot;Critical Infrastructure Defense Project&quot;]}]}" ssr client="load" opts="{&quot;name&quot;:&quot;PostCard&quot;,&quot;value&quot;:true}" await-children><article class="w-100 featured-post flex flex-row flex-wrap mb4 items-center bb b--gray8 bn-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"><div class="w-50-l"><a href="/privacy-pass-standard/" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Privacy Pass: upgrading to the latest protocol version</h2></a><p class="f3 fw5 gray5 my" data-testid="post-date">2024-01-04</p><p class="f4 fw3 lh-copy " data-testid="post-content">In this post, we explore the latest changes to Privacy Pass protocol. 
We are also excited to introduce a public implementation of the latest IETF draft of the Privacy Pass protocol — including a set of open-source templates that can be used to implement Privacy Pass Origins, Issuers, and Attesters<!-- -->...</p><a href="/privacy-pass-standard/" class="no-underline gray1 f4 lh-copy fw3 underline-hover" data-testid="post-continue-reading">Continue reading »</a><ul class="author-lists flex pl0"><li class="list flex items-center pr2 mb3"><a href="/author/thibault/" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1CqrdcRymVgEs1zRfSE6Xr/b8182164b0a8435b162bdd1246b7e91f/thibault.png" alt="Thibault Meunier" width="62" height="62"/></a><div class="author-name-tooltip"><a href="/author/thibault/" class="fw5 f4 no-underline black">Thibault Meunier</a></div></li><li class="list flex items-center pr2 mb3"><a href="/author/cdrubin/" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5EziMHboXmLjqS6FXaUODB/8f0daa841b1c260fae1be2a9d863457f/cdrubin.png" alt="Cefan Daniel Rubin" width="62" height="62"/></a><div class="author-name-tooltip"><a href="/author/cdrubin/" class="fw5 f4 no-underline black">Cefan Daniel Rubin</a></div></li><li class="list flex items-center pr2 mb3"><a href="/author/armfazh/" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1KZECWa5TCEPjjcRmbx9iT/c62263899934ff326df2b6864e42b104/armfazh.png" alt="Armando Faz-Hernández" width="62" height="62"/></a><div 
class="author-name-tooltip"><a href="/author/armfazh/" class="fw5 f4 no-underline black">Armando Faz-Hernández</a></div></li></ul></div><div class="w-50-l"><img class="dn di-l " src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4wJwHdYhUiKvoSlAgSrFhG/cce2fbba90dbd93ef3cbc3e710e6f53b/privacy-pass-standard.png" alt="Privacy Pass: upgrading to the latest protocol version"/></div></article><!--astro:end--></astro-island><astro-island uid="Z3mDX1" prefix="r1" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{&quot;currentPage&quot;:[0,1],&quot;isFeaturedImageFirstPost&quot;:[0,false],&quot;post&quot;:[0,{&quot;id&quot;:[0,&quot;nnk7WdvORjw4nOJUFyE1z&quot;],&quot;title&quot;:[0,&quot;Privacy Pass v3: the new privacy bits&quot;],&quot;slug&quot;:[0,&quot;privacy-pass-v3&quot;],&quot;excerpt&quot;:[0,&quot;A new version of Privacy Pass for reducing the number of CAPTCHAs.&quot;],&quot;featured&quot;:[0,false],&quot;html&quot;:[0,&quot;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/115kIQcQAjoVFKaUFIy2hU/84df256d7d1a70332d79880d6aee8635/image1-32.png\&quot; alt=\&quot;privacy pass v3 logo\&quot; class=\&quot;kg-image\&quot; width=\&quot;1812\&quot; height=\&quot;1008\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;In November 2017, we &lt;a href=\&quot;/cloudflare-supports-privacy-pass/\&quot;&gt;released&lt;/a&gt; our implementation of a privacy preserving protocol to let users prove that they are humans without enabling tracking. When you install &lt;a href=\&quot;https://privacypass.github.io/\&quot;&gt;Privacy Pass’s browser extension&lt;/a&gt;, you get tokens when you solve a Cloudflare CAPTCHA which can be used to avoid needing to solve one again... The redeemed token is cryptographically unlinkable to the token originally provided by the server. 
That is why Privacy Pass is privacy preserving.&lt;/p&gt;&lt;p&gt;In October 2019, Privacy Pass reached another milestone. We released &lt;a href=\&quot;/supporting-the-latest-version-of-the-privacy-pass-protocol/\&quot;&gt;Privacy Pass Extension v2.0&lt;/a&gt; that includes a &lt;a href=\&quot;https://www.hcaptcha.com/privacy-pass\&quot;&gt;new service provider&lt;/a&gt; (hCaptcha) which provides a way to redeem a token not only with CAPTCHAs in the Cloudflare challenge pages but also hCaptcha CAPTCHAs in any website. When you encounter any hCaptcha CAPTCHA in any website, including the ones not behind Cloudflare, you can redeem a token to pass the CAPTCHA.&lt;/p&gt;&lt;p&gt;We believe Privacy Pass solves an important problem — balancing privacy and security for bot mitigation— but we think there’s more to be done in terms of both the &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-extension/tree/v3-rc\&quot;&gt;codebase&lt;/a&gt; and the protocol. We improved the codebase by redesigning how the service providers interact with the core extension. 
At the same time, we made progress on the standardization at IETF and improved the protocol by adding metadata which allows us to do more fabulous things with Privacy Pass.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;announcing-privacy-pass-extension-v3-0\&quot;&gt;Announcing Privacy Pass Extension v3.0&lt;/h2&gt;\n &lt;a href=\&quot;#announcing-privacy-pass-extension-v3-0\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The current implementation of our extension is functional, but it is difficult to maintain two Privacy Pass service providers: Cloudflare and hCaptcha. So we decided to refactor the browser extension to improve its maintainability. 
We also used this opportunity to make the following improvements:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;Implement the extension using TypeScript instead of plain JavaScript.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Build the project using a module bundler instead of custom build scripts.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Refactor the code and define the API for the cryptographic primitive.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Treat provider-specific code as an encapsulated software module rather than a list of configuration properties.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;As a result of the improvements listed above, the extension will be less error-prone, and each service provider will have more flexibility and can be integrated seamlessly with other providers.&lt;/p&gt;&lt;p&gt;In the new extension we use TypeScript instead of plain JavaScript because its syntax is a kind of extension to JavaScript, and we already use TypeScript in &lt;a href=\&quot;/bootstrapping-a-typescript-worker/\&quot;&gt;Workers&lt;/a&gt;. 
One of the things that makes TypeScript special is that it has features that are only available in modern programming languages, like &lt;a href=\&quot;https://en.wikipedia.org/wiki/Void_safety\&quot;&gt;null safety&lt;/a&gt;.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;support-for-future-service-providers\&quot;&gt;Support for Future Service Providers&lt;/h2&gt;\n &lt;a href=\&quot;#support-for-future-service-providers\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Another big improvement in v3.0 is that it is designed for modularity, meaning that it will be very easy to add a new potential service provider in the future. A new provider can use an API provided by us to implement their own request flow to use the Privacy Pass protocol and to handle the HTTP requests. By separating the provider-specific code from the core extension code using the API, the extension will be easier to update when there is a need for more service providers.&lt;/p&gt;&lt;p&gt;On a technical level, we allow each service provider to have its own &lt;a href=\&quot;https://developer.chrome.com/extensions/webRequest\&quot;&gt;WebRequest API&lt;/a&gt; event listeners instead of having central event listeners for all the providers. 
This allows providers to extend the browser extension&amp;#39;s functionality and implement any request handling logic they want.&lt;/p&gt;&lt;p&gt;Another major change that enables us to do this is that we moved away from configuration to programmable modularization.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;configuration-vs-modularization\&quot;&gt;Configuration vs Modularization&lt;/h2&gt;\n &lt;a href=\&quot;#configuration-vs-modularization\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;&lt;a href=\&quot;/supporting-the-latest-version-of-the-privacy-pass-protocol/\&quot;&gt;As mentioned in 2019&lt;/a&gt;, it would be impossible to expect different service providers to all abide by the same exact request flow, so we decided to use a JSON configuration file in v2.0 to define the request flow. The configuration allows the service providers to easily modify the extension characteristics without dealing too much with the core extension code. However, recently we figured out that we can improve it without using a configuration file, and using modules instead.&lt;/p&gt;&lt;p&gt;Using a configuration file limits the flexibility of the provider by the number of possible configurations. 
In addition, when the logic of each provider evolves and deviates from one another, the size of configuration will grow larger and larger which makes it hard to document and keep track of. So we decided to refactor how we determine the request flow from using a configuration file to using a module file written specifically for each service provider instead.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/34G52zSZ9ukkaa0h079EBV/287aaf7e3245f7fe1071ee0d4270a95f/image2-19.png\&quot; alt=\&quot;Configuration to modularization refactoring.\&quot; class=\&quot;kg-image\&quot; width=\&quot;1020\&quot; height=\&quot;493\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;By using a programmable module, the providers are not limited by the available fields in the configuration. In addition, the providers can use the available implementations of the necessary cryptographic primitives in any point of the request flow because we factored out the crypto bits into a separate module which can be used by any provider. 
In the future, if the cryptographic primitives ever change, the providers can update the code and use it any time.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;towards-standard-interoperability\&quot;&gt;Towards Standard Interoperability&lt;/h2&gt;\n &lt;a href=\&quot;#towards-standard-interoperability\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The Privacy Pass protocol was first published at the &lt;a href=\&quot;https://www.petsymposium.org/2018/files/papers/issue3/popets-2018-0026.pdf\&quot;&gt;PoPETS&lt;/a&gt; symposium in 2018. As explained in this &lt;a href=\&quot;/privacy-pass-the-math/\&quot;&gt;previous post&lt;/a&gt;, the core of the Privacy Pass protocol is a secure way to generate tokens between server and client. To that end, the protocol requires evaluating a pseudorandom function that is oblivious and verifiable. The first property prevents the server from learning information about the client’s tokens, while the client learns nothing about the server’s private key. This is useful to protect the privacy of users. 
The token generation must also be verifiable in the sense that the client can attest to the fact that its token was minted using the server’s private key.&lt;/p&gt;&lt;p&gt;The original implementation of Privacy Pass has seen real-world use in our browser extension, helping to reduce CAPTCHAs for hundreds of thousands of people without compromising privacy. But to guarantee interoperability between services implementing Privacy Pass, what&amp;#39;s required is an accurate specification of the protocol and its operations. With this motivation, the Privacy Pass protocol was proposed as an Internet draft at the &lt;a href=\&quot;https://www.ietf.org/\&quot;&gt;Internet Engineering Task Force&lt;/a&gt; (IETF) — to learn more about our participation at the IETF, &lt;a href=\&quot;/cloudflare-and-the-ietf\&quot;&gt;see the post&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;In March 2020, the protocol was presented at IETF-107 for the first time. The session was a &lt;a href=\&quot;https://www.ietf.org/how/bofs/\&quot;&gt;Birds-of-a-Feather&lt;/a&gt;, a place where the IETF community discusses the creation of new working groups that will write the actual standards. In the session, the working group’s charter is presented and proposes to develop a secure protocol for redeeming unforgeable tokens that attest to the validity of some attribute being held by a client. The charter was later approved, and three documents were integrated covering the protocol, the architecture, and an HTTP API for supporting Privacy Pass. The working group at IETF can be found at &lt;a href=\&quot;https://datatracker.ietf.org/wg/privacypass/about/\&quot;&gt;https://datatracker.ietf.org/wg/privacypass/&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;In addition to its core functionality, the Privacy Pass protocol can be extended to improve its usability or to add new capabilities. 
For instance, adding a mechanism for public verifiability will allow a third party, someone who did not participate in the protocol, to verify the validity of tokens. Public verifiability can be implemented using a &lt;i&gt;blind-signature scheme&lt;/i&gt; — this is a special type of digital signatures firstly proposed by &lt;a href=\&quot;https://link.springer.com/chapter/10.1007/978-1-4757-0602-4_18\&quot;&gt;David Chaum&lt;/a&gt; in which signers can produce signatures on messages without learning the content of the message. A diversity of algorithms to implement blind-signatures exist; however, there is still work to be done to define a good candidate for public verifiability.&lt;/p&gt;&lt;p&gt;Another extension for Privacy Pass is the support for including metadata in the tokens. As this is a feature with high impact on the protocol, we devote a larger section to explain the benefits of supporting metadata in the face of hoarding attacks.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;future-work-metadata\&quot;&gt;Future work: metadata&lt;/h2&gt;\n &lt;a href=\&quot;#future-work-metadata\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;What is research without new challenges that arise? 
What does development look like if there are no other problems to solve? During the design and development of Privacy Pass (as a service, as an idea, and as a protocol), a potential vector for abuse was noted, which will be referred to as a “hoarding” or “farming” attack. This attack consists of individual users or groups of users that can gather tokens over a long period of time and redeem them all at once with the aim of, for example, overwhelming a website and making the service unavailable for other users. In a more complex scenario, an attacker can build up a stock of tokens that they could then redistribute amongst other clients. This redistribution ability is possible as tokens are not linked to specific clients, which is a property of the Privacy Pass protocol.&lt;/p&gt;&lt;p&gt;There have been several proposed solutions to this attack. One can, for example, make the token verification procedure very efficient, so attackers will need to hoard an even larger number of tokens in order to overwhelm a service. But the problem is not only about making verification times faster, and, therefore, this does not completely solve the problem. Note that in Privacy Pass, a successful token redemption could be exchanged for a single-origin cookie. These cookies allow clients to avoid future challenges for a particular domain without using more tokens. In the case of a hoarding attack, an attacker could trade in their hoarded tokens for a number of cookies. 
An attacker can, then, mount a layer 7 DDoS attack with the “hoarded” cookies, which would render the service unavailable.&lt;/p&gt;&lt;p&gt;In the next sections, we will explore other different solutions to this attack.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;a-simple-solution-and-its-limitations-key-rotation\&quot;&gt;A simple solution and its limitations: key rotation&lt;/h3&gt;\n &lt;a href=\&quot;#a-simple-solution-and-its-limitations-key-rotation\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;What does “key rotation” mean in the context of Privacy Pass? In Privacy Pass, each token is attested by keys held by the service. These keys are further used to verify the honesty of a token presented by a client when trying to access a challenge-protected service. “Key rotation” means updating these keys with regard to a chosen epoch (meaning, for example, that every two weeks — the epoch —, the keys will be rotated). 
Regular key rotation, then, implies that tokens belong to these epochs and cannot be used outside them, which prevents stocks of tokens from being useful for longer than the epoch they belong to.&lt;/p&gt;&lt;p&gt;Keys, however, should not be rotated frequently as:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;Rotating a key can lead to security implications&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Establishing trust in a frequently-rotating key service can be a challenging problem&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The unlinkability of the client when using tokens can be diminished&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Let’s explore these problems one by one now:&lt;/p&gt;&lt;p&gt;&lt;b&gt;Rotating a key can lead to security implications&lt;/b&gt;, as past keys need to be deleted from secure storage locations and replaced with new ones. This process is prone to failure if done regularly, and can lead to potential key material leakage.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Establishing trust in a frequently-rotating key service&lt;/b&gt; can be a challenging problem, as keys will have to be verified by the needed parties each time they are regenerated. Keys need to be verified as it has to be attested that they belong to the entity one is trying to communicate with. If keys rotate too frequently, this verification procedure will have to happen frequently as well, so that an attacker will not be able to impersonate the honest entity with a “fake” public key.&lt;/p&gt;&lt;p&gt;&lt;b&gt;The unlinkability of the client when using tokens can be diminished&lt;/b&gt; as a savvy attacker (a malicious server, for example) could link token generation and token future-use. In the case of a malicious server, it can, for example, rotate their keys too often to violate unlinkability or could pick a separate public key for each client issuance. 
In these cases, this attack can be solved by the usage of public mechanisms to record which server’s public keys are used; but this requires further infrastructure and coordination between actors. Other cases are not easily solvable by this “public verification”: if keys are rotated every minute, for example, and a client was the only one to visit a “privacy pass protected” site in that minute, then, it&amp;#39;s not hard to infer (to “link”) that the token came only from this specific client.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;a-novel-solution-metadata\&quot;&gt;A novel solution: Metadata&lt;/h3&gt;\n &lt;a href=\&quot;#a-novel-solution-metadata\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;A novel solution to this “hoarding” problem that does not require key rotation or further optimization of verification times is the addition of metadata. This approach was introduced in the paper “&lt;a href=\&quot;https://eprint.iacr.org/2021/864.pdf\&quot;&gt;A Fast and Simple Partially Oblivious PRF, with Applications&lt;/a&gt;”, and it is called the “POPRF with metadata” construction. 
The idea is to add a metadata field to the token generation procedure in such a way that tokens are cryptographically linked to this added metadata. The added metadata can be, for example, a number that signals which epoch this token belongs to. The service, when presented with this token on verification, promptly checks that it corresponds to its internal epoch number (this epoch number can correspond to a period of time, a threshold of number of tokens issued, etc.). If it does not correspond, this token is expired and cannot be further used. Metadata, then, can be used to expire tokens without performing key rotations, thereby avoiding some issues outlined above.&lt;/p&gt;&lt;p&gt;Other kinds of metadata can be added to the Partially Oblivious PRF (PO-PRF) construction as well. Geographic location can be added, which signals that tokens can only be used in a specific region.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;the-limits-of-metadata\&quot;&gt;The limits of metadata&lt;/h3&gt;\n &lt;a href=\&quot;#the-limits-of-metadata\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Note, nevertheless, that the addition of this “metadata” should be carefully considered as adding, in the case of “time-metadata”, an explicit time 
bound signal will diminish the unlinkability set of the tokens. If an explicit time-bound signal is added (for example, the specific time — year, month, day, hour, minute and second — at which this token was generated and the amount of time it is valid for), it will allow a malicious server to link generation and usage. The recommendation is to use “opaque metadata”: metadata that is visible to both client and service, but whose precise meaning only the service knows. A server, for example, can set a counter that gets increased after a period of time (for example, every two weeks). The server will add this counter as metadata rather than the period of time. The client, in this case, publicly knows what this counter is but does not know which period it refers to.&lt;/p&gt;&lt;p&gt;Geographic location metadata should be coarse as well: it should refer to a large geographical area, such as a continent, or political and economic union rather than an explicit location.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;wrap-up\&quot;&gt;Wrap up&lt;/h2&gt;\n &lt;a href=\&quot;#wrap-up\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The Privacy Pass protocol provides users with a secure way for redeeming tokens. 
At Cloudflare, we use the protocol to reduce the number of CAPTCHAs improving the user experience while browsing websites. A natural evolution of the protocol is expected, ranging from its standardization to innovating with new capabilities that help to prevent abuse of the service.&lt;/p&gt;&lt;p&gt;On the service side, we refactored the Privacy Pass browser extension aiming to improve the quality of the code, so bugs can be detected in earlier phases of the development. The code is available at the &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-extension/tree/v3-rc\&quot;&gt;challenge-bypass-extension&lt;/a&gt; repository, and we invite you to try the release candidate version.&lt;/p&gt;&lt;p&gt;An appealing extension for Privacy Pass is the inclusion of metadata as it provides a non-cumbersome way to solve hoarding attacks, while preserving the anonymity (in general, the privacy) of the protocol itself. &lt;a href=\&quot;https://eprint.iacr.org/2021/864.pdf\&quot;&gt;Our paper&lt;/a&gt; provides you more information about the technical details behind this idea.&lt;/p&gt;&lt;p&gt;The application of the Privacy Pass protocol in other use cases or to create other service providers requires a certain degree of compatibility. People wanting to implement Privacy Pass must be able to have a standard specification, so implementations can interoperate. The efforts along these lines are centered on the &lt;a href=\&quot;https://datatracker.ietf.org/wg/privacypass/about/\&quot;&gt;Privacy Pass working group&lt;/a&gt; at IETF, a space open for anyone to participate in delineating the future of the protocol. Feel free to be part of these efforts too.&lt;/p&gt;&lt;p&gt;We are continuously working on new ways of improving our services and helping the Internet be a better and a more secure place. You can join us on this effort and can reach us at &lt;a href=\&quot;https://research.cloudflare.com\&quot;&gt;research.cloudflare.com&lt;/a&gt;. 
See you next time.&lt;/p&gt;&quot;],&quot;published_at&quot;:[0,&quot;2021-10-12T13:59:19.000+01:00&quot;],&quot;updated_at&quot;:[0,&quot;2024-10-09T23:15:42.120Z&quot;],&quot;feature_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/73TY3K8DifXIxRpIz0wpXA/479f12bdecc30cdbb80a843cdd844ed0/privacy-pass-v3.png&quot;],&quot;tags&quot;:[1,[[0,{&quot;id&quot;:[0,&quot;1x7tpPmKIUCt19EDgM1Tsl&quot;],&quot;name&quot;:[0,&quot;Research&quot;],&quot;slug&quot;:[0,&quot;research&quot;]}],[0,{&quot;id&quot;:[0,&quot;6Mp7ouACN2rT3YjL1xaXJx&quot;],&quot;name&quot;:[0,&quot;Security&quot;],&quot;slug&quot;:[0,&quot;security&quot;]}],[0,{&quot;id&quot;:[0,&quot;3ZtL0yV0R4ScAreV1dTfIY&quot;],&quot;name&quot;:[0,&quot;Privacy Pass&quot;],&quot;slug&quot;:[0,&quot;privacy-pass&quot;]}],[0,{&quot;id&quot;:[0,&quot;11uq7RpwEtvy8Ic53C6cMR&quot;],&quot;name&quot;:[0,&quot;CAPTCHA&quot;],&quot;slug&quot;:[0,&quot;captcha&quot;]}]]],&quot;relatedTags&quot;:[0],&quot;authors&quot;:[1,[[0,{&quot;name&quot;:[0,&quot;Pop Chunhapanya&quot;],&quot;slug&quot;:[0,&quot;pop-chun&quot;],&quot;bio&quot;:[0,null],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6K0jmiXQd3Xip6uGnAvQWE/e68fcde2d6960d531bb54c05fd0fc519/pop-chun.jpg&quot;],&quot;location&quot;:[0,null],&quot;website&quot;:[0,null],&quot;twitter&quot;:[0,null],&quot;facebook&quot;:[0,null]}],[0,{&quot;name&quot;:[0,&quot;Armando Faz-Hernández&quot;],&quot;slug&quot;:[0,&quot;armfazh&quot;],&quot;bio&quot;:[0,null],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1KZECWa5TCEPjjcRmbx9iT/c62263899934ff326df2b6864e42b104/armfazh.png&quot;],&quot;location&quot;:[0,null],&quot;website&quot;:[0,&quot;https://research.cloudflare.com/people/armando-faz/&quot;],&quot;twitter&quot;:[0,&quot;@armfazh&quot;],&quot;facebook&quot;:[0,null]}],[0,{&quot;name&quot;:[0,&quot;Sofía 
Celi&quot;],&quot;slug&quot;:[0,&quot;sofia&quot;],&quot;bio&quot;:[0,&quot;Cryptography researcher and implementer at Cloudflare.&quot;],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2waJR10lPQ4007cOdOJQ5P/b525f38d9cf9e9d7df248f7134f31add/sofia.jpg&quot;],&quot;location&quot;:[0,&quot;Lisbon&quot;],&quot;website&quot;:[0,&quot;http://claucece.github.io/&quot;],&quot;twitter&quot;:[0,&quot;@claucece&quot;],&quot;facebook&quot;:[0,null]}]]],&quot;meta_description&quot;:[0,&quot;A new version of Privacy Pass for reducing the number of CAPTCHAs.&quot;],&quot;primary_author&quot;:[0,{}],&quot;localeList&quot;:[0,{&quot;name&quot;:[0,&quot;Privacy Pass v3: the new privacy bits Config&quot;],&quot;enUS&quot;:[0,&quot;English for Locale&quot;],&quot;zhCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhHansCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhTW&quot;:[0,&quot;No Page for Locale&quot;],&quot;frFR&quot;:[0,&quot;No Page for Locale&quot;],&quot;deDE&quot;:[0,&quot;No Page for Locale&quot;],&quot;itIT&quot;:[0,&quot;No Page for Locale&quot;],&quot;jaJP&quot;:[0,&quot;No Page for Locale&quot;],&quot;koKR&quot;:[0,&quot;No Page for Locale&quot;],&quot;ptBR&quot;:[0,&quot;No Page for Locale&quot;],&quot;esLA&quot;:[0,&quot;No Page for Locale&quot;],&quot;esES&quot;:[0,&quot;No Page for Locale&quot;],&quot;enAU&quot;:[0,&quot;No Page for Locale&quot;],&quot;enCA&quot;:[0,&quot;No Page for Locale&quot;],&quot;enIN&quot;:[0,&quot;No Page for Locale&quot;],&quot;enGB&quot;:[0,&quot;No Page for Locale&quot;],&quot;idID&quot;:[0,&quot;No Page for Locale&quot;],&quot;ruRU&quot;:[0,&quot;No Page for Locale&quot;],&quot;svSE&quot;:[0,&quot;No Page for Locale&quot;],&quot;viVN&quot;:[0,&quot;No Page for Locale&quot;],&quot;plPL&quot;:[0,&quot;No Page for Locale&quot;],&quot;arAR&quot;:[0,&quot;No Page for Locale&quot;],&quot;nlNL&quot;:[0,&quot;No Page for Locale&quot;],&quot;thTH&quot;:[0,&quot;No Page for 
Locale&quot;],&quot;trTR&quot;:[0,&quot;No Page for Locale&quot;],&quot;heIL&quot;:[0,&quot;No Page for Locale&quot;],&quot;lvLV&quot;:[0,&quot;No Page for Locale&quot;],&quot;etEE&quot;:[0,&quot;No Page for Locale&quot;],&quot;ltLT&quot;:[0,&quot;No Page for Locale&quot;]}],&quot;url&quot;:[0,&quot;https://blog.cloudflare.com/privacy-pass-v3&quot;],&quot;metadata&quot;:[0,{&quot;title&quot;:[0,&quot;Privacy Pass v3: the new privacy bits&quot;],&quot;description&quot;:[0,&quot;A new version of Privacy Pass for reducing the number of CAPTCHAs.&quot;],&quot;imgPreview&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4H6QCTjjsMQeXf6B2hUCAc/1436601dd782130cef4e175c28445aec/privacy-pass-v3-43ibix.png&quot;]}]}],&quot;translations&quot;:[0,{&quot;posts.by&quot;:[0,&quot;By&quot;],&quot;footer.gdpr&quot;:[0,&quot;GDPR&quot;],&quot;lang_blurb1&quot;:[0,&quot;This post is also available in {lang1}.&quot;],&quot;lang_blurb2&quot;:[0,&quot;This post is also available in {lang1} and {lang2}.&quot;],&quot;lang_blurb3&quot;:[0,&quot;This post is also available in {lang1}, {lang2} and {lang3}.&quot;],&quot;footer.press&quot;:[0,&quot;Press&quot;],&quot;header.title&quot;:[0,&quot;The Cloudflare Blog&quot;],&quot;search.clear&quot;:[0,&quot;Clear&quot;],&quot;search.filter&quot;:[0,&quot;Filter&quot;],&quot;search.source&quot;:[0,&quot;Source&quot;],&quot;footer.careers&quot;:[0,&quot;Careers&quot;],&quot;footer.company&quot;:[0,&quot;Company&quot;],&quot;footer.support&quot;:[0,&quot;Support&quot;],&quot;footer.the_net&quot;:[0,&quot;theNet&quot;],&quot;search.filters&quot;:[0,&quot;Filters&quot;],&quot;footer.our_team&quot;:[0,&quot;Our team&quot;],&quot;footer.webinars&quot;:[0,&quot;Webinars&quot;],&quot;page.more_posts&quot;:[0,&quot;More posts&quot;],&quot;posts.time_read&quot;:[0,&quot;{time} min 
read&quot;],&quot;search.language&quot;:[0,&quot;Language&quot;],&quot;footer.community&quot;:[0,&quot;Community&quot;],&quot;footer.resources&quot;:[0,&quot;Resources&quot;],&quot;footer.solutions&quot;:[0,&quot;Solutions&quot;],&quot;footer.trademark&quot;:[0,&quot;Trademark&quot;],&quot;header.subscribe&quot;:[0,&quot;Subscribe&quot;],&quot;footer.compliance&quot;:[0,&quot;Compliance&quot;],&quot;footer.free_plans&quot;:[0,&quot;Free plans&quot;],&quot;footer.impact_ESG&quot;:[0,&quot;Impact/ESG&quot;],&quot;posts.follow_on_X&quot;:[0,&quot;Follow on X&quot;],&quot;footer.help_center&quot;:[0,&quot;Help center&quot;],&quot;footer.network_map&quot;:[0,&quot;Network Map&quot;],&quot;header.please_wait&quot;:[0,&quot;Please Wait&quot;],&quot;page.related_posts&quot;:[0,&quot;Related posts&quot;],&quot;search.result_stat&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt; for &lt;strong&gt;{search_keyword}&lt;/strong&gt;&quot;],&quot;footer.case_studies&quot;:[0,&quot;Case Studies&quot;],&quot;footer.connect_2024&quot;:[0,&quot;Connect 2024&quot;],&quot;footer.terms_of_use&quot;:[0,&quot;Terms of Use&quot;],&quot;footer.white_papers&quot;:[0,&quot;White Papers&quot;],&quot;footer.cloudflare_tv&quot;:[0,&quot;Cloudflare TV&quot;],&quot;footer.community_hub&quot;:[0,&quot;Community Hub&quot;],&quot;footer.compare_plans&quot;:[0,&quot;Compare plans&quot;],&quot;footer.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.email_address&quot;:[0,&quot;Email Address&quot;],&quot;page.error.not_found&quot;:[0,&quot;Page not found&quot;],&quot;footer.developer_docs&quot;:[0,&quot;Developer docs&quot;],&quot;footer.privacy_policy&quot;:[0,&quot;Privacy Policy&quot;],&quot;footer.request_a_demo&quot;:[0,&quot;Request a demo&quot;],&quot;page.continue_reading&quot;:[0,&quot;Continue 
reading&quot;],&quot;footer.analysts_report&quot;:[0,&quot;Analyst reports&quot;],&quot;footer.for_enterprises&quot;:[0,&quot;For enterprises&quot;],&quot;footer.getting_started&quot;:[0,&quot;Getting Started&quot;],&quot;footer.learning_center&quot;:[0,&quot;Learning Center&quot;],&quot;footer.project_galileo&quot;:[0,&quot;Project Galileo&quot;],&quot;pagination.newer_posts&quot;:[0,&quot;Newer Posts&quot;],&quot;pagination.older_posts&quot;:[0,&quot;Older Posts&quot;],&quot;posts.social_buttons.x&quot;:[0,&quot;Discuss on X&quot;],&quot;search.icon_aria_label&quot;:[0,&quot;Search&quot;],&quot;search.source_location&quot;:[0,&quot;Source/Location&quot;],&quot;footer.about_cloudflare&quot;:[0,&quot;About Cloudflare&quot;],&quot;footer.athenian_project&quot;:[0,&quot;Athenian Project&quot;],&quot;footer.become_a_partner&quot;:[0,&quot;Become a partner&quot;],&quot;footer.cloudflare_radar&quot;:[0,&quot;Cloudflare Radar&quot;],&quot;footer.network_services&quot;:[0,&quot;Network services&quot;],&quot;footer.trust_and_safety&quot;:[0,&quot;Trust &amp; Safety&quot;],&quot;header.get_started_free&quot;:[0,&quot;Get Started Free&quot;],&quot;page.search.placeholder&quot;:[0,&quot;Search Cloudflare&quot;],&quot;footer.cloudflare_status&quot;:[0,&quot;Cloudflare Status&quot;],&quot;footer.cookie_preference&quot;:[0,&quot;Cookie Preferences&quot;],&quot;header.valid_email_error&quot;:[0,&quot;Must be valid email.&quot;],&quot;search.result_stat_empty&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt;&quot;],&quot;footer.connectivity_cloud&quot;:[0,&quot;Connectivity cloud&quot;],&quot;footer.developer_services&quot;:[0,&quot;Developer services&quot;],&quot;footer.investor_relations&quot;:[0,&quot;Investor relations&quot;],&quot;page.not_found.error_code&quot;:[0,&quot;Error Code: 404&quot;],&quot;search.autocomplete_title&quot;:[0,&quot;Insert a query. 
Press enter to send&quot;],&quot;footer.logos_and_press_kit&quot;:[0,&quot;Logos &amp; press kit&quot;],&quot;footer.application_services&quot;:[0,&quot;Application services&quot;],&quot;footer.get_a_recommendation&quot;:[0,&quot;Get a recommendation&quot;],&quot;posts.social_buttons.reddit&quot;:[0,&quot;Discuss on Reddit&quot;],&quot;footer.sse_and_sase_services&quot;:[0,&quot;SSE and SASE services&quot;],&quot;page.not_found.outdated_link&quot;:[0,&quot;You may have used an outdated link, or you may have typed the address incorrectly.&quot;],&quot;footer.report_security_issues&quot;:[0,&quot;Report Security Issues&quot;],&quot;page.error.error_message_page&quot;:[0,&quot;Sorry, we can&#39;t find the page you are looking for.&quot;],&quot;header.subscribe_notifications&quot;:[0,&quot;Subscribe to receive notifications of new posts:&quot;],&quot;footer.cloudflare_for_campaigns&quot;:[0,&quot;Cloudflare for Campaigns&quot;],&quot;header.subscription_confimation&quot;:[0,&quot;Subscription confirmed. 
Thank you for subscribing!&quot;],&quot;posts.social_buttons.hackernews&quot;:[0,&quot;Discuss on Hacker News&quot;],&quot;footer.diversity_equity_inclusion&quot;:[0,&quot;Diversity, equity &amp; inclusion&quot;],&quot;footer.critical_infrastructure_defense_project&quot;:[0,&quot;Critical Infrastructure Defense Project&quot;]}]}" ssr client="load" opts="{&quot;name&quot;:&quot;PostCard&quot;,&quot;value&quot;:true}" await-children><article class="w-50-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"><div class="w-100"><a href="/privacy-pass-v3/" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Privacy Pass v3: the new privacy bits</h2></a><p class="f3 fw5 gray5 my" data-testid="post-date">2021-10-12</p><div class=""><a href="/tag/research/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Research</a><a href="/tag/security/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security</a><a href="/tag/privacy-pass/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Privacy Pass</a><a href="/tag/captcha/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">CAPTCHA</a></div><p class="f3 fw4 gray1 lh-copy " data-testid="post-content">A new version of Privacy Pass for reducing the number of CAPTCHAs.<!-- -->...</p><ul class="author-lists flex pl0"><li class="list flex items-center pr2 mb3"><a href="/author/pop-chun/" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6K0jmiXQd3Xip6uGnAvQWE/e68fcde2d6960d531bb54c05fd0fc519/pop-chun.jpg" alt="Pop Chunhapanya" width="62" height="62"/></a><div class="author-name-tooltip"><a href="/author/pop-chun/" class="fw4 f3 no-underline black">Pop Chunhapanya</a></div></li><li 
class="list flex items-center pr2 mb3"><a href="/author/armfazh/" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1KZECWa5TCEPjjcRmbx9iT/c62263899934ff326df2b6864e42b104/armfazh.png" alt="Armando Faz-Hernández" width="62" height="62"/></a><div class="author-name-tooltip"><a href="/author/armfazh/" class="fw4 f3 no-underline black">Armando Faz-Hernández</a></div></li><li class="list flex items-center pr2 mb3"><a href="/author/sofia/" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2waJR10lPQ4007cOdOJQ5P/b525f38d9cf9e9d7df248f7134f31add/sofia.jpg" alt="Sofía Celi" width="62" height="62"/></a><div class="author-name-tooltip"><a href="/author/sofia/" class="fw4 f3 no-underline black">Sofía Celi</a></div></li></ul></div></article><!--astro:end--></astro-island><astro-island uid="2iox63" prefix="r2" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{&quot;currentPage&quot;:[0,1],&quot;isFeaturedImageFirstPost&quot;:[0,false],&quot;post&quot;:[0,{&quot;id&quot;:[0,&quot;3Zpj2uDmshq6ssT51N9alr&quot;],&quot;title&quot;:[0,&quot;Supporting the latest version of the Privacy Pass Protocol&quot;],&quot;slug&quot;:[0,&quot;supporting-the-latest-version-of-the-privacy-pass-protocol&quot;],&quot;excerpt&quot;:[0,&quot;At Cloudflare, we are committed to supporting and developing new privacy-preserving technologies that benefit all Internet users. 
In November 2017, we announced server-side support for the Privacy Pass protocol, a piece of work developed in collaboration with the academic community.&quot;],&quot;featured&quot;:[0,false],&quot;html&quot;:[0,&quot;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/445gSyr8pFihUh221BqGV5/0e704d8d2ecd834689eea53c04554be5/Privacy-Pass-_2x-2.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1600\&quot; height=\&quot;1017\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;At Cloudflare, we are committed to supporting and developing new privacy-preserving technologies that benefit all Internet users. In November 2017, we announced server-side support for the &lt;a href=\&quot;/cloudflare-supports-privacy-pass/\&quot;&gt;Privacy Pass protocol&lt;/a&gt;, a piece of work developed in &lt;a href=\&quot;https://petsymposium.org/2018/files/papers/issue3/popets-2018-0026.pdf\&quot;&gt;collaboration with the academic community&lt;/a&gt;. Privacy Pass, in a nutshell, allows clients to provide proof of trust &lt;a href=\&quot;https://privacypass.github.io/protocol/\&quot;&gt;without revealing where and when the trust was provided&lt;/a&gt;. The aim of the protocol is then to allow anyone to prove they are trusted by a server, without that server being able to track the user via the trust that was assigned.&lt;/p&gt;&lt;p&gt;On a technical level, Privacy Pass clients receive attestation tokens from a server, that can then be redeemed in the future. These tokens are provided when a server deems the client to be trusted; for example, after they have logged into a service or if they prove certain characteristics. 
The redeemed tokens are cryptographically unlinkable to the attestation originally provided by the server, and so they do not reveal anything about the client.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7LVQnmDxgw0kv43MipnEO5/ed93518b30730567d1780e22fa46e606/imageLikeEmbed--2-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;721\&quot; height=\&quot;382\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/62mh0kvdwZSIUQhkLHmqLt/ea96c6a856a3b53c7ceb8a3b52c6dd3d/imageLikeEmbed--1-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;721\&quot; height=\&quot;382\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;To use Privacy Pass, clients can install an &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-extension\&quot;&gt;open-source&lt;/a&gt; browser extension available in &lt;a href=\&quot;https://chrome.google.com/webstore/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi?hl=en\&quot;&gt;Chrome&lt;/a&gt; &amp;amp; &lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt;. There have been over 150,000 individual downloads of Privacy Pass worldwide; approximately 130,000 in Chrome and more than 20,000 in Firefox. The extension is supported by Cloudflare to make websites more accessible for users. 
This complements previous work, including the launch of &lt;a href=\&quot;/cloudflare-onion-service/\&quot;&gt;Cloudflare onion services&lt;/a&gt; to help improve accessibility for users of the Tor Browser.&lt;/p&gt;&lt;p&gt;The initial release was almost two years ago, and it was followed up with a &lt;a href=\&quot;https://petsymposium.org/2018/files/papers/issue3/popets-2018-0026.pdf\&quot;&gt;research publication&lt;/a&gt; that was presented at the &lt;a href=\&quot;https://www.youtube.com/watch?v=9DsUi-UF2pM&amp;list=PLWSQygNuIsPd6YJmGV9kn1mP2A6-IBCoU&amp;index=10\&quot;&gt;Privacy Enhancing Technologies Symposium 2018&lt;/a&gt; (winning a Best Student Paper award). Since then, Cloudflare has been working with the wider community to build on the initial design and improve Privacy Pass. We’ll be talking about the work that we have done to develop the existing implementations, alongside the protocol itself.&lt;/p&gt;&lt;h1&gt;What’s new?&lt;/h1&gt;&lt;p&gt;&lt;b&gt;Support for Privacy Pass v2.0 browser extension:&lt;/b&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;Easier configuration of workflow.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Integration with new service provider (hCaptcha).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Compliance with hash-to-curve draft.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Possible to rotate keys outside of extension release.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Available in &lt;a href=\&quot;https://chrome.google.com/webstore/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi?hl=en\&quot;&gt;Chrome&lt;/a&gt; and &lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt; (works best with up-to-date browser versions).&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;b&gt;Rolling out a new server backend using Cloudflare Workers platform:&lt;/b&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;Cryptographic operations performed using internal V8 engine.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Provides 
public redemption API for Cloudflare Privacy Pass v2.0 tokens.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Available by making POST requests to &lt;a href=\&quot;https://privacypass.cloudflare.com/api/redeem\&quot;&gt;https://privacypass.cloudflare.com/api/redeem&lt;/a&gt;. See the documentation for &lt;a href=\&quot;https://privacypass.github.io/api-redeem\&quot;&gt;example usage&lt;/a&gt;.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Only compatible with extension v2.0 (check that you have updated!).&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;b&gt;Standardization:&lt;/b&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;Continued development of oblivious pseudorandom functions (OPRFs) &lt;a href=\&quot;https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/\&quot;&gt;draft&lt;/a&gt; in prime-order groups with CFRG@IRTF.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a href=\&quot;https://github.com/alxdavids/draft-privacy-pass\&quot;&gt;New draft&lt;/a&gt; specifying Privacy Pass protocol.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;h1&gt;Extension v2.0&lt;/h1&gt;&lt;p&gt;In the time since the release, we’ve been working on a number of new features. Today we’re excited to announce support for version 2.0 of the extension, the first update since the original release. The extension continues to be available for &lt;a href=\&quot;https://chrome.google.com/webstore/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi?hl=en\&quot;&gt;Chrome&lt;/a&gt; and &lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt;. You may need to download v2.0 manually from the store if you have auto-updates disabled in your browser.&lt;/p&gt;&lt;p&gt;The extension remains under active development and we still regard our support as in the beta phase. 
This will continue to be the case as the draft specification of the protocol continues to be written in collaboration with the wider community.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6WHnz7X5VULjd2rQPvSCYM/3fb47ca24f01788504fd4768813267fc/pasted-image-0-2.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1280\&quot; height=\&quot;800\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;new-integrations\&quot;&gt;New Integrations&lt;/h3&gt;\n &lt;a href=\&quot;#new-integrations\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The client implementation uses the &lt;a href=\&quot;https://developer.chrome.com/extensions/webRequest\&quot;&gt;WebRequest API&lt;/a&gt; to look for certain types of HTTP requests. When these requests are spotted, they are rewritten to include some cryptographic data required for the Privacy Pass protocol. This allows Privacy Pass providers receiving this data to authorize access for the user.&lt;/p&gt;&lt;p&gt;For example, a user may receive Privacy Pass tokens for completing some server security checks. 
These tokens are stored by the browser extension, and any future request that needs similar security clearance can be modified to add a stored token as an extra HTTP header. The server can then check the client token and verify that the client has the correct authorization to proceed.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1EOFEhhNfe23pe6Beqsprx/f11bd08106711abf443dd53afd45f013/imageLikeEmbed--4-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;546\&quot; height=\&quot;350\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;While Cloudflare supports a particular type of request flow, it would be impossible to expect different service providers to all abide by the same exact interaction characteristics. One of the major changes in the v2.0 extension has been a technical rewrite to instead use a central configuration file. The config is specified in the &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-extension/blob/master/src/ext/config.js\&quot;&gt;source code&lt;/a&gt; of the extension and allows easier modification of the browsing characteristics that initiate Privacy Pass actions. This makes adding new, completely different request flows possible by simply cloning and adapting the configuration for new providers.&lt;/p&gt;&lt;p&gt;To demonstrate that such integrations are now possible with other services beyond Cloudflare, a new version of the extension will soon be rolling out that is supported by the CAPTCHA provider &lt;a href=\&quot;https://www.hcaptcha.com/\&quot;&gt;hCaptcha&lt;/a&gt;. 
Users that solve ephemeral challenges provided by hCaptcha will receive privacy-preserving tokens that will be redeemable at other hCaptcha customer sites.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/66fIxiUIFsXF1mShWhpp9U/8e1e7cf73b844e2128b8766a8dde95dc/image-8-1.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;436\&quot; height=\&quot;116\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;&lt;i&gt;“hCaptcha is focused on user privacy, and supporting Privacy Pass is a natural extension of our work in this area. We look forward to working with Cloudflare and others to make this a common and widely adopted standard, and are currently exploring other applications. Implementing Privacy Pass into our globally distributed service was relatively straightforward, and we have enjoyed working with the Cloudflare team to improve the open source Chrome browser extension in order to deliver the best experience for our users.”&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;— &lt;b&gt;Eli-Shaoul Khedouri&lt;/b&gt;, founder of hCaptcha&lt;/p&gt;&lt;p&gt;This hCaptcha integration with the Privacy Pass browser extension acts as a proof-of-concept in establishing support for new services. 
Any new providers that would like to integrate with the Privacy Pass browser extension can do so simply by making a PR to the &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-extension/\&quot;&gt;open-source repository&lt;/a&gt;.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;improved-cryptographic-functionality\&quot;&gt;Improved cryptographic functionality&lt;/h2&gt;\n &lt;a href=\&quot;#improved-cryptographic-functionality\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;After the release of v1.0 of the extension, there were features that were still unimplemented. These included proper zero-knowledge proof validation for checking that the server was always using the same committed key. In v2.0 this functionality has been completed, verifiably preventing a malicious server from attempting to deanonymize users by using a different key for each request.&lt;/p&gt;&lt;p&gt;The cryptographic operations required for Privacy Pass are performed using &lt;a href=\&quot;/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/\&quot;&gt;elliptic curve cryptography&lt;/a&gt; (ECC). 
The extension currently uses the &lt;a href=\&quot;https://www.secg.org/SEC2-Ver-1.0.pdf\&quot;&gt;NIST P-256&lt;/a&gt; curve, for which we have included some optimisations. Firstly, this makes it possible to store elliptic curve points in compressed and uncompressed data formats. This means that browser storage can be reduced by 50%, and that server responses can be made smaller too.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6k9bRq8TswnyzrNdFxl0km/9db49e7d648d03b225077aecb6ee0fa0/imageLikeEmbed--5-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;958\&quot; height=\&quot;406\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;Secondly, support has been added for hashing to the P-256 curve using the “Simplified Shallue-van de Woestijne-Ulas” (SSWU) method specified in an ongoing draft (&lt;a href=\&quot;https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-03\&quot;&gt;https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-03&lt;/a&gt;) for standardizing encodings for hashing to elliptic curves. The implementation is compliant with the specification of the “P256-SHA256-SSWU-” ciphersuite in this draft.&lt;/p&gt;&lt;p&gt;These changes have a dual advantage, firstly ensuring that the P-256 hash-to-curve specification is compliant with the draft specification. Secondly this ciphersuite removes the necessity for using probabilistic methods, such as &lt;a href=\&quot;https://tools.ietf.org/html/draft-irtf-cfrg-vrf-05#section-5.4.1.1\&quot;&gt;hash-and-increment&lt;/a&gt;. The hash-and-increment method has a non-negligible chance of failure, and the running time is highly dependent on the hidden client input. 
While it is not clear how to abuse timing attack vectors currently, using the SSWU method should reduce the potential for attacking the implementation, and learning the client input.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;key-rotation\&quot;&gt;Key rotation&lt;/h2&gt;\n &lt;a href=\&quot;#key-rotation\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;As we mentioned above, verifying that the server is always using the same key is an important part of ensuring the client’s privacy. This ensures that the server cannot segregate the user base and reduce client privacy by using different secret keys for each client that it interacts with. 
The server guarantees that it’s always using the same key by publishing a commitment to its public key somewhere that the client can access.&lt;/p&gt;&lt;p&gt;Every time the server issues Privacy Pass tokens to the client, it also produces a &lt;a href=\&quot;https://en.wikipedia.org/wiki/Zero-knowledge_proof\&quot;&gt;zero-knowledge proof&lt;/a&gt; that it has produced these tokens using the correct key.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4SUH19vNZ1MZ3G7hvTNN40/6717cc2c64b8fc3a69efb014d76411c8/imageLikeEmbed--6-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;721\&quot; height=\&quot;382\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;Before the extension stores any tokens, it first verifies the proof against the commitments it knows. Previously, these commitments were stored directly in the source code of the extension. This meant that if the server wanted to rotate its key, then it required releasing a new version of the extension, which was unnecessarily difficult. The extension has been modified so that the commitments are stored in a &lt;a href=\&quot;https://github.com/privacypass/ec-commitments\&quot;&gt;trusted location&lt;/a&gt; that the client can access when it needs to verify the server response. Currently this location is a separate Privacy Pass &lt;a href=\&quot;https://github.com/privacypass/ec-commitments\&quot;&gt;GitHub repository&lt;/a&gt;. 
For those that are interested, we have provided a more detailed description of the new commitment format in Appendix A at the end of this post.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1ak9ZJ0QWKpWnQBAa4oOpe/59a1907df42318f2e63dbd889c80f839/imageLikeEmbed--7-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;721\&quot; height=\&quot;382\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;h1&gt;Implementing server-side support in Workers&lt;/h1&gt;&lt;p&gt;So far we have focused on client-side updates. As part of supporting v2.0 of the extension, we are rolling out some major changes to the server-side support that Cloudflare uses. For version 1.0, we used a &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-server\&quot;&gt;Go implementation&lt;/a&gt; of the server. In v2.0 we are introducing a new server implementation that runs in the &lt;a href=\&quot;https://www.cloudflare.com/products/cloudflare-workers/\&quot;&gt;Cloudflare Workers&lt;/a&gt; platform. This server implementation is only compatible with v2.0 releases of Privacy Pass, so you may need to update your extension if you have auto-updates turned off in your browser.&lt;/p&gt;&lt;p&gt;Our server will run at &lt;a href=\&quot;https://privacypass.cloudflare.com\&quot;&gt;https://privacypass.cloudflare.com&lt;/a&gt;, and all Privacy Pass requests sent to the Cloudflare edge are handled by Worker scripts that run on this domain. Our implementation has been rewritten using Javascript, with cryptographic operations running in the &lt;a href=\&quot;https://v8.dev/\&quot;&gt;V8 engine&lt;/a&gt; that powers Cloudflare Workers. This means that we are able to run highly efficient and constant-time cryptographic operations. 
On top of this, we benefit from the enhanced performance provided by running our code in the Workers Platform, as close to the user as possible.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;webcrypto-support\&quot;&gt;WebCrypto support&lt;/h2&gt;\n &lt;a href=\&quot;#webcrypto-support\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Firstly, you may be asking, how do we manage to implement cryptographic operations in Cloudflare Workers? Currently, support for performing cryptographic operations is provided in the Workers platform via the &lt;a href=\&quot;https://developers.cloudflare.com/workers/reference/apis/web-crypto/\&quot;&gt;WebCrypto API&lt;/a&gt;. This API allows users to compute functionality such as cryptographic hashing, alongside more complicated operations like ECDSA signatures.&lt;/p&gt;&lt;p&gt;In the Privacy Pass protocol, as we’ll discuss a bit later, the main cryptographic operations are performed by a protocol known as a verifiable oblivious pseudorandom function (VOPRF). Such a protocol allows a client to learn function outputs computed by a server, without revealing to the server what their actual input was. 
The verifiable aspect means that the server must also prove (in a publicly verifiable way) that the evaluation they pass to the user is correct. Such a function is pseudorandom because the server output is indistinguishable from a random sequence of bytes.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2KJRvlrFMHsy9QlSofzWVs/b208b4b31a1169d2a3b60ffb396049a8/imageLikeEmbed--8-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;721\&quot; height=\&quot;382\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;The VOPRF functionality requires a server to perform low-level ECC operations that are not currently exposed in the WebCrypto API. We weighed the possible ways of getting around this requirement. First we tried using the WebCrypto API in a non-standard manner, using EC Diffie-Hellman key exchange as a method for performing the scalar multiplication that we needed. We also tried to implement all operations using pure JavaScript. Unfortunately both methods were unsatisfactory in the sense that they would either mean integrating with large external cryptographic libraries, or they would be far too slow to be used in a performant Internet setting.&lt;/p&gt;&lt;p&gt;In the end, we settled on a solution that adds functions necessary for Privacy Pass to the internal WebCrypto interface in the Cloudflare V8 Javascript engine. This algorithm mimics the sign/verify interface provided by signature algorithms like ECDSA. In short, we use the &lt;code&gt;sign()&lt;/code&gt; function to issue Privacy Pass tokens to the client, while &lt;code&gt;verify()&lt;/code&gt; can be used by the server to verify data that is redeemed by the client. 
These functions are implemented directly in the V8 layer and so they are much more performant and secure (running in constant-time, for example) than pure JS alternatives.&lt;/p&gt;&lt;p&gt;The Privacy Pass WebCrypto interface is not currently available for public usage. If it turns out there is enough interest in using this additional algorithm in the Workers platform, then we will consider making it public.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;applications\&quot;&gt;Applications&lt;/h3&gt;\n &lt;a href=\&quot;#applications\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;In recent times, VOPRFs have been shown to be a highly useful primitive in establishing many cryptographic tools. Aside from Privacy Pass, they are also essential for constructing password-authenticated key exchange protocols such as &lt;a href=\&quot;https://datatracker.ietf.org/doc/draft-krawczyk-cfrg-opaque/\&quot;&gt;OPAQUE&lt;/a&gt;. 
They have also been used in designs of &lt;a href=\&quot;https://eprint.iacr.org/2016/799\&quot;&gt;private set intersection&lt;/a&gt;, &lt;a href=\&quot;https://eprint.iacr.org/2014/650\&quot;&gt;password-protected secret-sharing&lt;/a&gt; protocols, and &lt;a href=\&quot;https://medium.com/least-authority/the-path-from-s4-to-privatestorage-ae9d4a10b2ae\&quot;&gt;privacy-preserving access-control&lt;/a&gt; for private data storage.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;public-redemption-api\&quot;&gt;Public redemption API&lt;/h2&gt;\n &lt;a href=\&quot;#public-redemption-api\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Writing the server in Cloudflare Workers means that we will be providing server-side support for Privacy Pass on a &lt;a href=\&quot;https://privacypass.cloudflare.com\&quot;&gt;public domain&lt;/a&gt;! While we only issue tokens to clients after we are sure that we can trust them, anyone will be able to redeem the tokens using our public redemption API at &lt;a href=\&quot;https://privacypass.cloudflare.com/api/redeem\&quot;&gt;https://privacypass.cloudflare.com/api/redeem&lt;/a&gt;. 
As we roll out the server-side component worldwide, you will be able to interact with this API and verify Cloudflare Privacy Pass tokens &lt;a href=\&quot;https://privacypass.github.io/api-redeem\&quot;&gt;independently of the browser extension&lt;/a&gt;.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7zI9w6HIR8cXOr884kCw8m/601fe8c196b434ac50fdb12eaca63927/imageLikeEmbed--9-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;828\&quot; height=\&quot;465\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;This means that any service can accept Privacy Pass tokens from a client that were issued by Cloudflare, and then verify them with the Cloudflare redemption API. Using the result provided by the API, external services can check whether Cloudflare has authorized the user in the past.&lt;/p&gt;&lt;p&gt;We think that this will benefit other service providers because they can use the attestation of authorization from Cloudflare in their own decision-making processes, without sacrificing the privacy of the client at any stage. We hope that this ecosystem can grow further, with potentially more services providing public redemption APIs of their own. With a more diverse set of issuers, these attestations will become more useful.&lt;/p&gt;&lt;p&gt;By running our server on a public domain, we are effectively a customer of the Cloudflare Workers product. This means that we are also able to make use of &lt;a href=\&quot;https://developers.cloudflare.com/workers/reference/storage/\&quot;&gt;Workers KV&lt;/a&gt; for protecting against malicious clients. In particular, servers must check that clients are not re-using tokens during the redemption phase. 
The performance of Workers KV in analyzing reads makes this an obvious choice for providing double-spend protection globally.&lt;/p&gt;&lt;p&gt;If you would like to use the public redemption API, we provide documentation for using it at &lt;a href=\&quot;https://privacypass.github.io/api-redeem\&quot;&gt;https://privacypass.github.io/api-redeem&lt;/a&gt;. We also provide some example requests and responses in Appendix B at the end of the post.&lt;/p&gt;&lt;h1&gt;Standardization &amp;amp; new applications&lt;/h1&gt;&lt;p&gt;In tandem with the recent engineering work that we have been doing on supporting Privacy Pass, we have been collaborating with the wider community in an attempt to standardize both the &lt;a href=\&quot;https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/\&quot;&gt;underlying VOPRF functionality&lt;/a&gt;, and the &lt;a href=\&quot;https://github.com/alxdavids/draft-privacy-pass\&quot;&gt;protocol itself&lt;/a&gt;. While the process of standardization for oblivious pseudorandom functions (OPRFs) has been running for over a year, the recent efforts to standardize the Privacy Pass protocol have been driven by very recent applications that have come about in the last few months.&lt;/p&gt;&lt;p&gt;Standardizing protocols and functionality is an important way of providing interoperable, secure, and performant interfaces for running protocols on the Internet. This makes it easier for developers to write their own implementations of this complex functionality. The process also provides helpful peer reviews from experts in the community, which can lead to better surfacing of potential security risks that should be mitigated in any implementation. 
Other benefits include coming to a consensus on the most reliable, scalable and performant protocol designs for all possible applications.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;oblivious-pseudorandom-functions\&quot;&gt;Oblivious pseudorandom functions&lt;/h2&gt;\n &lt;a href=\&quot;#oblivious-pseudorandom-functions\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Oblivious pseudorandom functions (OPRFs) are a generalization of VOPRFs that do not require the server to prove that they have evaluated the functionality properly. Since July 2019, we have been collaborating &lt;a href=\&quot;https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/\&quot;&gt;on a draft&lt;/a&gt; with the &lt;a href=\&quot;https://irtf.org/cfrg\&quot;&gt;Crypto Forum Research Group&lt;/a&gt; (CFRG) at the Internet Research Task Force (IRTF) to standardize an OPRF protocol that operates in prime-order groups. This is a generalisation of the setting that is provided by &lt;a href=\&quot;/tag/elliptic-curves/\&quot;&gt;elliptic curves&lt;/a&gt;. 
This is the same VOPRF construction that was &lt;a href=\&quot;/privacy-pass-the-math/\&quot;&gt;originally specified&lt;/a&gt; by the Privacy Pass protocol and is based heavily on the original protocol design from the &lt;a href=\&quot;https://eprint.iacr.org/2014/650.pdf\&quot;&gt;paper of Jarecki, Kiayias and Krawczyk&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;One of the recent changes that we&amp;#39;ve made in the draft is to increase the size of the key that we consider for performing OPRF operations on the server side. Existing research suggests that it is possible to create specific queries that can lead to small amounts of the key being leaked. For keys that provide only 128 bits of security this can be a problem, as leaking too many bits would reduce security &lt;a href=\&quot;https://www.keylength.com/en/4/\&quot;&gt;beyond currently accepted levels&lt;/a&gt;. To counter this, we have effectively increased the minimum key size to 192 bits. This prevents the leakage from becoming an attack vector via any practical method. 
We discuss these attacks in more detail later on when discussing our future plans for VOPRF development.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;recent-applications-and-standardizing-the-protocol\&quot;&gt;Recent applications and standardizing the protocol&lt;/h2&gt;\n &lt;a href=\&quot;#recent-applications-and-standardizing-the-protocol\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The application that we demonstrated when originally supporting Privacy Pass was always intended as a proof-of-concept for the protocol. 
Over the past few months, a number of new possibilities have arisen in areas that go far beyond what was previously envisaged.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card kg-width-wide\&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/SceyvCGOJ7quMiDSyPxR5/9785c42a79cf313d05ef5eb5a113d2f2/imageLikeEmbed--10-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;546\&quot; height=\&quot;350\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;For example, the &lt;a href=\&quot;https://github.com/WICG/trust-token-api\&quot;&gt;trust token API&lt;/a&gt;, developed by the &lt;a href=\&quot;https://wicg.io/\&quot;&gt;Web Incubator Community Group&lt;/a&gt;, has been proposed as an interface for using Privacy Pass. This application allows third-party vendors to check that a user has received a trust attestation from a set of central issuers. This allows the vendor to make decisions about the honesty of a client without having to associate a behaviour profile with the identity of the user. The objective is to protect against fraudulent activity from users who are not trusted by the central issuer set. Checking trust attestations with central issuers would be possible using similar redemption APIs to the one that &lt;a href=\&quot;https://privacypass.cloudflare.com\&quot;&gt;we have introduced&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;A &lt;a href=\&quot;https://engineering.fb.com/security/partially-blind-signatures/\&quot;&gt;separate piece of work from Facebook&lt;/a&gt; details a similar application for preventing fraudulent behavior that may also be compatible with the Privacy Pass protocol. 
Finally, other applications have arisen in the areas of providing access to &lt;a href=\&quot;https://medium.com/least-authority/the-path-from-s4-to-privatestorage-ae9d4a10b2ae\&quot;&gt;private storage&lt;/a&gt; and &lt;a href=\&quot;https://github.com/brave/brave-browser/wiki/Security-and-privacy-model-for-ad-confirmations\&quot;&gt;establishing security and privacy models in advertisement confirmations&lt;/a&gt;.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;a-new-draft\&quot;&gt;A new draft&lt;/h3&gt;\n &lt;a href=\&quot;#a-new-draft\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;With the applications above in mind, we have recently started collaborative work on a &lt;a href=\&quot;https://github.com/alxdavids/draft-privacy-pass\&quot;&gt;new IETF draft&lt;/a&gt; that specifically lays out the required functionality provided by the Privacy Pass protocol as a whole. Our aim is to develop, alongside wider industrial partners and the academic community, a functioning specification of the Privacy Pass protocol. We hope that by doing this we will be able to design a base-layer protocol, that can then be used as a cryptographic primitive in wider applications that require some form of lightweight authorization. 
Our plan is to present the first version of this draft at the upcoming &lt;a href=\&quot;https://www.ietf.org/how/meetings/106/\&quot;&gt;IETF 106 meeting&lt;/a&gt; in Singapore next month.&lt;/p&gt;&lt;p&gt;The draft is still in the early stages of development and we are actively looking for people who are interested in helping to shape the protocol specification. We would be grateful for any help that contributes to this process. See &lt;a href=\&quot;https://github.com/alxdavids/draft-privacy-pass\&quot;&gt;the GitHub repository&lt;/a&gt; for the current version of the document.&lt;/p&gt;&lt;h1&gt;Future avenues&lt;/h1&gt;&lt;p&gt;Finally, while we are actively working on a number of different pathways in the present, the future directions for the project are still open. We believe that there are many applications out there that we have not considered yet and we are excited to see where the protocol is used in the future. Here are some other ideas we have for novel applications and security properties that we think might be worth pursuing in future.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;publicly-verifiable-tokens\&quot;&gt;Publicly verifiable tokens&lt;/h2&gt;\n &lt;a href=\&quot;#publicly-verifiable-tokens\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 
1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;One of the disadvantages of using a VOPRF is that redemption tokens are only verifiable by the original issuing server, because verification requires the issuer’s secret key. Any third party that wants to check a token therefore has to ask the issuer (for example through a redemption API like the one described below) and trust its answer. If we used an underlying primitive that allowed public verification of redemption tokens, then anyone could verify that the issuing server had issued the particular token. Such a protocol could be constructed on top of so-called blind signature schemes, such as &lt;a href=\&quot;https://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures\&quot;&gt;Blind RSA&lt;/a&gt;. Unfortunately, there are performance and security concerns arising from the usage of blind signature schemes in a browser environment. Existing schemes (especially RSA-based variants) require cryptographic computations that are much heavier than the construction used in our VOPRF protocol.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;post-quantum-voprf-alternatives\&quot;&gt;Post-quantum VOPRF alternatives&lt;/h2&gt;\n &lt;a href=\&quot;#post-quantum-voprf-alternatives\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The only known constructions of VOPRFs exist in pre-quantum settings, usually based on the hardness of well-known problems in group settings such as 
the discrete-log and &lt;a href=\&quot;https://en.wikipedia.org/wiki/Decisional_Diffie%E2%80%93Hellman_assumption\&quot;&gt;decisional Diffie-Hellman&lt;/a&gt; assumptions. No constructions of VOPRFs are known to provide security against adversaries that can run &lt;a href=\&quot;/the-quantum-menace/\&quot;&gt;quantum computational algorithms&lt;/a&gt;. This means that the Privacy Pass protocol is only believed to be secure against adversaries running on classical hardware.&lt;/p&gt;&lt;p&gt;Recent developments suggest that quantum computing may arrive &lt;a href=\&quot;https://www.nature.com/articles/s41586-019-1666-5\&quot;&gt;sooner than previously thought&lt;/a&gt;. As such, we believe that investigating the possibility of &lt;a href=\&quot;/introducing-circl/\&quot;&gt;constructing practical post-quantum alternatives&lt;/a&gt; for our current cryptographic toolkit is a task of great importance for ourselves and the wider community. In this case, devising performant post-quantum alternatives for VOPRF constructions would be an important theoretical advancement. 
Eventually this would lead to a Privacy Pass protocol that still provides privacy-preserving authorization in a post-quantum world.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;voprf-security-and-larger-ciphersuites\&quot;&gt;VOPRF security and larger ciphersuites&lt;/h2&gt;\n &lt;a href=\&quot;#voprf-security-and-larger-ciphersuites\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;We mentioned previously that VOPRFs (or simply OPRFs) are susceptible to small amounts of possible leakage in the key. Here we will give a brief description of the actual attacks themselves, along with further details on our plans for implementing higher security ciphersuites to mitigate the leakage.&lt;/p&gt;&lt;p&gt;Specifically, malicious clients can interact with a VOPRF for creating something known as a &lt;a href=\&quot;https://eprint.iacr.org/2010/215.pdf\&quot;&gt;q-Strong-Diffie-Hellman&lt;/a&gt; (q-sDH) sample. Such samples are created in mathematical groups (usually in the elliptic curve setting). 
For any group there is a public element &lt;code&gt;g&lt;/code&gt; that is central to all &lt;a href=\&quot;https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange\&quot;&gt;Diffie-Hellman&lt;/a&gt; type operations, along with the server key &lt;code&gt;K&lt;/code&gt;, which is a randomly generated scalar (an integer modulo the group order, not a group element). A q-sDH sample takes the form:&lt;/p&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code class=\&quot;language-bash\&quot;&gt;( g, g^K, g^(K^2), … , g^(K^q) )&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;and asks the adversary to output a pair &lt;code&gt;(g^(1/(s+K)), s)&lt;/code&gt; for some scalar &lt;code&gt;s&lt;/code&gt; of its choosing. It is possible for a client in the VOPRF protocol to build a q-sDH sample by simply submitting the result of the previous VOPRF evaluation back to the server: each round trip raises the previous output to the power &lt;code&gt;K&lt;/code&gt; once more, so &lt;code&gt;q&lt;/code&gt; sequential issuance queries under the same key yield the full sample. The parameter &lt;code&gt;q&lt;/code&gt; is therefore bounded by the number of queries an attacker can make against a single key, which is one reason why key rotation (see Appendix A) also helps to limit exposure.&lt;/p&gt;&lt;p&gt;While this problem is believed to be hard to break, there are a number of past works that show that the problem is somewhat easier than the size of the group suggests (for example, see &lt;a href=\&quot;https://eprint.iacr.org/2004/306\&quot;&gt;here&lt;/a&gt; and &lt;a href=\&quot;https://www.iacr.org/archive/eurocrypt2006/40040001/40040001.pdf\&quot;&gt;here&lt;/a&gt;). Concretely speaking, the bit security implied by the group can be reduced by up to log&lt;sub&gt;2&lt;/sub&gt;(q) bits. While this is not immediately fatal, even to groups that should provide 128 bits of security, it can lead to a loss of security that means that the setting is no longer future-proof. As a result, any group providing VOPRF functionality that is instantiated using an elliptic curve such as P-256 or Curve25519 provides weaker than advised security guarantees.&lt;/p&gt;&lt;p&gt;With this in mind, we have taken the recent decision to upgrade the ciphersuites that we recommend for OPRF usage to only those that provide &amp;gt; 128 bits of security, as standard. For example, Curve448 provides 192 bits of security. 
To launch an attack that reduced security to an amount lower than 128 bits would require making 2^(68) client OPRF queries. This is a significant barrier to entry for any attacker, and so we regard these ciphersuites as safe for instantiating the OPRF functionality.&lt;/p&gt;&lt;p&gt;In the near future, it will be necessary to upgrade the ciphersuites that are used in our support of the Privacy Pass browser extension to the recommendations made in the current VOPRF draft. In general, with a more iterative release process, we hope that the Privacy Pass implementation will be able to follow the current draft standard more closely as it evolves during the standardization process.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;get-in-touch\&quot;&gt;Get in touch!&lt;/h2&gt;\n &lt;a href=\&quot;#get-in-touch\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;You can now install v2.0 of the Privacy Pass extension in &lt;a href=\&quot;https://chrome.google.com/webstore/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi?hl=en\&quot;&gt;Chrome&lt;/a&gt; or &lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;If you would like to help contribute to the development 
of this extension then you can do so on &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-extension\&quot;&gt;GitHub&lt;/a&gt;. Are you a service provider that would like to integrate server-side support for the extension? Then we would be very interested in &lt;a href=\&quot;mailto:privacy-pass-support@cloudflare.com\&quot;&gt;hearing from you!&lt;/a&gt;&lt;/p&gt;&lt;p&gt;We will continue to work with the wider community in developing the standardization of the protocol; taking our motivation from the available applications that have been developed. We are always looking for new applications that can help to expand the Privacy Pass ecosystem beyond its current boundaries.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1eVrPb2t3hl5pVI97EtEu8/86eb63191b0cd299390f24162d51c54a/tales-from-the-crypto-team_2x--1-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1600\&quot; height=\&quot;1188\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;h1&gt;Appendix&lt;/h1&gt;&lt;p&gt;Here are some extra details related to the topics that we covered above.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;a-commitment-format-for-key-rotations\&quot;&gt;A. 
Commitment format for key rotations&lt;/h2&gt;\n &lt;a href=\&quot;#a-commitment-format-for-key-rotations\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Key commitments are necessary for the server to prove that it is acting honestly during the Privacy Pass protocol; in particular, that every client is being served under the same committed key, since a per-client key would let the server link a token at redemption back to its issuance. The commitments that Privacy Pass uses for the v2.0 release have a slightly different format from the previous release.&lt;/p&gt;\n &lt;pre class=\&quot;language-json\&quot;&gt;&lt;code class=\&quot;language-json\&quot;&gt;&amp;quot;2.00&amp;quot;: {\n &amp;quot;H&amp;quot;: &amp;quot;BPivZ+bqrAZzBHZtROY72/E4UGVKAanNoHL1Oteg25oTPRUkrYeVcYGfkOr425NzWOTLRfmB8cgnlUfAeN2Ikmg=&amp;quot;,\n &amp;quot;expiry&amp;quot;: &amp;quot;2020-01-11T10:29:10.658286752Z&amp;quot;,\n &amp;quot;sig&amp;quot;: &amp;quot;MEUCIQDu9xeF1q89bQuIMtGm0g8KS2srOPv+4hHjMWNVzJ92kAIgYrDKNkg3GRs9Jq5bkE/4mM7/QZInAVvwmIyg6lQZGE0=&amp;quot;\n}&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;First, the version of the server key is &lt;code&gt;2.00&lt;/code&gt;; the server must inform the client which version it intends to use in the response to a client containing issued tokens. 
This is so that the client can always use the correct commitments when verifying the zero-knowledge proof that the server sends.&lt;/p&gt;&lt;p&gt;The value of the member &lt;code&gt;H&lt;/code&gt; is the public key commitment to the secret key used by the server. This is a base64-encoded elliptic curve point of the form &lt;code&gt;H=kG&lt;/code&gt; where &lt;code&gt;G&lt;/code&gt; is the fixed generator of the curve, and &lt;code&gt;k&lt;/code&gt; is the secret key of the server. Since the discrete-log problem is believed to be hard to solve, deriving &lt;code&gt;k&lt;/code&gt; from &lt;code&gt;H&lt;/code&gt; is believed to be difficult. The value of the member &lt;code&gt;expiry&lt;/code&gt; is an expiry date for the commitment that is used. The value of the member &lt;code&gt;sig&lt;/code&gt; is an ECDSA signature evaluated using a long-term signing key associated with the server, and over the values of &lt;code&gt;H&lt;/code&gt; and &lt;code&gt;expiry&lt;/code&gt;. Note that the version identifier (&lt;code&gt;2.00&lt;/code&gt; above) is not covered by the signature, so it should be treated as a lookup key rather than as authenticated data.&lt;/p&gt;&lt;p&gt;When a client retrieves the commitment, it checks that it hasn’t expired and that the signature verifies using the corresponding verification key that is embedded into the configuration of the extension. If these checks pass, it retrieves &lt;code&gt;H&lt;/code&gt; and verifies the issuance response sent by the server. Because the verification key ships inside the extension, it is the trust root for every commitment: the client will accept any &lt;code&gt;H&lt;/code&gt; signed under it, so the long-term signing key needs at least the same protection as the VOPRF key, and rotating it requires a new extension release. Previous versions of these commitments did not include signatures, but these signatures will be validated from v2.0 onwards.&lt;/p&gt;&lt;p&gt;When a server wants to rotate the key, it simply generates a new key &lt;code&gt;k2&lt;/code&gt; and appends a new commitment to &lt;code&gt;k2&lt;/code&gt; with a new identifier such as &lt;code&gt;2.01&lt;/code&gt;. It can then use &lt;code&gt;k2&lt;/code&gt; as the secret for the VOPRF operations that it needs to compute.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h2 id=\&quot;b-example-redemption-api-request\&quot;&gt;B. 
Example Redemption API request&lt;/h2&gt;\n &lt;a href=\&quot;#b-example-redemption-api-request\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The redemption API is available over HTTPS by sending POST requests to &lt;a href=\&quot;https://privacypass.cloudflare.com/api/redeem\&quot;&gt;https://privacypass.cloudflare.com/api/redeem&lt;/a&gt;. Requests to this endpoint must specify Privacy Pass data using JSON-RPC 2.0 syntax in the body of the request. 
Let’s look at an example request:&lt;/p&gt;\n &lt;pre class=\&quot;language-json\&quot;&gt;&lt;code class=\&quot;language-json\&quot;&gt;{\n &amp;quot;jsonrpc&amp;quot;: &amp;quot;2.0&amp;quot;,\n &amp;quot;method&amp;quot;: &amp;quot;redeem&amp;quot;,\n &amp;quot;params&amp;quot;: {\n &amp;quot;data&amp;quot;: [\n &amp;quot;lB2ZEtHOK/2auhOySKoxqiHWXYaFlAIbuoHQnlFz57A=&amp;quot;,\n &amp;quot;EoSetsN0eVt6ztbLcqp4Gt634aV73SDPzezpku6ky5w=&amp;quot;,\n &amp;quot;eyJjdXJ2ZSI6InAyNTYiLCJoYXNoIjoic2hhMjU2IiwibWV0aG9kIjoic3d1In0=&amp;quot;\n ],\n &amp;quot;bindings&amp;quot;: [\n &amp;quot;string1&amp;quot;,\n &amp;quot;string2&amp;quot;\n ],\n &amp;quot;compressed&amp;quot;:&amp;quot;false&amp;quot;\n },\n &amp;quot;id&amp;quot;: 1\n}&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;In the above: &lt;code&gt;params.data[0]&lt;/code&gt; is the client input data used to generate a token in the issuance phase; &lt;code&gt;params.data[1]&lt;/code&gt; is the HMAC tag that the server uses to verify a redemption; and &lt;code&gt;params.data[2]&lt;/code&gt; is a stringified, base64-encoded JSON object that specifies the hash-to-curve parameters used by the client. For example, the last element in the array corresponds to the object:&lt;/p&gt;\n &lt;pre class=\&quot;language-json\&quot;&gt;&lt;code class=\&quot;language-json\&quot;&gt;{\n curve: &amp;quot;p256&amp;quot;,\n hash: &amp;quot;sha256&amp;quot;,\n method: &amp;quot;swu&amp;quot;,\n}&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;This specifies that the client has used the curve P-256, with hash function SHA-256, and the SSWU method for hashing to curve. This allows the server to verify the transaction with the correct ciphersuite. Since this descriptor is supplied by the client, the server should accept only the ciphersuites it explicitly supports (listed below) rather than honouring arbitrary values. The client must bind the redemption request to some fixed information, which it stores as multiple strings in the array &lt;code&gt;params.bindings&lt;/code&gt;. 
For example, it could send the Host header of the HTTP request, and the HTTP path that was used (this is what is used in the Privacy Pass browser extension). Because the HMAC tag is computed over these bindings, a redemption captured for one host and path will not verify against a different one, so the bindings should cover whatever the verifying server needs to tie the token to the specific request it is authorizing; replay against the same binding still has to be handled server-side, presumably by recording redeemed tokens. Finally, &lt;code&gt;params.compressed&lt;/code&gt; is an optional boolean value (defaulting to false) that indicates whether the HMAC tag was computed over compressed or uncompressed point encodings; note that the example above encodes it as the JSON string &lt;code&gt;&amp;quot;false&amp;quot;&lt;/code&gt; rather than a bare boolean, so check the API documentation for the exact form the server accepts.&lt;/p&gt;&lt;p&gt;Currently the only supported ciphersuites are the example above, or the same except with &lt;code&gt;method&lt;/code&gt; equal to &lt;code&gt;increment&lt;/code&gt; for the hash-and-increment method of hashing to a curve. This is the original method used in v1.0 of Privacy Pass, and is supported for backwards-compatibility only (unlike SSWU, its running time depends on the input being hashed). See the &lt;a href=\&quot;https://privacypass.github.io/api-redeem\&quot;&gt;provided documentation&lt;/a&gt; for more details.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;example-response\&quot;&gt;Example response&lt;/h3&gt;\n &lt;a href=\&quot;#example-response\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;If a request is sent to the redemption API and it is successfully verified, then the following response will be returned.&lt;/p&gt;\n &lt;pre class=\&quot;language-json\&quot;&gt;&lt;code 
class=\&quot;language-json\&quot;&gt;{\n &amp;quot;jsonrpc&amp;quot;: &amp;quot;2.0&amp;quot;,\n &amp;quot;result&amp;quot;: &amp;quot;success&amp;quot;,\n &amp;quot;id&amp;quot;: 1\n}&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;When an error occurs something similar to the following will be returned.&lt;/p&gt;\n &lt;pre class=\&quot;language-json\&quot;&gt;&lt;code class=\&quot;language-json\&quot;&gt;{\n &amp;quot;jsonrpc&amp;quot;: &amp;quot;2.0&amp;quot;,\n &amp;quot;error&amp;quot;: {\n &amp;quot;message&amp;quot;: &amp;lt;error-message&amp;gt;,\n &amp;quot;code&amp;quot;: &amp;lt;error-code&amp;gt;,\n },\n &amp;quot;id&amp;quot;: 1\n}&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;The error codes that we provide are specified as JSON-RPC 2.0 codes; we document the types of errors that we provide in the &lt;a href=\&quot;https://privacypass.github.io/api-redeem\&quot;&gt;API documentation&lt;/a&gt;.&lt;/p&gt;&quot;],&quot;published_at&quot;:[0,&quot;2019-10-28T13:00:00.000+00:00&quot;],&quot;updated_at&quot;:[0,&quot;2024-10-10T00:31:30.486Z&quot;],&quot;feature_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3wIHxkBv0vV2yhzR1vx7tQ/a074f76f500eae1604072cc93e2170e1/supporting-the-latest-version-of-the-privacy-pass-protocol.png&quot;],&quot;tags&quot;:[1,[[0,{&quot;id&quot;:[0,&quot;5grQBv96AL5Ck0c8I54a0f&quot;],&quot;name&quot;:[0,&quot;Crypto Week&quot;],&quot;slug&quot;:[0,&quot;crypto-week&quot;]}],[0,{&quot;id&quot;:[0,&quot;3ZtL0yV0R4ScAreV1dTfIY&quot;],&quot;name&quot;:[0,&quot;Privacy 
Pass&quot;],&quot;slug&quot;:[0,&quot;privacy-pass&quot;]}],[0,{&quot;id&quot;:[0,&quot;6Mp7ouACN2rT3YjL1xaXJx&quot;],&quot;name&quot;:[0,&quot;Security&quot;],&quot;slug&quot;:[0,&quot;security&quot;]}],[0,{&quot;id&quot;:[0,&quot;1x7tpPmKIUCt19EDgM1Tsl&quot;],&quot;name&quot;:[0,&quot;Research&quot;],&quot;slug&quot;:[0,&quot;research&quot;]}],[0,{&quot;id&quot;:[0,&quot;1QsJUMpv0QBSLiVZLLQJ3V&quot;],&quot;name&quot;:[0,&quot;Cryptography&quot;],&quot;slug&quot;:[0,&quot;cryptography&quot;]}]]],&quot;relatedTags&quot;:[0],&quot;authors&quot;:[1,[[0,{&quot;name&quot;:[0,&quot;Alex Davidson&quot;],&quot;slug&quot;:[0,&quot;alex-davidson&quot;],&quot;bio&quot;:[0,null],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1m0ky2DnnbIO9nnFOvrHoH/cc78437164b23c2556e933cae0681534/alex-davidson.jpg&quot;],&quot;location&quot;:[0,null],&quot;website&quot;:[0,null],&quot;twitter&quot;:[0,null],&quot;facebook&quot;:[0,null]}]]],&quot;meta_description&quot;:[0,null],&quot;primary_author&quot;:[0,{}],&quot;localeList&quot;:[0,{&quot;name&quot;:[0,&quot;Supporting the latest version of the Privacy Pass Protocol Config&quot;],&quot;enUS&quot;:[0,&quot;English for Locale&quot;],&quot;zhCN&quot;:[0,&quot;Translated for Locale&quot;],&quot;zhHansCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhTW&quot;:[0,&quot;No Page for Locale&quot;],&quot;frFR&quot;:[0,&quot;Translated for Locale&quot;],&quot;deDE&quot;:[0,&quot;Translated for Locale&quot;],&quot;itIT&quot;:[0,&quot;No Page for Locale&quot;],&quot;jaJP&quot;:[0,&quot;Translated for Locale&quot;],&quot;koKR&quot;:[0,&quot;No Page for Locale&quot;],&quot;ptBR&quot;:[0,&quot;No Page for Locale&quot;],&quot;esLA&quot;:[0,&quot;No Page for Locale&quot;],&quot;esES&quot;:[0,&quot;Translated for Locale&quot;],&quot;enAU&quot;:[0,&quot;No Page for Locale&quot;],&quot;enCA&quot;:[0,&quot;No Page for Locale&quot;],&quot;enIN&quot;:[0,&quot;No Page for Locale&quot;],&quot;enGB&quot;:[0,&quot;No Page for 
Locale&quot;],&quot;idID&quot;:[0,&quot;No Page for Locale&quot;],&quot;ruRU&quot;:[0,&quot;No Page for Locale&quot;],&quot;svSE&quot;:[0,&quot;No Page for Locale&quot;],&quot;viVN&quot;:[0,&quot;No Page for Locale&quot;],&quot;plPL&quot;:[0,&quot;No Page for Locale&quot;],&quot;arAR&quot;:[0,&quot;No Page for Locale&quot;],&quot;nlNL&quot;:[0,&quot;No Page for Locale&quot;],&quot;thTH&quot;:[0,&quot;No Page for Locale&quot;],&quot;trTR&quot;:[0,&quot;No Page for Locale&quot;],&quot;heIL&quot;:[0,&quot;No Page for Locale&quot;],&quot;lvLV&quot;:[0,&quot;No Page for Locale&quot;],&quot;etEE&quot;:[0,&quot;No Page for Locale&quot;],&quot;ltLT&quot;:[0,&quot;No Page for Locale&quot;]}],&quot;url&quot;:[0,&quot;https://blog.cloudflare.com/supporting-the-latest-version-of-the-privacy-pass-protocol&quot;],&quot;metadata&quot;:[0,{&quot;title&quot;:[0,&quot;Supporting the latest version of the Privacy Pass Protocol&quot;],&quot;description&quot;:[0,null],&quot;imgPreview&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1iBCJU8tdDk34MVoDapbq0/f5437deb59545d617f3dbd3e0fdc07b9/supporting-the-latest-version-of-the-privacy-pass-protocol-nXEe7z.png&quot;]}]}],&quot;translations&quot;:[0,{&quot;posts.by&quot;:[0,&quot;By&quot;],&quot;footer.gdpr&quot;:[0,&quot;GDPR&quot;],&quot;lang_blurb1&quot;:[0,&quot;This post is also available in {lang1}.&quot;],&quot;lang_blurb2&quot;:[0,&quot;This post is also available in {lang1} and {lang2}.&quot;],&quot;lang_blurb3&quot;:[0,&quot;This post is also available in {lang1}, {lang2} and {lang3}.&quot;],&quot;footer.press&quot;:[0,&quot;Press&quot;],&quot;header.title&quot;:[0,&quot;The Cloudflare 
Thank you for subscribing!&quot;],&quot;posts.social_buttons.hackernews&quot;:[0,&quot;Discuss on Hacker News&quot;],&quot;footer.diversity_equity_inclusion&quot;:[0,&quot;Diversity, equity &amp; inclusion&quot;],&quot;footer.critical_infrastructure_defense_project&quot;:[0,&quot;Critical Infrastructure Defense Project&quot;]}]}" ssr client="load" opts="{&quot;name&quot;:&quot;PostCard&quot;,&quot;value&quot;:true}" await-children><article class="w-50-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"><div class="w-100"><a href="/supporting-the-latest-version-of-the-privacy-pass-protocol/" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Supporting the latest version of the Privacy Pass Protocol</h2></a><p class="f3 fw5 gray5 my" data-testid="post-date">2019-10-28</p><div class=""><a href="/tag/crypto-week/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Crypto Week</a><a href="/tag/privacy-pass/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Privacy Pass</a><a href="/tag/security/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security</a><a href="/tag/research/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Research</a><a href="/tag/cryptography/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cryptography</a></div><p class="f3 fw4 gray1 lh-copy " data-testid="post-content">At Cloudflare, we are committed to supporting and developing new privacy-preserving technologies that benefit all Internet users. 
In November 2017, we announced server-side support for the Privacy Pass protocol, a piece of work developed in collaboration with the academic community.<!-- -->...</p><ul class="author-lists flex pl0"><li class="list flex items-center pr2 mb3"><a href="/author/alex-davidson/" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1m0ky2DnnbIO9nnFOvrHoH/cc78437164b23c2556e933cae0681534/alex-davidson.jpg" alt="Alex Davidson" width="62" height="62"/></a><div class="author-name-tooltip"><a href="/author/alex-davidson/" class="fw4 f3 no-underline black">Alex Davidson</a></div></li></ul></div></article><!--astro:end--></astro-island><astro-island uid="Zlp8qe" prefix="r3" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{&quot;currentPage&quot;:[0,1],&quot;isFeaturedImageFirstPost&quot;:[0,false],&quot;post&quot;:[0,{&quot;id&quot;:[0,&quot;7mmYqDqVbCUWqpT2wyf2OU&quot;],&quot;title&quot;:[0,&quot;Introducing the Cloudflare Onion Service&quot;],&quot;slug&quot;:[0,&quot;cloudflare-onion-service&quot;],&quot;excerpt&quot;:[0,&quot;Two years ago this week Cloudflare introduced Opportunistic Encryption, a feature that provided additional security and performance benefits to websites that had not yet moved to HTTPS.&quot;],&quot;featured&quot;:[0,false],&quot;html&quot;:[0,&quot;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7zrQosYw53kvfW2Q4aCLqB/c984e375c0d54f92bee94352c1e105fa/unnamed-1.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1049\&quot; height=\&quot;1020\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;&lt;b&gt;When&lt;/b&gt;: a cold San Francisco summer 
afternoon&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;b&gt;Where&lt;/b&gt;: Room &lt;a href=\&quot;https://httpstat.us/305\&quot;&gt;305&lt;/a&gt;, Cloudflare&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;b&gt;Who&lt;/b&gt;: 2 from Cloudflare + 9 from the Tor Project&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;What could go wrong?&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;bit-of-background\&quot;&gt;Bit of Background&lt;/h3&gt;\n &lt;a href=\&quot;#bit-of-background\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Two years ago this week Cloudflare introduced &lt;a href=\&quot;/opportunistic-encryption-bringing-http-2-to-the-unencrypted-web/\&quot;&gt;Opportunistic Encryption&lt;/a&gt;, a feature that provided additional security and performance benefits to websites that had not yet moved to HTTPS. Indeed, back in the old days some websites only used HTTP --- weird, right? 
“Opportunistic” here meant that the server advertised support for HTTP/2 via an &lt;a href=\&quot;https://tools.ietf.org/html/rfc7838\&quot;&gt;HTTP Alternative Service&lt;/a&gt; header in the hopes that any browser that recognized the protocol could take advantage of those benefits in subsequent requests to that domain.&lt;/p&gt;&lt;p&gt;Around the same time, CEO Matthew Prince &lt;a href=\&quot;/the-trouble-with-tor/\&quot;&gt;wrote&lt;/a&gt; about the importance and challenges of privacy on the Internet and tasked us to find a solution that provides &lt;b&gt;convenience&lt;/b&gt;, &lt;b&gt;security&lt;/b&gt;, and &lt;b&gt;anonymity&lt;/b&gt;.&lt;/p&gt;&lt;p&gt;From neutralizing fingerprinting vectors and everyday browser trackers that &lt;a href=\&quot;https://www.eff.org/privacybadger\&quot;&gt;Privacy Badger&lt;/a&gt; feeds on, all the way to mitigating correlation attacks that only big actors are capable of, guaranteeing privacy is a complicated challenge. Fortunately, the &lt;a href=\&quot;https://www.torproject.org/\&quot;&gt;Tor Project&lt;/a&gt; addresses this extensive &lt;a href=\&quot;https://www.torproject.org/projects/torbrowser/design/#adversary\&quot;&gt;adversary model&lt;/a&gt; in Tor Browser.&lt;/p&gt;&lt;p&gt;However, the Internet is full of bad actors, and distinguishing legitimate traffic from malicious traffic, which is one of Cloudflare’s core features, becomes much more difficult when the traffic is anonymous. In particular, many features that make Tor a great tool for privacy also make it a tool for hiding the source of malicious traffic. That is why many resort to using CAPTCHA challenges to make it more expensive to be a bot on the Tor network. 
There is, however, a collateral damage associated with using CAPTCHA challenges to stop bots: humans eyes also have to deal with them.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/59vmBdRen9zTJnzUEwUOOL/54910c287d16f022e66afc2d8ff68d0e/Captcha-Example.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;300\&quot; height=\&quot;57\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;One way to minimize this is using privacy-preserving cryptographic signatures, aka blinded tokens, such as those that power &lt;a href=\&quot;/privacy-pass-the-math/\&quot;&gt;Privacy Pass&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;The other way is to use onions.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3CENi6YjjPGrHKOsS7hfgE/3f07dbad9c56b377cb5bcfa7d8f40c36/Onion-Cloudflare.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1349\&quot; height=\&quot;618\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;here-come-the-onions\&quot;&gt;Here Come the Onions&lt;/h3&gt;\n &lt;a href=\&quot;#here-come-the-onions\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 
4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Today’s edition of the Crypto Week introduces an “opportunistic” solution to this problem, so that under suitable conditions, anyone using &lt;a href=\&quot;https://blog.torproject.org/new-release-tor-browser-80\&quot;&gt;Tor Browser 8.0&lt;/a&gt; will benefit from improved security and performance when visiting Cloudflare websites without having to face a CAPTCHA. At the same time, this feature enables more fine-grained rate-limiting to prevent malicious traffic, and since the mechanics of the idea described here are not specific to Cloudflare, anyone can &lt;a href=\&quot;https://github.com/mahrud/caddy-altonions\&quot;&gt;reuse this method&lt;/a&gt; on their own website.&lt;/p&gt;&lt;p&gt;Before we continue, if you need a refresher on what Tor is or why we are talking about onions, check out the &lt;a href=\&quot;https://www.torproject.org/about/overview.html.en\&quot;&gt;Tor Project&lt;/a&gt; website or our own blog post on the &lt;a href=\&quot;/welcome-hidden-resolver/\&quot;&gt;DNS resolver onion&lt;/a&gt; from June.&lt;/p&gt;&lt;p&gt;As Matthew mentioned in his blog post, one way to sift through Tor traffic is to use the &lt;a href=\&quot;https://www.torproject.org/docs/onion-services.html.en\&quot;&gt;onion service&lt;/a&gt; protocol. 
Onion services are Tor nodes that advertise their public key, encoded as an address with the .onion &lt;a href=\&quot;https://www.cloudflare.com/learning/dns/top-level-domain/\&quot;&gt;TLD&lt;/a&gt;, and use “rendezvous points” to establish connections entirely within the Tor network:&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4YwoSQd9m6fwJ4INk44fsz/7aa81a4f71f35f9323ba4173e328d356/Tor-network-example-1.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1999\&quot; height=\&quot;575\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;While onion services are designed to provide anonymity for content providers, &lt;a href=\&quot;https://securedrop.org/directory/\&quot;&gt;media organizations&lt;/a&gt; use them to allow whistleblowers to communicate securely with them and &lt;a href=\&quot;https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237\&quot;&gt;Facebook&lt;/a&gt; uses one to tell Tor users from bots.&lt;/p&gt;&lt;p&gt;The technical reason why this works is that from an onion service’s point of view each individual Tor connection, or circuit, has a unique but ephemeral number associated with it, while from a normal server’s point of view all Tor requests made via one exit node share the same IP address. Using this circuit number, onion services can distinguish individual circuits and terminate those that seem to behave maliciously. To clarify, this does not mean that onion services can identify or track Tor users.&lt;/p&gt;&lt;p&gt;While bad actors can still establish a fresh circuit by repeating the rendezvous protocol, doing so involves a cryptographic key exchange that costs time and computation. Think of this like a cryptographic &lt;a href=\&quot;https://en.wikipedia.org/wiki/File:Dial_up_modem_noises.ogg\&quot;&gt;dial-up&lt;/a&gt; sequence. 
Spammers can dial our onion service over and over, but every time they have to repeat the key exchange.&lt;/p&gt;&lt;p&gt;Alternatively, finishing the rendezvous protocol can be thought of as a small proof of work required in order to use the Cloudflare Onion Service. This increases the cost of using our onion service for performing denial of service attacks.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;problem-solved-right\&quot;&gt;Problem solved, right?&lt;/h3&gt;\n &lt;a href=\&quot;#problem-solved-right\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Not quite. As discussed when we introduced the &lt;a href=\&quot;/welcome-hidden-resolver/\&quot;&gt;hidden resolver&lt;/a&gt;, the problem of ensuring that a seemingly random .onion address is correct is a barrier to usable security. In that case, our solution was to purchase an &lt;a href=\&quot;https://www.digicert.com/extended-validation-ssl.htm\&quot;&gt;Extended Validation&lt;/a&gt; (EV) certificate, which costs considerably more. 
Needless to say, this limits who can buy an HTTPS certificate for their onion service to a &lt;a href=\&quot;https://crt.sh/?Identity=%25.onion\&quot;&gt;privileged few&lt;/a&gt;.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1n6CTaL7LjM6pQGorlXIQ6/4ffd43906dcaa7fac54a098379d12171/Address-Bar.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;697\&quot; height=\&quot;23\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;Some people &lt;a href=\&quot;https://cabforum.org/pipermail/public/2017-November/012451.html\&quot;&gt;disagree&lt;/a&gt;. In particular, the &lt;a href=\&quot;https://blog.torproject.org/tors-fall-harvest-next-generation-onion-services\&quot;&gt;new generation&lt;/a&gt; of onion services resolves the weakness that Matthew pointed to as a possible reason why the CA/B Forum &lt;a href=\&quot;https://cabforum.org/2015/02/18/ballot-144-validation-rules-dot-onion-names/\&quot;&gt;only permits&lt;/a&gt; EV certificates for onion services. This could mean that getting Domain Validation (DV) certificates for onion services could be possible soon. We certainly hope that’s the case.&lt;/p&gt;&lt;p&gt;Still, DV certificates lack the organization name (e.g. “Cloudflare, Inc.”) that appears in the address bar, and cryptographically relevant numbers are nearly impossible to remember or distinguish for humans. 
This brings us back to the problem of usable security, so we came up with a different idea.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;looking-at-onion-addresses-differently\&quot;&gt;Looking at onion addresses differently&lt;/h3&gt;\n &lt;a href=\&quot;#looking-at-onion-addresses-differently\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Forget for a moment that we’re discussing anonymity. When you type “cloudflare.com” in a browser and press enter, your device first resolves that domain name into an IP address, then your browser asks the server for a certificate valid for “cloudflare.com” and attempts to establish an encrypted connection with the host. As long as the certificate is trusted by a certificate authority, there’s no reason to mind the IP address.&lt;/p&gt;&lt;p&gt;Roughly speaking, the idea here is to simply switch the IP address in the scenario above with an .onion address. As long as the certificate is valid, the .onion address itself need not be manually entered by a user or even be memorable. 
Indeed, the fact that the certificate was valid indicates that the .onion address was correct.&lt;/p&gt;&lt;p&gt;In particular, in the same way that a single IP address can serve millions of domains, a single .onion address should be able to serve any number of domains.&lt;/p&gt;&lt;p&gt;Except, &lt;a href=\&quot;https://www.cloudflare.com/learning/dns/what-is-dns/\&quot;&gt;DNS&lt;/a&gt; doesn’t work this way.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;how-does-it-work-then\&quot;&gt;How does it work then?&lt;/h3&gt;\n &lt;a href=\&quot;#how-does-it-work-then\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Just as with Opportunistic Encryption, we can point users to the Cloudflare Onion Service using &lt;a href=\&quot;https://tools.ietf.org/html/rfc7838\&quot;&gt;HTTP Alternative Services&lt;/a&gt;, a mechanism that allows servers to tell clients that the service they are accessing is available at another network location or over another protocol. 
For instance, when Tor Browser makes a request to “cloudflare.com,” Cloudflare adds an Alternative Service header to indicate that the site is available to access over HTTP/2 via our onion services.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2G5bKEOaIJdnsqhNTT2Ozo/e1466f89156e68b539b2cefc8d506d2a/tor-resquest_2x.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;2000\&quot; height=\&quot;413\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;In the same sense that Cloudflare owns the IP addresses that serve our customers’ websites, we run 10 .onion addresses. Think of them as 10 Cloudflare points of presence (or PoPs) within the Tor network. The exact header looks something like this, except with all 10 .onion addresses included, each starting with the prefix “cflare”:&lt;/p&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code class=\&quot;language-bash\&quot;&gt;alt-svc: h2=&amp;quot;cflare2nge4h4yqr3574crrd7k66lil3torzbisz6uciyuzqc2h2ykyd.onion:443&amp;quot;; ma=86400; persist=1&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;This simply indicates that “cloudflare.com” can be authoritatively accessed using HTTP/2 (“h2”) via the onion service “cflare2n[...].onion”, over virtual port 443. 
The field “ma” (max-age) indicates how long in seconds the client should remember the existence of the alternative service and “persist” indicates whether the alternative service cache should be cleared when the network is interrupted.&lt;/p&gt;&lt;p&gt;Once the browser receives this header, it attempts to make a new Tor circuit to the onion service advertised in the alt-svc header and confirm that the server listening on virtual port 443 can present a valid certificate for “cloudflare.com” — that is, the original hostname, not the .onion address.&lt;/p&gt;&lt;p&gt;The onion service then relays the Client Hello packet to a local server which can serve a certificate for “cloudflare.com.” This way the Tor daemon itself can be very minimal. Here is a sample configuration file:&lt;/p&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code class=\&quot;language-bash\&quot;&gt;SocksPort 0\nHiddenServiceNonAnonymousMode 1\nHiddenServiceSingleHopMode 1\nHiddenServiceVersion 3\nHiddenServicePort 443\nSafeLogging 1\nLog notice stdout&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;Be careful when using the configuration above: HiddenServiceNonAnonymousMode and HiddenServiceSingleHopMode enable a non-anonymous, single-hop mode that is only appropriate for onion services that do not require anonymity for themselves. To clarify, this does not sacrifice the privacy or anonymity of Tor users, only the server’s. 
Plus, it improves latency of the circuits.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5NVzWfvM9FVH73gjp0AG3X/8a3dbf2a8440bb0f32e05626e30bb695/Tor-Onion-Service-Cloudflare.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1999\&quot; height=\&quot;474\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;If the certificate is signed by a trusted certificate authority, for any subsequent requests to “cloudflare.com” the browser will connect using HTTP/2 via the onion service, sidestepping the need for going through an exit node.&lt;/p&gt;&lt;p&gt;Here are the steps summarized one more time:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;A new Tor circuit is established;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The browser sends a Client Hello to the onion service with SNI=cloudflare.com;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The onion service relays the packet to a local server;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The server replies with Server Hello for SNI=cloudflare.com;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The onion service relays the packet to the browser;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The browser verifies that the certificate is valid.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;To reiterate, the certificate presented by the onion service only needs to be valid for the original hostname, meaning that the onion address need not be mentioned anywhere on the certificate. 
This is a huge benefit, because it allows you to, for instance, present a free &lt;a href=\&quot;https://letsencrypt.org\&quot;&gt;Let’s Encrypt&lt;/a&gt; certificate for your .org domain rather than an expensive EV certificate.&lt;/p&gt;&lt;p&gt;Convenience, ✓&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;distinguishing-the-circuits\&quot;&gt;Distinguishing the Circuits&lt;/h3&gt;\n &lt;a href=\&quot;#distinguishing-the-circuits\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Remember that while one exit node can serve many many different clients, from Cloudflare’s point of view all of that traffic comes from one IP address. This pooling helps cover the malicious traffic among legitimate traffic, but isn’t essential in the security or privacy of Tor. In fact, it can potentially hurt users by exposing their traffic to &lt;a href=\&quot;https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays\&quot;&gt;bad exit nodes&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Remember that Tor circuits to onion services carry a circuit number which we can use to rate-limit the circuit. Now, the question is how to inform a server such as nginx of this number with minimal effort. 
As it turns out, with only a &lt;a href=\&quot;https://github.com/torproject/tor/pull/343/\&quot;&gt;small tweak&lt;/a&gt; in the Tor binary, we can insert a &lt;a href=\&quot;https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt\&quot;&gt;Proxy Protocol&lt;/a&gt; header at the beginning of each packet that is forwarded to the server. This protocol is designed to help TCP proxies pass on parameters that can be lost in translation, such as source and destination IP addresses, and is already supported by nginx, Apache, Caddy, etc.&lt;/p&gt;&lt;p&gt;Luckily for us, the IPv6 space is so vast that we can encode the Tor circuit number as an IP address in an unused range and use the Proxy Protocol to send it to the server. Here is an example of the header that our Tor daemon would insert in the connection:&lt;/p&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code class=\&quot;language-bash\&quot;&gt;PROXY TCP6 2405:8100:8000:6366:1234:ABCD ::1 43981 443\\r\\n&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;In this case, 0x1234ABCD encodes the circuit number in the last 32 bits of the source IP address. The local Cloudflare server can then transparently use that IP to assign reputation, show CAPTCHAs, or block requests when needed.&lt;/p&gt;&lt;p&gt;Note that even though requests relayed by an onion service don’t carry an IP address, you will see an IP address like the one above with country code “T1” in your logs. This IP only encodes the circuit number seen by the onion service, not the actual user IP address. 
In fact, 2405:8100:8000::/48 is an unused subnet allocated to Cloudflare that we are not routing globally for this purpose.&lt;/p&gt;&lt;p&gt;This enables customers to continue detecting bots using IP reputation while sparing humans the trouble of clicking on CAPTCHA street signs over and over again.&lt;/p&gt;&lt;p&gt;Security, ✓&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;why-should-i-trust-cloudflare\&quot;&gt;Why should I trust Cloudflare?&lt;/h3&gt;\n &lt;a href=\&quot;#why-should-i-trust-cloudflare\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;You don’t need to. 
The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers, so you could audit this service using Certificate Transparency (which includes &lt;a href=\&quot;/introducing-certificate-transparency-and-nimbus/\&quot;&gt;Nimbus&lt;/a&gt;, our certificate transparency log), to reveal any potential cheating.&lt;/p&gt;&lt;p&gt;Additionally, since Tor Browser 8.0 makes a new circuit for each hostname when connecting via an .onion alternative service, the circuit number cannot be used to link connections to two different sites together.&lt;/p&gt;&lt;p&gt;Note that all of this works without running any entry, relay, or exit nodes. Therefore the only requests that we see as a result of this feature are the requests that were headed for us anyway. In particular, since no new traffic is introduced, Cloudflare does not gain any more information about what people do on the internet.&lt;/p&gt;&lt;p&gt;Anonymity, ✓&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;is-it-faster\&quot;&gt;Is it faster?&lt;/h3&gt;\n &lt;a href=\&quot;#is-it-faster\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Tor isn’t known for being fast. 
One reason for that is the physical cost of having packets bounce around in a decentralized network. Connections made through the Cloudflare Onion Service don’t add to this cost because the number of hops is no more than usual.&lt;/p&gt;&lt;p&gt;Another reason is the bandwidth costs of exit node operators. This is an area that we hope this service can offer relief since it shifts traffic from exit nodes to our own servers, reducing exit node operation costs along with it.&lt;/p&gt;&lt;p&gt;BONUS: Performance, ✓&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;how-do-i-enable-it\&quot;&gt;How do I enable it?&lt;/h3&gt;\n &lt;a href=\&quot;#how-do-i-enable-it\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Onion Routing is now available to all Cloudflare customers, enabled by default for Free and &lt;a href=\&quot;https://www.cloudflare.com/plans/pro/\&quot;&gt;Pro plans&lt;/a&gt;. 
The option is available in the Crypto tab of the Cloudflare dashboard.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5hA2RUo2mh5WZDM5xSkwow/d407c5fb030c3df65cf64fdbad2fffcd/Screen-Shot-2018-09-20-at-7.36.11-AM.jpg\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1728\&quot; height=\&quot;370\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;browser-support\&quot;&gt;Browser support&lt;/h3&gt;\n &lt;a href=\&quot;#browser-support\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;We recommend using &lt;a href=\&quot;https://blog.torproject.org/new-release-tor-browser-80\&quot;&gt;Tor Browser 8.0&lt;/a&gt;, which is the first stable release based on Firefox 60 ESR, and supports .onion Alt-Svc headers as well as HTTP/2. The new Tor Browser for Android (alpha) also supports this feature. You can check whether your connection is routed through an onion service or not in the Developer Tools window under the Network tab. 
If you&amp;#39;re using the Tor Browser and you don&amp;#39;t see the Alt-Svc in the response headers, that means you&amp;#39;re already using the .onion route. In future versions of Tor Browser you&amp;#39;ll be able to see this &lt;a href=\&quot;https://trac.torproject.org/projects/tor/ticket/27590\&quot;&gt;in the UI&lt;/a&gt;.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;We&amp;#39;ve got BIG NEWS. We gave Tor Browser a UX overhaul.&lt;/p&gt;&lt;p&gt;Tor Browser 8.0 has a new user onboarding experience, an updated landing page, additional language support, and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites.&lt;a href=\&quot;https://t.co/fpCpSTXT2L\&quot;&gt;https://t.co/fpCpSTXT2L&lt;/a&gt; &lt;a href=\&quot;https://t.co/xbj9lKTApP\&quot;&gt;pic.twitter.com/xbj9lKTApP&lt;/a&gt;&lt;/p&gt;&lt;p&gt;— The Tor Project (@torproject) &lt;a href=\&quot;https://twitter.com/torproject/status/1037397236257366017?ref_src=twsrc%5Etfw\&quot;&gt;September 5, 2018&lt;/a&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;There is also interest from other privacy-conscious browser vendors. Tom Lowenthal, Product Manager for Privacy &amp;amp; Security at &lt;a href=\&quot;https://brave.com/\&quot;&gt;Brave&lt;/a&gt; said:&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Automatic upgrades to `.onion` sites will provide another layer of safety to Brave’s Private Browsing with Tor. 
We’re excited to implement this emerging standard.&lt;/p&gt;&lt;/blockquote&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;any-last-words\&quot;&gt;Any last words?&lt;/h3&gt;\n &lt;a href=\&quot;#any-last-words\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Similar to Opportunistic Encryption, Opportunistic Onions do not fully protect against attackers who can simply remove the alternative service header. Therefore it is important to use &lt;a href=\&quot;https://www.eff.org/https-everywhere\&quot;&gt;HTTPS Everywhere&lt;/a&gt; to secure the first request. Once a Tor circuit is established, subsequent requests should stay in the Tor network from source to destination.&lt;/p&gt;&lt;p&gt;As we maintain and &lt;a href=\&quot;https://trac.torproject.org/projects/tor/ticket/27502\&quot;&gt;improve&lt;/a&gt; this service we will share what we learn. 
In the meanwhile, feel free to try out this idea on &lt;a href=\&quot;https://github.com/mahrud/caddy-altonions\&quot;&gt;Caddy&lt;/a&gt; and reach out to us with any comments or suggestions that you might have.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;acknowledgments\&quot;&gt;Acknowledgments&lt;/h3&gt;\n &lt;a href=\&quot;#acknowledgments\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Patrick McManus of Mozilla for enabling support for .onion alternative services in Firefox; Arthur Edelstein of the Tor Project for reviewing and enabling HTTP/2 and HTTP Alternative Services in Tor Browser 8.0; Alexander Færøy and George Kadianakis of the Tor Project for adding support for Proxy Protocol in onion services; the entire Tor Project team for their invaluable assistance and discussions; and last, but not least, many folks at Cloudflare who helped with this project.&lt;/p&gt;&lt;h4&gt;Addresses used by the Cloudflare Onion Service&lt;/h4&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code 
class=\&quot;language-bash\&quot;&gt;cflarexljc3rw355ysrkrzwapozws6nre6xsy3n4yrj7taye3uiby3ad.onion\ncflarenuttlfuyn7imozr4atzvfbiw3ezgbdjdldmdx7srterayaozid.onion\ncflares35lvdlczhy3r6qbza5jjxbcplzvdveabhf7bsp7y4nzmn67yd.onion\ncflareusni3s7vwhq2f7gc4opsik7aa4t2ajedhzr42ez6uajaywh3qd.onion\ncflareki4v3lh674hq55k3n7xd4ibkwx3pnw67rr3gkpsonjmxbktxyd.onion\ncflarejlah424meosswvaeqzb54rtdetr4xva6mq2bm2hfcx5isaglid.onion\ncflaresuje2rb7w2u3w43pn4luxdi6o7oatv6r2zrfb5xvsugj35d2qd.onion\ncflareer7qekzp3zeyqvcfktxfrmncse4ilc7trbf6bp6yzdabxuload.onion\ncflareub6dtu7nvs3kqmoigcjdwap2azrkx5zohb2yk7gqjkwoyotwqd.onion\ncflare2nge4h4yqr3574crrd7k66lil3torzbisz6uciyuzqc2h2ykyd.onion&lt;/pre&gt;&lt;/code&gt;\n &lt;p&gt;&lt;a href=\&quot;/subscribe/\&quot;&gt;&lt;i&gt;Subscribe to the blog&lt;/i&gt;&lt;/a&gt;&lt;i&gt; for daily updates on our announcements.&lt;/i&gt;&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/15NmOPYhQ1eUrnNvavD3TX/f3878ea7031dee5fa0b8fcfffb5e6563/Crypto-Week.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1808\&quot; height=\&quot;925\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;&lt;/p&gt;&quot;],&quot;published_at&quot;:[0,&quot;2018-09-20T13:00:00.000+01:00&quot;],&quot;updated_at&quot;:[0,&quot;2024-11-05T21:23:46.261Z&quot;],&quot;feature_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5TRVgKXIsxFHQJhUVRTTKs/d419e463c376335efa48a0c6c47cd7ab/cloudflare-onion-service.png&quot;],&quot;tags&quot;:[1,[[0,{&quot;id&quot;:[0,&quot;5grQBv96AL5Ck0c8I54a0f&quot;],&quot;name&quot;:[0,&quot;Crypto 
Week&quot;],&quot;slug&quot;:[0,&quot;crypto-week&quot;]}],[0,{&quot;id&quot;:[0,&quot;6Mp7ouACN2rT3YjL1xaXJx&quot;],&quot;name&quot;:[0,&quot;Security&quot;],&quot;slug&quot;:[0,&quot;security&quot;]}],[0,{&quot;id&quot;:[0,&quot;6Nqy1V9XurncHC2WQb8NW8&quot;],&quot;name&quot;:[0,&quot;Tor&quot;],&quot;slug&quot;:[0,&quot;tor&quot;]}],[0,{&quot;id&quot;:[0,&quot;3BWeMuiOShelE7QM48sW9j&quot;],&quot;name&quot;:[0,&quot;Privacy&quot;],&quot;slug&quot;:[0,&quot;privacy&quot;]}],[0,{&quot;id&quot;:[0,&quot;3ZtL0yV0R4ScAreV1dTfIY&quot;],&quot;name&quot;:[0,&quot;Privacy Pass&quot;],&quot;slug&quot;:[0,&quot;privacy-pass&quot;]}],[0,{&quot;id&quot;:[0,&quot;1QsJUMpv0QBSLiVZLLQJ3V&quot;],&quot;name&quot;:[0,&quot;Cryptography&quot;],&quot;slug&quot;:[0,&quot;cryptography&quot;]}]]],&quot;relatedTags&quot;:[0],&quot;authors&quot;:[1,[[0,{&quot;name&quot;:[0,&quot;Mahrud Sayrafi&quot;],&quot;slug&quot;:[0,&quot;mahrud&quot;],&quot;bio&quot;:[0,null],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3oJ9WVHHNMlgP7JrGdw98U/05f975dfccb065a94458a13e0cba2e5d/mahrud.jpg&quot;],&quot;location&quot;:[0,null],&quot;website&quot;:[0,null],&quot;twitter&quot;:[0,null],&quot;facebook&quot;:[0,null]}]]],&quot;meta_description&quot;:[0,&quot;Two years ago this week Cloudflare introduced Opportunistic Encryption, a feature that provided additional security and performance benefits to websites that had not yet moved to HTTPS.&quot;],&quot;primary_author&quot;:[0,{}],&quot;localeList&quot;:[0,{&quot;name&quot;:[0,&quot;Introducing the Cloudflare Onion Service Config&quot;],&quot;enUS&quot;:[0,&quot;English for Locale&quot;],&quot;zhCN&quot;:[0,&quot;Translated for Locale&quot;],&quot;zhHansCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhTW&quot;:[0,&quot;No Page for Locale&quot;],&quot;frFR&quot;:[0,&quot;Translated for Locale&quot;],&quot;deDE&quot;:[0,&quot;Translated for Locale&quot;],&quot;itIT&quot;:[0,&quot;No Page for 
Locale&quot;],&quot;jaJP&quot;:[0,&quot;No Page for Locale&quot;],&quot;koKR&quot;:[0,&quot;No Page for Locale&quot;],&quot;ptBR&quot;:[0,&quot;No Page for Locale&quot;],&quot;esLA&quot;:[0,&quot;No Page for Locale&quot;],&quot;esES&quot;:[0,&quot;Translated for Locale&quot;],&quot;enAU&quot;:[0,&quot;No Page for Locale&quot;],&quot;enCA&quot;:[0,&quot;No Page for Locale&quot;],&quot;enIN&quot;:[0,&quot;No Page for Locale&quot;],&quot;enGB&quot;:[0,&quot;No Page for Locale&quot;],&quot;idID&quot;:[0,&quot;No Page for Locale&quot;],&quot;ruRU&quot;:[0,&quot;No Page for Locale&quot;],&quot;svSE&quot;:[0,&quot;No Page for Locale&quot;],&quot;viVN&quot;:[0,&quot;No Page for Locale&quot;],&quot;plPL&quot;:[0,&quot;No Page for Locale&quot;],&quot;arAR&quot;:[0,&quot;No Page for Locale&quot;],&quot;nlNL&quot;:[0,&quot;No Page for Locale&quot;],&quot;thTH&quot;:[0,&quot;No Page for Locale&quot;],&quot;trTR&quot;:[0,&quot;No Page for Locale&quot;],&quot;heIL&quot;:[0,&quot;No Page for Locale&quot;],&quot;lvLV&quot;:[0,&quot;No Page for Locale&quot;],&quot;etEE&quot;:[0,&quot;No Page for Locale&quot;],&quot;ltLT&quot;:[0,&quot;No Page for Locale&quot;]}],&quot;url&quot;:[0,&quot;https://blog.cloudflare.com/cloudflare-onion-service&quot;],&quot;metadata&quot;:[0,{&quot;title&quot;:[0],&quot;description&quot;:[0],&quot;imgPreview&quot;:[0,&quot;&quot;]}]}],&quot;translations&quot;:[0,{&quot;posts.by&quot;:[0,&quot;By&quot;],&quot;footer.gdpr&quot;:[0,&quot;GDPR&quot;],&quot;lang_blurb1&quot;:[0,&quot;This post is also available in {lang1}.&quot;],&quot;lang_blurb2&quot;:[0,&quot;This post is also available in {lang1} and {lang2}.&quot;],&quot;lang_blurb3&quot;:[0,&quot;This post is also available in {lang1}, {lang2} and {lang3}.&quot;],&quot;footer.press&quot;:[0,&quot;Press&quot;],&quot;header.title&quot;:[0,&quot;The Cloudflare 
Blog&quot;],&quot;search.clear&quot;:[0,&quot;Clear&quot;],&quot;search.filter&quot;:[0,&quot;Filter&quot;],&quot;search.source&quot;:[0,&quot;Source&quot;],&quot;footer.careers&quot;:[0,&quot;Careers&quot;],&quot;footer.company&quot;:[0,&quot;Company&quot;],&quot;footer.support&quot;:[0,&quot;Support&quot;],&quot;footer.the_net&quot;:[0,&quot;theNet&quot;],&quot;search.filters&quot;:[0,&quot;Filters&quot;],&quot;footer.our_team&quot;:[0,&quot;Our team&quot;],&quot;footer.webinars&quot;:[0,&quot;Webinars&quot;],&quot;page.more_posts&quot;:[0,&quot;More posts&quot;],&quot;posts.time_read&quot;:[0,&quot;{time} min read&quot;],&quot;search.language&quot;:[0,&quot;Language&quot;],&quot;footer.community&quot;:[0,&quot;Community&quot;],&quot;footer.resources&quot;:[0,&quot;Resources&quot;],&quot;footer.solutions&quot;:[0,&quot;Solutions&quot;],&quot;footer.trademark&quot;:[0,&quot;Trademark&quot;],&quot;header.subscribe&quot;:[0,&quot;Subscribe&quot;],&quot;footer.compliance&quot;:[0,&quot;Compliance&quot;],&quot;footer.free_plans&quot;:[0,&quot;Free plans&quot;],&quot;footer.impact_ESG&quot;:[0,&quot;Impact/ESG&quot;],&quot;posts.follow_on_X&quot;:[0,&quot;Follow on X&quot;],&quot;footer.help_center&quot;:[0,&quot;Help center&quot;],&quot;footer.network_map&quot;:[0,&quot;Network Map&quot;],&quot;header.please_wait&quot;:[0,&quot;Please Wait&quot;],&quot;page.related_posts&quot;:[0,&quot;Related posts&quot;],&quot;search.result_stat&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt; for &lt;strong&gt;{search_keyword}&lt;/strong&gt;&quot;],&quot;footer.case_studies&quot;:[0,&quot;Case Studies&quot;],&quot;footer.connect_2024&quot;:[0,&quot;Connect 2024&quot;],&quot;footer.terms_of_use&quot;:[0,&quot;Terms of Use&quot;],&quot;footer.white_papers&quot;:[0,&quot;White Papers&quot;],&quot;footer.cloudflare_tv&quot;:[0,&quot;Cloudflare TV&quot;],&quot;footer.community_hub&quot;:[0,&quot;Community 
Hub&quot;],&quot;footer.compare_plans&quot;:[0,&quot;Compare plans&quot;],&quot;footer.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.email_address&quot;:[0,&quot;Email Address&quot;],&quot;page.error.not_found&quot;:[0,&quot;Page not found&quot;],&quot;footer.developer_docs&quot;:[0,&quot;Developer docs&quot;],&quot;footer.privacy_policy&quot;:[0,&quot;Privacy Policy&quot;],&quot;footer.request_a_demo&quot;:[0,&quot;Request a demo&quot;],&quot;page.continue_reading&quot;:[0,&quot;Continue reading&quot;],&quot;footer.analysts_report&quot;:[0,&quot;Analyst reports&quot;],&quot;footer.for_enterprises&quot;:[0,&quot;For enterprises&quot;],&quot;footer.getting_started&quot;:[0,&quot;Getting Started&quot;],&quot;footer.learning_center&quot;:[0,&quot;Learning Center&quot;],&quot;footer.project_galileo&quot;:[0,&quot;Project Galileo&quot;],&quot;pagination.newer_posts&quot;:[0,&quot;Newer Posts&quot;],&quot;pagination.older_posts&quot;:[0,&quot;Older Posts&quot;],&quot;posts.social_buttons.x&quot;:[0,&quot;Discuss on X&quot;],&quot;search.icon_aria_label&quot;:[0,&quot;Search&quot;],&quot;search.source_location&quot;:[0,&quot;Source/Location&quot;],&quot;footer.about_cloudflare&quot;:[0,&quot;About Cloudflare&quot;],&quot;footer.athenian_project&quot;:[0,&quot;Athenian Project&quot;],&quot;footer.become_a_partner&quot;:[0,&quot;Become a partner&quot;],&quot;footer.cloudflare_radar&quot;:[0,&quot;Cloudflare Radar&quot;],&quot;footer.network_services&quot;:[0,&quot;Network services&quot;],&quot;footer.trust_and_safety&quot;:[0,&quot;Trust &amp; Safety&quot;],&quot;header.get_started_free&quot;:[0,&quot;Get Started Free&quot;],&quot;page.search.placeholder&quot;:[0,&quot;Search Cloudflare&quot;],&quot;footer.cloudflare_status&quot;:[0,&quot;Cloudflare Status&quot;],&quot;footer.cookie_preference&quot;:[0,&quot;Cookie Preferences&quot;],&quot;header.valid_email_error&quot;:[0,&quot;Must be valid 
email.&quot;],&quot;search.result_stat_empty&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt;&quot;],&quot;footer.connectivity_cloud&quot;:[0,&quot;Connectivity cloud&quot;],&quot;footer.developer_services&quot;:[0,&quot;Developer services&quot;],&quot;footer.investor_relations&quot;:[0,&quot;Investor relations&quot;],&quot;page.not_found.error_code&quot;:[0,&quot;Error Code: 404&quot;],&quot;search.autocomplete_title&quot;:[0,&quot;Insert a query. Press enter to send&quot;],&quot;footer.logos_and_press_kit&quot;:[0,&quot;Logos &amp; press kit&quot;],&quot;footer.application_services&quot;:[0,&quot;Application services&quot;],&quot;footer.get_a_recommendation&quot;:[0,&quot;Get a recommendation&quot;],&quot;posts.social_buttons.reddit&quot;:[0,&quot;Discuss on Reddit&quot;],&quot;footer.sse_and_sase_services&quot;:[0,&quot;SSE and SASE services&quot;],&quot;page.not_found.outdated_link&quot;:[0,&quot;You may have used an outdated link, or you may have typed the address incorrectly.&quot;],&quot;footer.report_security_issues&quot;:[0,&quot;Report Security Issues&quot;],&quot;page.error.error_message_page&quot;:[0,&quot;Sorry, we can&#39;t find the page you are looking for.&quot;],&quot;header.subscribe_notifications&quot;:[0,&quot;Subscribe to receive notifications of new posts:&quot;],&quot;footer.cloudflare_for_campaigns&quot;:[0,&quot;Cloudflare for Campaigns&quot;],&quot;header.subscription_confimation&quot;:[0,&quot;Subscription confirmed. 
Thank you for subscribing!&quot;],&quot;posts.social_buttons.hackernews&quot;:[0,&quot;Discuss on Hacker News&quot;],&quot;footer.diversity_equity_inclusion&quot;:[0,&quot;Diversity, equity &amp; inclusion&quot;],&quot;footer.critical_infrastructure_defense_project&quot;:[0,&quot;Critical Infrastructure Defense Project&quot;]}]}" ssr client="load" opts="{&quot;name&quot;:&quot;PostCard&quot;,&quot;value&quot;:true}" await-children><article class="w-50-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"><div class="w-100"><a href="/cloudflare-onion-service/" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Introducing the Cloudflare Onion Service</h2></a><p class="f3 fw5 gray5 my" data-testid="post-date">2018-09-20</p><div class=""><a href="/tag/crypto-week/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Crypto Week</a><a href="/tag/security/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Security</a><a href="/tag/tor/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Tor</a><a href="/tag/privacy/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Privacy</a><a href="/tag/privacy-pass/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Privacy Pass</a><a href="/tag/cryptography/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Cryptography</a></div><p class="f3 fw4 gray1 lh-copy " data-testid="post-content">Two years ago this week Cloudflare introduced Opportunistic Encryption, a feature that provided additional security and performance benefits to websites that had not yet moved to HTTPS.<!-- -->...</p><ul class="author-lists flex pl0"><li class="list flex items-center pr2 mb3"><a href="/author/mahrud/" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" 
src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3oJ9WVHHNMlgP7JrGdw98U/05f975dfccb065a94458a13e0cba2e5d/mahrud.jpg" alt="Mahrud Sayrafi" width="62" height="62"/></a><div class="author-name-tooltip"><a href="/author/mahrud/" class="fw4 f3 no-underline black">Mahrud Sayrafi</a></div></li></ul></div></article><!--astro:end--></astro-island><astro-island uid="1tzhCY" prefix="r4" component-url="/_astro/PostCard.CG32ktie.js" component-export="PostCard" renderer-url="/_astro/client.DLO1yDVm.js" props="{&quot;currentPage&quot;:[0,1],&quot;isFeaturedImageFirstPost&quot;:[0,false],&quot;post&quot;:[0,{&quot;id&quot;:[0,&quot;1PeYMnOt6XNE3dqjt2m9aq&quot;],&quot;title&quot;:[0,&quot;Technical reading from the Cloudflare blog for the holidays&quot;],&quot;slug&quot;:[0,&quot;2017-holiday-reading-from-the-cloudflare-blog&quot;],&quot;excerpt&quot;:[0,&quot;During 2017 Cloudflare published 172 blog posts (including this one). If you need a distraction from the holiday festivities at this time of year here are some highlights from the year.&quot;],&quot;featured&quot;:[0,false],&quot;html&quot;:[0,&quot;&lt;p&gt;During 2017 Cloudflare published 172 blog posts (including this one). 
If you need a distraction from the holiday festivities at this time of year here are some highlights from the year.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1FupNPeMEDTcUGuKJCQ2hX/69f106f4d37e6f7ce629f3845d88f8ed/33651510973_9bc38cc550_z.jpg\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;640\&quot; height=\&quot;428\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;&lt;a href=\&quot;https://creativecommons.org/licenses/by/2.0/\&quot;&gt;CC BY 2.0&lt;/a&gt; &lt;a href=\&quot;https://www.flickr.com/photos/148114704@N05/33651510973/in/photolist-TgEMP4-5W4SKe-5QXuaQ-avwN4J-9kM47Q-5sZfg5-62HmQr-vRsPNX-9gu8zw-8tzfDA-7L9szU-2j3fkx-kdS5xh-dTvJ1k-bd2nWP-5eyMyX-cYKDeY-aha8Je-s9FApd-afsNQp-Rr9uMb-6w5kZp-e8k7Zc-7JV8KQ-Sbxdzt-emJeJJ-fvoSPx-7jDQjL-cNbEy7-Ht7oDe-6w5mqM-cDJ6PS-cDHREJ-2L3KsB-2rjJQY-9kxtQm-b31okB-2rfQ8c-bHhPX-dr6fiP-5sUUEp-DDzAGu-onQfBb-afsNzx-kdS4E5-fVkm7-okB223-7ZrhKH-9eLu3Y-pcsdc4\&quot;&gt;image&lt;/a&gt; by &lt;a href=\&quot;https://perzonseo.com\&quot;&gt;perzon seo&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/the-wirex-botnet/\&quot;&gt;The WireX Botnet: How Industry Collaboration Disrupted a DDoS Attack&lt;/a&gt;&lt;/p&gt;&lt;p&gt;We worked closely with companies across the industry to track and take down the Android WireX Botnet. This blog post goes into detail about how that botnet operated, how it was distributed and how it was taken down.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/randomness-101-lavarand-in-production/\&quot;&gt;Randomness 101: LavaRand in Production&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The wall of Lava Lamps in the San Francisco office is used to feed entropy into random number generators across our network. This blog post explains how.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/arm-takes-wing/\&quot;&gt;ARM Takes Wing: Qualcomm vs. 
Intel CPU comparison&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Our &lt;a href=\&quot;https://www.cloudflare.com/network/\&quot;&gt;network&lt;/a&gt; of data centers around the world all contain Intel-based servers, but we&amp;#39;re interested in ARM-based servers because of the potential cost/power savings. This blog post took a look at the relative performance of Intel processors and Qualcomm&amp;#39;s latest server offering.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/how-to-monkey-patch-the-linux-kernel/\&quot;&gt;How to Monkey Patch the Linux Kernel&lt;/a&gt;&lt;/p&gt;&lt;p&gt;One engineer wanted to combine the Dvorak and QWERTY keyboard layouts and did so by patching the Linux kernel using &lt;a href=\&quot;https://sourceware.org/systemtap/\&quot;&gt;SystemTap&lt;/a&gt;. This blog explains how and why. Where there&amp;#39;s a will, there&amp;#39;s a way.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/introducing-cloudflare-workers/\&quot;&gt;Introducing Cloudflare Workers: Run JavaScript Service Workers at the Edge&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Traditionally, the Cloudflare network has been &lt;i&gt;configurable&lt;/i&gt; by our users, but not &lt;i&gt;programmable&lt;/i&gt;. In September, we introduced &lt;a href=\&quot;https://www.cloudflare.com/products/cloudflare-workers/\&quot;&gt;Cloudflare Workers&lt;/a&gt; which allows users to write JavaScript code that runs on our edge worldwide. 
This blog post explains why we chose JavaScript and how it works.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3rDQWcCe0YDvxU6a8enygs/e436188ab1b54b75b1a875143e9c08c5/5586120601_a7b1776371_b.jpg\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1024\&quot; height=\&quot;682\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;&lt;a href=\&quot;https://creativecommons.org/licenses/by/2.0/\&quot;&gt;CC BY 2.0&lt;/a&gt; &lt;a href=\&quot;https://www.flickr.com/photos/werkman/5586120601/in/photolist-9vCk3a-21Bd6Xh-8nCHw7-ptePkD-RJQgiN-nWZ5u6-3xLVWE-rDFYG8-LH8sS-2peYb-mX5MQc-6JxAT-aAArZQ-rJfmkx-9HavML-TX5hUW-niuhtp-jHGzT5-5eRuc3-Gv67PP-fs2mGn-8mhB7f-8pDZbD-ZPoZDF-3xLxd3-6k15Ni-j1zK3-8mhB8b-7RjyKs-57C9rW-j1zBX-bTs5tP-8wuUBf-7r7fAq-8jPBD4-5bnWiq-e88EiF-ddTbY7-PVC9U-e88E6P-S4eP6f-8jPkh2-5bj6xn-NzVdo-7rQyZa-4Dm4gX-ZCuaMm-pQr1Hw-yf9rdC-21HJvkv\&quot;&gt;image&lt;/a&gt; by &lt;a href=\&quot;https://www.flickr.com/photos/werkman/\&quot;&gt;Peter Werkman&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/geo-key-manager-how-it-works/\&quot;&gt;Geo Key Manager: How It Works&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Our &lt;a href=\&quot;/introducing-cloudflare-geo-key-manager/\&quot;&gt;Geo Key Manager&lt;/a&gt; gives customers granular control of the location of their private keys on the Cloudflare network. This blog post explains the mathematics that makes this possible.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/sidh-go/\&quot;&gt;SIDH in Go for quantum-resistant TLS 1.3&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Quantum-resistant cryptography isn&amp;#39;t an academic fantasy. 
We implemented the SIDH scheme as part of our Go implementation of TLS 1.3 and open sourced it.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/the-languages-which-almost-became-css/\&quot;&gt;The Languages Which Almost Became CSS&lt;/a&gt;&lt;/p&gt;&lt;p&gt;This blog post recounts the history of CSS and the languages that might have been CSS.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/perfect-locality-and-three-epic-systemtap-scripts/\&quot;&gt;Perfect locality and three epic SystemTap scripts&lt;/a&gt;&lt;/p&gt;&lt;p&gt;In an ongoing effort to understand the performance of NGINX under heavy load on our machines (and wring out the greatest number of requests/core), we used SystemTap to experiment with different queuing models.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/counting-things-a-lot-of-different-things/\&quot;&gt;How we built rate limiting capable of scaling to millions of domains&lt;/a&gt;&lt;/p&gt;&lt;p&gt;We rolled out a &lt;a href=\&quot;cloudflare\&quot;&gt;rate limiting&lt;/a&gt; feature that allows our customers to control the maximum number of HTTP requests per second/minute/hour that their servers receive. 
This blog post explains how we made that operate efficiently at our scale.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4cQPAfJHM6gES4uXsyRwd4/f871a9d7627a4ea4f405ea76524e9545/26797557806_18daa76ec2_z.jpg\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;640\&quot; height=\&quot;427\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;&lt;a href=\&quot;https://creativecommons.org/licenses/by/2.0/\&quot;&gt;CC BY 2.0&lt;/a&gt; &lt;a href=\&quot;https://www.flickr.com/photos/waters2712/26797557806/in/photolist-GQ1ujJ-ovpzb8-5hGjhb-pkkHPH-7Ed3eQ-5TiuCW-6tknkf-7JGpz4-81Rc1J-qM8AwX-dQVifV-nWZ5u6-puAvLe-acEK6v-F5KyvG-4Ykyf1-bvH81M-FF6XnD-KLqgJ-4rLnJE-d8b1tS-dQVisV-7cTp1r-pkkHic-6oKTtx-9mKe1u-5vsfch-coUNp9-o9Txa7-9p7thZ-aWYjuc-SV2qEb-7LXSYz-9Fcnam-fkr4Fc-b6Dtmt-6r1QQ2-5ndv1D-fuUiKV-qDAQxe-cjZhVY-6Hn6G1-qPMScz-mJAvhc-8LVJNj-7Ed3cf-9wFgvw-9z5jt9-bGsg4R-72BBkc\&quot;&gt;image&lt;/a&gt; by &lt;a href=\&quot;https://www.flickr.com/photos/waters2712/\&quot;&gt;Han Cheng Yeh&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/reflections-on-reflections/\&quot;&gt;Reflections on reflection (attacks)&lt;/a&gt;&lt;/p&gt;&lt;p&gt;We deal with a new DDoS attack every few minutes and in this blog post we took a close look at reflection attacks and revealed statistics on the types of reflection-based DDoS attacks we see.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/on-the-dangers-of-intels-frequency-scaling/\&quot;&gt;On the dangers of Intel&amp;#39;s frequency scaling&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Intel processors contain AVX-512 extensions that provide 512-bit wide SIMD instructions to speed up certain calculations. However, these instructions have a downside: when they are used, the CPU base frequency is scaled down, slowing down other instructions. 
This blog post explores that problem.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/how-cloudflare-analyzes-1m-dns-queries-per-second/\&quot;&gt;How Cloudflare analyzes 1M DNS queries per second&lt;/a&gt;&lt;/p&gt;&lt;p&gt;This blog post details how we handle logging information for 1M DNS queries per second using a custom pipeline, &lt;a href=\&quot;https://clickhouse.yandex/\&quot;&gt;ClickHouse&lt;/a&gt; and Grafana (via a connector we &lt;a href=\&quot;https://github.com/vavrusa/grafana-sqldb-datasource\&quot;&gt;open sourced&lt;/a&gt;) to build real time dashboards.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/aes-cbc-going-the-way-of-the-dodo/\&quot;&gt;AES-CBC is going the way of the dodo&lt;/a&gt;&lt;/p&gt;&lt;p&gt;CBC-mode cipher suites have been declining for some time because of padding oracle-based attacks. In this blog we demonstrate that AES-CBC has now largely been replaced by &lt;a href=\&quot;/it-takes-two-to-chacha-poly/\&quot;&gt;ChaCha20-Poly1305&lt;/a&gt; .&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6CVkU8gCFVwghZzoP3x0Sd/c90d63d983ab453d7115daac2d16e632/3414054443_2bd47e12f7_b.jpg\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1024\&quot; height=\&quot;576\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;&lt;a href=\&quot;https://creativecommons.org/licenses/by-sa/2.0/\&quot;&gt;CC BY-SA 2.0&lt;/a&gt; &lt;a href=\&quot;https://www.flickr.com/photos/spanginator/3414054443/in/photolist-6cFVrD-6cvz6R-6cKZLw-rn74T-7RoM6f-ATb57-aQHtja-7i1omC-xGoWE-8FsWpL-6DbHyD-9aFjZn-BxbDmF-23fTGw-4v5aS-81KR9D-ahC42F-7ibXNR-Hod7ZY-7hS2JP-fnyx1X-4Pjy9v-kNu6rR-FFmpx9-Gyx1By-GsEegj-7hVPHw-Gv6zDR-F5KyvG-FF6XnD-FZk6kU-9re3Rz-dRTft-btLnvB-o3PQ5p-nU34U-VCRL7q-YhCTjj-L44FTc-Ke5mko-L1vxdJ-KehBhx-7BjC9n-7xSGtH-pEfb5f-2pqSst-7Xhhmq-o8u7ja-pWNcy2-KSCBjW\&quot;&gt;image&lt;/a&gt; by &lt;a 
href=\&quot;https://www.flickr.com/photos/spanginator/\&quot;&gt;Christine&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/how-we-made-our-dns-stack-3x-faster/\&quot;&gt;How we made our DNS stack 3x faster&lt;/a&gt;&lt;/p&gt;&lt;p&gt;We answer around 1 million authoritative DNS queries per second using a custom software stack. Responding to those queries as quickly as possible is why Cloudflare is the &lt;a href=\&quot;http://www.dnsperf.com/\&quot;&gt;fastest&lt;/a&gt; authoritative DNS provider on the Internet. This blog post details how we made our stack even faster.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/quantifying-the-impact-of-cloudbleed/\&quot;&gt;Quantifying the Impact of &amp;quot;Cloudbleed&amp;quot;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;On February 18 a serious security bug was reported to Cloudflare. Five days &lt;a href=\&quot;/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/\&quot;&gt;later&lt;/a&gt; we released details of the problem and six days after that we posted this analysis of the impact.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/luajit-hacking-getting-next-out-of-the-nyi-list/\&quot;&gt;LuaJIT Hacking: Getting next() out of the NYI list&lt;/a&gt;&lt;/p&gt;&lt;p&gt;We make extensive use of &lt;a href=\&quot;http://luajit.org/\&quot;&gt;LuaJIT&lt;/a&gt; when processing our customers&amp;#39; traffic and making it faster is a key goal. In the past, we&amp;#39;ve sponsored the project and everyone benefits from those contributions. This blog post examines getting one specific function JITted correctly for additional speed.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/privacy-pass-the-math/\&quot;&gt;Privacy Pass: The Math&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The &lt;a href=\&quot;https://privacypass.github.io/\&quot;&gt;Privacy Pass&lt;/a&gt; project provides a zero-knowledge way of authenticating yourself to a service like Cloudflare. 
This detailed blog post explains the mathematics behind authenticating a user without knowing their identity.&lt;/p&gt;&lt;p&gt;&lt;a href=\&quot;/how-and-why-the-leap-second-affected-cloudflare-dns/\&quot;&gt;How and why the leap second affected Cloudflare DNS&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The year started with a bang for some engineers at Cloudflare when we ran into a bug in our custom DNS server, &lt;a href=\&quot;/tag/rrdns/\&quot;&gt;RRDNS&lt;/a&gt;, caused by the introduction of a &lt;a href=\&quot;https://en.wikipedia.org/wiki/Leap_second\&quot;&gt;leap second&lt;/a&gt; at midnight UTC on January 1, 2017. This blog explains the error and why it happened.&lt;/p&gt;&lt;p&gt;There&amp;#39;s &lt;a href=\&quot;https://datacenter.iers.org/web/guest/eop/-/somos/5Rgv/latest/16\&quot;&gt;no leap second&lt;/a&gt; this year.&lt;/p&gt;&quot;],&quot;published_at&quot;:[0,&quot;2017-12-22T14:17:57.000+00:00&quot;],&quot;updated_at&quot;:[0,&quot;2024-10-09T23:08:39.430Z&quot;],&quot;feature_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5FmsOPxixvvI0cjAz5nHNG/8ee010e2e2e1ba861d799896e4d71340/2017-holiday-reading-from-the-cloudflare-blog.jpg&quot;],&quot;tags&quot;:[1,[[0,{&quot;id&quot;:[0,&quot;231XTGyX1Pw7Huv9D0rhMS&quot;],&quot;name&quot;:[0,&quot;Year in Review&quot;],&quot;slug&quot;:[0,&quot;year-in-review&quot;]}],[0,{&quot;id&quot;:[0,&quot;6QktrXeEFcl4e2dZUTZVGl&quot;],&quot;name&quot;:[0,&quot;Product News&quot;],&quot;slug&quot;:[0,&quot;product-news&quot;]}],[0,{&quot;id&quot;:[0,&quot;6HY8KI1rCqRo1Pj3Vc0XE3&quot;],&quot;name&quot;:[0,&quot;LavaRand&quot;],&quot;slug&quot;:[0,&quot;lavarand&quot;]}],[0,{&quot;id&quot;:[0,&quot;64g1G2mvZyb6PjJsisO09T&quot;],&quot;name&quot;:[0,&quot;DDoS&quot;],&quot;slug&quot;:[0,&quot;ddos&quot;]}],[0,{&quot;id&quot;:[0,&quot;3GvEkdqz5nPparmzF0mpl6&quot;],&quot;name&quot;:[0,&quot;Geo Key 
Manager&quot;],&quot;slug&quot;:[0,&quot;geo-key-manager&quot;]}],[0,{&quot;id&quot;:[0,&quot;5fZHv2k9HnJ7phOPmYexHw&quot;],&quot;name&quot;:[0,&quot;DNS&quot;],&quot;slug&quot;:[0,&quot;dns&quot;]}],[0,{&quot;id&quot;:[0,&quot;7oLqpn3vNWao1PXv53X42G&quot;],&quot;name&quot;:[0,&quot;LUA&quot;],&quot;slug&quot;:[0,&quot;lua&quot;]}],[0,{&quot;id&quot;:[0,&quot;3ZtL0yV0R4ScAreV1dTfIY&quot;],&quot;name&quot;:[0,&quot;Privacy Pass&quot;],&quot;slug&quot;:[0,&quot;privacy-pass&quot;]}],[0,{&quot;id&quot;:[0,&quot;2pFyOCtANFB5qS6nbtQbVp&quot;],&quot;name&quot;:[0,&quot;Vulnerabilities&quot;],&quot;slug&quot;:[0,&quot;vulnerabilities&quot;]}],[0,{&quot;id&quot;:[0,&quot;4l3WDYLk6bXCyaRc9pRzXa&quot;],&quot;name&quot;:[0,&quot;Bots&quot;],&quot;slug&quot;:[0,&quot;bots&quot;]}]]],&quot;relatedTags&quot;:[0],&quot;authors&quot;:[1,[[0,{&quot;name&quot;:[0,&quot;John Graham-Cumming&quot;],&quot;slug&quot;:[0,&quot;john-graham-cumming&quot;],&quot;bio&quot;:[0,null],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5vGNsXzZrtSLn2X30pnpUY/6f350e7dd36058a6422f9199b452bb02/john-graham-cumming.jpg&quot;],&quot;location&quot;:[0,&quot;Lisbon, Portugal&quot;],&quot;website&quot;:[0,null],&quot;twitter&quot;:[0,null],&quot;facebook&quot;:[0,null]}]]],&quot;meta_description&quot;:[0,&quot;During 2017 Cloudflare published 172 blog posts. 
If you need a distraction from the holiday festivities here are some highlights from the year.&quot;],&quot;primary_author&quot;:[0,{}],&quot;localeList&quot;:[0,{&quot;name&quot;:[0,&quot;Technical reading from the Cloudflare blog for the holidays Config&quot;],&quot;enUS&quot;:[0,&quot;English for Locale&quot;],&quot;zhCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhHansCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhTW&quot;:[0,&quot;No Page for Locale&quot;],&quot;frFR&quot;:[0,&quot;No Page for Locale&quot;],&quot;deDE&quot;:[0,&quot;No Page for Locale&quot;],&quot;itIT&quot;:[0,&quot;No Page for Locale&quot;],&quot;jaJP&quot;:[0,&quot;No Page for Locale&quot;],&quot;koKR&quot;:[0,&quot;No Page for Locale&quot;],&quot;ptBR&quot;:[0,&quot;No Page for Locale&quot;],&quot;esLA&quot;:[0,&quot;No Page for Locale&quot;],&quot;esES&quot;:[0,&quot;No Page for Locale&quot;],&quot;enAU&quot;:[0,&quot;No Page for Locale&quot;],&quot;enCA&quot;:[0,&quot;No Page for Locale&quot;],&quot;enIN&quot;:[0,&quot;No Page for Locale&quot;],&quot;enGB&quot;:[0,&quot;No Page for Locale&quot;],&quot;idID&quot;:[0,&quot;No Page for Locale&quot;],&quot;ruRU&quot;:[0,&quot;No Page for Locale&quot;],&quot;svSE&quot;:[0,&quot;No Page for Locale&quot;],&quot;viVN&quot;:[0,&quot;No Page for Locale&quot;],&quot;plPL&quot;:[0,&quot;No Page for Locale&quot;],&quot;arAR&quot;:[0,&quot;No Page for Locale&quot;],&quot;nlNL&quot;:[0,&quot;No Page for Locale&quot;],&quot;thTH&quot;:[0,&quot;No Page for Locale&quot;],&quot;trTR&quot;:[0,&quot;No Page for Locale&quot;],&quot;heIL&quot;:[0,&quot;No Page for Locale&quot;],&quot;lvLV&quot;:[0,&quot;No Page for Locale&quot;],&quot;etEE&quot;:[0,&quot;No Page for Locale&quot;],&quot;ltLT&quot;:[0,&quot;No Page for 
Locale&quot;]}],&quot;url&quot;:[0,&quot;https://blog.cloudflare.com/2017-holiday-reading-from-the-cloudflare-blog&quot;],&quot;metadata&quot;:[0,{&quot;title&quot;:[0],&quot;description&quot;:[0],&quot;imgPreview&quot;:[0,&quot;&quot;]}]}],&quot;translations&quot;:[0,{&quot;posts.by&quot;:[0,&quot;By&quot;],&quot;footer.gdpr&quot;:[0,&quot;GDPR&quot;],&quot;lang_blurb1&quot;:[0,&quot;This post is also available in {lang1}.&quot;],&quot;lang_blurb2&quot;:[0,&quot;This post is also available in {lang1} and {lang2}.&quot;],&quot;lang_blurb3&quot;:[0,&quot;This post is also available in {lang1}, {lang2} and {lang3}.&quot;],&quot;footer.press&quot;:[0,&quot;Press&quot;],&quot;header.title&quot;:[0,&quot;The Cloudflare Blog&quot;],&quot;search.clear&quot;:[0,&quot;Clear&quot;],&quot;search.filter&quot;:[0,&quot;Filter&quot;],&quot;search.source&quot;:[0,&quot;Source&quot;],&quot;footer.careers&quot;:[0,&quot;Careers&quot;],&quot;footer.company&quot;:[0,&quot;Company&quot;],&quot;footer.support&quot;:[0,&quot;Support&quot;],&quot;footer.the_net&quot;:[0,&quot;theNet&quot;],&quot;search.filters&quot;:[0,&quot;Filters&quot;],&quot;footer.our_team&quot;:[0,&quot;Our team&quot;],&quot;footer.webinars&quot;:[0,&quot;Webinars&quot;],&quot;page.more_posts&quot;:[0,&quot;More posts&quot;],&quot;posts.time_read&quot;:[0,&quot;{time} min read&quot;],&quot;search.language&quot;:[0,&quot;Language&quot;],&quot;footer.community&quot;:[0,&quot;Community&quot;],&quot;footer.resources&quot;:[0,&quot;Resources&quot;],&quot;footer.solutions&quot;:[0,&quot;Solutions&quot;],&quot;footer.trademark&quot;:[0,&quot;Trademark&quot;],&quot;header.subscribe&quot;:[0,&quot;Subscribe&quot;],&quot;footer.compliance&quot;:[0,&quot;Compliance&quot;],&quot;footer.free_plans&quot;:[0,&quot;Free plans&quot;],&quot;footer.impact_ESG&quot;:[0,&quot;Impact/ESG&quot;],&quot;posts.follow_on_X&quot;:[0,&quot;Follow on X&quot;],&quot;footer.help_center&quot;:[0,&quot;Help 
center&quot;],&quot;footer.network_map&quot;:[0,&quot;Network Map&quot;],&quot;header.please_wait&quot;:[0,&quot;Please Wait&quot;],&quot;page.related_posts&quot;:[0,&quot;Related posts&quot;],&quot;search.result_stat&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt; for &lt;strong&gt;{search_keyword}&lt;/strong&gt;&quot;],&quot;footer.case_studies&quot;:[0,&quot;Case Studies&quot;],&quot;footer.connect_2024&quot;:[0,&quot;Connect 2024&quot;],&quot;footer.terms_of_use&quot;:[0,&quot;Terms of Use&quot;],&quot;footer.white_papers&quot;:[0,&quot;White Papers&quot;],&quot;footer.cloudflare_tv&quot;:[0,&quot;Cloudflare TV&quot;],&quot;footer.community_hub&quot;:[0,&quot;Community Hub&quot;],&quot;footer.compare_plans&quot;:[0,&quot;Compare plans&quot;],&quot;footer.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.email_address&quot;:[0,&quot;Email Address&quot;],&quot;page.error.not_found&quot;:[0,&quot;Page not found&quot;],&quot;footer.developer_docs&quot;:[0,&quot;Developer docs&quot;],&quot;footer.privacy_policy&quot;:[0,&quot;Privacy Policy&quot;],&quot;footer.request_a_demo&quot;:[0,&quot;Request a demo&quot;],&quot;page.continue_reading&quot;:[0,&quot;Continue reading&quot;],&quot;footer.analysts_report&quot;:[0,&quot;Analyst reports&quot;],&quot;footer.for_enterprises&quot;:[0,&quot;For enterprises&quot;],&quot;footer.getting_started&quot;:[0,&quot;Getting Started&quot;],&quot;footer.learning_center&quot;:[0,&quot;Learning Center&quot;],&quot;footer.project_galileo&quot;:[0,&quot;Project Galileo&quot;],&quot;pagination.newer_posts&quot;:[0,&quot;Newer Posts&quot;],&quot;pagination.older_posts&quot;:[0,&quot;Older Posts&quot;],&quot;posts.social_buttons.x&quot;:[0,&quot;Discuss on 
X&quot;],&quot;search.icon_aria_label&quot;:[0,&quot;Search&quot;],&quot;search.source_location&quot;:[0,&quot;Source/Location&quot;],&quot;footer.about_cloudflare&quot;:[0,&quot;About Cloudflare&quot;],&quot;footer.athenian_project&quot;:[0,&quot;Athenian Project&quot;],&quot;footer.become_a_partner&quot;:[0,&quot;Become a partner&quot;],&quot;footer.cloudflare_radar&quot;:[0,&quot;Cloudflare Radar&quot;],&quot;footer.network_services&quot;:[0,&quot;Network services&quot;],&quot;footer.trust_and_safety&quot;:[0,&quot;Trust &amp; Safety&quot;],&quot;header.get_started_free&quot;:[0,&quot;Get Started Free&quot;],&quot;page.search.placeholder&quot;:[0,&quot;Search Cloudflare&quot;],&quot;footer.cloudflare_status&quot;:[0,&quot;Cloudflare Status&quot;],&quot;footer.cookie_preference&quot;:[0,&quot;Cookie Preferences&quot;],&quot;header.valid_email_error&quot;:[0,&quot;Must be valid email.&quot;],&quot;search.result_stat_empty&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt;&quot;],&quot;footer.connectivity_cloud&quot;:[0,&quot;Connectivity cloud&quot;],&quot;footer.developer_services&quot;:[0,&quot;Developer services&quot;],&quot;footer.investor_relations&quot;:[0,&quot;Investor relations&quot;],&quot;page.not_found.error_code&quot;:[0,&quot;Error Code: 404&quot;],&quot;search.autocomplete_title&quot;:[0,&quot;Insert a query. 
Press enter to send&quot;],&quot;footer.logos_and_press_kit&quot;:[0,&quot;Logos &amp; press kit&quot;],&quot;footer.application_services&quot;:[0,&quot;Application services&quot;],&quot;footer.get_a_recommendation&quot;:[0,&quot;Get a recommendation&quot;],&quot;posts.social_buttons.reddit&quot;:[0,&quot;Discuss on Reddit&quot;],&quot;footer.sse_and_sase_services&quot;:[0,&quot;SSE and SASE services&quot;],&quot;page.not_found.outdated_link&quot;:[0,&quot;You may have used an outdated link, or you may have typed the address incorrectly.&quot;],&quot;footer.report_security_issues&quot;:[0,&quot;Report Security Issues&quot;],&quot;page.error.error_message_page&quot;:[0,&quot;Sorry, we can&#39;t find the page you are looking for.&quot;],&quot;header.subscribe_notifications&quot;:[0,&quot;Subscribe to receive notifications of new posts:&quot;],&quot;footer.cloudflare_for_campaigns&quot;:[0,&quot;Cloudflare for Campaigns&quot;],&quot;header.subscription_confimation&quot;:[0,&quot;Subscription confirmed. 
Thank you for subscribing!&quot;],&quot;posts.social_buttons.hackernews&quot;:[0,&quot;Discuss on Hacker News&quot;],&quot;footer.diversity_equity_inclusion&quot;:[0,&quot;Diversity, equity &amp; inclusion&quot;],&quot;footer.critical_infrastructure_defense_project&quot;:[0,&quot;Critical Infrastructure Defense Project&quot;]}]}" ssr client="load" opts="{&quot;name&quot;:&quot;PostCard&quot;,&quot;value&quot;:true}" await-children><article class="w-50-l mt4 mt2-l mb4 ph3 bb b--gray8 bn-l"><div class="w-100"><a href="/2017-holiday-reading-from-the-cloudflare-blog/" class="fw5 no-underline gray1" data-testid="post-title"><h2 class="fw5 mt2">Technical reading from the Cloudflare blog for the holidays</h2></a><p class="f3 fw5 gray5 my" data-testid="post-date">2017-12-22</p><div class=""><a href="/tag/year-in-review/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Year in Review</a><a href="/tag/product-news/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Product News</a><a href="/tag/lavarand/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">LavaRand</a><a href="/tag/ddos/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">DDoS</a><a href="/tag/geo-key-manager/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Geo Key Manager</a><a href="/tag/dns/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">DNS</a><a href="/tag/lua/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">LUA</a><a href="/tag/privacy-pass/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Privacy Pass</a><a href="/tag/vulnerabilities/" class="dib pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Vulnerabilities</a><a href="/tag/bots/" class="dib 
pl2 pr2 pt1 pb1 mb2 bg-gray8 no-underline blue3 f2 mr1" data-testid="post-tag">Bots</a></div><p class="f3 fw4 gray1 lh-copy " data-testid="post-content">During 2017 Cloudflare published 172 blog posts (including this one). If you need a distraction from the holiday festivities at this time of year here are some highlights from the year.<!-- -->...</p><ul class="author-lists flex pl0"><li class="list flex items-center pr2 mb3"><a href="/author/john-graham-cumming/" class="static-avatar pr1"><img class="author-profile-image br-100 mr2" src="https://blog.cloudflare.com/cdn-cgi/image/format=auto,dpr=3,width=64,height=64,gravity=face,fit=crop,zoom=0.5/https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5vGNsXzZrtSLn2X30pnpUY/6f350e7dd36058a6422f9199b452bb02/john-graham-cumming.jpg" alt="John Graham-Cumming" width="62" height="62"/></a><div class="author-name-tooltip"><a href="/author/john-graham-cumming/" class="fw4 f3 no-underline black">John Graham-Cumming</a></div></li></ul></div></article><!--astro:end--></astro-island> <astro-island uid="ZYWKbo" prefix="r5" component-url="/_astro/MorePosts.DyRVOquy.js" component-export="default" renderer-url="/_astro/client.DLO1yDVm.js" props="{&quot;locale&quot;:[0,&quot;en-us&quot;],&quot;posts&quot;:[1,[[0,{&quot;id&quot;:[0,&quot;41Lr8xZtaEnIidX8Q0fvEX&quot;],&quot;title&quot;:[0,&quot;Privacy Pass - “The Math”&quot;],&quot;slug&quot;:[0,&quot;privacy-pass-the-math&quot;],&quot;excerpt&quot;:[0,&quot;During a recent internship at Cloudflare, I had the chance to help integrate support for improving the accessibility of websites that are protected by the Cloudflare edge network. &quot;],&quot;featured&quot;:[0,false],&quot;html&quot;:[0,&quot;&lt;p&gt;&lt;i&gt;This is a guest post by Alex Davidson, a PhD student in Cryptography at Royal Holloway, University of London, who is part of the team that developed &lt;/i&gt;&lt;a href=\&quot;https://privacypass.github.io\&quot;&gt;&lt;i&gt;Privacy Pass&lt;/i&gt;&lt;/a&gt;&lt;i&gt;. 
Alex worked at Cloudflare for the summer on deploying Privacy Pass on the Cloudflare network&lt;/i&gt;.&lt;/p&gt;&lt;p&gt;During a recent internship at Cloudflare, I had the chance to help integrate support for improving the accessibility of websites that are protected by the Cloudflare edge network. Specifically, I helped develop an open-source browser extension named ‘Privacy Pass’ and added support for the Privacy Pass protocol within Cloudflare infrastructure. Currently, Privacy Pass works with the Cloudflare edge to help honest users to reduce the number of Cloudflare CAPTCHA pages that they see when browsing the web. However, the operation of Privacy Pass is not limited to the Cloudflare use-case and we envisage that it has applications over a wider and more diverse range of use-cases as support grows.&lt;/p&gt;&lt;p&gt;In summary, this browser extension allows a user to generate cryptographically ‘blinded’ tokens that can then be signed by supporting servers following some receipt of authenticity (e.g. a CAPTCHA solution). The browser extension can then use these tokens to ‘prove’ honesty in future communications with the server, without having to solve more authenticity challenges.&lt;/p&gt;&lt;p&gt;The ‘blind’ aspect of the protocol means that it is infeasible for a server to link tokens that it signs to tokens that are redeemed in the future. This means that a client using the browser extension should not compromise their own privacy with respect to the server they are communicating with.&lt;/p&gt;&lt;p&gt;In this blog post we hope to give more of an insight into how we have developed the protocol and the security considerations that we have taken into account. 
We have made use of some interesting and modern cryptographic techniques that we believe could have a future impact on a wide array of problems.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;previously\&quot;&gt;Previously…&lt;/h3&gt;\n &lt;a href=\&quot;#previously\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The research team released a specification last year for a “blind signing” protocol (very similar to the original proposal of &lt;a href=\&quot;#Cha82\&quot;&gt;Chaum&lt;/a&gt;) using a variant of RSA known as ‘blind RSA’. Blind RSA simply uses the homomorphic properties of the textbook RSA signature scheme to allow the user to have messages signed &lt;i&gt;obliviously&lt;/i&gt;. Since then, George Tankersley and Filippo Valsorda gave a talk at &lt;a href=\&quot;https://youtu.be/GqY7YUv8b5Y\&quot;&gt;Real World Crypto 2017&lt;/a&gt; explaining the idea in more detail and how the protocol could be implemented. 
The intuition behind a blind signing protocol is also given in &lt;a href=\&quot;/cloudflare-supports-privacy-pass\&quot;&gt;Nick’s blog post&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;A blind signing protocol between a server A and a client B roughly takes the following form:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;B generates some value &lt;code&gt;t&lt;/code&gt; that they require a signature from A for.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;B calculates a ‘blinded’ version of &lt;code&gt;t&lt;/code&gt; that we will call &lt;code&gt;bt&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;B sends &lt;code&gt;bt&lt;/code&gt; to A&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;A signs &lt;code&gt;bt&lt;/code&gt; with their secret signing key and returns a signature &lt;code&gt;bz&lt;/code&gt; to B&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;B receives &lt;code&gt;bz&lt;/code&gt; and ‘unblinds’ to receive a signature &lt;code&gt;z&lt;/code&gt; for value &lt;code&gt;t&lt;/code&gt;.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Due to limitations arising from the usage of RSA (e.g. large signature sizes, slower operations), there were efficiency concerns surrounding the extra bandwidth and computation time on the client browser. Fortunately, we received a lot of feedback from many notable individuals (full acknowledgments below). 
In short, this helped us to come up with a protocol with much lower overheads in storage, bandwidth and computation time using elliptic curve cryptography as the foundation instead.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;elliptic-curves-a-very-short-introduction\&quot;&gt;Elliptic curves (a very short introduction)&lt;/h3&gt;\n &lt;a href=\&quot;#elliptic-curves-a-very-short-introduction\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;An elliptic curve is defined over a finite field modulo some prime &lt;code&gt;p&lt;/code&gt;. Briefly, an &lt;code&gt;(x,y)&lt;/code&gt; coordinate is said to lie on the curve if it satisfies the following equation:&lt;/p&gt;&lt;p&gt;&lt;code&gt;y^2 = x^3 + a*x + b (modulo p)&lt;/code&gt;&lt;/p&gt;&lt;p&gt;Nick Sullivan wrote an introductory &lt;a href=\&quot;/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/\&quot;&gt;blog post&lt;/a&gt; on the use of elliptic curves in cryptography a while back, so this may be a good place to start if you’re new to the area.&lt;/p&gt;&lt;p&gt;Elliptic curves have been studied for use in cryptography since the independent works of Koblitz and Miller (1984-85). 
However, EC-based ciphers and signature algorithms have rapidly started replacing older primitives in the Internet-space due to large improvements in the choice of security parameters available. What this translates to is that encryption/signing keys can be much smaller in EC cryptography when compared to more traditional methods such as RSA. This comes with huge efficiency benefits when computing encryption and signing operations, thus making EC cipher suites perfect for use on an Internet-wide scale.&lt;/p&gt;&lt;p&gt;Importantly, there are many different elliptic curve configurations that are defined by the choice of &lt;code&gt;p&lt;/code&gt;, &lt;code&gt;a&lt;/code&gt; and &lt;code&gt;b&lt;/code&gt; for the equation above. These provide different security and efficiency benefits; some have been standardized by NIST. In this work, we will be using the NIST specified &lt;a href=\&quot;https://csrc.nist.gov/publications/detail/fips/186/4/final\&quot;&gt;P256 curve&lt;/a&gt;, however, this choice is largely agnostic to the protocol that we have designed.&lt;/p&gt;&lt;h4&gt;Blind signing via elliptic curves&lt;/h4&gt;&lt;p&gt;Translating our blind signing protocol from RSA to elliptic curves required deriving a whole new protocol. Some of the suggestions pointed out cryptographic constructions known as “oblivious pseudorandom functions”. A pseudorandom function or PRF is a mainstay of the traditional cryptographic arsenal and essentially takes a key and some string as input and outputs some cryptographically random value.&lt;/p&gt;&lt;p&gt;Let F be our PRF, then the security requirement on such a function is that evaluating:&lt;/p&gt;&lt;p&gt;&lt;code&gt;y = F(K,x)&lt;/code&gt;&lt;/p&gt;&lt;p&gt;is indistinguishable from evaluating:&lt;/p&gt;&lt;p&gt;&lt;code&gt;y’ = f(x)&lt;/code&gt;&lt;/p&gt;&lt;p&gt;where f is a randomly chosen function with outputs defined in the same domain as &lt;code&gt;F(K,-)&lt;/code&gt;. 
Choosing a function f at random undoubtedly leads to random outputs, however for &lt;code&gt;F&lt;/code&gt;, randomness is derived from the choice of key &lt;code&gt;K&lt;/code&gt;. In practice, we would instantiate a PRF using something like HMAC-SHA256.&lt;/p&gt;&lt;h4&gt;Oblivious PRFs&lt;/h4&gt;&lt;p&gt;An oblivious PRF (OPRF) is actually a protocol between a server S and a client C. In the protocol, S holds a key &lt;code&gt;K&lt;/code&gt; for some PRF &lt;code&gt;F&lt;/code&gt; and C holds an input &lt;code&gt;x&lt;/code&gt;. The security goal is that C receives the output &lt;code&gt;y = F(K,x)&lt;/code&gt; without learning the key &lt;code&gt;K&lt;/code&gt; and S does not learn the value &lt;code&gt;x&lt;/code&gt;.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5LG1M3dg4OwiUYd1TFWIWJ/8e26d23ae4dd905c599cece4cf9c1cbd/image3-1.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;600\&quot; height=\&quot;400\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;It may seem difficult to construct such a functionality without revealing the input x or the key K. However, there are numerous (and very efficient) constructions of OPRFs with applications to many different cryptographic problems such as &lt;a href=\&quot;https://eprint.iacr.org/2016/799\&quot;&gt;private set intersection&lt;/a&gt;, &lt;a href=\&quot;https://eprint.iacr.org/2016/144\&quot;&gt;password-protected secret-sharing&lt;/a&gt; and &lt;a href=\&quot;http://webee.technion.ac.il/~hugo/sphinx.pdf\&quot;&gt;cryptographic password storage&lt;/a&gt; to name a few.&lt;/p&gt;&lt;h4&gt;OPRFs from elliptic curves&lt;/h4&gt;&lt;p&gt;A simple instantiation of an OPRF from elliptic curves was given by Jarecki et al. 
&lt;a href=\&quot;#jkk14\&quot;&gt;JKK14&lt;/a&gt;, we use this as the foundation for our blind signing protocol.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;Let &lt;code&gt;&lt;b&gt;G&lt;/b&gt;&lt;/code&gt; be a cyclic group of prime-order&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Let &lt;code&gt;H&lt;/code&gt; be a collision-resistant hash function hashing into &lt;code&gt;G&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Let &lt;code&gt;k&lt;/code&gt; be a private key held by S&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Let &lt;code&gt;x&lt;/code&gt; be a private input held by C&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The protocol now proceeds as:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;C sends &lt;code&gt;H(x)&lt;/code&gt; to S&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S returns &lt;code&gt;kH(x)&lt;/code&gt; to C&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Clearly, this is an exceptionally simple protocol, security is established since:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;The collision-resistant hash function prevents S from reversing &lt;code&gt;H(x)&lt;/code&gt; to learn &lt;code&gt;x&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The hardness of the discrete log problem (DLP) prevents C from learning &lt;code&gt;k&lt;/code&gt; from &lt;code&gt;kH(x)&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The output &lt;code&gt;kH(x)&lt;/code&gt; is pseudorandom since &lt;code&gt;&lt;b&gt;G&lt;/b&gt;&lt;/code&gt; is a prime-order group and &lt;code&gt;k&lt;/code&gt; is chosen at random.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Blind signing via an OPRF&lt;/h4&gt;&lt;p&gt;Using the OPRF design above as the foundation, the research team wrote a variation that we can use for a blind signing protocol; we detail this construction below. 
In our ‘blind signing’ protocol we require that:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;The client/user can have random values signed obliviously by the edge server&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The client can ‘unblind’ these values and present them in the future for verification&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The edge can commit to the secret key publicly and prove that it is used for signing all tokens globally&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The blind signing protocol is split into two phases.&lt;/p&gt;&lt;p&gt;Firstly, there is a &lt;b&gt;blind signing phase&lt;/b&gt; that is carried out between the user and the edge after the user has successfully solved a challenge. The result is that the user receives a number of &lt;code&gt;signed&lt;/code&gt; tokens (default 30) that are unblinded and stored for future use. Intuitively, this mirrors the execution of the OPRF protocol above.&lt;/p&gt;&lt;p&gt;Secondly, there is a &lt;b&gt;redemption phase&lt;/b&gt; where an unblinded token is used for bypassing a future iteration of the challenge.&lt;/p&gt;&lt;p&gt;Let &lt;code&gt;&lt;b&gt;G&lt;/b&gt;&lt;/code&gt; be a cyclic group of prime-order &lt;code&gt;q&lt;/code&gt;. Let &lt;code&gt;H_1&lt;/code&gt;,&lt;code&gt;H_2&lt;/code&gt; be a pair of collision-resistant hash functions; &lt;code&gt;H_1&lt;/code&gt; hashes into the group &lt;code&gt;&lt;b&gt;G&lt;/b&gt;&lt;/code&gt; as before, &lt;code&gt;H_2&lt;/code&gt; hashes into a binary string of length &lt;code&gt;n&lt;/code&gt;.&lt;/p&gt;&lt;p&gt;In the following, we will use slightly different notation to make it consistent with existing literature. Let &lt;code&gt;x&lt;/code&gt; be a private key held by the server S. Let &lt;code&gt;t&lt;/code&gt; be the input held by the user/client C. Let &lt;code&gt;ZZ_q&lt;/code&gt; be the ring of integers modulo &lt;code&gt;q&lt;/code&gt;. We write all operations in their scalar multiplication form to be consistent with EC notation. 
Let &lt;code&gt;MAC_K()&lt;/code&gt; be a &lt;a href=\&quot;https://en.wikipedia.org/wiki/Message_authentication_code\&quot;&gt;message-authentication code&lt;/a&gt; algorithm keyed by a key &lt;code&gt;K&lt;/code&gt;.&lt;/p&gt;&lt;h4&gt;Signing phase&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;C samples a random ‘blind’ &lt;code&gt;r ← ZZ_q&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;C computes &lt;code&gt;T = H_1(t)&lt;/code&gt; and then blinds it by computing &lt;code&gt;rT&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;C sends &lt;code&gt;M = rT&lt;/code&gt; to S&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S computes &lt;code&gt;Z = xM&lt;/code&gt; and returns &lt;code&gt;Z&lt;/code&gt; to C&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;C computes &lt;code&gt;(1/r)*Z = xT = N&lt;/code&gt; and stores the pair &lt;code&gt;(t,N)&lt;/code&gt; for some point in the future&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;We think of &lt;code&gt;T = H_1(t)&lt;/code&gt; as a token; these objects form the backbone of the protocol that we use to bypass challenges. Notice that the only difference between this protocol and the OPRF above is the blinding factor &lt;code&gt;r&lt;/code&gt; that we use.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3LJYvqKAwDw1Rh6oPlGeZy/ef4c5d38cf87ce48480c6e7680d17444/image2.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;600\&quot; height=\&quot;400\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;h4&gt;Redemption phase&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;C calculates request binding data &lt;code&gt;req&lt;/code&gt; and chooses an unspent token &lt;code&gt;(t,N)&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;C calculates a shared key &lt;code&gt;sk = H_2(t,N)&lt;/code&gt; and sends &lt;code&gt;(t, MAC_sk(req))&lt;/code&gt; to S&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S recalculates 
&lt;code&gt;req&amp;#39;&lt;/code&gt; based on the request data that it witnesses&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S checks that &lt;code&gt;t&lt;/code&gt; has not been spent already and calculates &lt;code&gt;T = H_1(t)&lt;/code&gt;, &lt;code&gt;N = xT&lt;/code&gt;, and &lt;code&gt;sk = H_2(t,N)&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Finally S checks that &lt;code&gt;MAC_sk(req&amp;#39;) =?= MAC_sk(req)&lt;/code&gt;, and stores &lt;code&gt;t&lt;/code&gt; to check against future redemptions&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;If all the steps above pass, then the server validates that the user has a validly signed token. When we refer to ‘passes’ we mean the pair &lt;code&gt;(t, MAC_sk(req))&lt;/code&gt; and if verification is successful the edge server grants the user access to the requested resource.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5UrTr7lpAY9Fin8rctVoLa/61fbb098340ac56a5012b6f03a13acc0/image1-1.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;600\&quot; height=\&quot;400\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;cryptographic-security-of-protocol\&quot;&gt;Cryptographic security of protocol&lt;/h3&gt;\n &lt;a href=\&quot;#cryptographic-security-of-protocol\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 
4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;There are many different ways in which we need to ensure that the protocol remains “secure”. Clearly one of the main features is that the user remains anonymous in the transaction. Furthermore, we need to show that the client is unable to leverage the protocol in order to learn the private key of the edge, or arbitrarily gain infinite tokens. We give two security arguments for our protocol that we can easily reduce to cryptographic assumptions on the hardness of widely-used problems. There are a number of other security goals for the protocol but we consider the two arguments below as fundamental security requirements.&lt;/p&gt;&lt;h4&gt;Unlinkability in the presence of an adversarial edge&lt;/h4&gt;&lt;p&gt;Similarly to the RSA blind signing protocol, the blind r is used to prevent the edge from learning the value of &lt;code&gt;T&lt;/code&gt;, above. Since &lt;code&gt;r&lt;/code&gt; is not used in the redemption phase of the protocol, there is no way that the server can link a blinded token &lt;code&gt;rT&lt;/code&gt; in the signing phase to any token in a given redemption phase. Since S recalculates &lt;code&gt;T&lt;/code&gt; during redemption, it may be tempting to think that S could recover &lt;code&gt;r&lt;/code&gt; from &lt;code&gt;rT&lt;/code&gt;. However, the hardness of the discrete log problem prevents S from launching this attack. Therefore, the server has no knowledge of &lt;code&gt;r&lt;/code&gt;.&lt;/p&gt;&lt;p&gt;As mentioned and similarly to the &lt;a href=\&quot;#jkk14\&quot;&gt;JKK14&lt;/a&gt; OPRF protocol above, we rely on the hardness of standard cryptographic assumptions such as the discrete log problem (DLP), and collision-resistant hash functions. 
Using these hardness assumptions it is possible to write a proof of security in the presence of a dishonest server. The proof of security shows that assuming that these assumptions are hard, then a dishonest server is unable to link an execution of the signing phase with any execution of the redemption phase with probability higher than just randomly guessing.&lt;/p&gt;&lt;p&gt;Intuitively, in the signing phase, C sends randomly distributed data due to the blinding mechanism and so S cannot learn anything from this data alone. In the redemption phase, C unveils their token, but the transcript of the signing phase witnessed by S is essentially random and so it cannot be used to learn anything from the redemption phase.&lt;/p&gt;&lt;p&gt;This is not a full proof of security but gives an idea as to how we can derive cryptographic hardness for the underlying protocol. We hope to publish a more detailed cryptographic proof in the near future to accompany our protocol design.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;key-privacy-for-the-edge\&quot;&gt;Key privacy for the edge&lt;/h3&gt;\n &lt;a href=\&quot;#key-privacy-for-the-edge\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;It is also crucial to prove that the exchange 
does not reveal the secret key &lt;code&gt;x&lt;/code&gt; to the user. If this were to happen, then the user would be able to arbitrarily sign their own tokens, giving them an effectively infinite supply.&lt;/p&gt;&lt;p&gt;Notice that the only time when the client is exposed to the key is when they receive &lt;code&gt;Z = xM&lt;/code&gt;. In elliptic-curve terminology, the client receives their blinded token scalar multiplied with &lt;code&gt;x&lt;/code&gt;. Notice that this is also identical to the interaction that an adversary witnesses in the discrete log problem. In fact, if the client was able to compute &lt;code&gt;x&lt;/code&gt; from &lt;code&gt;Z&lt;/code&gt;, then the client would also be able to solve the DLP — which is thought to be very hard for established key sizes. In this way, we have a sufficient guarantee that an adversarial client would not be able to learn the key from the signing interaction.&lt;/p&gt;&lt;h4&gt;Preventing further deanonymization attacks using “Verifiable” OPRFs&lt;/h4&gt;&lt;p&gt;While the proof of security above gives some assurances about the cryptographic design of the protocol, it does not cover the possibility of out-of-band deanonymization. For instance, the edge server can sign tokens with a new secret key each time. Ignoring the cost that this would incur, the server would be able to link token signing and redemption phases by simply checking each redemption against every private key in use.&lt;/p&gt;&lt;p&gt;There is a solution known as a ‘discrete log equivalence proof’ (DLEQ proof). Using this, a server commits to a secret key &lt;code&gt;x&lt;/code&gt; by publicly posting a pair &lt;code&gt;(G, xG)&lt;/code&gt; for a generator &lt;code&gt;G&lt;/code&gt; of the prime-order group &lt;code&gt;&lt;b&gt;G&lt;/b&gt;&lt;/code&gt;. 
A DLEQ proof intuitively allows the server to prove to the user that the signed tokens &lt;code&gt;Z = xrT&lt;/code&gt; and commitment &lt;code&gt;xG&lt;/code&gt; both have the same discrete log relation &lt;code&gt;x&lt;/code&gt;. Since the commitment is posted publicly (similarly to a &lt;a href=\&quot;https://www.certificate-transparency.org/\&quot;&gt;Certificate Transparency Log&lt;/a&gt;) this would be verifiable by all users and so the deanonymization attack above would not be possible.&lt;/p&gt;&lt;h4&gt;DLEQ proofs&lt;/h4&gt;&lt;p&gt;The DLEQ proof objects take the form of a Chaum-Pedersen &lt;a href=\&quot;#cp93\&quot;&gt;CP93&lt;/a&gt; non-interactive zero-knowledge (NIZK) proof. Similar proofs were used in &lt;a href=\&quot;#jkk14\&quot;&gt;JKK14&lt;/a&gt; to show that their OPRF protocol produced “verifiable” randomness; they defined their construction as a VOPRF. In the following, we will describe how the signing phase above can be augmented with these proofs.&lt;/p&gt;&lt;p&gt;&lt;i&gt;The DLEQ proof verification in the extension is still in development and is not completely consistent with the protocol below. We hope to complete the verification functionality in the near future.&lt;/i&gt;&lt;/p&gt;&lt;p&gt;Let &lt;code&gt;M = rT&lt;/code&gt; be the blinded token that C sends to S, let &lt;code&gt;(G,Y) = (G,xG)&lt;/code&gt; be the commitment from above, and let H_3 be a new hash function (modelled as a random oracle for security purposes). 
In the protocol below, we can think of S playing the role of the &amp;#39;prover&amp;#39; and C the &amp;#39;verifier&amp;#39; in a traditional NIZK proof system.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;S computes &lt;code&gt;Z = xM&lt;/code&gt;, as before.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S also samples a fresh random nonce &lt;code&gt;k ← ZZ_q&lt;/code&gt; and commits to the nonce by calculating &lt;code&gt;A = kG&lt;/code&gt; and &lt;code&gt;B = kM&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S constructs a challenge &lt;code&gt;c ← H_3(G,Y,M,Z,A,B)&lt;/code&gt; and computes &lt;code&gt;s = k-cx (mod q)&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S sends &lt;code&gt;(c,s)&lt;/code&gt; to the user C&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;C recalculates &lt;code&gt;A&amp;#39; = sG + cY&lt;/code&gt; and &lt;code&gt;B&amp;#39; = s*M + c*Z&lt;/code&gt; and hashes &lt;code&gt;c&amp;#39; = H_3(G,Y,M,Z,A’,B’)&lt;/code&gt;.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;C verifies that &lt;code&gt;c&amp;#39; =?= c&lt;/code&gt;.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Note that correctness follows since&lt;/p&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code class=\&quot;language-bash\&quot;&gt;A&amp;#039; = sG + cY = (k-cx)G + cxG = kG and B&amp;#039; = sM + cZ = r(k-cx)T + crxT = krT = kM &lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;We write DLEQ(Z/M == Y/G) to denote the proof that is created by S and validated by C. In summary, if both parties have a consistent view of &lt;code&gt;(G,Y)&lt;/code&gt; for the same epoch then the proof should verify correctly. As long as the discrete log problem remains hard to solve, this proof remains zero-knowledge (in the random oracle model). 
For our use-case the proof verifies that the same key &lt;code&gt;x&lt;/code&gt; is used for each invocation of the protocol, as long as &lt;code&gt;(G,Y)&lt;/code&gt; does not change.&lt;/p&gt;&lt;h4&gt;Batching the proofs&lt;/h4&gt;&lt;p&gt;Unfortunately, a drawback of the proof above is that it has to be instantiated for each individual token sent in the protocol. Since we send 30 tokens by default, this would require the server to also send 30 DLEQ proofs (with two EC elements each) and the client to verify each proof individually.&lt;/p&gt;&lt;p&gt;Interestingly, Henry showed that it was possible to batch the above NIZK proofs into one object with only one verification required &lt;a href=\&quot;#hen14\&quot;&gt;Hen14&lt;/a&gt;. Using this batching technique substantially reduces the communication and computation cost of including the proof.&lt;/p&gt;&lt;p&gt;Let &lt;code&gt;n&lt;/code&gt; be the number of tokens to be signed in the interaction, so we have &lt;code&gt;M_i = r_i*T_i&lt;/code&gt; for the set of blinded tokens corresponding to inputs &lt;code&gt;t_i&lt;/code&gt;.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;S generates corresponding &lt;code&gt;Z_i = x*M_i&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S also computes a seed &lt;code&gt;z = H_3(G,Y,M_1,...,M_n,Z_1,...,Z_n)&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S then initializes a pseudorandom number generator PRNG with the seed &lt;code&gt;z&lt;/code&gt; and outputs &lt;code&gt;c_1, ... , c_n ← PRNG(z)&lt;/code&gt; where the output domain of PRNG is &lt;code&gt;ZZ_q&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;S generates composite group elements:&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code class=\&quot;language-bash\&quot;&gt;M = (c_1*M_1) + ... + (c_n*M_n), Z = (c_1*Z_1) + ... 
+ (c_n*Z_n)&lt;/code&gt;&lt;/pre&gt;\n &lt;ul&gt;&lt;li&gt;&lt;p&gt;S calculates &lt;code&gt;(c,s) ← DLEQ(Z/M == Y/G)&lt;/code&gt; and sends &lt;code&gt;(c,s)&lt;/code&gt; to C, where &lt;code&gt;DLEQ(Z/M == Y/G)&lt;/code&gt; refers to the proof protocol used in the non-batching case.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;C recomputes the seed &lt;code&gt;z&lt;/code&gt; from the same inputs, computes &lt;code&gt;c’_1, … , c’_n ← PRNG(z)&lt;/code&gt;, re-computes &lt;code&gt;M’&lt;/code&gt;, &lt;code&gt;Z’&lt;/code&gt; and checks that &lt;code&gt;c’ =?= c&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;To see why this works, consider the reduced case where n = 2:&lt;/p&gt;\n &lt;pre class=\&quot;language-bash\&quot;&gt;&lt;code class=\&quot;language-bash\&quot;&gt;Z_1 = x(M_1),\nZ_2 = x(M_2),\n(c_1*Z_1) = c_1(x*M_1) = x(c_1*M_1),\n(c_2*Z_2) = c_2(x*M_2) = x(c_2*M_2),\n(c_1*Z_1) + (c_2*Z_2) = x[(c_1*M_1) + (c_2*M_2)]\n&lt;/code&gt;&lt;/pre&gt;\n &lt;p&gt;Therefore, all the elliptic curve points will have the same discrete log relation as each other, and that common relation is the secret key that is committed to by the edge.&lt;/p&gt;&lt;h4&gt;Benefits of V-OPRF vs blind RSA&lt;/h4&gt;&lt;p&gt;While the blind RSA specification that we released fulfilled our needs, we make the following concrete gains:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;Simpler, faster primitives&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;10x savings in pass size (~256 bits using P-256 instead of ~2048)&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The only thing the edge has to manage is a private scalar. No certificates.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;No need for public-key encryption at all, since the derived shared key used to calculate each MAC is never transmitted and cannot be found from passive observation without knowledge of the edge key or the user&amp;#39;s blinding factor.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Exponentiations are more efficient due to use of elliptic curves.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Easier key rotation. 
Instead of managing certificates pinned in TBB and submitted to CT, we can use the DLEQ proofs to allow users to positively verify they&amp;#39;re in the same anonymity set with regard to the edge secret key as everyone else.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Download&lt;/h4&gt;&lt;p&gt;Privacy Pass v1.0 is available as a browser extension for &lt;a href=\&quot;https://chrome.google.com/webstore/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi\&quot;&gt;Chrome&lt;/a&gt; and &lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt;. If you find any issues while using it, then &lt;a href=\&quot;https://privacypass.github.io\&quot;&gt;let us know&lt;/a&gt;.&lt;/p&gt;&lt;h4&gt;Source code&lt;/h4&gt;&lt;p&gt;The code for the browser extension and server has been open-sourced and can be found at &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-extension\&quot;&gt;https://github.com/privacypass/challenge-bypass-extension&lt;/a&gt; and &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-server\&quot;&gt;https://github.com/privacypass/challenge-bypass-server&lt;/a&gt; respectively. We welcome contributions if you happen to notice any improvements that can be made to either component. 
If you would like to get in contact with the Privacy Pass team then find us at our &lt;a href=\&quot;https://privacypass.github.io\&quot;&gt;website&lt;/a&gt;.&lt;/p&gt;&lt;h4&gt;Protocol details&lt;/h4&gt;&lt;p&gt;More information about the protocol can be found &lt;a href=\&quot;https://privacypass.github.io/protocol\&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;h4&gt;Acknowledgements&lt;/h4&gt;&lt;p&gt;The creation of Privacy Pass has been a joint effort by the team made up of George Tankersley, Ian Goldberg, Nick Sullivan, Filippo Valsorda and myself.&lt;/p&gt;&lt;p&gt;I&amp;#39;d also like to thank Eric Tsai for creating the logo and extension design, Dan Boneh for helping us develop key parts of the protocol, as well as Peter Wu and Blake Loring for their helpful code reviews. We would also like to acknowledge Sharon Goldberg, Christopher Wood, Peter Eckersley, Brian Warner, Zaki Manian, Tony Arcieri, Prateek Mittal, Zhuotao Liu, Isis Lovecruft, Henry de Valence, Mike Perry, Trevor Perrin, Zi Lin, Justin Paine, Marek Majkowski, Eoin Brady, Aaran McGuire, and many others who were involved in one way or another and whose efforts are appreciated.&lt;/p&gt;&lt;h4&gt;References&lt;/h4&gt;&lt;p&gt;Cha82: Chaum. &lt;a href=\&quot;https://dl.acm.org/citation.cfm?doid=4372.4373\&quot;&gt;Blind signatures for untraceable payments. CRYPTO’82&lt;/a&gt;CP93: Chaum, Pedersen. &lt;a href=\&quot;http://chaum.com/publications/Wallet_Databases.pdf\&quot;&gt;Wallet Databases with Observers. CRYPTO&amp;#39;92.&lt;/a&gt;Hen14: Ryan Henry. &lt;a href=\&quot;https://uwspace.uwaterloo.ca/bitstream/handle/10012/8621/Henry_Ryan.pdf\&quot;&gt;Efficient Zero-Knowledge Proofs and Applications, August 2014.&lt;/a&gt;JKK14: Jarecki, Kiayias, Krawczyk. &lt;a href=\&quot;https://eprint.iacr.org/2014/650.pdf\&quot;&gt;Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only model.&lt;/a&gt;JKKX16: Jarecki, Kiayias, Krawczyk, Xu. 
&lt;a href=\&quot;https://eprint.iacr.org/2016/144.pdf\&quot;&gt;Highly-Efficient and Composable Password-Protected Secret Sharing.&lt;/a&gt;&lt;/p&gt;&quot;],&quot;published_at&quot;:[0,&quot;2017-11-09T16:05:00.000+00:00&quot;],&quot;updated_at&quot;:[0,&quot;2024-10-10T00:42:12.304Z&quot;],&quot;feature_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1yXzyZDnhtRQkiULdIAWCK/221255b93aab8c3fe5dce7eb2d871a80/privacy-pass-the-math.png&quot;],&quot;tags&quot;:[1,[[0,{&quot;id&quot;:[0,&quot;3ZtL0yV0R4ScAreV1dTfIY&quot;],&quot;name&quot;:[0,&quot;Privacy Pass&quot;],&quot;slug&quot;:[0,&quot;privacy-pass&quot;]}],[0,{&quot;id&quot;:[0,&quot;6Mp7ouACN2rT3YjL1xaXJx&quot;],&quot;name&quot;:[0,&quot;Security&quot;],&quot;slug&quot;:[0,&quot;security&quot;]}],[0,{&quot;id&quot;:[0,&quot;11uq7RpwEtvy8Ic53C6cMR&quot;],&quot;name&quot;:[0,&quot;CAPTCHA&quot;],&quot;slug&quot;:[0,&quot;captcha&quot;]}],[0,{&quot;id&quot;:[0,&quot;3skwJ34K0c3CEY1cNogR4n&quot;],&quot;name&quot;:[0,&quot;Chrome&quot;],&quot;slug&quot;:[0,&quot;chrome&quot;]}],[0,{&quot;id&quot;:[0,&quot;kn8Lmy4luvCeAabblVvHH&quot;],&quot;name&quot;:[0,&quot;Firefox&quot;],&quot;slug&quot;:[0,&quot;firefox&quot;]}],[0,{&quot;id&quot;:[0,&quot;1x7tpPmKIUCt19EDgM1Tsl&quot;],&quot;name&quot;:[0,&quot;Research&quot;],&quot;slug&quot;:[0,&quot;research&quot;]}],[0,{&quot;id&quot;:[0,&quot;1QsJUMpv0QBSLiVZLLQJ3V&quot;],&quot;name&quot;:[0,&quot;Cryptography&quot;],&quot;slug&quot;:[0,&quot;cryptography&quot;]}]]],&quot;relatedTags&quot;:[0],&quot;authors&quot;:[1,[[0,{&quot;name&quot;:[0,&quot;Alex 
Davidson&quot;],&quot;slug&quot;:[0,&quot;alex-davidson&quot;],&quot;bio&quot;:[0,null],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1m0ky2DnnbIO9nnFOvrHoH/cc78437164b23c2556e933cae0681534/alex-davidson.jpg&quot;],&quot;location&quot;:[0,null],&quot;website&quot;:[0,null],&quot;twitter&quot;:[0,null],&quot;facebook&quot;:[0,null]}]]],&quot;meta_description&quot;:[0,null],&quot;primary_author&quot;:[0,{}],&quot;localeList&quot;:[0,{&quot;name&quot;:[0,&quot;Privacy Pass - “The Math” Config&quot;],&quot;enUS&quot;:[0,&quot;English for Locale&quot;],&quot;zhCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhHansCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhTW&quot;:[0,&quot;No Page for Locale&quot;],&quot;frFR&quot;:[0,&quot;No Page for Locale&quot;],&quot;deDE&quot;:[0,&quot;No Page for Locale&quot;],&quot;itIT&quot;:[0,&quot;No Page for Locale&quot;],&quot;jaJP&quot;:[0,&quot;No Page for Locale&quot;],&quot;koKR&quot;:[0,&quot;No Page for Locale&quot;],&quot;ptBR&quot;:[0,&quot;No Page for Locale&quot;],&quot;esLA&quot;:[0,&quot;No Page for Locale&quot;],&quot;esES&quot;:[0,&quot;No Page for Locale&quot;],&quot;enAU&quot;:[0,&quot;No Page for Locale&quot;],&quot;enCA&quot;:[0,&quot;No Page for Locale&quot;],&quot;enIN&quot;:[0,&quot;No Page for Locale&quot;],&quot;enGB&quot;:[0,&quot;No Page for Locale&quot;],&quot;idID&quot;:[0,&quot;No Page for Locale&quot;],&quot;ruRU&quot;:[0,&quot;No Page for Locale&quot;],&quot;svSE&quot;:[0,&quot;No Page for Locale&quot;],&quot;viVN&quot;:[0,&quot;No Page for Locale&quot;],&quot;plPL&quot;:[0,&quot;No Page for Locale&quot;],&quot;arAR&quot;:[0,&quot;No Page for Locale&quot;],&quot;nlNL&quot;:[0,&quot;No Page for Locale&quot;],&quot;thTH&quot;:[0,&quot;No Page for Locale&quot;],&quot;trTR&quot;:[0,&quot;No Page for Locale&quot;],&quot;heIL&quot;:[0,&quot;No Page for Locale&quot;],&quot;lvLV&quot;:[0,&quot;No Page for Locale&quot;],&quot;etEE&quot;:[0,&quot;No Page for 
Locale&quot;],&quot;ltLT&quot;:[0,&quot;No Page for Locale&quot;]}],&quot;url&quot;:[0,&quot;https://blog.cloudflare.com/privacy-pass-the-math&quot;],&quot;metadata&quot;:[0,{&quot;title&quot;:[0],&quot;description&quot;:[0],&quot;imgPreview&quot;:[0,&quot;&quot;]}]}],[0,{&quot;id&quot;:[0,&quot;7vBxBfvbpwQEokzxhTdIy6&quot;],&quot;title&quot;:[0,&quot;Cloudflare supports Privacy Pass&quot;],&quot;slug&quot;:[0,&quot;cloudflare-supports-privacy-pass&quot;],&quot;excerpt&quot;:[0,&quot;Cloudflare supports Privacy Pass, a recently-announced privacy-preserving protocol developed in collaboration with researchers from Royal Holloway and the University of Waterloo. &quot;],&quot;featured&quot;:[0,false],&quot;html&quot;:[0,&quot;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7vA4PjhsAUXab0yreDk1Mu/c21cba4090509585301555d18a44f02f/DONF9cRWsAE3OZf-1-2.jpg\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;440\&quot; height=\&quot;131\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;enabling-anonymous-access-to-the-web-with-privacy-preserving-cryptography\&quot;&gt;Enabling anonymous access to the web with privacy-preserving cryptography&lt;/h3&gt;\n &lt;a href=\&quot;#enabling-anonymous-access-to-the-web-with-privacy-preserving-cryptography\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 
1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Cloudflare supports Privacy Pass, a &lt;a href=\&quot;https://medium.com/@alxdavids/privacy-pass-6f0acf075288\&quot;&gt;recently-announced&lt;/a&gt; privacy-preserving protocol developed in collaboration &lt;a href=\&quot;https://privacypass.github.io\&quot;&gt;with researchers from Royal Holloway and the University of Waterloo&lt;/a&gt;. Privacy Pass leverages an idea from cryptography — zero-knowledge proofs — to let users prove their identity across multiple sites anonymously without enabling tracking. Users can now use the Privacy Pass browser extension to reduce the number of challenge pages presented by Cloudflare. We are happy to support this protocol and believe that it will help improve the browsing experience for some of the Internet’s least privileged users.&lt;/p&gt;&lt;p&gt;The Privacy Pass extension is available for both &lt;a href=\&quot;https://chrome.google.com/webstore/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi\&quot;&gt;Chrome&lt;/a&gt; and &lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;Firefox&lt;/a&gt;. When people use anonymity services or shared IPs, it makes it more difficult for &lt;a href=\&quot;https://www.cloudflare.com/learning/security/how-to-secure-a-website/\&quot;&gt;website protection services&lt;/a&gt; like Cloudflare to identify their requests as coming from legitimate users and not bots. Privacy Pass helps reduce the friction for these users—which include some of the most vulnerable users online—by providing them a way to prove that they are a human across multiple sites on the Cloudflare network. This is done without revealing their identity, and without exposing Cloudflare customers to additional threats from malicious bots. 
As the first service to support Privacy Pass, we hope to help demonstrate its usefulness and encourage more Internet services to adopt it.&lt;/p&gt;&lt;p&gt;Adding support for Privacy Pass is part of a broader initiative to help make the Internet accessible to as many people as possible. Because Privacy Pass will only be used by a small subset of users, we are also working on other improvements to our network in service of this goal. For example, we are making improvements in our request categorization logic to better identify bots and to improve the web experience for legitimate users who are negatively affected by Cloudflare’s current bot protection algorithms. As this system improves, users should see fewer challenges and site operators should see fewer requests from unwanted bots. We consider Privacy Pass a piece of this puzzle.&lt;/p&gt;&lt;p&gt;Privacy Pass is fully open source under a BSD license and the code is available &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-extension\&quot;&gt;on GitHub&lt;/a&gt;. We encourage anyone who is interested to download the source code, play around with the implementations and contribute to the project. The Pass Team have also open sourced a &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-server\&quot;&gt;reference implementation of the server&lt;/a&gt; in Go if you want to test both sides of the system. Privacy Pass support at Cloudflare is currently in beta. 
If you find a bug, please let the team know by creating an issue on GitHub.&lt;/p&gt;&lt;p&gt;In this blog post I&amp;#39;ll be going into depth about the problems that motivated our support for this project and how you can use it to reduce the annoyance factor of CAPTCHAs and other user challenges online.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;enabling-universal-access-to-content\&quot;&gt;Enabling universal access to content&lt;/h3&gt;\n &lt;a href=\&quot;#enabling-universal-access-to-content\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;Cloudflare believes that the &lt;a href=\&quot;/ensuring-that-the-web-is-for-everyone/\&quot;&gt;web is for everyone&lt;/a&gt;. This includes people who are accessing the web anonymously or through shared infrastructure. Tools like VPNs are useful for protecting your identity online, and people using these tools should have the same access as everyone else. 
We believe the vast collection of information and services that make up the Internet should be available to every person.&lt;/p&gt;&lt;p&gt;In a &lt;a href=\&quot;/the-trouble-with-tor/\&quot;&gt;blog post last year&lt;/a&gt;, our CEO, Matthew Prince, spoke about the tension between security, anonymity, and convenience on the Internet. He posited that in order to secure a website or service while still allowing anonymous visitors, you have to sacrifice a bit of convenience for these users. This tradeoff is something that every website or web service has to make.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1rTJ4tISNkUI4x5SxAZIWU/3a9ad7898fa4811504aeb44db6b168d2/image5.jpg\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1718\&quot; height=\&quot;1226\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;The Internet is full of bad actors. The frequency and severity of online attacks are &lt;a href=\&quot;http://techspective.net/2017/08/12/latest-ddos-trends-learning-experts/\&quot;&gt;rising every year&lt;/a&gt;. This turbulent environment not only threatens websites and web services with attacks, it threatens their ability to stay online. As smaller and more diverse sites become targets of anonymous threats, a greater percentage of the Internet will choose to sacrifice user convenience in order to stay secure and universally accessible.&lt;/p&gt;&lt;p&gt;The average Internet user visits dozens of sites and services every day. Jumping through a hoop or two when trying to access a single website is not that big of a problem for people. Having to do that for every site you visit every day can be exhausting. This is the problem that Privacy Pass is perfectly designed to solve.&lt;/p&gt;&lt;p&gt;Privacy Pass doesn’t completely eliminate this inconvenience. 
Matthew’s trilemma still applies: anonymous users are still inconvenienced for sites that want security. What Privacy Pass does is to notably reduce that inconvenience for users with access to a browser. Instead of having to be inconvenienced thirty times to visit thirty different domains, you only have to be inconvenienced once to gain access to thirty domains on the Cloudflare network. Crucially, unlike unauthorized services like &lt;a href=\&quot;https://addons.mozilla.org/firefox/addon/cloudhole/\&quot;&gt;CloudHole&lt;/a&gt;, Privacy Pass is designed to respect user privacy and anonymity. This is done using privacy-preserving cryptography, which prevents Cloudflare or anyone else from tracking a user’s browsing across sites. Before we go into how this works, let’s take a step back and take a look at why this is necessary.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;am-i-a-bot-or-not\&quot;&gt;Am I a bot or not?&lt;/h3&gt;\n &lt;a href=\&quot;#am-i-a-bot-or-not\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n \n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/43zt4JxSv0HW37HA0mfbpj/35736e017d0903dc6c0a89e135635e67/image2.jpg\&quot; 
alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1999\&quot; height=\&quot;1500\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;&lt;a href=\&quot;https://commons.wikimedia.org/wiki/File:Metal_House_Battery_Operated_New_2010_Robots_You_are_Three_Times_a_Robot~~.jpg\&quot;&gt;D J Shin&lt;/a&gt; Creative Commons Attribution-Share Alike 3.0 Unported&lt;/p&gt;&lt;p&gt;Without explicit information about the identity of a user, a web server has to rely on fuzzy signals to guess which request is from a bot and which is from a human. For example, bots often use automated scripts instead of web browsers to do their crawling. The way in which scripts make web requests often differs in subtle ways from how web browsers would make the same request.&lt;/p&gt;&lt;p&gt;A simple way for a user to prove they are not a bot to a website is by logging in. By providing valid authentication credentials tied to a long-term identity, a user is exchanging their anonymity for convenience. Having valid authentication credentials is a strong signal that a request is not from a bot. Typically, if you authenticate yourself to a website (say by entering your username and password) the website sets what’s called a “cookie”. A cookie is just a piece of data with an expiration date that’s stored by the browser. As long as the cookie hasn’t expired, the browser includes it as part of the subsequent requests to the server that set it. Authentication cookies are what websites use to know whether you’re logged in or not. Cookies are only sent to the domain that set them. A cookie set by site1.com is not sent for requests to site2.com. This prevents identity leakage from one site to another.&lt;/p&gt;&lt;p&gt;A request with an authentication cookie is usually not from a bot, so bot detection is much easier for sites that require authentication. 
Authentication is by definition de-anonymizing, so putting this in terms of Matthew’s trilemma, these sites can have security and convenience because they provide no anonymous access. The web would be a very different place if every website required authentication to display content, so this signal can only be used for a small set of sites. The question for the rest of the Internet becomes: without authentication cookies, what else can be used as a signal that a user is a person and not a bot?&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;the-turing-test\&quot;&gt;The Turing Test&lt;/h3&gt;\n &lt;a href=\&quot;#the-turing-test\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;One thing that can be used is a user challenge: a task that the server asks the user to do before showing content. User challenges can come in many forms, from a &lt;a href=\&quot;https://en.wikipedia.org/wiki/Proof-of-work_system\&quot;&gt;proof-of-work&lt;/a&gt; to a &lt;a href=\&quot;https://en.wikipedia.org/w/index.php?title=Guided_tour_puzzle_protocol\&quot;&gt;guided tour puzzle&lt;/a&gt; to the classic CAPTCHA. 
A CAPTCHA (an acronym for &amp;quot;Completely Automated Public Turing test to tell Computers and Humans Apart&amp;quot;) is a test to see if the user is a human or not. It often involves reading some scrambled letters or identifying certain slightly obscured objects — tasks that humans are generally better at than automated programs. The goal of a user challenge is not only to deter bots, but to gain confidence that a visitor is a person. Cloudflare uses a combination of different techniques as user challenges.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2VcN8gtQWsULtIcGMggqDJ/c51be6c6bb97edf8836d04b2542a4f63/image7.jpg\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;300\&quot; height=\&quot;57\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;CAPTCHAs can be annoying and time-consuming to solve, so they are usually reserved for visitors with a high probability of being malicious.&lt;/p&gt;&lt;p&gt;The challenge system Cloudflare uses is cookie-based. If you solve a challenge correctly, Cloudflare will set a cookie called &lt;code&gt;CF_CLEARANCE&lt;/code&gt; for the domain that presented the challenge. 
Clearance cookies are like authentication cookies, but instead of being tied to an identity, they are tied to the fact that you solved a challenge sometime in the past.&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;Person sends Request&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Server responds with a challenge&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Person sends solution&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Server responds with &lt;code&gt;set-cookie&lt;/code&gt; and bypass cookie&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Person sends new request with cookie&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Server responds with content from origin&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Site visitors who are able to solve a challenge are much more likely to be people than bots; the harder the challenge, the more likely the visitor is a person. The presence of a valid &lt;code&gt;CF_CLEARANCE&lt;/code&gt; cookie is a strong positive signal that a request is from a legitimate person.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;how-privacy-pass-protects-your-privacy-a-voting-analogy\&quot;&gt;How Privacy Pass protects your privacy: a voting analogy&lt;/h3&gt;\n &lt;a href=\&quot;#how-privacy-pass-protects-your-privacy-a-voting-analogy\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n 
&lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;You can use cryptography to prove that you have solved a challenge of a certain difficulty without revealing which challenge you solved. The technique that enables this is something called a &lt;a href=\&quot;https://en.wikipedia.org/wiki/Zero-knowledge_proof\&quot;&gt;Zero-knowledge proof&lt;/a&gt;. This may sound scary, so let’s use a real-world scenario, vote certification, to explain the idea.&lt;/p&gt;&lt;p&gt;In some voting systems the operators of the voting center certify every ballot before sending them to be counted. This is to prevent people from adding fraudulent ballots while the ballots are being transferred from where the vote takes place to where the vote is counted.&lt;/p&gt;&lt;p&gt;An obvious mechanism would be to have the certifier sign every ballot that a voter submits. However, this would mean that the certifier, having just seen the person that handed them a ballot, would know how each person voted. Instead, we can use a better mechanism that preserves voters’ privacy using an envelope and some carbon paper.&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;The voter fills out their ballot&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3jJCdqzHAp2kJrLYM3sYCT/5cfc32ff560877037977e7530faf1929/image6.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1042\&quot; height=\&quot;730\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The voter puts their ballot into an envelope along with a piece of carbon paper, and seals the envelope&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7z8pR9zhr9HYM4OE9y2r4f/26fc8bcb4a1e4c92637cfc5b0f6ea0fb/image1.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1042\&quot; height=\&quot;730\&quot; 
loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The sealed envelope is given to the certifier&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3OhNebQdBXnoTBrBOTcDN9/54ad9db17b0956adc0a973f9a4d56b6b/image3.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1043\&quot; height=\&quot;730\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The certifier signs the outside of the envelope. The pressure of the signature transfers the signature from the carbon paper to the ballot itself, effectively signing the ballot.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/fOvx6CrNvdsaPofVLPgPG/c33497b10a9212634b63c0bb349809dc/image8.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1043\&quot; height=\&quot;730\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Later, when the ballot counter unseals the envelope, they see the certifier’s signature on the ballot.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4FSldNuKdhhv537vDigZtp/c35bd412ad8c468d9b2068149afef072/image4.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1042\&quot; height=\&quot;730\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;With this system, a voting administrator can authenticate a ballot without knowing its content, and then the ballot can be verified by an independent assessor.&lt;/p&gt;&lt;p&gt;Privacy Pass is like vote certification for the Internet. 
In this analogy, Cloudflare’s challenge checking service is the vote certifier, Cloudflare’s bot detection service is the vote counter and the anonymous visitor is the voter. When a user encounters a challenge on site A, they put a ballot into a sealed envelope and send it to the server along with the challenge solution. The server then signs the envelope and returns it to the client. Since the server is effectively signing the ballot without knowing its contents, this is called a &lt;i&gt;blind signature&lt;/i&gt;.&lt;/p&gt;&lt;p&gt;When the user sees a challenge on site B, the user takes the ballot out of the envelope and sends it to the server. The server then checks the signature on the ballot, which proves that the user has solved a challenge. Because the server has never seen the contents of the ballot, it doesn’t know which site the challenge was solved for, just that a challenge was solved.&lt;/p&gt;&lt;p&gt;It turns out that with the right cryptographic construction, you can approximate this scenario digitally. This is the idea behind Privacy Pass.&lt;/p&gt;&lt;p&gt;The Privacy Pass team implemented this using a privacy-preserving cryptographic construction called an Elliptic Curve Verifiable Oblivious Pseudo-Random Function (EC-VOPRF). Yes, it’s a mouthful. From the Privacy Pass Team:&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Every time the Privacy Pass plugin needs a new set of privacy passes, it creates a set of thirty random numbers &lt;code&gt;t1&lt;/code&gt; to &lt;code&gt;t30&lt;/code&gt;, hashes them into a curve (P-256 in our case), blinds them with a value &lt;code&gt;b&lt;/code&gt; and sends them along with a challenge solution. The server returns the set of points multiplied by its private key and a batch discrete logarithm equivalence proof. Each pair &lt;code&gt;tn, HMAC(n,M)&lt;/code&gt; constitutes a Privacy Pass and can be redeemed to solve a subsequent challenge. 
Voila!&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;If none of these words make sense to you and you want to know more, check out the Privacy Pass team’s &lt;a href=\&quot;https://privacypass.github.io/protocol/\&quot;&gt;protocol design document&lt;/a&gt;.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;making-it-work-in-the-browser\&quot;&gt;Making it work in the browser&lt;/h3&gt;\n &lt;a href=\&quot;#making-it-work-in-the-browser\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;It takes more than a nice security protocol based on solid cryptography to make something useful in the real world. To bring the advantages of this protocol to users, the Privacy Pass team built a client in JavaScript and packaged it using &lt;a href=\&quot;https://developer.mozilla.org/en-US/Add-ons/WebExtensions/What_are_WebExtensions\&quot;&gt;WebExtensions&lt;/a&gt;, a cross-browser framework for developing applications that run in the browser and modify website behavior. This standard is compatible with both Chrome and Firefox. 
A reference implementation of the server side of the protocol was &lt;a href=\&quot;https://github.com/privacypass/challenge-bypass-server\&quot;&gt;also implemented in Go&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;If you’re a web user and are annoyed by CAPTCHAs, you can download the Privacy Pass extension for Chrome &lt;a href=\&quot;https://chrome.google.com/webstore/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi\&quot;&gt;here&lt;/a&gt; and for Firefox &lt;a href=\&quot;https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/\&quot;&gt;here&lt;/a&gt;. It will significantly improve your web browsing experience. Once it is installed, you’ll see a small icon on your browser with a number under it. The number is how many unused privacy passes you have. If you are running low on passes, simply click on the icon and select “Get More Passes,” which will load a CAPTCHA you can solve in exchange for thirty passes. Every time you visit a domain that requires a user challenge page to view, Privacy Pass will “spend” a pass and the content will load transparently. Note that you may see more than one pass spent when you load a site for the first time if the site has subresources from multiple domains.&lt;/p&gt;\n &lt;figure class=\&quot;kg-card kg-image-card \&quot;&gt;\n \n &lt;Image src=\&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/23gnEcti3z4owPHwH37m6o/09b9335b07c60d4e20b2510159f83440/Firefox-3--2-.png\&quot; alt=\&quot;\&quot; class=\&quot;kg-image\&quot; width=\&quot;1280\&quot; height=\&quot;800\&quot; loading=\&quot;lazy\&quot;/&gt;\n \n &lt;/figure&gt;&lt;p&gt;The Privacy Pass extension works by hooking into the browser and looking for HTTP responses that have a specific header that indicates support for the Privacy Pass protocol. When a challenge page is returned, the extension will either try to issue new privacy passes or redeem existing privacy passes. 
The cryptographic operations in the plugin were built on top of &lt;a href=\&quot;https://github.com/bitwiseshiftleft/sjcl\&quot;&gt;SJCL&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;If you’re a Cloudflare customer and want to opt out from supporting Privacy Pass, please &lt;a href=\&quot;https://support.cloudflare.com\&quot;&gt;contact our support team&lt;/a&gt; and they will disable it for you. We are soon adding a toggle for Privacy Pass in the Firewall app in the Cloudflare dashboard.&lt;/p&gt;\n &lt;div class=\&quot;flex anchor relative\&quot;&gt;\n &lt;h3 id=\&quot;the-web-is-for-everyone\&quot;&gt;The web is for everyone&lt;/h3&gt;\n &lt;a href=\&quot;#the-web-is-for-everyone\&quot; aria-hidden=\&quot;true\&quot; class=\&quot;relative sm:absolute sm:-left-5\&quot;&gt;\n &lt;svg width=\&quot;16\&quot; height=\&quot;16\&quot; viewBox=\&quot;0 0 24 24\&quot;&gt;&lt;path fill=\&quot;currentcolor\&quot; d=\&quot;m12.11 15.39-3.88 3.88a2.52 2.52 0 0 1-3.5 0 2.47 2.47 0 0 1 0-3.5l3.88-3.88a1 1 0 0 0-1.42-1.42l-3.88 3.89a4.48 4.48 0 0 0 6.33 6.33l3.89-3.88a1 1 0 1 0-1.42-1.42Zm8.58-12.08a4.49 4.49 0 0 0-6.33 0l-3.89 3.88a1 1 0 0 0 1.42 1.42l3.88-3.88a2.52 2.52 0 0 1 3.5 0 2.47 2.47 0 0 1 0 3.5l-3.88 3.88a1 1 0 1 0 1.42 1.42l3.88-3.89a4.49 4.49 0 0 0 0-6.33ZM8.83 15.17a1 1 0 0 0 1.1.22 1 1 0 0 0 .32-.22l4.92-4.92a1 1 0 0 0-1.42-1.42l-4.92 4.92a1 1 0 0 0 0 1.42Z\&quot;&gt;&lt;/path&gt;&lt;/svg&gt;\n &lt;/a&gt;\n &lt;/div&gt;\n &lt;p&gt;The technology behind Privacy Pass is free for anyone to use. We see a bright future for this technology and think it will benefit from community involvement. The protocol is currently only deployed at Cloudflare, but it could easily be used across different organizations. It’s easy to imagine obtaining a Privacy Pass that proves that you have a Twitter or Facebook identity and using it to access other services on the Internet without revealing your identity, for example. 
There are a wide variety of applications of this technology that extend well beyond our current use cases.&lt;/p&gt;&lt;p&gt;If this technology is intriguing to you and you want to collaborate, please reach out to the Privacy Pass team on &lt;a href=\&quot;https://github.com/privacypass\&quot;&gt;GitHub&lt;/a&gt;.&lt;/p&gt;&quot;],&quot;published_at&quot;:[0,&quot;2017-11-09T16:00:00.000+00:00&quot;],&quot;updated_at&quot;:[0,&quot;2024-10-10T00:42:11.701Z&quot;],&quot;feature_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5Q9x8oXuoqqS5PV6rsYOBm/cf4adf16d3d2c75555d5bb6eef5405ce/cloudflare-supports-privacy-pass.png&quot;],&quot;tags&quot;:[1,[[0,{&quot;id&quot;:[0,&quot;3BWeMuiOShelE7QM48sW9j&quot;],&quot;name&quot;:[0,&quot;Privacy&quot;],&quot;slug&quot;:[0,&quot;privacy&quot;]}],[0,{&quot;id&quot;:[0,&quot;11uq7RpwEtvy8Ic53C6cMR&quot;],&quot;name&quot;:[0,&quot;CAPTCHA&quot;],&quot;slug&quot;:[0,&quot;captcha&quot;]}],[0,{&quot;id&quot;:[0,&quot;3ZtL0yV0R4ScAreV1dTfIY&quot;],&quot;name&quot;:[0,&quot;Privacy Pass&quot;],&quot;slug&quot;:[0,&quot;privacy-pass&quot;]}],[0,{&quot;id&quot;:[0,&quot;kn8Lmy4luvCeAabblVvHH&quot;],&quot;name&quot;:[0,&quot;Firefox&quot;],&quot;slug&quot;:[0,&quot;firefox&quot;]}],[0,{&quot;id&quot;:[0,&quot;3skwJ34K0c3CEY1cNogR4n&quot;],&quot;name&quot;:[0,&quot;Chrome&quot;],&quot;slug&quot;:[0,&quot;chrome&quot;]}],[0,{&quot;id&quot;:[0,&quot;1x7tpPmKIUCt19EDgM1Tsl&quot;],&quot;name&quot;:[0,&quot;Research&quot;],&quot;slug&quot;:[0,&quot;research&quot;]}],[0,{&quot;id&quot;:[0,&quot;1QsJUMpv0QBSLiVZLLQJ3V&quot;],&quot;name&quot;:[0,&quot;Cryptography&quot;],&quot;slug&quot;:[0,&quot;cryptography&quot;]}]]],&quot;relatedTags&quot;:[0],&quot;authors&quot;:[1,[[0,{&quot;name&quot;:[0,&quot;Nick Sullivan&quot;],&quot;slug&quot;:[0,&quot;nick-sullivan&quot;],&quot;bio&quot;:[0,&quot;Nick Sullivan was Head of Research (&amp; Cryptography) at Cloudflare until 2023. 
He is passionate about improving security and privacy through cutting-edge research and the development of open standards.&quot;],&quot;profile_image&quot;:[0,&quot;https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1awsFzXodRY6h5BEcWKcCE/790c21d068aea9d2fd26497f095abdc5/nick-sullivan.jpg&quot;],&quot;location&quot;:[0,&quot;San Francisco&quot;],&quot;website&quot;:[0,&quot;https://crypto.dance&quot;],&quot;twitter&quot;:[0,&quot;@grittygrease&quot;],&quot;facebook&quot;:[0,null]}]]],&quot;meta_description&quot;:[0,null],&quot;primary_author&quot;:[0,{}],&quot;localeList&quot;:[0,{&quot;name&quot;:[0,&quot;Cloudflare supports Privacy Pass Config&quot;],&quot;enUS&quot;:[0,&quot;English for Locale&quot;],&quot;zhCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhHansCN&quot;:[0,&quot;No Page for Locale&quot;],&quot;zhTW&quot;:[0,&quot;No Page for Locale&quot;],&quot;frFR&quot;:[0,&quot;No Page for Locale&quot;],&quot;deDE&quot;:[0,&quot;No Page for Locale&quot;],&quot;itIT&quot;:[0,&quot;No Page for Locale&quot;],&quot;jaJP&quot;:[0,&quot;No Page for Locale&quot;],&quot;koKR&quot;:[0,&quot;No Page for Locale&quot;],&quot;ptBR&quot;:[0,&quot;No Page for Locale&quot;],&quot;esLA&quot;:[0,&quot;No Page for Locale&quot;],&quot;esES&quot;:[0,&quot;No Page for Locale&quot;],&quot;enAU&quot;:[0,&quot;No Page for Locale&quot;],&quot;enCA&quot;:[0,&quot;No Page for Locale&quot;],&quot;enIN&quot;:[0,&quot;No Page for Locale&quot;],&quot;enGB&quot;:[0,&quot;No Page for Locale&quot;],&quot;idID&quot;:[0,&quot;No Page for Locale&quot;],&quot;ruRU&quot;:[0,&quot;No Page for Locale&quot;],&quot;svSE&quot;:[0,&quot;No Page for Locale&quot;],&quot;viVN&quot;:[0,&quot;No Page for Locale&quot;],&quot;plPL&quot;:[0,&quot;No Page for Locale&quot;],&quot;arAR&quot;:[0,&quot;No Page for Locale&quot;],&quot;nlNL&quot;:[0,&quot;No Page for Locale&quot;],&quot;thTH&quot;:[0,&quot;No Page for Locale&quot;],&quot;trTR&quot;:[0,&quot;No Page for Locale&quot;],&quot;heIL&quot;:[0,&quot;No Page 
for Locale&quot;],&quot;lvLV&quot;:[0,&quot;No Page for Locale&quot;],&quot;etEE&quot;:[0,&quot;No Page for Locale&quot;],&quot;ltLT&quot;:[0,&quot;No Page for Locale&quot;]}],&quot;url&quot;:[0,&quot;https://blog.cloudflare.com/cloudflare-supports-privacy-pass&quot;],&quot;metadata&quot;:[0,{&quot;title&quot;:[0],&quot;description&quot;:[0],&quot;imgPreview&quot;:[0,&quot;&quot;]}]}]]],&quot;translations&quot;:[0,{&quot;posts.by&quot;:[0,&quot;By&quot;],&quot;footer.gdpr&quot;:[0,&quot;GDPR&quot;],&quot;lang_blurb1&quot;:[0,&quot;This post is also available in {lang1}.&quot;],&quot;lang_blurb2&quot;:[0,&quot;This post is also available in {lang1} and {lang2}.&quot;],&quot;lang_blurb3&quot;:[0,&quot;This post is also available in {lang1}, {lang2} and {lang3}.&quot;],&quot;footer.press&quot;:[0,&quot;Press&quot;],&quot;header.title&quot;:[0,&quot;The Cloudflare Blog&quot;],&quot;search.clear&quot;:[0,&quot;Clear&quot;],&quot;search.filter&quot;:[0,&quot;Filter&quot;],&quot;search.source&quot;:[0,&quot;Source&quot;],&quot;footer.careers&quot;:[0,&quot;Careers&quot;],&quot;footer.company&quot;:[0,&quot;Company&quot;],&quot;footer.support&quot;:[0,&quot;Support&quot;],&quot;footer.the_net&quot;:[0,&quot;theNet&quot;],&quot;search.filters&quot;:[0,&quot;Filters&quot;],&quot;footer.our_team&quot;:[0,&quot;Our team&quot;],&quot;footer.webinars&quot;:[0,&quot;Webinars&quot;],&quot;page.more_posts&quot;:[0,&quot;More posts&quot;],&quot;posts.time_read&quot;:[0,&quot;{time} min read&quot;],&quot;search.language&quot;:[0,&quot;Language&quot;],&quot;footer.community&quot;:[0,&quot;Community&quot;],&quot;footer.resources&quot;:[0,&quot;Resources&quot;],&quot;footer.solutions&quot;:[0,&quot;Solutions&quot;],&quot;footer.trademark&quot;:[0,&quot;Trademark&quot;],&quot;header.subscribe&quot;:[0,&quot;Subscribe&quot;],&quot;footer.compliance&quot;:[0,&quot;Compliance&quot;],&quot;footer.free_plans&quot;:[0,&quot;Free 
plans&quot;],&quot;footer.impact_ESG&quot;:[0,&quot;Impact/ESG&quot;],&quot;posts.follow_on_X&quot;:[0,&quot;Follow on X&quot;],&quot;footer.help_center&quot;:[0,&quot;Help center&quot;],&quot;footer.network_map&quot;:[0,&quot;Network Map&quot;],&quot;header.please_wait&quot;:[0,&quot;Please Wait&quot;],&quot;page.related_posts&quot;:[0,&quot;Related posts&quot;],&quot;search.result_stat&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt; for &lt;strong&gt;{search_keyword}&lt;/strong&gt;&quot;],&quot;footer.case_studies&quot;:[0,&quot;Case Studies&quot;],&quot;footer.connect_2024&quot;:[0,&quot;Connect 2024&quot;],&quot;footer.terms_of_use&quot;:[0,&quot;Terms of Use&quot;],&quot;footer.white_papers&quot;:[0,&quot;White Papers&quot;],&quot;footer.cloudflare_tv&quot;:[0,&quot;Cloudflare TV&quot;],&quot;footer.community_hub&quot;:[0,&quot;Community Hub&quot;],&quot;footer.compare_plans&quot;:[0,&quot;Compare plans&quot;],&quot;footer.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.contact_sales&quot;:[0,&quot;Contact Sales&quot;],&quot;header.email_address&quot;:[0,&quot;Email Address&quot;],&quot;page.error.not_found&quot;:[0,&quot;Page not found&quot;],&quot;footer.developer_docs&quot;:[0,&quot;Developer docs&quot;],&quot;footer.privacy_policy&quot;:[0,&quot;Privacy Policy&quot;],&quot;footer.request_a_demo&quot;:[0,&quot;Request a demo&quot;],&quot;page.continue_reading&quot;:[0,&quot;Continue reading&quot;],&quot;footer.analysts_report&quot;:[0,&quot;Analyst reports&quot;],&quot;footer.for_enterprises&quot;:[0,&quot;For enterprises&quot;],&quot;footer.getting_started&quot;:[0,&quot;Getting Started&quot;],&quot;footer.learning_center&quot;:[0,&quot;Learning Center&quot;],&quot;footer.project_galileo&quot;:[0,&quot;Project Galileo&quot;],&quot;pagination.newer_posts&quot;:[0,&quot;Newer Posts&quot;],&quot;pagination.older_posts&quot;:[0,&quot;Older 
Posts&quot;],&quot;posts.social_buttons.x&quot;:[0,&quot;Discuss on X&quot;],&quot;search.icon_aria_label&quot;:[0,&quot;Search&quot;],&quot;search.source_location&quot;:[0,&quot;Source/Location&quot;],&quot;footer.about_cloudflare&quot;:[0,&quot;About Cloudflare&quot;],&quot;footer.athenian_project&quot;:[0,&quot;Athenian Project&quot;],&quot;footer.become_a_partner&quot;:[0,&quot;Become a partner&quot;],&quot;footer.cloudflare_radar&quot;:[0,&quot;Cloudflare Radar&quot;],&quot;footer.network_services&quot;:[0,&quot;Network services&quot;],&quot;footer.trust_and_safety&quot;:[0,&quot;Trust &amp; Safety&quot;],&quot;header.get_started_free&quot;:[0,&quot;Get Started Free&quot;],&quot;page.search.placeholder&quot;:[0,&quot;Search Cloudflare&quot;],&quot;footer.cloudflare_status&quot;:[0,&quot;Cloudflare Status&quot;],&quot;footer.cookie_preference&quot;:[0,&quot;Cookie Preferences&quot;],&quot;header.valid_email_error&quot;:[0,&quot;Must be valid email.&quot;],&quot;search.result_stat_empty&quot;:[0,&quot;Results &lt;strong&gt;{search_range}&lt;/strong&gt; of &lt;strong&gt;{search_total}&lt;/strong&gt;&quot;],&quot;footer.connectivity_cloud&quot;:[0,&quot;Connectivity cloud&quot;],&quot;footer.developer_services&quot;:[0,&quot;Developer services&quot;],&quot;footer.investor_relations&quot;:[0,&quot;Investor relations&quot;],&quot;page.not_found.error_code&quot;:[0,&quot;Error Code: 404&quot;],&quot;search.autocomplete_title&quot;:[0,&quot;Insert a query. 
Press enter to send&quot;],&quot;footer.logos_and_press_kit&quot;:[0,&quot;Logos &amp; press kit&quot;],&quot;footer.application_services&quot;:[0,&quot;Application services&quot;],&quot;footer.get_a_recommendation&quot;:[0,&quot;Get a recommendation&quot;],&quot;posts.social_buttons.reddit&quot;:[0,&quot;Discuss on Reddit&quot;],&quot;footer.sse_and_sase_services&quot;:[0,&quot;SSE and SASE services&quot;],&quot;page.not_found.outdated_link&quot;:[0,&quot;You may have used an outdated link, or you may have typed the address incorrectly.&quot;],&quot;footer.report_security_issues&quot;:[0,&quot;Report Security Issues&quot;],&quot;page.error.error_message_page&quot;:[0,&quot;Sorry, we can&#39;t find the page you are looking for.&quot;],&quot;header.subscribe_notifications&quot;:[0,&quot;Subscribe to receive notifications of new posts:&quot;],&quot;footer.cloudflare_for_campaigns&quot;:[0,&quot;Cloudflare for Campaigns&quot;],&quot;header.subscription_confimation&quot;:[0,&quot;Subscription confirmed. 
Thank you for subscribing!&quot;],&quot;posts.social_buttons.hackernews&quot;:[0,&quot;Discuss on Hacker News&quot;],&quot;footer.diversity_equity_inclusion&quot;:[0,&quot;Diversity, equity &amp; inclusion&quot;],&quot;footer.critical_infrastructure_defense_project&quot;:[0,&quot;Critical Infrastructure Defense Project&quot;]}]}" ssr client="load" opts="{&quot;name&quot;:&quot;MorePosts&quot;,&quot;value&quot;:true}" await-children><div class="w-100 bt-l b--gray8"><h3 data-testid="more-posts-title" class="orange fw5 f4 ph3 mt4">MORE POSTS</h3></div><article data-testid="more-posts-article" class="w-100 w-100-m ph3 mb4"><p class="f3 fw5 gray1" data-iso-date="2017-11-09T16:05:00.000+00:00">November 09, 2017 4:05 PM</p><a href="/privacy-pass-the-math/" class="no-underline gray1 f4 fw5"><h6 class="gray1 f4 fw5 mt2">Privacy Pass - “The Math”</h6></a><p class="gray1 lh-copy">During a recent internship at Cloudflare, I had the chance to help integrate support for improving the accessibility of websites that are protected by the Cloudflare edge network. 
target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="community_hub" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Community Hub</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/galileo/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="galileo" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Project Galileo</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/athenian/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="athenian" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Athenian Project</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/campaigns/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="cloudflare-for-campaigns" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare for Campaigns</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/partners/technology-partners/cidp/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="critical-infrastructure-defense-project" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Critical Infrastructure Defense Project</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/connect2024/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="connect-2024" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Connect 2024</a></li></ul></div><div class="main-footer__menu-group"><ul id="support-menu" class="list pl0"><li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="support-menu">Support<i class="icon-caret-down"></i></li><li class="pt1 pb1"><a href="https://support.cloudflare.com" target="_blank" data-tracking-category="footer" data-tracking-action="click" 
data-tracking-label="help-center" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Help center</a></li><li class="pt1 pb1"><a href="https://www.cloudflarestatus.com" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="status" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Cloudflare Status</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/compliance/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="compliance" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Compliance</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/gdpr/introduction/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="gdpr" class="f1 blue3 no-underline underline-hover" rel="noreferrer">GDPR</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/trust-hub/abuse-approach/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="trust-and-safety" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Trust &amp; Safety</a></li></ul></div><div class="main-footer__menu-group"><ul id="company-menu" class="list pl0"><li class="pt1 pb1 f1 main-footer__menu-group__header js-toggle-footer-group" data-submenu="company-menu">Company<i class="icon-caret-down"></i></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/about-overview/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="overview" class="f1 blue3 no-underline underline-hover" rel="noreferrer">About Cloudflare</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/people/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="our_team" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Our team</a></li><li class="pt1 pb1"><a href="https://cloudflare.net/" 
target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="investor-relations" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Investor relations</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/press/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="press" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Press</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/careers/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="careers" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Careers</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/diversity-equity-and-inclusion/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="diversity-equity-inclusion" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Diversity, equity &amp; inclusion</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/impact/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="impact-ESG" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Impact/ESG</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/network/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="network_map" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Network Map</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/press-kit/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="press-kit" class="f1 blue3 no-underline underline-hover" rel="noreferrer">Logos &amp; press kit</a></li><li class="pt1 pb1"><a href="https://www.cloudflare.com/partners/" target="_blank" data-tracking-category="footer" data-tracking-action="click" data-tracking-label="partners" class="f1 
blue3 no-underline underline-hover" rel="noreferrer">Become a partner</a></li></ul></div></div></div><div class="mw8 center ph3"><div class="flex flex-row flex-wrap justify-center md:justify-between items-center pt4"><div class="flex flex-row space-x-4 items-start w-25-l pb4 pb0-l"><a target="_blank" rel="noreferrer" href="https://www.facebook.com/Cloudflare/" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/facebook.svg" alt="facebook"/></a><a target=" _blank" rel="noreferrer" href="https://x.com/Cloudflare" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/twitter.svg" alt="X"/></a><a target="_blank" rel="noreferrer" href="https://www.linkedin.com/company/cloudflare" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/linkedin.svg" alt="linkedin"/></a><a target="_blank" rel="noreferrer" href="https://www.youtube.com/cloudflare" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/youtube.svg" alt="youtube"/></a><a target="_blank" rel="noreferrer" href="https://www.instagram.com/cloudflare" class="w-8"><img class="w-8" src="https://www.cloudflare.com/img/footer/instagram.svg" alt="instagram"/></a></div><div class="w-70-l tr-l tl-ns"><div><span class="main-footer__copyright f1">© <!-- -->2025<!-- --> Cloudflare, Inc.<!-- --> </span><span class="main-footer__copyright f1">|</span><a href="https://www.cloudflare.com/privacypolicy/" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Privacy Policy<!-- --> </a><span class="main-footer__copyright f1">|</span><a href="https://www.cloudflare.com/website-terms/" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Terms of Use<!-- --> </a><span class="main-footer__copyright f1">|</span><a href="https://www.cloudflare.com/disclosure/" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- 
-->Report Security Issues<!-- --> </a><span class="main-footer__copyright f1">|</span><img class="mw2 ph1" src="/images/privacy-options.svg" alt="Privacy Options"/><a href="#cookie-settings" id="ot-sdk-btn" class="ot-sdk-show-settings main-footer__copyright f1 no-underline underline-hover"><span class="brandGray5">Cookie Preferences</span> </a><span class="main-footer__copyright f1">|</span><a href="https://www.cloudflare.com/trademark/" target="_blank" class="main-footer__copyright f1 no-underline underline-hover" rel="noreferrer"> <!-- -->Trademark<!-- --> </a></div></div></div></div></footer></html>
