Implement PrivacyPass

[riastradh-brave]

https://github.com/privacypass/challenge-bypass-extension

One of several avenues to pursue to reduce captcha fatigue on users, particularly Tor users.

Old issue: brave/browser-laptop#13395

[riastradh-brave]

Cloudflare confirms this is on their roadmap to continue supporting, so this should continue to help with the Cloudflare captcha.

[riastradh-brave]

This is more or less blocked on #2307 (along with the other issues labelled feature/tor/guest-semantics), because as private windows with Tor are implemented, extensions are blocked from being used altogether in them -- which is largely the right choice for security and anonymity, but in this case the upstream PrivacyPass is implemented as an extension.

[durch]

@riastradh-brave we're at a crossroads here with regard to implementation, initial idea was to implement privacypass extension as a native extension, so wrap it and expose relevant APIs. There are however concerns around maintainability of such a solution, as it might become a hassle keeping up with upstream updates. So we're back to evaluating pros and cons of both solutions. It seems that a bigger win would be to just do #2307. Then proceed with deciding if some special handling of extensions is required. Might be best to have them off by default and let users flip those switches and acknowledge the risks.

[tildelowengrimm]

Just to clarify the requirements/approach here.

1. We're integrating Privacy Pass because it's really quite very useful in Tor.
2. We're probably just incorporating the existing extension, kinda the way we do for Webtorrent et al.
3. The functionality has to be available in Tor windows, and having it available in other windows would be great too.
4. We're going to need an off switch for it in settings: probably in the same place as other extensions.
5. We might want to change the UI a little to be Brave-er. TBD.

[rulatir]

Can someone explain why Tor Browser SimplyHas™ this feature and why we can't have the same easily?

[alexander-chan]

Hi - just wanted to see if there is any updates for this. It's been over a year! :-)

[rulatir]

This isn't happening ever, right?

[tildelowengrimm]

If there were updates, they'd be in this issue.

[ameyagokhale]

The issue was raised on Oct 18, 2018
Please increase the priority

[diracdeltas]

I'm happy to look at this. would it be sufficient to just integrate the Privacy Pass Chrome extension into brave tor profiles by default? https://github.com/privacypass/challenge-bypass-extension

[diracdeltas]

looks like the chrome privacy pass extension was taken down: https://chrome.google.com/webstore/detail/privacy-pass/ajhmfdgkijocedmfjonnpjfojldioehi

does anyone currently use it? does it still work?

[posix4e]

Taken down? Seems up to me.

[posix4e]

I still can't get it in the tor tab? Is there a ticket tracking for tor?

[diracdeltas]

it's back up now for me

[diracdeltas]

this is blocked on #2761; once that's done, you should be able to use privacy pass from the chrome web store in tor windows.

[bsclifton]

@diracdeltas should we close this issue as wontfix? Extensions in Tor tab is now implemented

[NumDeP]

I have to ask before you slap a wontfix on this.

Expecting users to download it manually rather than having a forked version of it implemented doesn't sound good and I wish you'll reconsider and at least understand why my suggestion is more ideal of having it better integrated.

It would be such an annoyance if we do come to use PP as a sort of requisite and it's taken down for whatever reason and I don't think it's a good idea to rely on Google's Webstore when it's inside of Brave-Tor for this particular extension.

I highly doubt users won't ever want to use it this feature; CAPTCHA is and probably will continue to be a big problem for users, especially on Tor, so I figure it should be implemented naively i.e next to and like Shields and BAT or perhaps even inside of Shields under Tracker & Ads blocked and HTTPS Upgrades, that way we wouldn't need to go through the hassle of going into Extensions ever time just to turn it on and and off as brave://settings/extensions and brave://extensions/ is a little messy to say the least. This way we can simply and directly just toggle it inside of Shields like Scripts block. I think you should do it, I mean don't you think? It's so much better from a UX perspective.

Just a side note in case you guys didn't catch it - 'Oct 2020: The Privacy Pass protocol is now in the process of being standardised by the IETF in the privacypass working group.'

[diracdeltas]

we're aware of the privacy pass working group and hope this will be implemented natively in chromium once it's standardized.

in the meantime, we could fork the cloudflare extension and enable by default in tor. there is some maintenance burden associated with this, since the extension doesn't seem to work for me (and many others, judging by the reviews) and we would need to know when cloudflare changes something on their end.

a better option that Roger from torproject brought up is for Brave to emulate the features that Cloudflare uses to detect Tor Browser, since apparently they exempt Tor Browser users from going through as many captchas. #1121 would help with this, as would changing the user agent to match TBB.