
[return to "Apple Could Kill CAPTCHAs with Private Access Tokens"]
1. kgwxd+a1 2022-06-15 10:59:57
>>matthe+(OP)
Terrible idea. No matter how much time it would save me, I do not want “my” computer doing any work designed to snitch on me.
2. simonh+E1 2022-06-15 11:04:27
>>kgwxd+a1
>The server doesn't know anything about the device or the person accessing it.

What sort of snitching?

3. Zak+N4 2022-06-15 11:32:52
>>simonh+E1
It snitches regarding what kind of device and operating system you're using. It currently seems to be limited to Apple devices, but this is the sort of thing I could see Microsoft and Google going for. Put another way, if everyone running unmodified corporate operating systems proves it as a matter of course, it effectively snitches on anyone who isn't.

Running Linux? Rooted Android? Anything else weird? If this gets popular, you might not be able to access most of the web with it, at least not without constantly filling in CAPTCHAs.

4. nojito+o7 2022-06-15 11:56:35
>>Zak+N4
None of this is true.

Cloudflare does not know what device you're using.

5. Zak+09 2022-06-15 12:08:41
>>nojito+o7
Cloudflare knows you're using a device that supports this feature. If a majority of internet users are eventually using devices that support it, some sites will probably deny service to those that do not, just as some Android apps refuse to run on devices not using a factory OS.
6. nojito+Up 2022-06-15 13:47:02
>>Zak+09
Which is a good thing.

Besides it's an open standard. https://www.ietf.org/archive/id/draft-private-access-tokens-...

7. danShu+Fs 2022-06-15 14:00:16
>>nojito+Up
Remember back to EME, an Open standard doesn't necessarily mean Open implementation.

The actual workflow here is an open standard, but I'm having a hard time understanding why sites won't just require that you use Mediators/Issuers that were written by one of the big tech companies and then block everything else.

Not saying that will absolutely be the case, I'm just saying that I don't understand why I shouldn't be concerned -- I've seen these exact arguments get used in the past for systems that absolutely shut out independent browser/hardware/OS/ROM development.

I mean... CAPTCHA is effectively an Open Standard, even if it doesn't have a draft that I'm aware of. But that doesn't mean much when so much of how it works is rolled up in an unstandardized implementation and when website operators are ultimately in charge of choosing CAPTCHA providers, not users. Is the same thing going to happen with PATs?
