search

underrobyn / AbsoluteDoubleTrace

A web extension to block browser fingerprinting (Manifest V2)
https://absolutedouble.co.uk/trace/
Other
343 stars 48 forks source link

Cloudflare Captcha Breaking #82

Open LukeAbby opened 1 year ago

LukeAbby commented 1 year ago

First of all, I understand that this plugin is not currently being actively developed so I really am posting this for if it ever gets picked up again. Second of all, thank you! This is definitely the most key plugin to reliably fool fingerpringing I've found. Unfortunately I can't daily drive with absolutely everything I need enabled (as it breaks too many things) and so services like fingerprint.js still seem to fingerprint me... I'm sure you're aware though and that's a tangent to this issue anyways.

When I go to many sites, for example to login through Gitlab, I end up needing to use Cloudflare's Captcha: image When I have Trace enabled the Captcha simply does not appear and thusly cannot be completed, the page simply never loaded. It's probably some setting I have enabled and I'd be willing to bisect it if you want me to.

I'm sure the reason why this captcha is disabled is either because Cloudflare purposefully notices trace-like services and blocks the captcha or trace blocks it for seeming/being very intrusive or both. However, from a practical point of view not being able to use sites behind Cloudflare captcha becomes very prohibitive. Plus Cloudflare has been a privacy friendly company in the past and articles seem to suggest that their Captcha retains much less data:

UX isn’t the only big problem with CAPTCHA — so is privacy

While having to solve a CAPTCHA is a frustrating user experience, there is also a potential hidden tradeoff a website must make when using CAPTCHA. If you are a small site using CAPTCHA today, you essentially have one option: an 800 pound gorilla with 98% of the CAPTCHA market share. This tool is free to use, but in fact it has a privacy cost: you have to give your data to an ad sales company.

According to security researchers, one of the signals that Google uses to decide if you are malicious is whether you have a Google cookie in your browser, and if you have this cookie, Google will give you a higher score. Google says they don’t use this information for ad targeting, but at the end of the day, Google is an ad sales company. Meanwhile, at Cloudflare, we make money when customers choose us to protect their websites and make their services run better. It's a simple, direct relationship that perfectly aligns our incentives.

ilike2burnthing commented 1 year ago

You need to disable JS Plugin Hide under Advanced Protections.

Creating a whitelist entry for a domain with JS Plugin Hide disabled doesn't work.

Update: you may also need to disable Canvas Fingerprint Protection or create a whitelist entry with this disabled.