Ooh this is interesting. Theoretically these could still be associated with my account right? Since you need to use my session token to generate these privacy tokens. Is there a technical explainer somewhere with instructions for setting this up without a web extension?
> When an internet challenge is solved correctly by a user, Privacy Pass will generate a number of random nonces that will be used as tokens. These tokens will be cryptographically blinded and then sent to the challenge provider. If the solution is valid, the provider will sign the blinded tokens and return them to the client. Privacy Pass will unblind the tokens and store them for future use.
So it seems like as long as the cryptography is done right and Kagi's webextension does what it says, they are actually private.
Awesome. I didn't see much detail about how it works in the page. Something like this would be useful for other sites as well. Is this using an existing technology?
(Firefox extension is not found. It's probably not in the store yet. Can't find with search either.)
We didn't launch this yet. It is in testing which is why we published this doc for testers. Full blog post with complete run down of the tech and implementation coming (very) soon.
Holy crap this is going to let me move some privacy-focused folks over to join me in Kagitopia. Good job guys, you are always working on something cool.
promiseofbeans|1 year ago
Edit: Looking into it, it seems like this uses the same mechanism for tokens as Cloudflare's turnstile system: https://privacypass.github.io/ or for the proper standard https://www.rfc-editor.org/rfc/rfc9578.html
Excerpt that explains how it works:
> When an internet challenge is solved correctly by a user, Privacy Pass will generate a number of random nonces that will be used as tokens. These tokens will be cryptographically blinded and then sent to the challenge provider. If the solution is valid, the provider will sign the blinded tokens and return them to the client. Privacy Pass will unblind the tokens and store them for future use.
So it seems like as long as the cryptography is done right and Kagi's webextension does what it says, they are actually private.
dizhn|1 year ago
dizhn|1 year ago
(Firefox extension is not found. It's probably not in the store yet. Can't find with search either.)
freediver|1 year ago
promiseofbeans|1 year ago
The standard has also been published as RFC9578: https://www.rfc-editor.org/rfc/rfc9578.html
tomcatfish|1 year ago