It's a bit more than that. Normally, once you pass a CAPTCHA we leave you alone across the network for a while. With Tor, however, you change circuit every 10 minutes and every origin change. Tracking you across circuits would be obviously an invasion of your privacy.
This allows us to extend the lifetime of an "approval" across time and domains.
So it's not just changing the trade-off. It's enabling a human behavior that should make the user experience much better, while preserving privacy and not really changing the equation for bots.
(Disclaimer: I work for Cloudflare and wrote the original incomplete draft.)
This does not preserve anonymity. I suspect you may be confused as to why TOR is changing circuits it's not to prevent users from logging into websites.
Hi I am 54.123.22.16 let's open a secure connection my public key is 5468..
connection -> This is FarkUser57, token:fark123
connection -> FarkUser57 -> "Actual message 1"
Connection times out.
Hi I am 55.55.55.123 let's open a secure connection my public key is 5592..
connection -> This is FarkUser57, token:fark123
connection -> FarkUser57 -> "Actual message 2"
Connection times out.
As long as FarkUser57 does not map back to your real you, then you preserve anonymity.
Blind signatures do not work like user names. You would use a new signed token for every authentication and because the server itself does not know which tokens it signed, it can only verify that a token is valid, but not find out which tokens belong to the same user.
I wonder about that. Could it use a different let for every user and verify which let it used to track them? Or would that be infeasible due to the cost of verifying the signature?
The point is blind signatures are not needed. If the first TOR connection is anonymous then it can hand you a token that is anonymous the second time. Using multiple IP over time is a way to maintain anonymity vs traffic analysis so you don't want third party's to see the token.
You do need to trust the endpoint as. The end point can already easily deanonymize you in under a minute based on the traffic it's sending, if that can be compared with the traffic you get from TOR.
This allows us to extend the lifetime of an "approval" across time and domains.
So it's not just changing the trade-off. It's enabling a human behavior that should make the user experience much better, while preserving privacy and not really changing the equation for bots.
(Disclaimer: I work for Cloudflare and wrote the original incomplete draft.)