# 🍪 Cookie

Third-party cookies are being phased out by one browser after another. That's a good thing, because ads and the loss of privacy on the internet suck, but it also creates a new security problem: how do you recognize that a visitor has already been vetted once they move on to a different website?

# Please complete the captcha

Thanks DALL-E
Whenever Cloudflare makes you adopt a puppy to prove you're human, it tags you with a clearance cookie so it doesn't have to spam-check you again for a while. With cross-site cookies going away, that mechanism is becoming harder and harder to lean on. To solve this, Cloudflare and its collaborators came up with the Privacy Pass protocol, since standardized at the IETF, for passing anonymous tokens around. With this protocol a party like Cloudflare can verify you're a human and issue you a batch of tokens that other websites can later ask for. The tokens are blind-signed: the issuer signs a blinded value and never sees the token you end up with, so when you spend one, the site that checks it only learns "this issuer vouched for this client", not who you are, and the issuer can't tie that spend back to the moment it verified you. Each token is single-use, so a site also has to remember which ones it has already accepted. These tokens are fully (sorta) anonymous; I say sorta because Mozilla has some issues with Privacy Pass and outlines them explicitly in their research paper.

Issues aside, it's an emerging technology that has been adopted by huge providers but has limited tooling available outside of them. You'll see various flavors of the protocol, like Apple's Private Access Tokens or Google's Private State Tokens. The protocol splits the work into two major roles: the Attester, which validates that you're a human (or at least a legitimate device), and the Issuer, which hands you a set of tokens you can exchange with other websites to prove you've been attested. Apple plays the attester role itself and works with separate issuers, and interestingly enough you can apply to Apple to become an Issuer as long as you fit some criteria.

And Google simply requires you to open an issue on their GitHub repo.
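To make the roles concrete, here is an added, self-contained Python sketch of the flow described above: the attester vouches for a request, the issuer blind-signs it, the client unblinds the result, and an origin later verifies the token and rejects replays. This is example code written for this post, not code from Cloudflare, Apple, Google, or the Privacy Pass specs. It assumes a textbook RSA blind signature on a freshly generated 512-bit toy key and an HMAC as the attester-to-issuer handoff, both chosen only to keep the example dependency-free; real deployments use RSA-BSSA (RFC 9474) or a VOPRF (RFC 9497) with production-size keys. The issuer's `seen` list stands in for whatever it could log, to show why a redemption can't be tied back to its issuance.

```python
"""Toy Privacy Pass round trip: Attester, Issuer, Client and Origin.

Constructed example. Textbook RSA blind signature on a 512-bit toy key;
real deployments use RFC 9474 / RFC 9497 and much larger keys.
"""
import hashlib
import hmac
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, used only to build the toy RSA key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def hash_to_int(nonce: bytes) -> int:
    # Token message is H(nonce): 256 bits, always below the 512-bit modulus.
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big")


class Attester:
    """Checks the human and vouches for the *blinded* request only (assumed HMAC handoff)."""
    def __init__(self, shared_key: bytes):
        self.key = shared_key

    def attest(self, blinded: int, captcha_solved: bool):
        if not captcha_solved:
            return None
        return hmac.new(self.key, blinded.to_bytes(64, "big"), "sha256").digest()


class Issuer:
    """Holds the signing key; only ever sees blinded values."""
    def __init__(self, shared_key: bytes, bits: int = 512):
        self.key, self.e = shared_key, 65537
        while True:
            p, q = gen_prime(bits // 2), gen_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(self.e, phi) == 1:
                break
        self.n, self.d = p * q, pow(self.e, -1, phi)
        self.seen = []  # everything the issuer could possibly log about clients

    def public_key(self):
        return self.n, self.e

    def issue(self, blinded: int, attestation) -> int:
        expected = hmac.new(self.key, blinded.to_bytes(64, "big"), "sha256").digest()
        if attestation is None or not hmac.compare_digest(expected, attestation):
            raise PermissionError("no valid attestation")
        self.seen.append(blinded)
        return pow(blinded, self.d, self.n)  # blind signature s' = (m * r^e)^d


class Client:
    def __init__(self, issuer_pub):
        self.n, self.e = issuer_pub
        self.pending = {}  # blinded value -> (nonce, blinding factor)

    def blind(self) -> int:
        nonce = secrets.token_bytes(32)
        while True:
            r = secrets.randbelow(self.n - 2) + 2
            if math.gcd(r, self.n) == 1:
                break
        blinded = (hash_to_int(nonce) * pow(r, self.e, self.n)) % self.n
        self.pending[blinded] = (nonce, r)
        return blinded

    def unblind(self, blinded: int, blind_sig: int):
        nonce, r = self.pending.pop(blinded)
        sig = (blind_sig * pow(r, -1, self.n)) % self.n  # s = s' * r^-1 = m^d
        assert pow(sig, self.e, self.n) == hash_to_int(nonce)
        return nonce, sig


class Origin:
    """A website accepting tokens: verify against the issuer key, refuse replays."""
    def __init__(self, issuer_pub):
        self.n, self.e = issuer_pub
        self.spent = set()

    def redeem(self, token) -> bool:
        nonce, sig = token
        if pow(sig, self.e, self.n) != hash_to_int(nonce):
            return False  # not signed by the issuer, or tampered
        if nonce in self.spent:
            return False  # double-spend
        self.spent.add(nonce)
        return True


def run_flow() -> dict:
    shared = secrets.token_bytes(32)  # attester<->issuer key (constructed)
    issuer, attester = Issuer(shared), Attester(shared)
    client, origin = Client(issuer.public_key()), Origin(issuer.public_key())

    blinded = client.blind()
    token = client.unblind(blinded, issuer.issue(blinded, attester.attest(blinded, True)))
    nonce, sig = token

    unattested = client.blind()  # second request, captcha never solved
    try:
        issuer.issue(unattested, attester.attest(unattested, False))
        refused = False
    except PermissionError:
        refused = True

    return {
        "redeem_ok": origin.redeem(token),
        "replay_ok": origin.redeem(token),
        "tampered_ok": origin.redeem((secrets.token_bytes(32), sig)),
        "unattested_refused": refused,
        # the issuer logged only blinded values, never the H(nonce) the origin sees
        "issuer_linkable": hash_to_int(nonce) in issuer.seen,
    }


if __name__ == "__main__":
    print(run_flow())
```

The replay set is the part that gets forgotten: a token that verifies is still only good once, so an origin has to track spent nonces for as long as the issuer key is valid, and rotate that set when the issuer rotates keys.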

# Show me the money

This is all pretty fancy, but what sort of business models does it open up for us? Can you monetize being an issuer, or sell some product that helps companies implement these tokens? Becoming an attester looks lucrative, since there's a limited market for mature human verification these days: commonly just hCaptcha, Turnstile, or reCAPTCHA. But there's a reason that's a hard market. It takes a lot of training data, and AI is bypassing the shit out of most of these providers. Cloudflare dropped visual captchas a while ago in favor of a mostly non-interactive mechanism, and you'll find plenty of providers selling captcha bypass as a service.

That's about where my research left it. I wasn't convinced there was a reasonable market for tooling around this ecosystem. Smarter people than I will figure something out, but for now I'm putting this one on the shelf.