You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
armfazh cb26318d21 Removing non-used dependencies. 1 day ago
.circleci Moving some dependencies to devDependencies. 7 months ago
.github Adding github actions to run tests in CI. 1 day ago
addon Releasing new version v2.0.9 3 months ago
docs Update the doc for urls 4 months ago
jest Removing non-used dependencies. 1 day ago
src Removing non-used dependencies. 1 day ago
test Removing non-used dependencies. 1 day ago
.babelrc Upgrade some yarn dependencies (#108) 2 years ago
.eslintignore Re-design UI to show both configurations (#153) (#155) 1 year ago
.eslintrc.json Removing non-used dependencies. 1 day ago
.gitignore Configuration updates (#150) 2 years ago
LICENSE update range years. 11 months ago
Makefile Adding github actions to run tests in CI. 1 day ago Adding github actions to run tests in CI. 1 day ago
jest.config.js Removing non-used dependencies. 1 day ago
package.json Removing non-used dependencies. 1 day ago
yarn.lock Removing non-used dependencies. 1 day ago

Challenge Bypass Extension

The Privacy Pass protocol is now being standardised by the privacypass IETF working group. All contributions are welcome! See the GitHub page for more details.


The Privacy Pass browser extension implements the Privacy Pass protocol for providing a private authentication mechanism during web browsing. Privacy Pass is currently supported by Cloudflare to allow users to redeem validly signed tokens instead of completing CAPTCHA solutions. The extension is compatible with Chrome and Firefox (v48+). An example server implementation that is compatible with this extension is available here.

The protocol we use is based on a realization of a 'Verifiable, Oblivious Pseudorandom Function' (VOPRF) first established by Jarecki et al.. For a technical description of the protocol see the We also detail the entire protocol and results from this deployment in a research paper that appeared at PETS 2018 (Issue 3).

The protocol has received extensive review, but this extension is a work-in-progress and we regard all components as beta releases. In particular in v1.0 of the extension some features are not fully implemented (e.g. DLEQ proof verification).

We hope to address a significant number of existing issues in a future release of the extension. Users can also install the latest branch of master into their browser to use a newer version.

We welcome contributions from the wider community. Also feel free to notify us of any issues that occur. Pull requests and reviews are welcome and encouraged.

Stable Releases

Download the latest stable release of the extension:

Build Instructions

On a Unix environment, you need to install:

To build and test, run these commands:

$ git clone
$ cd challenge-bypass-extension
$ make install
$ make build
$ make test-all

After that, the addons folder will contain all files required by the extension.

Useful Documentation

Documentation for the protocol, workflow and extension components.


  • Directory:
    • src: The source files that are used for establishing the extension.
      • ext: Source files that are specific to the extension.
      • crypto: External source files that provide cryptographic functionality.
    • addon: Extension directory.
    • test: Test scripts for using the jest integration test framework.
    • docs: Documentation.
  • Commands:
    • make install: Installs all dependencies.
    • make sjcl: Configures and builds the SJCL source code.
    • make build: Builds all source files and compiles them into unminified source file at addon/build.js.
    • make test: Builds all source files (except src/ext/listeners.js) into a single file and then runs the jest testing framework on this file.
    • make test-all: Same as make test and runs the sjcl tests.
    • make lint: Lints the source files.
    • make dist: Package the extension files into a file.


  • Build by following the Build Instructions.
  • Open Firefox and go to about:debugging.
  • Click on 'Load Temporary Add-on' button.
  • Select manifest.json from addon/ folder.
  • Check extension logo appears in the top-right corner and 0 passes are stored (by clicking on it).
  • Go to a web page supporting Privacy Pass where internet challenges are displayed (e.g.
  • Solve CAPTCHA and check that some passes are stored in the extension now.
    • cannot be bypassed (this is only for gaining passes)
  • Go to a new website supporting Privacy Pass that ordinarily displays a challenge.
  • Check that the website is displayed correctly without human interaction (more than one pass may be spent).
    • No interaction with a CAPTCHA page should occur, for instance.


Same as above, except the extension should be loaded at chrome://extensions instead.

Plugin Overview

The following script files are used for the workflow of Privacy Pass and are found in addon/ folder. They are compiled into a single file (build.js) that is then loaded into the browser.

  • src/ext/
    • listeners.js: Initialises the listener functions that are used for the webRequest and webNavigation frameworks.
    • background.js: Determines the bulk of the browser-based workflow for Privacy Pass. Decides whether to initiate the token issuance and redemption phases of the protocols.
    • browserUtils.js: General utility functions that are used by background.js. We separate them so that we separate the specific browser API calls from the actual workflow.
    • config.js: Config file that decides the workflow for Privacy Pass.
    • token.js: Token generation and storage procedures.
    • issuance.js: Specific functions for handling token issuance requests from the extension and corresponding server responses.
    • redemption.js: Specific functions for construction redemption requests.
  • src/crypto/
    • local.js: Wrapper for extension-specific cryptographic operations.
    • sjcl/: Local copy of SJCL library.
    • keccak/: Local implementation of the Keccak hash function (taken from

Files for testing are found in test/ folder. Some functions from the extension files are mocked during test execution. The tests are run on a separate file in addon/test.js that has the same contents as build.js but with the HTTP listeners removed.




Cryptography is implemented using the elliptic-curve library SJCL and compression of points is done in accordance with the standard SEC1. This work uses the NIST standard P256 elliptic curve for performing operations. Third-party implementers should note that the outputs of the hash-to-curve, key derivation, and point encoding functions must match their Go equivalents exactly for interaction with our server implementation. More information about this will be provided when the edge implementation is open-sourced.


The creation of the Privacy Pass protocol was a joint effort by the team made up of George Tankersley, Ian Goldberg, Nick Sullivan, Filippo Valsorda and Alex Davidson.

We would also like to thank Eric Tsai for creating the logo and extension design, Dan Boneh for helping us develop key parts of the protocol, as well as Peter Wu and Blake Loring for their helpful code reviews. We would also like to acknowledge Sharon Goldberg, Christopher Wood, Peter Eckersley, Brian Warner, Zaki Manian, Tony Arcieri, Prateek Mittal, Zhuotao Liu, Isis Lovecruft, Henry de Valence, Mike Perry, Trevor Perrin, Zi Lin, Justin Paine, Marek Majkowski, Eoin Brady, Aaran McGuire, and many others who were involved in one way or another and whose efforts are appreciated.


What do I have to do to acquire new passes?

  • Click "Get More Passes" in the extension pop-up (or navigate to
  • Solve the CAPTCHA that is presented on the webpage
  • Your extension should be populated with new passes.

Are passes stored after a browser restart?

Depending on your browser settings, the local storage of your browser may be cleared when it is restarted. Privacy Pass stores passes in local storage and so these will also be cleared. This behavior may also be observed if you clear out the cache of your browser.