Keeping the Web Open and Private in the Bot Era

June 23, 2026 | Dennis Jackson

If you’ve been running into endless CAPTCHAs or website login requests lately, you’re not imagining things. Websites, facing a rising tide of abusive traffic from bots, are adopting increasingly aggressive countermeasures, damaging users’ experience of the web, their privacy and open access to the web. In this post, we’ll talk about a new initiative we’re launching with Cloudflare, other web browsers, and web stakeholders to address this challenge while keeping the web anonymous by default.

Privacy and access in tension

The fight for privacy on the web has made real progress. Browsers that put privacy first are eliminating third-party cookies, restricting fingerprinting, and hiding IP addresses, pushing back against the trackers. But every step forward has come with a cost. Users are seeing more CAPTCHAs, more demands to log in, and more outright block pages than ever before.

Building privacy into the browser means dismantling the passive signals, like IP addresses and browser fingerprints, that are used to profile users but are also relied on by anti-abuse systems. At the same time, sites are facing large increases in bot traffic. The response from websites is understandable; volumetric abuse like credential stuffing and spam can do real damage. But the result is a lose-lose: users face mounting friction and reduced privacy, while sites drive away the legitimate visitors they wanted to serve.

If nothing changes, users will increasingly be forced to choose between their privacy and their access to the web. Proposals have been made to tackle this dilemma, by asking users to prove to sites that their devices and software are ‘trusted’. These proposals, such as Web Environment Integrity (WEI), transfer control of devices away from users and to a small handful of operating system and hardware vendors. This deprives users of choice and control and gives those gatekeepers control over which devices and software can access the web, the opposite of the open web, which Mozilla is working to protect.

Finding a better way forward

We think there’s a better way forward. It starts from a simple observation: bots cause harm because they operate at scale. To stop that kind of abuse, a site doesn’t need to know who you are, or that your device is restricted to running approved software. It only needs to know whether you’re staying within a reasonable rate limit.

To make a rate limit work, it must be hard for attackers to create new identities and reset their allowance. That’s one reason why sites demand an email address, a federated login or a device fingerprint: obtaining a new one is just costly enough to make the rate limit stick. The challenge is whether we can make rate limits work, without giving sites access to hard-to-change identifiers that also enable tracking.

Some sites naturally have a relationship with their users, like a subscription or a long-standing account. What if one of those existing relationships could quietly vouch for you elsewhere, so a site you’ve never visited could trust that you’re a real person within its limits, without learning who you are or even where the vouch came from?

For example, consider a VPN service. Many websites block VPN traffic entirely due to the high rates of abusive traffic blended with legitimate traffic. What if a VPN service could vouch for each of its subscribers? This would let sites manage a per-subscriber rate limit, meaning users get fewer roadblocks and sites get more of the legitimate traffic they want. Of course, this requires that the vouching system doesn’t enable sites to track VPN users, which would otherwise defeat the very purpose of using the VPN.

Enabling this kind of privacy-preserving vouching is already possible in a limited sense. Apple’s Private Access Tokens, built on a cryptographic protocol called Privacy Pass, let Apple devices receive single-use tokens they can later present to websites without those visits being linked together. However, Private Access Tokens have some critical shortcomings. First, like WEI, they rely on device attestation, the very hardware gatekeeping we are determined to avoid. Second, there’s no easy way to open up the system to let more parties vouch for users without compromising on user privacy, which means concentrating control in the hands of a few.

To keep the web open, we need a system where any site can vouch for users, and where other sites can decide who they trust to vouch for users responsibly. This is a much harder problem, but we think the cryptographic foundations exist to deliver it. Anonymous credentials let one party issue you a credential that you can later present to a site a limited number of times, whilst preventing sites and issuers from tracking its use. It’s even possible to hide which party issued it, proving only that it came from a set of trusted issuers.
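The single-use, unlinkable tokens of Privacy Pass and the per-subscriber vouching from the VPN example above, as an added Python toy that is not code from the original post, from Mozilla, or from any Privacy Pass implementation: the issuer signs a blinded value (so it can never recognise the token later), rate-limits issuance per subscriber, and the site checks the signature with the issuer's public key and rejects replays. The tiny key, the quota, and the names `Issuer`, `Site` and `request_token` are assumptions for illustration; the scheme is the blind-RSA flavour of Privacy Pass, stripped to its core.

```python
import hashlib
import secrets

# Constructed toy issuer key: two Mersenne primes, far too small for real use.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def token_hash(nonce: bytes) -> int:
    """Map a client-chosen nonce into the RSA group (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N


class Issuer:
    """The vouching party (e.g. a VPN): signs blinded tokens, rate-limited per subscriber."""

    def __init__(self, quota: int):
        self.quota = quota
        self.issued: dict[str, int] = {}

    def issue(self, subscriber: str, blinded: int) -> int:
        # Only the blinded value is seen here, so the issuer cannot match it to a redemption.
        if self.issued.get(subscriber, 0) >= self.quota:
            raise PermissionError("per-subscriber quota exhausted")
        self.issued[subscriber] = self.issued.get(subscriber, 0) + 1
        return pow(blinded, D, N)


def request_token(issuer: Issuer, subscriber: str) -> tuple[bytes, int]:
    """Client side: blind the hashed nonce, have it signed, then unblind."""
    nonce = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2                      # blinding factor
    blinded = (token_hash(nonce) * pow(r, E, N)) % N
    sig = (issuer.issue(subscriber, blinded) * pow(r, -1, N)) % N
    return nonce, sig                                     # sig == H(nonce)^D mod N


class Site:
    """Relying site: verifies with the issuer's public key and keeps a spent-nonce set."""

    def __init__(self):
        self.spent: set[bytes] = set()

    def redeem(self, nonce: bytes, sig: int) -> bool:
        if pow(sig, E, N) != token_hash(nonce):           # not signed by the issuer
            return False
        if nonce in self.spent:                           # single use: replay rejected
            return False
        self.spent.add(nonce)
        return True
```

Because the issuer only ever sees the blinded value and the site only the unblinded token, neither side can link a redemption back to the subscriber, yet the subscriber still cannot exceed the issuer's quota. Hiding which of several trusted issuers signed the token, as the paragraph above describes, needs an anonymous-credential scheme beyond this toy.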

A fix is both essential and possible

Building this into a system for the open web, where any site could vouch and any site could set its own limits, is challenging, but we believe it’s both possible and essential in order to defuse the tension between privacy and access, while avoiding centralising control in a small number of gatekeepers. Working with other web stakeholders, including Cloudflare and other browsers, we’ve started designing such a system.

For a deeper dive, read our post on Hacks, which goes into more detail about the problem space and the approach we’re working on. Our goal is simple: fewer CAPTCHAs, fewer unnecessary blocks and fewer demands to identify yourself, without compromising on privacy. This is the kind of web that Mozilla built Firefox to offer: easy to use, private and open to all.
