I've been using Privacy Pass to help reduce CAPTCHAs, but a recent update has introduced some concerning behavior that potential users should be aware of.

Pros:

- Can help reduce CAPTCHAs on some websites
- Open-source and maintained by Cloudflare

Cons:

- Recently started opening new tabs without user permission
- Asks for "attester" verification in an intrusive manner
- Interrupts browsing experience unexpectedly

The extension now opens a new tab without warning, asking users to verify an "attester." While this might be intended to improve transparency, the implementation is disruptive and feels like a violation of user control. This behavior seems to go against Firefox's add-on policies regarding unexpected actions and user experience. It's particularly concerning for an extension that's supposed to improve browsing, not interrupt it. I've reported this to Mozilla for review. In the meantime, users should be aware of this intrusive behavior before installing. If you value a smooth browsing experience without unexpected interruptions, you might want to consider alternatives or wait for this issue to be addressed. I hope the developers can find a less disruptive way to implement their verification process. Until then, I can't recommend this extension.

One of those cases where I'd happily give a zero-star rating, but there is no such thing. I guess one star can be given for the intention behind. Some issues:

1. Stores passes in localStorage. Due to this they get cleaned up by automatic cleaning, always if the browser is in permanent private mode (Tor Browser). If you don't use permanent private mode, instead automatically cleaning history on exit, you can put moz-extension://ea706443-32b7-4727-b136-408bf93e5004/ in cleaning exceptions, which is very unintuitive.
My passes getting deleted was a big surprise the first time...
It was even reported in the issue tracker (https://github.com/privacypass/challenge-bypass-extension/issues/205), yet dismissed by the dev. Somehow storing that in localStorage is not a bug.
How would you like uBlock rules cleared on every launch?

2. Can't coin passes in Tor Browser.

3. Buggy if you disabled WASM.

4. No functionality for import/export. But you can do it through debugging extension in a web inspector. I guess this is where localStorage comes useful but it still sucks. See https://pastebin.com/EgruhFQc for functions.

5. If you managed to import passes via own js in Tor Browser, or you switched to Tor in a normal one, it won't fully redeem them. In case of hCaptcha, it mistrusts you after you uselessly redeem a pass or two. In case of Cloudflare, most important sites that I use don't get highlighted by the extension. Websites like ChatGPT, some manga websites and forums, enter an endless loop with rotating thing on a page that uses deceptive language like "checking if your connection is secure", despite obviously not checking out the connection, but me. I haven't yet encountered a cloudflared website I use a lot which supports this.

5.1. No visual indicators that it mistrusts you despite eating a pass. No indicators if it works generally beyond using devtools. No status messages.

6. Only 5 hCaptcha passes for one completion.

7. Given that Privacy Pass as a standard will combat pass hoarding by associating passes with metadata (see the latter part of https://blog.cloudflare.com/privacy-pass-v3/), it's not very obvious why not just ditch tokens entirely and use registration with captchas (a la hCaptcha accessibility) to begin with. It's inevitable that you get rid of anonymity and stuff like that in order to not be frustrated with workarounds like this one. By registering with a captcha provider you might not need to redeem anything anymore, you can build trust in each internet-using biological platform on individual basis.