
It uses a blind signature protocol allowing the client to generate bypass tokens without future correlation. That's good.

Unfortunately, because it requires that the user use a plugin, this creates two groups of Tor users: those that are using this protocol and those that aren't. This is more information that can be used---with other information---to aid in de-anonymizing users. (To be clear: using ephemeral JavaScript, as they mentioned, is not a credible option, so they have chosen the better route here.)

CloudFlare stores cookies today, yes, but they can be ephemeral with good client cookie policies. A browser plugin usually persists sessions---even if the tokens don't, the fact that it is _installed_ does.

I understand that this is the case for other plugins as well.

In any case, CloudFlare criticism aside: I'm glad that CloudFlare is listening to the Tor community, and has come up with a protocol that does its best to respect users' privacy.
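The comment above leans on one property of blind-signature token issuance: the issuer signs something it cannot read, so the token that later comes back for redemption cannot be tied to the issuance request. The following is an added illustrative example, not CloudFlare's code and not the thread's; the page does not say which blind-signature scheme the protocol uses, so this uses Chaum-style RSA blind signatures with a full-domain hash as a stand-in construction. The key size, the token format and the double-spend ledger are assumptions for the demo. Both sides of the exchange are shown: the client blinds a random token, the issuer signs the blinded value, the client unblinds, and the issuer later verifies the redeemed token and rejects replays while never having seen the token at issue time.

```python
"""Toy RSA blind-signature bypass-token flow (added example, assumed construction).

Client:  token -> blinded = H(token) * r^e mod n      (issuer sees only `blinded`)
Issuer:  blinded_sig = blinded^d mod n
Client:  sig = blinded_sig * r^-1 mod n  ==  H(token)^d mod n
Redeem:  issuer checks sig^e == H(token) mod n and that token is unspent.
"""
import hashlib
import secrets

# Odd primes below 1000 for quick trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with trial division (demo-grade)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def keygen(bits: int = 1024):
    """Return ((n, e), d). 1024-bit modulus is a demo size, not a deployment size."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this guarantees gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)


def fdh(msg: bytes, n: int) -> int:
    """Full-domain hash of msg into Z_n by SHA-256 counter expansion."""
    out, ctr = b"", 0
    while len(out) * 8 < n.bit_length() + 64:
        out += hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out, "big") % n


def blind(token: bytes, pub):
    """Client side: hide H(token) behind a fresh random blinding factor r."""
    n, e = pub
    r = secrets.randbelow(n - 2) + 2    # gcd(r, n) == 1 with overwhelming probability
    return fdh(token, n) * pow(r, e, n) % n, r


def unblind(blinded_sig: int, r: int, pub) -> int:
    n, _ = pub
    return blinded_sig * pow(r, -1, n) % n


def verify(token: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == fdh(token, n)


class Issuer:
    """Signs blinded values at issue time; at redemption only sees (token, sig)."""
    def __init__(self, pub, priv):
        self.pub, self.priv = pub, priv
        self.issued_blinded = []        # everything the issuer learns at issue time
        self.spent = set()              # double-spend ledger (assumed design)

    def issue(self, blinded: int) -> int:
        self.issued_blinded.append(blinded)
        return pow(blinded, self.priv, self.pub[0])

    def redeem(self, token: bytes, sig: int) -> bool:
        if token in self.spent or not verify(token, sig, self.pub):
            return False
        self.spent.add(token)
        return True


def demo() -> dict:
    """Run one issue/redeem exchange and report the checks a reviewer cares about."""
    pub, priv = keygen(1024)
    issuer = Issuer(pub, priv)
    token = secrets.token_bytes(32)                 # constructed sample token
    blinded, r = blind(token, pub)
    sig = unblind(issuer.issue(blinded), r, pub)
    return {
        "valid_signature": verify(token, sig, pub),
        "first_redeem": issuer.redeem(token, sig),
        "replay_redeem": issuer.redeem(token, sig),              # same token twice
        "wrong_token": issuer.redeem(secrets.token_bytes(32), sig),
        # Issuer's issue-time view holds the blinded value, not H(token) itself.
        "issuer_saw_hash_at_issue": fdh(token, pub[0]) in issuer.issued_blinded,
    }


if __name__ == "__main__":
    print(demo())
```

The last field in the returned dict is the point the comment is making: the issuer's issue-time transcript holds only the blinded values, so at redemption it can check the signature and the spent-ledger but cannot match the token back to a particular issuance. The same unlinkability does not extend to a persistent browser extension, which is the separate fingerprinting concern the comment raises.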



The Tor Browser Bundle is pretty persistent about updates. If you're a version behind, it lets you know frequently, with flashy annoying notices. Being a version behind often has security implications, and users hiding behind Tor are often very dependent on being secure, so it makes sense.

That also means that if TBB were to be extended with a new plugin, it would get to every user very quickly. Especially if they did some sort of time delay (probably overkill), where the browser updated 2 weeks before the update actually kicked in. Then everyone who has upgraded in the past 2 weeks instantly gets group-anonymity, and everyone who hasn't upgraded has only themselves to blame because the browser gives you a nice flashy warning immediately when you open it up.

I hope that the code is audited for back doors by multiple independent parties, but other than that I think this is fantastic.


> The Tor Browser Bundle is pretty persistent about updates.

That's assuming that the Tor Browser Bundle (and Tails) will include it. I'm curious what they will decide.



