
Re: Google and Tor.

Thus spake Aplin, Justin M (jmaplin@xxxxxxx):

> On 8/25/2010 8:52 PM, Mike Perry wrote:
> >Thus spake Matthew (pumpkin@xxxxxxxxx):
> >
> >   
> >>  On numerous occasions when using Google with Tor (yes, I know there are
> >>other options like Scroogle) it claims I might be sending automated queries
> >>and gives me a CAPTCHA.  Sometimes this allows me to search; other times I
> >>am caught in a loop and am constantly sent back to the CAPTCHA screen.
> >>     
> >This has been a known problem with Google for ages.
> >   
> (snip)
> Really? I've never had this problem until recently. For about 2 years 
> now every Google CAPTCHA I've run into has been uneventful and let me 
> through after the first try, only in the past month or so have I been 
> getting caught in the "CAPTCHA loop".

Various horrible behaviors have come and gone with this captcha system
over the past 3 years or so. Sometimes you just get a 403 with no
captcha, sometimes you have to solve a captcha, sometimes 2 captchas,
sometimes infinite captchas, and sometimes it forgets your query and
you have to start the whole process over again from a Google landing

My point is that the whole system is problematic on a number of
levels. I also personally believe that there are better ways of rate
limiting and screening queries from high-user count IPs that do not
involve cookies or captchas.

I also question Google's threat model on this feature. Sure, they want
to stop people from programmatically re-selling Google results without
an API key in general, but there is A) no way people will be reselling
Tor-level latency results, B) no way they can really expect determined
competitors not to do competitive analysis of results using private IP
ranges large enough to avoid DoS detection, C) no way that the total
computational cost of the queries coming from Tor can justify denying
so many users easy access to their site.

This is why I'd love a chance to meet with the DoS team to discuss
some of these points. However, I get the strong impression it is a
very secretive group that is especially wary of discussing their
methods, reasoning, or analysis with anyone else, and is generally
given a blank check to enact policy without proper in-depth
cost/benefit analysis because its actions are "for security".

Mike Perry
Mad Computer Scientist
fscked.org evil labs
