
[tor-talk] Cloudflare's captcha problems: google's fault



Up until recently cloudflare was annoying but all you had to do was
enter the correct captcha every now and then and you were free
otherwise. Even if you had to read the two fuzzy difficult words, if you
wrote them correctly you were allowed to proceed. In contrast, the problem
we have now is quite different: if you write the two fuzzy words
CORRECTLY, they are NOT RECOGNIZED and you are presented with two words again
and on and on, in an infinite loop. Therefore, there are only two things
you can do in order to proceed:

1) Allow javascript. This should be advised against if you do not want to
run the risk of executing deliberately malicious code.

2) Use a new identity until you get an exit node that either lets you
proceed with no captcha at all or gets google to display two clear words
instead of the fuzzy ones. The clear words are recognized when you enter
them correctly. This happens with around 5-10% of exit nodes.

There are two things that could be done in order to fix this problem.
Either get cloudflare to use a third-party captcha other than
google's so that you are allowed to continue when you write the correct
words. Or get google to fix their captcha system, so that it goes back to
the way it used to be months ago and lets you continue with
javascript off if you write the two fuzzy words you are asked.

Is this a bug in google's captcha system or is it intentional? Let's
speculate a little here. If it is intentional in order to try to
deanonymize Tor users, the attack could work this way:

1) If the user decides to allow javascript, this could lead to some
malicious code being executed on his computer.

2) If the user refuses to allow javascript, he will have no choice other
than to keep trying different exit nodes until he gets one that allows him to
proceed with javascript off. This induces a bias where the user is somehow
locked in to those 5-10% of exit nodes that work. Those behind this theoretical
attack might very well be introducing several cancer exit nodes into the Tor
network and, with the cooperation of cloudflare/google, allowing these
exit nodes to work well with the captcha system in order to force Tor
users to exit through them. This could work similarly to what Alex Biryukov
and Ivan Pustogarov discuss in the paper "Bitcoin over Tor isn't a good
idea", basically that it is possible for an attacker to cause Tor exit
nodes to be banned from the Bitcoin network, forcing Bitcoin nodes running
over Tor to connect using the attacker's exit node. Translated to
cloudflare's captcha problem: it would be possible for an attacker
(working in concert with Cloudflare/google) to cause Tor exit nodes to be
banned from important parts of the Tor network by presenting impossible-to-solve
Cloudflare/google captchas, forcing the user to exit through the
attacker's exit nodes. The only way to prevent this attack would be
allowing javascript, but that would in itself open the doors for a direct
attack through javascript code execution.

I hope the worst case scenario outlined above is not true. In that case,
could you get in touch with Cloudflare/google so that they allow access
again with javascript off? Would they listen?

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
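The selection bias the post describes can be put in numbers. The following is an added example, not code from the poster or from the Tor project: it models Tor's bandwidth-weighted exit choice over a constructed set of exits (names, weights and which ones "pass" the captcha are made up) and compares the attacker's share of traffic before and after a no-javascript user is forced to retry until a passing exit appears.

```python
import random

# Constructed exit list: (name, consensus bandwidth weight, passes captcha without JS).
# Weights and pass flags are invented for illustration, not measured from the network.
EXITS = [
    ("honest-1", 100, False), ("honest-2", 80, False), ("honest-3", 60, False),
    ("honest-4", 50, False), ("honest-5", 40, False), ("honest-6", 30, False),
    ("honest-7", 20, True),
    ("attacker-1", 20, True), ("attacker-2", 10, True),
]


def attacker_share(exits, only_passing):
    """Fraction of bandwidth-weighted exit selections landing on attacker relays.

    Tor picks an exit with probability proportional to its consensus weight, so
    the share is attacker weight divided by total weight of the eligible pool.
    With only_passing=True the pool shrinks to exits the captcha lets through,
    which is the situation of a user who refuses javascript.
    """
    pool = [e for e in exits if e[2]] if only_passing else exits
    total = sum(w for _, w, _ in pool)
    return sum(w for n, w, _ in pool if n.startswith("attacker")) / total


def expected_new_identity_attempts(exits):
    """Expected number of circuits a no-JS user builds before an exit passes.

    Each attempt succeeds independently with probability P(pass), so the count
    is geometric with mean 1 / P(pass).
    """
    total = sum(w for _, w, _ in exits)
    p_pass = sum(w for _, w, ok in exits if ok) / total
    return 1 / p_pass


def simulate_no_js_user(exits, trials, seed=1):
    """Monte Carlo of the 'new identity until the captcha passes' loop.

    Returns (fraction of sessions ending on an attacker exit, mean attempts).
    """
    rng = random.Random(seed)
    weights = [w for _, w, _ in exits]
    attacker_hits = attempts = 0
    for _ in range(trials):
        while True:
            attempts += 1
            name, _, ok = rng.choices(exits, weights=weights)[0]
            if ok:
                attacker_hits += name.startswith("attacker")
                break
    return attacker_hits / trials, attempts / trials
```

With these constructed weights the attacker holds about 7% of exit bandwidth overall but 60% of the captcha-passing pool, and a user who refuses javascript needs roughly eight retries per page on average.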