Delivery-Date: Tue, 09 Jun 2015 17:31:43 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id EAF6F1E0FF3;
	Tue,  9 Jun 2015 17:31:37 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 5FF22350E6;
	Tue,  9 Jun 2015 21:31:32 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id E4879350E1
 for <tor-talk@lists.torproject.org>; Tue,  9 Jun 2015 21:31:28 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id zioyhLn9Jmlj for <tor-talk@lists.torproject.org>;
 Tue,  9 Jun 2015 21:31:28 +0000 (UTC)
Received: from mx1.sigaint.org (mx1.sigaint.org [185.10.58.250])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx1.sigaint.org", Issuer "mx1.sigaint.org" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id F398C350DF
 for <tor-talk@lists.torproject.org>; Tue,  9 Jun 2015 21:31:21 +0000 (UTC)
Received: from sigaintevyh2rzvw.onion (localhost [127.0.0.1]);
 by localhost (OpenSMTPD) with ESMTP id d7c15760;
 for <tor-talk@lists.torproject.org>;
 Tue, 9 Jun 2015 21:31:11 +0000 (UTC)
Received: from 127.0.0.1 (HTTP authenticated user m8asyom80)
 by localhost with HTTP; Tue, 9 Jun 2015 21:31:11 -0000
Message-ID: <62fcf8bbf4616d8d97b8316b25dee331.webmail@localhost>
In-Reply-To: <20150609210458.GA3541@inner.h.apk.li>
References: <cc105048a5f578a05101688c96cbaeea.webmail@localhost>
 <20150609210458.GA3541@inner.h.apk.li>
Date: Tue, 9 Jun 2015 21:31:11 -0000
From: m8asyom80@sigaint.org
To: tor-talk@lists.torproject.org
MIME-Version: 1.0
X-Priority: 3 (Normal)
Importance: Normal
Subject: Re: [tor-talk] Cloudflare's captcha problems: google's fault
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

> On Tue, 09 Jun 2015 20:49:33 +0000, m8asyom80@sigaint.org wrote:
> ...
>> 2) Use a new identity until you get an exit node that either lets you
>> proceed with no captcha at all or gets google to display two clear words
>> instead of the fuzzy ones. The clear words are recognized when you enter
>> them correctly. This happens with around 5-10% of exit nodes.
>
> About the last two weeks I only got the house number captchas;
> before that mostly the easy letter captchas; the hard ones
> I mostly get on hacker news (not via cloudflare).
>
> ...

The house number captchas only happen when you allow javascript. With
javascript off you mostly get the very difficult to read captchas. No
matter how carefully you solve them, you are just presented with two
captchas again on and on.



>> network and, with the cooperation of cloudflare/google, allowing these
>> exit nodes to work well with the captcha system in order to force Tor
>> users to exit through them.
>
> Why would at least cloudflare want to do that? They already
> have the user at a place where they can trivially MITM them;
> even for SSL connections that they terminate.
>
> Andreas
>
> --

I hope they don't but it's just a worst case scenario that should be taken
into account. Even though they can redirect you from https://1111.com to
https://11l1.com if they wish and MTIM you from there, provided you don't
notice the address substitution, I don't think they could do such attack
if you make sure that you are using the SSL version of the site and no
letter is changed. They probably would not be able to deanonymize you if
they succeeded in such attack either if you don't provide information to
do so. On the other hand, if they make you execute malicious javascript
code or bias your selection of exit nodes, they could succeed.

Anyway, I do not think this is a Cloudflare problem. I think it is
google's captcha system that is responsible for this. There are websites
that present google's captcha independently of Cloudflare and, if you have
javascript off, you get exactly the same problem: you are presented the
fuzzy two word captchas and no matter how carefully you solve them, you
are just presented with another captcha over and over again.

Someone should ask google: PLEASE, ALLOW YOUR CAPTCHAS TO BE SOLVED WITH
JAVASCRIPT OFF AGAIN. If google is not intentionally doing this, there
must be a bug in their captcha system they have not been made aware of.


> "Totally trivial. Famous last words."
> From: Linus Torvalds <torvalds@*.org>
> Date: Fri, 22 Jan 2010 07:29:21 -0800
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

