[tor-bugs] #15967 [Obfuscation/BridgeDB]: Separate BridgeDB's CAPTCHA into another service

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 18 14:27:11 UTC 2017


#15967: Separate BridgeDB's CAPTCHA into another service
-------------------------------------------------+-------------------------
 Reporter:  isis                                 |          Owner:  isis
     Type:  enhancement                          |         Status:
                                                 |  needs_revision
 Priority:  Medium                               |      Milestone:
Component:  Obfuscation/BridgeDB                 |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  bridgedb-https captcha tor-launcher  |  Actual Points:  2
  ooni-probe                                     |
Parent ID:                                       |         Points:  2
 Reviewer:                                       |        Sponsor:
                                                 |  SponsorM
-------------------------------------------------+-------------------------

Comment (by mcs):

 Replying to [comment:4 isis]:
 > Couple things I realised I should do:
 >
 >  * There should be a 'version' field in every JSON thing so that we can
 add things later if we need to.

 That seems like a good idea even if we never end up changing it (with JSON
 you have a lot of flexibility to add fields as needed without necessarily
 bumping the version).

 >  * There should probably be a 'type' field in every JSON thing so that
 we know which part of the protocol it is.

 Seems like a good idea and having it may also aid in debugging the
 protocol.

 >  * The JSON in the `data` URL parameter should be en-/de- coded as URL-
 safe base64. (And it should probably just be in the body of the POST
 request?)

 I like the idea of putting the response in the POST request, but maybe it
 is small so it doesn't matter much? That raises another issue: Kathy and I
 don't know exactly what the response will look like. Will all of the
 CAPTCHAs be similar to the ones that are currently used by bridgedb?
 E.g.:
  https://bridges.torproject.org/bridges?transport=obfs4
 In any case, Tor Launcher will need to know how to present the image and
 what kind of response to ask the user for (e.g., text).

 Also, maybe the server should return the "Enter the characters from the
 image above" prompt text so the server has more flexibility about that
 form of the CAPTCHA (or is the in the challenge field?) One challenge is
 localization of the prompt. The server could respect the Accept-Language
 header, but that is not necessarily correct for Tor Browser due to our
 English language spoofing feature. Hmmm.

 > Also, in order to conform to [http://jsonapi.org/format/ the JSON API
 standard], I need to change the following things:
 > ...

 That looks like a lot of complexity, but it might be worthwhile if we are
 going to have more JSON messages. I assume we will, e.g., Tor Launcher
 will request bridges from moat via a JSON request.

 > Also, it just occurred to me that Tor Launcher should probably just talk
 to the moat server, which will talk to farfetchd. For the CAPTCHA stuff
 moat will just be passing things between Tor Launcher and farfetchd so the
 concerns about the API here are still relevant.

 I was going to ask about that... requesting a CAPTCHA and solving it is
 not useful unless the server that cares about the CAPTCHA is involved,
 right? Is there a document available that shows how the pieces will fit
 together? If not, we should create one.

 One more comment on your proposed API: Kathy and I would prefer error
 codes (numbers) rather than error strings, or at least a code plus a
 string. We will want to localize the errors that are displayed by Tor
 Launcher. It looks like the JSON API format includes this concept because
 error responses have a code as well as title and detail strings.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15967#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list