[tor-bugs] #24607 [Circumvention/BridgeDB]: CAPTCHAs on BridgeDB seem to be getting more difficult

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 16 18:39:07 UTC 2019


#24607: CAPTCHAs on BridgeDB seem to be getting more difficult
-------------------------------------------------+-------------------------
 Reporter:  alison                               |          Owner:  (none)
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:
Component:  Circumvention/BridgeDB               |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  anti-censorship-roadmap-november,    |  Actual Points:
  s30-o22a2                                      |
Parent ID:  #31279                               |         Points:  5
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor30-must
-------------------------------------------------+-------------------------

Comment (by phw):

 Let's use this ticket to coordinate the future of BridgeDB's CAPTCHA.
 BridgeDB currently uses [https://github.com/isislovecruft/gimp-captcha
 gimp-captcha] to generate CAPTCHAs.

 * We believe that the GFW maintains a bot (which, ironically, uses Tor)
 that is successfully crawling BridgeDB while maintaining a CAPTCHA success
 rate that easily outperforms people. Not only does our CAPTCHA harm
 usability (see also #10831), it also fails in the face of a real-world
 adversary.

 * Google provides a [https://developers.google.com/recaptcha/docs/v3
 reCAPTCHA v3 API], which returns an anomaly score in the interval [0, 1]
 for each request, without any kind of friction. Ignoring for now that this
 is a Google service, it may be an option for BridgeDB's HTTPS distributor
 but not for moat or email.

 * There is plenty of research on new CAPTCHA schemes, sometimes leveraging
 more complex domains like video or adversarial examples, which are meant
 to confuse classifiers. None of these systems seems likely to make a
 difference in the long term.

 We are in a particularly difficult situation because our CAPTCHA needs to
 work for a highly diverse set of people.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24607#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

