[tor-talk] Cloudflare's captcha problems: google's fault

m8asyom80 at sigaint.org m8asyom80 at sigaint.org
Tue Jun 9 21:31:11 UTC 2015

> On Tue, 09 Jun 2015 20:49:33 +0000, m8asyom80 at sigaint.org wrote:
> ...
>> 2) Use a new identity until you get an exit node that either lets you
>> proceed with no captcha at all or gets google to display two clear words
>> instead of the fuzzy ones. The clear words are recognized when you enter
>> them correctly. This happens with around 5-10% of exit nodes.
> About the last two weeks I only got the house number captchas;
> before that mostly the easy letter captchas; the hard ones
> I mostly get on hacker news (not via cloudflare).
> ...

The house number captchas only happen when you allow javascript. With
javascript off you mostly get the very difficult to read captchas. No
matter how carefully you solve them, you are just presented with two
captchas again on and on.

>> network and, with the cooperation of cloudflare/google, allowing these
>> exit nodes to work well with the captcha system in order to force Tor
>> users to exit through them.
> Why would at least cloudflare want to do that? They already
> have the user at a place where they can trivially MITM them;
> even for SSL connections that they terminate.
> Andreas
> --

I hope they don't but it's just a worst case scenario that should be taken
into account. Even though they can redirect you from https://1111.com to
https://11l1.com if they wish and MTIM you from there, provided you don't
notice the address substitution, I don't think they could do such attack
if you make sure that you are using the SSL version of the site and no
letter is changed. They probably would not be able to deanonymize you if
they succeeded in such attack either if you don't provide information to
do so. On the other hand, if they make you execute malicious javascript
code or bias your selection of exit nodes, they could succeed.

Anyway, I do not think this is a Cloudflare problem. I think it is
google's captcha system that is responsible for this. There are websites
that present google's captcha independently of Cloudflare and, if you have
javascript off, you get exactly the same problem: you are presented the
fuzzy two word captchas and no matter how carefully you solve them, you
are just presented with another captcha over and over again.

JAVASCRIPT OFF AGAIN. If google is not intentionally doing this, there
must be a bug in their captcha system they have not been made aware of.

> "Totally trivial. Famous last words."
> From: Linus Torvalds <torvalds@*.org>
> Date: Fri, 22 Jan 2010 07:29:21 -0800
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

More information about the tor-talk mailing list