Up until recently Cloudflare was annoying, but all you had to do was enter the correct captcha every now and then and you were free otherwise. Even if you had to read the two fuzzy, difficult words, if you wrote them correctly you were allowed to proceed. In contrast, the problem we have now is quite different: if you write the two fuzzy words CORRECTLY, they are NOT RECOGNIZED and you are presented with two words again and on and on, in an infinite loop. Therefore, there are only two things you can do in order to proceed:

1) Allow JavaScript. This should be advised against if you do not want to run the risk of executing deliberately malicious code.
2) Use a new identity until you get an exit node that either lets you proceed with no captcha at all or gets Google to display two clear words instead of the fuzzy ones. The clear words are recognized when you enter them correctly. This happens with around 5-10% of exit nodes.

There are two things that could be done in order to fix this problem. Either get Cloudflare to use a third-party captcha other than Google's so that you are allowed to continue when you write the correct words. Or get Google to fix their captcha system, so that it goes back to the way it used to be months ago and lets you continue with JavaScript off if you write the two fuzzy words you are asked for.

Is this a bug in Google's captcha system or is it intentional? Let's speculate a little here. If it is intentional in order to try to deanonymize Tor users, the attack could work this way:

1) If the user decides to allow JavaScript, this could lead to some malicious code being executed on his computer.
2) If the user refuses to allow JavaScript, he will have no choice other than to keep trying different exit nodes until he gets one that allows him to proceed with JavaScript off. This induces a bias where the user is somehow locked into those 5-10% of exit nodes that work.

Those behind this theoretical attack might very well be introducing several cancer exit nodes into the Tor network and, with the cooperation of Cloudflare/Google, allowing these exit nodes to work well with the captcha system in order to force Tor users to exit through them. This could work similarly to what Alex Biryukov and Ivan Pustogarov discuss in the paper "Bitcoin over Tor isn't a good idea", basically that it is possible for an attacker to cause Tor exit nodes to be banned from the Bitcoin network, forcing Bitcoin nodes running over Tor to connect using the attacker's exit node.

Translated to Cloudflare's captcha problem: it would be possible for an attacker (working in concert with Cloudflare/Google) to cause Tor exit nodes to be banned from important parts of the Tor network by presenting impossible-to-solve Cloudflare/Google captchas, forcing the user to exit through the attacker's exit nodes. The only way to prevent this attack would be allowing JavaScript, but that would in itself open the doors for a direct attack through JavaScript code execution.

I hope the worst-case scenario outlined above is not true. In that case, could you get in touch with Cloudflare/Google so that they allow access again with JavaScript off? Would they listen?
