Cloudflare reCAPTCHA De-anonymizes Tor Users
https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm
18 July 2016
Cloudflare reCAPTCHA De-anonymizes Tor Users
A sends:
Cloudflare's insistence on solving reCAPTCHA puzzles when visitors are coming from Tor exit nodes to one of the 2 million web sites that Cloudflare 'protects' can be very instrumental for traffic analysis and de-anonymizing of Tor users.
This is how:
The only non-public prerequisite for the de-anonymizing entity is the ability to monitor traffic between ISPs and Tor entry nodes, and traffic entering Cloudflare servers (no decryption required in either case). There are, of course, no 2 million Cloudflare servers; probably there are no more than a few hundred.
Each click on one of the images in the puzzle generates a total of about 50 packets between the Tor user's computer and Cloudflare's server (about half are requests and half are real-time responses from the server). All this happens in less than a second, so eventual jitter introduced in onion mixing is immaterial. The packet group has predictable sizes and patterns, so all the adversary has to do is note the easily detectable signature of the "image click" event, and correlate it with the same on the Cloudflare side. Again, no decryption required.
There likely are many simultaneous users (thousands), but they do not solve puzzles at the same time, and they do not click on the puzzle image at the same time. Simple math shows that disambiguating is trivial. If there is some ambiguity left, Cloudflare can conveniently serve a few more images to specific users (or even random users, as long as within the same few seconds different users get a different number of 'correct' images).
This obvious opportunity is not proof, but the NSA would have to be utterly incompetent not to be exploiting it. No one is that incompetent.
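As an added worked model that is not part of the thread, here is one way to write down the "simple math" the post alludes to. It assumes (my assumptions, not the author's) that each user's click bursts form an independent Poisson process, that an observer matches burst timing to within a +/- window, and that the k bursts of one puzzle session are spaced further apart than that window; the rates, user counts and window below are constructed scenarios.

```python
"""Toy model of the 'simple math' in the post: how often a sub-second
click burst from one Tor user could be confused with another user's.
Assumptions (not from the post): every user's click bursts form an
independent Poisson process; burst timing is matched to within a
+/- window; the k reference bursts are spaced further apart than 2*window."""
import math


def single_window_match(rate_per_sec: float, window_sec: float) -> float:
    """P(a competing user emits a burst inside one +/- window interval)."""
    return 1.0 - math.exp(-2.0 * rate_per_sec * window_sec)


def ambiguity_probability(users: int, rate_per_sec: float,
                          window_sec: float, bursts_per_puzzle: int) -> float:
    """P(at least one other user matches all k bursts of a puzzle session).

    A competitor is indistinguishable only if it produces a burst in each
    of the k disjoint timing windows; with independent increments that is
    the per-window probability raised to k. Over users-1 competitors,
    P(any) = 1 - (1 - p_k)^(users-1).
    """
    if users < 2 or bursts_per_puzzle < 1:
        return 0.0
    p_k = single_window_match(rate_per_sec, window_sec) ** bursts_per_puzzle
    return 1.0 - (1.0 - p_k) ** (users - 1)


def risk_table(rates, user_counts, window_sec, bursts_per_puzzle):
    """Ambiguity for each (rate, users) pair; constructed scenarios only."""
    return {(r, n): ambiguity_probability(n, r, window_sec, bursts_per_puzzle)
            for r in rates for n in user_counts}


if __name__ == "__main__":
    # Constructed parameters: a 50 ms timing window, users starting a
    # puzzle every few minutes, and either several bursts per puzzle
    # (traffic on every click) or a single burst (traffic only on
    # submit, as rysiek reports later in the thread with JS disabled).
    for k, label in ((4, "4 bursts per puzzle"), (1, "1 burst per puzzle")):
        print(label)
        for (r, n), p in sorted(risk_table([0.005], [100, 1000, 10000], 0.05, k).items()):
            print(f"  users={n:6d} rate={r}/s  P(ambiguous)={p:.2e}")
```

The point the table makes is that every additional distinct burst per session multiplies the per-competitor match probability, so collapsing a session into one burst leaves far more users who could plausibly be the source.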
On 07/19/2016 02:42 AM, grarpamp wrote:
I pointed out this possibility regarding Hushmail in February 2015.
http://auntieimperial.tumblr.com/post/111007562804
http://66.media.tumblr.com/acc793091fadb7eabc16dbf9705b2be3/tumblr_njs0wgovE...
It's especially treacherous if you do have something to hide, and it helps them tune their shit if you log in on Tor, and also barefoot, at different times.
On Tuesday, 19 July 2016 05:42:17 CEST, grarpamp writes:
Each click on one of the images in the puzzle generates a total of about 50 packets between the Tor user's computer and Cloudflare's server (about half are requests and half are real-time responses from the server).
Hummm, but what if JS is turned off (is anyone using Tor with JS turned on?). Not defending CloudFlare here (not a fan of centralised services like this), just wondering.
In fact, I just tested it in the Tor Browser with JS disabled (as it is by default). No traffic was generated upon clicking on images -- only after hitting "submit". Not much better, but a bit better nonetheless, I guess.
--
Regards,
Michał "rysiek" Woźniak
I am changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147