Cloudflare reCAPTCHA De-anonymizes Tor Users

grarpamp grarpamp at
Tue Jul 19 02:42:17 PDT 2016

 18 July 2016

Cloudflare reCAPTCHA De-anonymizes Tor Users

A sends:

Cloudflare's insistence on solving reCAPTCHA puzzles when visitors are
coming from Tor exit nodes to one of the 2 million web sites that
Cloudflare 'protects' can be very instrumental for traffic analysis
and de-anonymizing of Tor users.

This is how:

The only non-public prerequisite for the de-anonymizing entity is the
ability to monitor traffic between ISPs and Tor entry nodes, and
traffic entering Cloudflare servers (no decryption required in either
case). There are, of course, no 2 million Cloudflare servers, probably
there is no more than few hundred.

Each click on one of the images in the puzzle generates a total of
about 50 packets between Tor user's computer and the Cloudflare's
server (about half are requests and half are real-time responses from
the server.) All this happens in less than a second, so eventual
jitter introduced in onion mixing is immaterial. The packet group has
predictable sizes and patterns, so all the adversary has to do is note
the easily detectable signature of the "image click" event, and
correlate it with the same on the Cloudflare side. Again, no
decryption required.

There likely are many simultaneous users (thousands), but they do not
solve puzzles at the same time, and they do not click on the puzzle
image at the same time. Simple math shows that disambiguating is
trivial. If there is some ambiguity left, Cloudflare can conveniently
serve few more images to specific users (or even random users, as long
as within the same few seconds different users get different amount of
'correct' images.)

This obvious opportunity is not the proof, but NSA would have to be
utterly incompetent not to be exploiting it. No one is that

More information about the cypherpunks mailing list