Cloudflare reCAPTCHA De-anonymizes Tor Users

Rayzer rayzer at riseup.net
Tue Jul 19 08:22:38 PDT 2016



On 07/19/2016 02:42 AM, grarpamp wrote:
> https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm
>
>  18 July 2016
>
> Cloudflare reCAPTCHA De-anonymizes Tor Users
>
> A sends:
>
> Cloudflare's insistence on solving reCAPTCHA puzzles when visitors are
> coming from Tor exit nodes to one of the 2 million web sites that
> Cloudflare 'protects' can be very instrumental for traffic analysis
> and de-anonymizing of Tor users.
>
> This is how:
>
> The only non-public prerequisite for the de-anonymizing entity is the
> ability to monitor traffic between ISPs and Tor entry nodes, and
> traffic entering Cloudflare servers (no decryption required in either
> case). There are, of course, not 2 million Cloudflare servers; there
> are probably no more than a few hundred.
>
> Each click on one of the images in the puzzle generates a total of
> about 50 packets between the Tor user's computer and Cloudflare's
> server (about half are requests and half are real-time responses from
> the server.) All this happens in less than a second, so eventual
> jitter introduced in onion mixing is immaterial. The packet group has
> predictable sizes and patterns, so all the adversary has to do is note
> the easily detectable signature of the "image click" event, and
> correlate it with the same on the Cloudflare side. Again, no
> decryption required.
>
> There likely are many simultaneous users (thousands), but they do not
> solve puzzles at the same time, and they do not click on the puzzle
> image at the same time. Simple math shows that disambiguating is
> trivial. If there is some ambiguity left, Cloudflare can conveniently
> serve a few more images to specific users (or even random users, as long
> as within the same few seconds different users get a different number of
> 'correct' images.)
>
> This obvious opportunity is not the proof, but NSA would have to be
> utterly incompetent not to be exploiting it. No one is that
> incompetent.
>

I pointed out this possibility regarding Hushmail in February 2015.

http://auntieimperial.tumblr.com/post/111007562804

http://66.media.tumblr.com/acc793091fadb7eabc16dbf9705b2be3/tumblr_njs0wgovEO1r9ju7do2_1280.png

It's especially treacherous if you do have something to hide, and helps
them tune their shit, if you log in on Tor, and also barefoot, at
different times.
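The quoted post argues the correlation by hand ("simple math shows that disambiguating is trivial"). The following toy model, added here and not part of either poster's message, makes the argument concrete: it constructs random click times for a population of simultaneous Tor users, lets two passive observers record the resulting bursts (one between client and guard, keyed by client address; one in front of Cloudflare, keyed by an opaque session), and links sessions to clients by arrival time alone. The user count, click count, one-way Tor delay bound and matching window are assumptions chosen for illustration, not figures from the post. It also shows the effect of the post's "serve a few more images" trick: a single click leaves many ties, while a handful of clicks from the same session resolves them.

```python
"""Toy model of the burst-timing correlation described in the post (constructed data).

Two passive vantage points see the same "image click" burst: once between the
client and its Tor guard (keyed by client address) and once in front of
Cloudflare (keyed by an opaque session id).  Matching bursts by arrival time
links session to client without touching any ciphertext.
"""
import bisect
import random
from collections import Counter

MAX_TOR_DELAY = 0.5   # seconds; ASSUMED bound on one-way client->Cloudflare delay
MATCH_WINDOW = 1.0    # seconds; ASSUMED how far back to look for the entry-side burst


def simulate(n_users, clicks_per_user, duration, seed=1):
    """Constructed sample: each user clicks `clicks_per_user` times at random
    moments within `duration` seconds.  Returns (entry_obs, cf_obs, truth)."""
    rng = random.Random(seed)
    # Entry side (ISP -> guard): bursts keyed by the client's own address.
    entry = {u: sorted(rng.uniform(0, duration) for _ in range(clicks_per_user))
             for u in range(n_users)}
    users = list(entry)
    rng.shuffle(users)                       # session ids carry no client identity
    truth = {sid: u for sid, u in enumerate(users)}   # hidden from the attacker
    # Cloudflare side: each burst arrives after a small, variable Tor delay.
    cf = {sid: sorted(t + rng.uniform(0.1, MAX_TOR_DELAY) for t in entry[u])
          for sid, u in truth.items()}
    return entry, cf, truth


def correlate(entry, cf):
    """Link each Cloudflare-side session to the client whose entry-side bursts
    best explain its arrival times.  Returns {sid: user, or None if tied}."""
    # Flatten entry-side bursts into one time-sorted index for window lookups.
    events = sorted((t, u) for u, times in entry.items() for t in times)
    keys = [t for t, _ in events]
    linked = {}
    for sid, times in cf.items():
        score = Counter()
        for t in times:
            lo = bisect.bisect_left(keys, t - MATCH_WINDOW)
            hi = bisect.bisect_left(keys, t)
            # A client counts once per Cloudflare-side burst it could explain.
            for u in {u for _, u in events[lo:hi]}:
                score[u] += 1
        best = score.most_common(2)
        if len(best) > 1 and best[0][1] == best[1][1]:
            linked[sid] = None               # tie: more clicks would resolve it
        else:
            linked[sid] = best[0][0]
    return linked


def evaluate(n_users, clicks_per_user, duration=600.0, seed=1):
    """Run one simulation and return (correct, ambiguous, total) link counts."""
    entry, cf, truth = simulate(n_users, clicks_per_user, duration, seed)
    linked = correlate(entry, cf)
    correct = sum(1 for sid, u in linked.items() if u == truth[sid])
    ambiguous = sum(1 for u in linked.values() if u is None)
    return correct, ambiguous, len(truth)


if __name__ == "__main__":
    for clicks in (1, 3, 5):
        c, a, n = evaluate(500, clicks)
        print(f"{clicks} click(s): linked {c}/{n} correctly, {a} ambiguous")
```

With one click per session, any other user who happened to click within the matching window produces a tie, so a large share of sessions stay unresolved; with five clicks the true client is the only one whose bursts precede all five Cloudflare-side bursts, and every session is linked. Lengthening the window or adding real jitter weakens the attack only until the observer collects a few more clicks, which is exactly the lever the post says Cloudflare holds.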



