> On Tue, 09 Jun 2015 20:49:33 +0000, [email protected] wrote:
> ...
>> 2) Use a new identity until you get an exit node that either lets you
>> proceed with no captcha at all or gets google to display two clear words
>> instead of the fuzzy ones. The clear words are recognized when you enter
>> them correctly. This happens with around 5-10% of exit nodes.
>
> About the last two weeks I only got the house number captchas;
> before that mostly the easy letter captchas; the hard ones
> I mostly get on hacker news (not via cloudflare).
>
> ...

The house number captchas only happen when you allow javascript. With javascript off you mostly get the very difficult to read captchas. No matter how carefully you solve them, you are just presented with two captchas again, on and on.

>> network and, with the cooperation of cloudflare/google, allowing these
>> exit nodes to work well with the captcha system in order to force Tor
>> users to exit through them.
>
> Why would at least cloudflare want to do that? They already
> have the user at a place where they can trivially MITM them;
> even for SSL connections that they terminate.
>
> Andreas
>
> --

I hope they don't, but it's just a worst case scenario that should be taken into account. Even though they can redirect you from https://1111.com to https://11l1.com if they wish and MITM you from there, provided you don't notice the address substitution, I don't think they could do such an attack if you make sure that you are using the SSL version of the site and no letter is changed. They probably would not be able to deanonymize you if they succeeded in such an attack either, if you don't provide information to do so. On the other hand, if they make you execute malicious javascript code or bias your selection of exit nodes, they could succeed.

Anyway, I do not think this is a Cloudflare problem. I think it is google's captcha system that is responsible for this. There are websites that present google's captcha independently of Cloudflare and, if you have javascript off, you get exactly the same problem: you are presented the fuzzy two word captchas and no matter how carefully you solve them, you are just presented with another captcha over and over again.

Someone should ask google: PLEASE, ALLOW YOUR CAPTCHAS TO BE SOLVED WITH JAVASCRIPT OFF AGAIN. If google is not intentionally doing this, there must be a bug in their captcha system they have not been made aware of.

> "Totally trivial. Famous last words."
> From: Linus Torvalds <torvalds@*.org>
> Date: Fri, 22 Jan 2010 07:29:21 -0800
> --
> tor-talk mailing list - [email protected]
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
