Solving the Cloudflare CAPTCHA (RWC2017)

Transcript

1. Solving the Cloudflare CAPTCHA Alex Davidson RHUL George Tankersley Cloudflare

   Filippo Valsorda Cloudflare

2. Solving the Cloudflare CAPTCHA Don’t click the post!

3. CAPTCHAs are actually hard Many assumptions: • Culture • Language

   • Vision/hearing • Mobility • Social class Define “house” or “storefront” for everyone?

4. What’s a Cloudflare?

5. Tor Browser obscures these signals

6. Why do we serve CAPTCHAs? Mostly, IP reputation of the

   Tor exits Prior attack sightings lead to poor reputation Thus, traffic from exits gets a CAPTCHA

7. Tor users get a lot of CAPTCHAs

8. Feel the love Image credit:

9. It’s getting better!

10. Blocking innocent Tor users is a problem

11. What we’ve tried • Intentionally blacklisted the office IP reputation

    • reCAPTCHA v2 (which backfired - sorry!) • Customer sites can whitelist Tor network as a “country” • Altered the internal treatment of Tor traffic • … some clever crypto thing?

12. Requirements We need to meet security requirements of both Cloudflare

    and Tor Browser • CAPTCHA solutions allow a finite number of subsequent redemptions • Unlinkable tokens • Don’t require persistent client state / disk storage • Resists farming • Resists double-spend with minimal server state • Relatively efficient server computations • Deployable in a browser extension, in Javascript, in an auditable manner

13. Look, a clever crypto thing!

14. Blind signatures for rate-limiting Tor Browser plugin + an edge

    service User solves a CAPTCHA and submits many blinded tokens for signing Later, unblinds and submits a token instead of solving CAPTCHA Users solve only one challenge per N websites visited Tokens are unlinkable, work cross-domain over multiple circuits unlike cookies Maintains Tor Browser’s strong first-party isolation

15. RSA? Really? Boring, reliable old Chaumian RSA plus elements from

    Google’s macaroons - not trying to innovate in algorithms Details here:

16. Future Directions But really- RSA? • Suggestions welcome! But it

    must be practical to deploy in a browser Anonymous credentials: • BLAC/BLACR (pairings? in a browser?) • “Algebraic MACs and Keyed-Verification Anonymous Credentials” Standardization: • This is generalizable to VPNs and carrier-grade NAT

17. Open Questions Deanonymization: does this create new vectors? Stockpiling: how

    do we limit token farming? Exhaustion: how to stop a malicious site from draining tokens?

18. Questions? Alex Davidson [email protected] George Tankersley [email protected] Filippo Valsorda [email protected]

    Comments? [email protected] Attacks? The next PETS deadline is February 28, 2017 Pull Requests?