Do Captchas Make it Easy to ID Anonymous Web Users?

CloudFlare has updated how its services challenge Tor users

An anonymous bug report posted to Cryptome with dark undertones.

An anonymous bug report posted to Cryptome with dark undertones.

Sometimes, read the comments.

There’s been a lot of upvoting over the last couple days on sites like HackerNews and Reddit for a post on Cryptome. The post suggests that sites contracting with CloudFlare inadvertently make it easier to identify visitors using the Tor browser; however, readers that get past the headline will find multiple comments asking whether there really anything new in the post.

Cryptome cofounder John Young confirmed via email that the message came from an anonymous correspondent, who wrote, “Cloudflare’s insistence on solving reCAPTCHA puzzles when visitors are coming from Tor exit nodes to one of the 2 million web sites that Cloudflare ‘protects’ can be very instrumental for traffic analysis and de-anonymizing of Tor users.”

Beneath the Hacker News post, @tedunangst wrote, “I didn’t see anything that makes it unique to ReCaptcha. Any fingerprint-able traffic pattern that can be observed coming and going will work.”

“The captchas get generated on our side. It’s over a secure connection,” Matthew Prince, CEO of CloudFlare said in a phone call. “I can’t think of any way this would provide additional info that would allow you to triangulate the Tor user.”

CloudFlare provides website performance enhancement and security to customers worldwide. It’s known, in particular, for thwarting denial-of-service (DOS) attacks. To protect its customers, it keeps a record of IP addresses known to be used for spam, botnets and other malicious behavior. If a visitor arrives at a site using a less secure browser, CloudFlare can identify that visitor as a human and won’t serve him or her a captcha.

However, Tor is a browser that anonymizes users by directing their traffic through multiple servers, under layers of encryption, so CloudFlare can’t identify them as human. That’s why it often requires these users to complete a ReCaptcha (those tests where you get asked to identify all the photos with soup or all the street signs, made by Google), to prove they are human. This downgrades the user experience, creating tension between Tor users and CloudFlare, as Motherboard has reported.

This new report raises an additional question: do ReCaptchas make Tor users somewhat easier to identify in a traffic analysis attack? In those attacks, someone with a large degree of visibility on the network (that is, someone with a lot of resources, such as a large ISP, a telecom or a nation-state) can match activity and entry points and exit points, in order to match users with websites visited.

In 2014, a group of researchers conducted an experimental, controlled study of devices on a lab-based Tor network, testing whether or not artificial perturbations in traffic flow at the entry point could be detected at the exit point.

The Cryptome post argues that ReCaptchas create a similar, artificial perturbation. “The idea is somewhat similar to what we explored,” Sambuddho Chakravarty, lead author of the 2014 study wrote the Observer in an email. “There are a lot of factors involved—sample frequency, position of the adversary, the entry and exit nodes being used and the bandwidth achieved by the client, the duration of the experiment etc.”

Subsequent to the study, a blog post on the Tor project wrote, “The Tor network design, however, does not protect against a targeted attack by a global passive adversary (such as the NSA).”

“This is not anything new,” Roger Dingledine, Tor co-founder, wrote the Observer in an email, via a spokesperson.

Prince acknowledged the Tor communities frustration with his company’s defenses in a March blog post. Since then, he said that CloudFlare has been collaborating with Tor and ReCaptcha’s owner, Google, to improve the user experience for web users that want to browse anonymously. For example, “we’ve ensured that a Tor user would never receive more than one captcha,” he said.

Prince does not believe that captchas make it any easier for an adversary with a wide view of the network to de-anonymize Tor users, but he volunteered that his company would take action to plug such a leak if evidence were found.