[tor-access] Specification for bypassing CAPTCHAs using blinded tokens

Georg Koppen gk at torproject.org
Fri Oct 7 10:03:00 UTC 2016


Jeff Burdges:
> On Thu, 2016-10-06 at 12:49 +0000, Georg Koppen wrote:
>>> If properly implemented, then blind signatures from one session can
>>> safely be used with another session.**  
>>
>> Well, I assumed that blind signatures get properly implemented when
>> writing my mail. There is more, though. The idea behind New Identity 
>> is clearing browser state as well as this state risks leaking into the
>> new identity. "state" in this particular case would mean "having been
>> on a Cloudflare customer website before and having blinded tokens 
>> ready for spending". 
> 
> Yes, it leaks roughly a bit of information about the bipartite graph
> between users and site visits. And I mentioned a layered approach to
> Alex that leaks more than one.
> 
> These bits cannot compound across multiple page loads or site visits, as
> anyone who visits the site gets them, but certainly there are
> concerns:
> - These bits obviously compound with any information TBB or the user
> leaks to the site.
> - If multiple CDNs, etc. adopt this token based approach, then users can
> easily be deanonymized by the CDNs they have or have not used.
> - There is no way to safely use per site tokens as the differences
> across sites can be used to tag users.
> - We'd leak more if CloudFlare rotated their key.
> - The layered scheme for token withdrawal that I mentioned to Alex
> sounds more fragile now.
> 
> Very messy..
> 
> Thanks for pointing this out.  :)

You are welcome. :) I am not sure yet how much of the information
leakage you outlined above would still be an issue in case users did a
New Identity and only the signed tokens remained. But as I said that is
easily solvable: the tokens represent browser state and need to get
treated accordingly (i.e. deleted if a user requests a new identity).

> 
>> Having done New Identity might even be detectable by the edge
>> in this case, given that it could send a cookie after performing the
>> CAPTCHA request and signing the blinded tokens which would get cleared
>> by New Identity.
> 
> I donno if I understand this part, but there is an existing problem that
> the edge sees cookies from many sites, allowing them to correlate
> traffic to deanonymize users with purely the cookies.  I donno if these
> new edges cookies make that so much worse than cookies sites use
> anyways.

Sorry for being a bit dense. What I meant is that a user who has signed
tokens and tries to redeem one, but is *not* sending cookies back to the
edge (because they were cleared by New Identity), is a good indication
for an edge that the user just requested a New Identity. And I'd like to
avoid leaking that fact as well. (The probability that a Tor Browser user
is crawling into some obscure Firefox menu to delete the cookies more or
less manually, when New Identity is the better option anyway, seems
pretty low to me.)

Georg
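A toy model of the state problem discussed in this thread, added here as an example and not code from the thread, Tor Browser or Cloudflare. It uses textbook RSA blind signatures with tiny constructed parameters (p=61, q=53) purely to make the tokens concrete; the `Edge` and `Client` classes, the cookie name and the outcome labels are all assumptions. It shows the leak Georg describes (a redeemed token arriving without the edge's cookie singles out a user who just did New Identity) and the fix he proposes (tokens are browser state and are cleared together with the cookies, so the user looks exactly like a fresh visitor who must solve the CAPTCHA).

```python
"""Blinded CAPTCHA-bypass tokens as browser state (constructed toy model).

Tiny textbook RSA blind signature, for illustration only, never for real use.
"""
import secrets
from math import gcd

# Constructed toy RSA key of the "edge": n = 61 * 53, e*d = 1 mod phi(n)
N, E, D = 3233, 17, 2753


def blind(m, r):
    """Client hides message m behind blinding factor r (coprime to N)."""
    return (m * pow(r, E, N)) % N


def sign_blinded(blinded):
    """Edge signs the blinded value without learning m."""
    return pow(blinded, D, N)


def unblind(blinded_sig, r):
    """Client strips r to obtain a plain RSA signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(m, sig):
    return pow(sig, E, N) == m


def random_unit():
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r


class Edge:
    """Hypothetical CDN edge: issues tokens after a CAPTCHA, watches redemptions."""

    def __init__(self):
        self.spent = set()          # double-spend protection on the message m

    def issue(self, blinded_msgs):
        # The edge also sets a cookie, as in the scenario Georg describes.
        return [sign_blinded(b) for b in blinded_msgs], secrets.token_hex(8)

    def observe(self, token, cookie):
        if token is None:
            return "captcha_required"       # fresh user and cleared user look alike
        m, sig = token
        if not verify(m, sig) or m in self.spent:
            return "rejected"
        self.spent.add(m)
        if cookie is None:
            return "token_without_cookie"   # inconsistent state: likely New Identity
        return "token_with_cookie"


class Client:
    """Hypothetical browser profile holding cookies and unspent tokens."""

    def __init__(self):
        self.cookies = {}
        self.tokens = []                    # list of (m, signature)

    def solve_captcha(self, edge, count=3):
        msgs = [secrets.randbelow(N - 2) + 2 for _ in range(count)]
        blinders = [random_unit() for _ in msgs]
        sigs, cookie = edge.issue([blind(m, r) for m, r in zip(msgs, blinders)])
        self.tokens = [(m, unblind(s, r)) for m, s, r in zip(msgs, sigs, blinders)]
        self.cookies["edge_session"] = cookie

    def new_identity(self, clear_tokens):
        """New Identity always clears cookies; clear_tokens is the proposed fix."""
        self.cookies.clear()
        if clear_tokens:
            self.tokens.clear()

    def visit(self, edge):
        token = self.tokens.pop() if self.tokens else None
        return edge.observe(token, self.cookies.get("edge_session"))


def scenario(clear_tokens_on_new_identity):
    """Returns what the edge sees before and after New Identity."""
    edge, client = Edge(), Client()
    client.solve_captcha(edge)
    before = client.visit(edge)
    client.new_identity(clear_tokens_on_new_identity)
    return before, client.visit(edge)


if __name__ == "__main__":
    print("tokens kept across New Identity:   ", scenario(False))
    print("tokens cleared with New Identity:  ", scenario(True))
```

Running it shows `("token_with_cookie", "token_without_cookie")` when tokens survive New Identity, i.e. the edge can tell this user apart from both a returning user and a fresh one, and `("token_with_cookie", "captcha_required")` once tokens are treated as browser state, where the post-New-Identity request is indistinguishable from a first visit.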
