Bitcoin Forum
Author Topic: Google is locking Tor users out of Bitcointalk.org!  (Read 722 times)
nullius (OP)
December 08, 2017, 08:42:59 PM
 #1

Google is locking Tor users out of Bitcointalk.org!  On my current login, I was forced to try seventeen (17) different circuits before Google deigned to grant me a CAPTCHA; see below.  I didn’t precisely time the whole process, because I didn’t expect this from the beginning; but it took me well over ten minutes.  In practical substance, that’s a lockout.  How many people would (or should!) spend over ten minutes trying to log into a web forum?

I’m obstinate.  I also have sufficient knowledge that I would never give up in desperation and log in without Tor, thus committing a privacy cardinal sin.  How many inexpert users are deanonymizing themselves because of this?

Satoshi was a Tor user.  Satoshi would be effectually locked out right now; do you think he would spend over ten minutes trying to log in, with no guarantee of when or if he would succeed?

I post this to bring the issue to administrative attention.  I know that theymos is caught between the proverbial rock and hard place, with damaging abuse on one side and a principled respect for privacy on the other.  I appreciate this forum’s general friendliness toward Tor users; and I may have a constructive suggestion to make, suitable for a different thread.  Meanwhile, I urge admins to keep a close eye on this situation—and realize that Tor users may be disappearing, or worse, shooting themselves in the foot.



An unavoidable question rises:  Is Google doing this specifically to Tor users on Bitcointalk?  That would make a most excellent means of discouraging Bitcoin+Tor use, and also of deanonymizing many people who will give up and log in with their “real” IPs.  That last threat is now worse, since Cloudflare can trivially link IPs to usernames.  An anti-Tor deterrent on Bitcointalk.org is bound to compromise many people.

By comparison, is Google also refusing to serve CAPTCHAs to Tor users on other sites generally?  I wouldn’t know.  I always use Tor, but I usually boycott sites which try to CAPTCHA me.



For the record, this is what happened on my current login.

On circuit { 0 /* initial load */, 1, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15 }, Google made the familiar allegation of “automated queries”:


On circuit 2, Google spat at me a bizarre message I had not theretofore seen:


On circuit 14, I probably hit a BadExit:


On circuit 16—the seventeenth circuit, as C programmers will understand—Google finally granted me the high privilege of driving a self-driving car via multiple long “challenges”, one after another.  Is Google psyching Tor users to be grateful to get CAPTCHAed?


N.b. that this could in no way be targeted at me, even if Google could somehow XSS out the login form info.  I habitually complete the CAPTCHA first, before filling in my username and password.

minifrij
December 08, 2017, 09:09:01 PM
 #2

The problem comes in the lack of a viable alternative. Google's captcha sucks for several reasons, but it's one of the few captchas on the market that offer a good anti-bot solution for free.
I'm sure that theymos would be happy to implement another provider if one was provided; I can't imagine he too much likes Google monitoring the site.
nullius (OP)
December 08, 2017, 09:34:42 PM
 #3

The problem comes in the lack of a viable alternative. Google's captcha sucks for several reasons, but it's one of the few captchas on the market that offer a good anti-bot solution for free.
I'm sure that theymos would be happy to implement another provider if one was provided; I can't imagine he too much likes Google monitoring the site.

I know.  Rather like theymos “admitting defeat” when moving behind Cloudflare.  He must keep the site running against the earnest ill-wishes of Internet arsonists; and in case it was not sufficiently clear, I do fully understand the difficulty of his position here.

Yet current lack of a better solution does not change the cold, hard fact that this is locking out legitimate users—and worse, causing some to fire the footgun of mixed Tor/non-Tor use.  That needs to be faced, and somehow handled.  If I were to write a succinct n00b-level warning on the Tor/non-Tor problem, would mods sticky it?  At least, that would be a start.

For suggesting an altogether better solution, it would be helpful to know whether the principal purpose of the login CAPTCHA is 1. preventing bruteforce of luser passwords, or 2. locking out spambots which make automated posts.  I suspect (1), and that’s less difficult to address:  It does not actually require distinguishing bots from squishy wetware.  More secure alternative means of login would suffice—no, I’m not thinking 2FA (which I hate), but rather, public keys.  (2) does require distinguishing bots, which definitionally requires a Turing test.  Ouch.

Ivor Biggun
December 08, 2017, 10:00:44 PM
 #4



For suggesting an altogether better solution, it would be helpful to know whether the principal purpose of the login CAPTCHA is 1. preventing bruteforce of luser passwords, or 2. locking out spambots which make automated posts.  I suspect (1), and that’s less difficult to address:  It does not actually require distinguishing bots from squishy wetware.

According to cryptome the login CAPTCHA is useful for de-anonymizing of Tor users.

https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm



More secure alternative means of login would suffice—no, I’m not thinking 2FA (which I hate), but rather, public keys.  (2) does require distinguishing bots, which definitionally requires a Turing test.  Ouch.

Your public keys idea sounds interesting. Alternatively giving each tor user a unique message to sign from a bitcoin address associated with their account might work.
nullius (OP)
December 08, 2017, 11:01:55 PM
 #5

According to cryptome the login CAPTCHA is useful for de-anonymizing of Tor users.

https://cryptome.org/2016/07/cloudflare-de-anons-tor.htm

N.b. that the login page CAPTCHA is not from Cloudflare.  theymos added the login CAPTCHA sometime before 2017-10-19, and moved behind Cloudflare 2017-11-29.  But of course, the same Google CAPTCHA is involved; and the point you raise is interesting.  Compare:

This brings to mind another thought:  Google could force Tor users to rapidly rebuild circuits to the same endpoint, then potentially watch for any other network activity which could be correlated by timing, size, etc.  Hmmm.  How many Tor nodes are hosted on Google Compute, or otherwise network-visible to Google?  —  Next question:  Does the NSA like to see Tor users rapidly rebuild circuits to the same endpoint?

Those are the sorts of subtle questions which make for papers on anonbib.  Or for attacks.  For a “cloud” provider who hosts many Tor nodes, I think I smell at least the possibility of a guard-discovery attack here.

[…]

I suggest reading that post at length.


More secure alternative means of login would suffice—no, I’m not thinking 2FA (which I hate), but rather, public keys.  (2) does require distinguishing bots, which definitionally requires a Turing test.  Ouch.

Your public keys idea sounds interesting. Alternatively giving each tor user a unique message to sign from a bitcoin address associated with their account might work.

Good idea.  I suggested exactly that, in a post which seems to have been axed for reasons unknown to me.  (Do I need to snap public archives of all my posts?  I do save the text locally.)

Frankly, for my part, I would find it less inconvenient to digitally sign a challenge with a Bitcoin key or PGP key, and paste the result into a textarea.  The CAPTCHA is that much of a deterrent for anyone who is accustomed to crypto, and has limited time.

Any which way, if any popular forum has users who can handle public-key crypto, it should be Bitcointalk.org!

Vod
December 08, 2017, 11:24:34 PM
 #6

How many people would (or should!) spend over ten minutes trying to log into a web forum?

Only those that need to remain anonymous so they can scam...


Ivor Biggun
December 08, 2017, 11:26:42 PM
 #7

How many people would (or should!) spend over ten minutes trying to log into a web forum?

Only those that need to remain anonymous so they can scam...



Like satoshi (who always used tor)?  Roll Eyes
Ivor Biggun
December 08, 2017, 11:34:17 PM
 #8


Frankly, for my part, I would find it less inconvenient to digitally sign a challenge with a Bitcoin key or PGP key, and paste the result into a textarea.  The CAPTCHA is that much of a deterrent for anyone who is accustomed to crypto, and has limited time.

Any which way, if any popular forum has users who can handle public-key crypto, it should be Bitcointalk.org!

Someone could make a Tor/Firefox plugin that could handle signing challenges for users unaccustomed to it. If an account started DDoSing, the server could ask it to sign more challenges with a time delay before them.
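
The challenge-signing login suggested in the posts above, sketched as an added example (not part of any poster's message and not Bitcointalk's code): the server issues a single-use, expiring text challenge bound to the account, and the user signs it offline and pastes the signature back. Ed25519 stands in for a Bitcoin or PGP key, and `forum.example`, `Server`, `Issue`, `Verify`, `NewClientKey` and `ClientSign` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Hypothetical names throughout; Ed25519 stands in for a Bitcoin or PGP key.
type pending struct {
	user   string
	expiry time.Time
}

type Server struct {
	keys       map[string]ed25519.PublicKey // username -> registered public key
	challenges map[string]pending           // outstanding one-time challenges
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]pending{}} }
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Issue returns a text challenge naming the site and account, to be signed offline.
func (s *Server) Issue(user string, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	c := fmt.Sprintf("forum.example login|%s|%s", user, hex.EncodeToString(nonce))
	s.challenges[c] = pending{user, now.Add(2 * time.Minute)} // short-lived
	return c, nil
}

// Verify consumes the challenge first: one attempt each, so no replay.
func (s *Server) Verify(user, challenge string, sig []byte, now time.Time) error {
	p, ok := s.challenges[challenge]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, challenge)
	if p.user != user || now.After(p.expiry) {
		return errors.New("challenge expired or issued to another account")
	}
	pub, ok := s.keys[user]
	if !ok || !ed25519.Verify(pub, []byte(challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Client side: the private key never leaves the user's machine.
func NewClientKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }
func ClientSign(priv ed25519.PrivateKey, c string) []byte          { return ed25519.Sign(priv, []byte(c)) }

func main() {
	pub, priv, _ := NewClientKey()
	s := NewServer()
	s.Register("alice", pub) // constructed account
	c, _ := s.Issue("alice", time.Now())
	fmt.Println(c, s.Verify("alice", c, ClientSign(priv, c), time.Now()))
}
```

Rate limiting of `Issue`, and the added delay between challenges mentioned in the post above, are left out of this sketch.
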
Vod
December 08, 2017, 11:34:44 PM
 #9

How many people would (or should!) spend over ten minutes trying to log into a web forum?

Only those that need to remain anonymous so they can scam...



Like satoshi (who always used tor)?  Roll Eyes

Exactly.  He was worried what he was doing may be illegal, so he hid himself.

ManaMan
December 08, 2017, 11:38:39 PM
 #10

The problem comes in the lack of a viable alternative. Google's captcha sucks for several reasons, but it's one of the few captchas on the market that offer a good anti-bot solution for free.
I'm sure that theymos would be happy to implement another provider if one was provided; I can't imagine he too much likes Google monitoring the site.

Yes, that's the problem: "for free". Nothing is free; they use data from CAPTCHAs for their research and probably have some other JavaScript code in there, so I need to enable my NoScript plugin every time to log in here, and Google probably gets some other data from me.
nullius (OP)
December 09, 2017, 12:01:31 AM
Last edit: December 09, 2017, 12:41:42 AM by nullius
 #11

How many people would (or should!) spend over ten minutes trying to log into a web forum?

Only those that need to remain anonymous so they can scam...



Like satoshi (who always used tor)?  Roll Eyes

Exactly.  He was worried what he was doing may be illegal, so he hid himself.


Why privacy?  See also my .sig: “...Because I do nothing wrong, I have nothing to show.”  (And why are you even using Bitcoin, if you think that what Satoshi did “may be illegal”?  You are not a mind-reader; your supposition of Satoshi’s motives says nothing about him, and everything about you.  Do you believe that Bitcoin be illegal?)  But your deliberately insulting flamebait is off-topic.

theymos has never been anything but supportive of legitimate Tor users.  The question here is not pro-/anti-Tor.  There is some sort of real problem with abuse, not specific to Tor.  A CAPTCHA was added to the login page for all users, to prevent this abuse.  But this traded one problem for another, because Google hates Tor users.  They pretend not to, but they really do; I speak from long experience of having used the Internet exclusively through Tor, for years.  Google search itself followed a similar pattern:  First, they CAPTCHAed Tor users; and then, they replied with an “automated queries” accusation against even Tor users who could solve CAPTCHA; and that is where it stands.  Google’s flagship product gives an endless CAPTCHA loop, which wholly prevents it from being used through Tor.

I desire to solve the problem constructively—and meanwhile, to provide user reports documenting the severity of the problem.  Let’s please focus on that.

mikeoneal
December 09, 2017, 12:10:10 AM
 #12

I use a high-speed internet service and I never had a problem signing in with Tor, but when I use a free VPN I can't log in.

nullius (OP)
December 09, 2017, 12:24:30 AM
 #13

I use a high speed internet service and i never had problem to sign in with Tor. but when i use free vpn i cant login

Interesting.  I also have what I would consider “high speed Internet”.  Using a new session of Tor Browser through Tor, my connections should be indistinguishable from yours; that is the whole purpose of Tor, as well as Tor Browser’s anti-fingerprinting measures.  If we appear identical, we should get identical treatment.  Why do we seem to observe different results?  An interesting question, indeed.

Have you tried this recently?  In the past week or so, the situation has become progressively worse from where I sit.  First, the “automated queries” message happened occasionally; it was only a minor annoyance.  Then, it happened every time—but could be fixed with a circuit change.  Today, I was forced to try seventeen circuits before I could even get a CAPTCHA.  Google search followed a similar pattern over the years, ending in total lockout of Tor.

What do you observe with your “free VPN”?  Does it give you the “automated queries” message, or lock you out some other way?

Gleb Gamow
December 09, 2017, 04:50:38 AM
 #14

Aside, with apologies.

My takeaway from the OP --> N.b.

To my pretend rolodex it goes.
nullius (OP)
December 09, 2017, 07:16:17 AM
 #15

Aside, with apologies.

My takeaway from the OP --> N.b.

To my pretend rolodex it goes.

Duly noted.  Your rolodex must be spooky.

Aside, with apologies—not to toot my own horn, but very few people can match my abilities in the trick art of proper Tor use.  Admittedly, Satoshi could well have exceeded me.

I’m not worried.  I’m not doing anything illegal, either.

LoyceV
December 09, 2017, 10:39:17 AM
 #16

An unavoidable question rises:  Is Google doing this specifically to Tor users on Bitcointalk?
I doubt it. From my experience: the more often you fail at solving a captcha, or the more captchas you've solved in a small time frame, the harder they get. When you use Tor, you're sharing the same exit node (read: IP) with other users, so all their captcha failures are added to your next captcha difficulty.

Quote
By comparison, is Google also refusing to serve CAPTCHAs to Tor users on other sites generally?  I wouldn’t know.  I always use Tor, but I usually boycott sites which try to CAPTCHA me.
I've tried Tor, and it's terrible. And on top of the normal captchas, Cloudflare on many sites adds another captcha. The total process is slow and annoying.

Quote
On circuit { 0 /* initial load */, 1, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15 }, Google made the familiar allegation of “automated queries”:
Captchas by now are terrible to solve for humans, while computers get better at it. And a computer has much more patience to solve it!

As a partial solution (I say partial because Cloudflare will still serve you captchas): you can set up your Tor browser to remember your sessions. You could easily create a dedicated Tor installation that you only use for Bitcointalk, or you can use a private browsing window in Tor when you visit any other site.

PS
I've seen your account in the Copper member thread, and this Copper membership turns out to be an easy way to distinguish between shitposters and serious posters. Not many Newbies post stuff worth reading, well done Smiley

Ivor Biggun
December 09, 2017, 08:44:10 PM
 #17

Only those that need to remain anonymous so they can scam...

Let's assume that a big country would ban Bitcoin completely and block traffic to Bitcointalk...

China already blocks all traffic to Bitcointalk. The only way Chinese users can access it is either through tor, or by using a VPN. Tor is a lifeline for those users.
AdolfinWolf
December 10, 2017, 02:08:18 PM
 #18

Why does Google do this?

Google developed this tool to prevent abuse from automated services, and to distinguish who isn't and who is a computer-programmed tool/ bot.

Note that this is something you can choose to implement on your service/website; it is not necessary (although you could argue that it is in this case, due to the forum otherwise being filled with bots and spammers).

An easy Google search would've gotten you this answer as well. > https://support.google.com/recaptcha/answer/6080904?hl=en

nullius (OP)
December 10, 2017, 08:05:58 PM
 #19

Well, write off hours wasted trying to coerce fresh Tor Browser to do exactly what I wanted with my precious seventeenth-circuit login cookies (as recovered from the browser console).  I finally gave up, and installed a persistent browser exclusively for Bitcointalk.org.  After checking the appropriate boxes and “only” trying three circuits to get a CAPTCHA, I am now allegedly logged in until the year 2023; oh yes, I backed up those cookies!

I thus hope to not be the canary in the CAPTCHA anymore; but I do care about this issue, and I will continue trying to adduce a workable solution.

Thanks to those who replied.  Now that I don’t face a steep login hassle, I will be catching up on this and other threads.

Madmim
December 25, 2017, 07:59:49 AM
 #20

How many people would (or should!) spend over ten minutes trying to log into a web forum?

Only those that need to remain anonymous so they can scam...



Like satoshi (who always used tor)?  Roll Eyes

Exactly.  He was worried what he was doing may be illegal, so he hid himself.


Satoshi invented a way where thousands of people have the opportunity to get their life a little better. He is more of a revolutionary than a scam.

History says well what happens to those who try to do something good and it goes against the interest of those who are in power.