Opened 2 years ago

Last modified 8 weeks ago

#24607 assigned defect

CAPTCHAs on BridgeDB seem to be getting more difficult

Reported by: alison Owned by:
Priority: Medium Milestone:
Component: Circumvention/BridgeDB Version:
Severity: Normal Keywords: anti-censorship-roadmap-november, s30-o22a2
Cc: brade, mcs Actual Points:
Parent ID: #31279 Points: 5
Reviewer: Sponsor: Sponsor30-must


I just tried to solve 12 CAPTCHAs unsuccessfully before I got to one that worked. In each, at least one or two characters was impossible to discern.

Child Tickets

Attachments (2)

Screenshot from 2017-12-12 17-41-53.png (82.8 KB) - added by alison 2 years ago.
Screenshot from 2017-12-12 17-41-23.png (87.2 KB) - added by alison 2 years ago.

Download all attachments as: .zip

Change History (12)

Changed 2 years ago by alison


Changed 2 years ago by alison


comment:1 Changed 11 months ago by gaba

Owner: isis deleted
Points: 5
Sponsor: Sponsor19
Status: newassigned

comment:2 Changed 7 months ago by gaba

Keywords: anti-censorship-roadmap-2019 added

comment:3 Changed 6 months ago by phw

Sponsor: Sponsor19Sponsor30-must

Moving from Sponsor 19 to Sponsor 30.

comment:4 Changed 6 months ago by gaba

Keywords: anti-censorship-roadmap added; anti-censorship-roadmap-2019 removed

comment:5 Changed 5 months ago by gaba

Keywords: anti-censorship-roadmap-november added; anti-censorship-roadmap removed

comment:6 Changed 4 months ago by phw

Parent ID: #31268

comment:7 Changed 4 months ago by phw

Parent ID: #31268#31279

comment:8 Changed 3 months ago by gaba

Keywords: s30-o22a2 added

comment:9 Changed 8 weeks ago by phw

Let's use this ticket to coordinate the future of BridgeDB's CAPTCHA. BridgeDB currently uses gimp-captcha to generate CAPTCHAs.

  • We believe that the GFW maintains a bot (which, ironically, uses Tor) that is successfully crawling BridgeDB while maintaining a CAPTCHA success rate that easily outperforms people. Not only does our CAPTCHA harm usability (see also #10831), it also fails in the face of a real-world adversary.
  • Google provides a reCAPTCHA v3 API, which returns an anomaly score in the interval [0, 1] for each request, without any kind of friction. Ignoring for now that this is a Google service, it may be an option for BridgeDB's HTTPS distributor but not for moat or email.
  • There is plenty of research on new CAPTCHA schemes, sometimes leveraging more complex domains like video or adversarial examples, which are meant to confuse classifiers. None of these systems seems likely to make a difference in the long term.

We are in a particularly difficult situation because our CAPTCHA needs to work for a highly diverse set of people.

comment:10 Changed 8 weeks ago by mcs

Cc: brade mcs added
Note: See TracTickets for help on using tickets.