forked from mCaptcha/website
172 lines
6.8 KiB
Markdown
172 lines
6.8 KiB
Markdown
---
|
|
title: "May, 2022: Monthly Report"
|
|
description: "Python bindings to mCaptcha PoW, DDoS effectiveness measurement, major refactoring to prepare for support for other databases, We also tried to test its DoS defence effectiveness, and some exciting news regarding managed hosting!"
|
|
lead: "We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?"
|
|
date: 2022-06-10
|
|
lastmod: 2022-06-10
|
|
draft: false
|
|
weight: 50
|
|
images: ["icon.png"]
|
|
contributors: ["Aravinth Manivannan"]
|
|
---
|
|
|
|
Hello and welcome to the May 2022 edition of the monthly report!
|
|
|
|
mCaptcha, for a while was showing all the signs of a dead project:
|
|
no commits on the repositories and no monthly updates. But the project
|
|
is far from dead!
|
|
|
|
## Python bindings to [mCaptcha PoW](https://github.com/mCaptcha/pow_sha256/)
|
|
|
|
[pow_py](https://github.com/mCaptcha/pow_py) contains bindings to
|
|
[pow_sha256](https://github.com/mCaptcha/pow_sha256), the
|
|
[proof-of-work](https://en.wikipedia.org/wiki/Proof_of_work) library
|
|
that mCaptcha uses. For the uninitiated, the bindings allow for python
|
|
programs to automatically solve mCaptcha.
|
|
|
|
So if you are writing a script to do some chore on your favourite
|
|
website that is protected by mCaptcha, you can now solve the mCaptcha
|
|
automatically from within the program.
|
|
|
|
Here's an example:
|
|
|
|
```python
|
|
import os
|
|
|
|
import mcaptcha_pow_py
|
|
import requests
|
|
|
|
# get the sitekey that is used in the mCaptcha protected form
|
|
SITEKEY = os.getenv("MCAPTCHA_CAPTCHA_SITEKEY")
|
|
# the hostname of the mCaptcha instance that the form is using
|
|
MCAPTCHA_HOST = os.getenv("MCAPTCHA_CAPTCHA_HOST")
|
|
|
|
|
|
GET_CONFIG_ROUTE = f"{MCAPTCHA_HOST}/api/v1/pow/config"
|
|
VERIFY_POW_ROUTE = f"{MCAPTCHA_HOST}/api/v1/pow/verify"
|
|
|
|
def solve_captcha():
|
|
|
|
# get challenge configuration
|
|
key = {"key": sitekey}
|
|
challenge_config = requests.post(GET_CONFIG_ROUTE, json=key)
|
|
challenge_config = challenge_config.json()
|
|
|
|
# extract configuration data
|
|
config = mcaptcha_pow_py.PoWConfig(challenge_config["salt"])
|
|
pow_string = challenge_config["string"]
|
|
pow_difficulty_factor = challenge_config["difficulty_factor"]
|
|
|
|
# generate work
|
|
work = config.work(pow_string, pow_difficulty_factor)
|
|
|
|
# verify PoW
|
|
proof = {
|
|
"key": SITEKEY,
|
|
"nonce": work.nonce,
|
|
"result": work.result,
|
|
"string": challenge_config["string"],
|
|
}
|
|
resp = requests.post(VERIFY_POW_ROUTE, json=proof)
|
|
resp = resp.json()
|
|
|
|
# extract verification token
|
|
token = resp["token"]
|
|
|
|
return token
|
|
|
|
|
|
token = solve_captcha()
|
|
data = {
|
|
"username": "me",
|
|
"password": "superlongpassword",
|
|
"confirm_password": "superlongpassword",
|
|
"mcaptcha__token": token,
|
|
}
|
|
response = requests.post("/mCaptcha-protected-form", data=data)
|
|
```
|
|
|
|
This could be missed for building DDoS bots(more on that
|
|
[here](#measuring-ddos-protection-effectiveness)) but this could also be
|
|
used to make CAPTCHA solving automated within screen readers and other
|
|
accessibility devices!
|
|
|
|
## Measuring DDoS protection effectiveness
|
|
|
|
Proof-of-work has historically been a good method to achieve rate
|
|
limiting but how much attack can it, specifically mCaptcha's
|
|
implementation, withstand when compared to an unprotected endpoint? To
|
|
find out, we used the recently created Python bindings to the mCaptcha
|
|
PoW library, the excellent load testing tool,
|
|
[locust](https://locust.io) and wrote
|
|
[mCaptcha/dos](https://github.com/mCaptcha/dos)!
|
|
|
|
[VIT AP](https://vitap.ac.in) kindly permitted me, @realaravinth, to use their network
|
|
security lab for setting up a isolated, contained testing environment to
|
|
mount a DDoS attack on a [test
|
|
server](https://github.com/mCaptcha/dos/tree/master/rust-server/demo-server)
|
|
instance.
|
|
|
|
The initial topology consisted of one mCaptcha instance, one DDoS demo
|
|
server, one locust node running in leader configuration and six locust
|
|
nodes running in follower configuration. I was authorised to use the
|
|
netsec lab for three days, which unfortunately wasn't enough to go
|
|
finish running the experiment. [Dr. Sibi Chakkaravarthy
|
|
Sethuraman](https://sibichakkaravarthy.github.io/) has kindly offered to
|
|
arrange authorisation to use the netsec lab once again in July 2022,
|
|
during which I hope to finish running the experiment
|
|
|
|
Special thanks to [ackr-8](http://ackr8.com/) and
|
|
[alan2000alex](https://github.com/alan2000alex) for help with setting up
|
|
infrastructure of the experiment.
|
|
|
|
## Refactor
|
|
|
|
mCaptcha underwent a major refactor during the month of May: We re-wrote
|
|
and cleaned up all database-related stuff for higher flexibility
|
|
flexibility and generally good architecture. This refactor lays the
|
|
foundation for implementing support for alternate database software
|
|
programs(we currently support PostgreSQL only).
|
|
|
|
## mCapthca is now on the Fediverse
|
|
|
|
We recently joined the Fediverse on a
|
|
[GoToSocial](https://docs.gotosocial.org/) instance run by
|
|
@realaravinth. We'll soon be deleting our Twitter account in favour of
|
|
the Fediverse account.
|
|
|
|
**Fediverse account:**
|
|
[@mCapthca@batsense.net](https://gts.batsense.net/@mcaptcha)
|
|
|
|
## Generic hosting
|
|
|
|
I, @realaravinth, have been busy with [ForgeFlux](https://forgeflux.org)
|
|
and [Hostea](https://hostea.org) --- both of which are [software
|
|
forge](<https://en.wikipedia.org/wiki/Forge_(software)>) related and so
|
|
when usable, will mostly improve the Free Software ecosystem. Hostea is
|
|
a project that aims to create a libre software development ecosystem and
|
|
provide managed hosting for the same. The project is [built by a
|
|
horizontal community](https://forum.hostea.org/t/a-guide-to-hostea-governance/57), which allows for multiple service providers who
|
|
adhere to the Hostea policies to operate
|
|
under the Hostea umbrella --- essentially allowing for the creation of
|
|
smaller, highly localised cooperatives.
|
|
|
|
Cooperatives are interesting, and we believe that mCapthca, too, can
|
|
benefit from such an architecture as it will prevent any one party from
|
|
single-handedly sabotaging the project. The experience gained from
|
|
Hostea will be reused in providing managed hosting for mCapthca.
|
|
|
|
By the end of this year, mCapthca will reorganise into a horizontal
|
|
community and adopt [radical transparency](https://en.wikipedia.org/wiki/Radical_transparency#Radical_corporate_transparency) to improve trust and
|
|
reliability of the project
|
|
|
|
> P.S: I, realaravinth, would do it sooner but I'm a little busy right
|
|
> now, so if someone is interested to help out do reach out and so that
|
|
> we could do it sooner!
|
|
|
|
In context of mCapthca, radical transparency will include all decisions
|
|
publicly made, funding and expenses publicly documented, and all
|
|
collaborations, too, publicly documented. This of course doesn't imply
|
|
that private, personally identifiable information(addresses and phone
|
|
numbers, for instance) will be publicly disclosed. Such information will
|
|
be redacted and published.
|