diff --git a/case-studies/main.tex b/case-studies/main.tex new file mode 100644 index 0000000..474be2e --- /dev/null +++ b/case-studies/main.tex @@ -0,0 +1,3 @@ +\section{Case Studies} +\input{case-studies/recaptcha.tex} +\input{case-studies/mcaptcha.tex} diff --git a/case-studies/mcaptcha.tex b/case-studies/mcaptcha.tex new file mode 100644 index 0000000..03ba38b --- /dev/null +++ b/case-studies/mcaptcha.tex 
@@ -0,0 +1,57 @@ +\subsection{mCaptcha} + +mCaptcha is a free (as in freedom), experimental Proof of Work CAPTCHA system +that uses variable difficulty proofs. The AGPL licensing guarantees freedom of +its users and allows for competing implementations. + +The system uses variable difficulty proofs to +\begin{itemize} + \item Image identification + \item IP tracking + \item Proprietary AI + \item Session tracking +\end{itemize} + +\subsubsection{Privacy} +Excellent\\ +mCaptcha doesn't use session or IP tracking, so it works when used in anonymous +networks like TOR\@. + +\subsubsection{Effectiveness} +Excellent\\ + +mCaptcha uses salts to prevent rainbow table based attacks and TTLs to ban +stale entries. It also users a caching mechanism to prevent replay attacks. To +combat an attack in-progress attack, the system is designed to temporarily +increase the difficulty of the proofs. The system also has options to +personalise proof requirements for each CAPTCHA deployment. This allows for +system administrators to select requirements which better suit their needs. + +% TODO cite CAPTCHA farm cost analysis paper +ease. +\subsubsection{Accessibility} +Good to Excellent\\ + +mCaptcha is non-interactive, so it is fully accessible to users with all +disabilities. To allow users on slow devices access to the service, mCaptcha has +options to set different difficulty levels. Webmasters can use this option to +set lower difficulties to while the website is receiving normal levels of +traffic and set higher levels of difficulties when the website receives unusual +amounts of traffic. Therefore, the website administrators are responsible for +mCaptcha's behaviour on their websites. + +\subsubsection{Accuracy} +Excellent\\ + +Success and failure are absolute states in this method. A proof that fails +verification is rejected, and a successful verification is permitted. 
The system +is able to sense attacks and adapts by raising the difficulty requirement for +all incoming users. An attacker who is presented with increased difficulty will +either have to allocate more resources to sustain the attack or retreat in +defeat. However, this increased difficulty might impact well behaving users too, +but this is short-lived as the difficulty requirement will be relaxed once the +attack is contained. + +Overall, mCaptcha is an attempt at strengthening the web and the internet with +open technologies. CAPTCHAs in their original sense were used as rate-limiters +and mCaptcha, with its PoW mechanism does just that. diff --git a/case-studies/recaptcha.tex b/case-studies/recaptcha.tex new file mode 100644 index 0000000..56bc7bf --- /dev/null +++ b/case-studies/recaptcha.tex 
@@ -0,0 +1,62 @@ +\subsection{reCAPTCHA} + +reCAPTCHA is a CAPTCHA system owned by Google. It is the most popular CAPTCHA +system currently deployed on the internet. The system uses the following methods +in its decision making process: + +\begin{itemize} + \item Image identification + \item IP tracking + \item Proprietary AI + \item Session tracking +\end{itemize} + +\subsubsection{Privacy} +Bad\\ +Google's reCAPTCHA tracks its users via IP logging and session tracking. They +use supercookies to monitor their users' internet activity. The user can ban +cookies from reCAPTCHA and related services but if they did, they will be +subjected to higher difficulty puzzles or won't be allowed to access the +service. This is one of the reasons why TOR and other VPN users face +difficulties with the system. + +The system also bans traffic from TOR exit nodes and due to their proprietary +and opaque decision mechanism, very little is known about how they blacklist +users. +\subsubsection{Effectiveness} +Good\\ + +reCAPTCHA denies access to most bots. The OCR technology used by the system is +very sophisticated. But cheap labor powered CAPTCHA farms are available which +offer CAPTCHA solving solutions for a fraction of what reCAPTCHA charges its +users. This bypass is practical as it is cheap and readily available. + +% TODO cite CAPTCHA farm cost analysis paper +ease. +\subsubsection{Accessibility} +Bad\\ + +reCAPTCHA was initially offering audio CAPTCHAs along with image identification +challenges but when audio recognition technology matured and was able to solve +most audio challenges, reCAPTCHA stopped offering audio challenges. + +Image identification poses challenges to users with visual and cognitive +disabilities. + +The IP tracking based mechanism posses accessibility threats to users behind +NATs and VPNs. + +\subsubsection{Accuracy} +Bad\\ + +IP based tracking produces poor results when users behind NATs and VPN encounter +the service. 
+ + +Overall, reCAPTCHA is a serious threat to the internet as it can, in theory, +deny access to anyone it chooses to. The decision making process is opaque and +centralised in nature and users, service providers and visitors alike, have very +little say in how the system behaves. + +Also, the popularity of reCAPTCHA allows Google to track users across websites +and profile them which threatens the freedom of users on the internet. diff --git a/paper.tex b/paper.tex index e9fcd6f..6c7ed00 100644 --- a/paper.tex +++ b/paper.tex @@ -12,6 +12,7 @@ \input{intro/intro.tex} \input{pre-req/main.tex} \input{analysis/main.tex} +\input{case-studies/main.tex} \input{conclusion.tex} \end{document}
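Review bot: In case-studies/mcaptcha.tex, the opening sentence "The system uses variable difficulty proofs to" is left unfinished and is followed by the same four-item list as recaptcha.tex (Image identification, IP tracking, Proprietary AI, Session tracking). That list contradicts the Privacy subsection of the same file, which says mCaptcha doesn't use session or IP tracking. Replace the list with what the proofs are actually used for, or drop the sentence and the itemize environment. The same copy appears to have carried over the `% TODO cite CAPTCHA farm cost analysis paper` comment and the line `ease.` in the Effectiveness subsection; `ease.` is not commented out and will be typeset as body text. The Effectiveness paragraph credits salts, TTLs and a caching mechanism with stopping rainbow-table and replay attacks without saying what is salted or what is cached, so a reader cannot check the "Excellent" rating; a sentence on each, or a reference to where they are defined, would help. Typos to fix in the same pass: "It also users a caching mechanism", "an attack in-progress attack", "set lower difficulties to while".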
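Review bot: In case-studies/recaptcha.tex, the line `ease.` that follows `% TODO cite CAPTCHA farm cost analysis paper` in the Effectiveness subsection is not part of the comment, so it will be typeset as a stray word just before \subsubsection{Accessibility}; remove it. The Privacy subsection states that reCAPTCHA uses supercookies and bans traffic from TOR exit nodes, with no \cite, while the same paragraph says very little is known about how users are blacklisted; these claims need sources or hedged wording, and the open TODO shows the CAPTCHA farm pricing claim is in the same position. The "Bad" rating under Accuracy rests on a single sentence that repeats the NAT/VPN point already made under Accessibility, so it should either be expanded or merged. "posses accessibility threats" should read "poses".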