recaptcha and mcaptcha case studies

Aravinth Manivannan 2021-09-21 18:03:06 +05:30
parent 7efefa604c
commit 0a342ea2fb
Signed by: realaravinth
GPG key ID: AD9F0F08E855ED88
4 changed files with 123 additions and 0 deletions

3
case-studies/main.tex Normal file

@ -0,0 +1,3 @@
\section{Case Studies}
\input{case-studies/recaptcha.tex}
\input{case-studies/mcaptcha.tex}
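Review bot: the section body is only `\section{Case Studies}` followed by the two `\input` lines, so the reader meets the Privacy / Effectiveness / Accessibility / Accuracy headings and the Bad / Good / Excellent ratings used in both subsections without any statement of what the four criteria mean or how a rating is assigned; a short introductory paragraph before `\input{case-studies/recaptcha.tex}` defining the criteria and the rating scale would make the two case studies comparable. Note also that reCAPTCHA is input before mCaptcha, so it is the first case study in the document even though the files are listed the other way round in this commit.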

57
case-studies/mcaptcha.tex Normal file

@ -0,0 +1,57 @@
\subsection{mCaptcha}
mCaptcha is a free (as in freedom), experimental Proof of Work CAPTCHA system
that uses variable difficulty proofs. The AGPL licensing guarantees freedom of
its users and allows for competing implementations.
The system uses variable difficulty proofs to
\begin{itemize}
\item Image identification
\item IP tracking
\item Proprietary AI
\item Session tracking
\end{itemize}
\subsubsection{Privacy}
Excellent\\
mCaptcha doesn't use session or IP tracking, so it works when used in anonymous
networks like TOR\@.
\subsubsection{Effectiveness}
Excellent\\
mCaptcha uses salts to prevent rainbow table based attacks and TTLs to ban
stale entries. It also users a caching mechanism to prevent replay attacks. To
combat an attack in-progress attack, the system is designed to temporarily
increase the difficulty of the proofs. The system also has options to
personalise proof requirements for each CAPTCHA deployment. This allows for
system administrators to select requirements which better suit their needs.
% TODO cite CAPTCHA farm cost analysis paper
ease.
\subsubsection{Accessibility}
Good to Excellent\\
mCaptcha is non-interactive, so it is fully accessible to users with all
disabilities. To allow users on slow devices access to the service, mCaptcha has
options to set different difficulty levels. Webmasters can use this option to
set lower difficulties to while the website is receiving normal levels of
traffic and set higher levels of difficulties when the website receives unusual
amounts of traffic. Therefore, the website administrators are responsible for
mCaptcha's behaviour on their websites.
\subsubsection{Accuracy}
Excellent\\
Success and failure are absolute states in this method. A proof that fails
verification is rejected, and a successful verification is permitted. The system
is able to sense attacks and adapts by raising the difficulty requirement for
all incoming users. An attacker who is presented with increased difficulty will
either have to allocate more resources to sustain the attack or retreat in
defeat. However, this increased difficulty might impact well behaving users too,
but this is short-lived as the difficulty requirement will be relaxed once the
attack is contained.
Overall, mCaptcha is an attempt at strengthening the web and the internet with
open technologies. CAPTCHAs in their original sense were used as rate-limiters
and mCaptcha, with its PoW mechanism does just that.
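Review bot: the sentence `The system uses variable difficulty proofs to` runs straight into an itemize list (`Image identification`, `IP tracking`, `Proprietary AI`, `Session tracking`) that is the reCAPTCHA method list pasted in unchanged, and it contradicts the Privacy paragraph two lines below, which states that mCaptcha doesn't use session or IP tracking; either finish the sentence with what the proofs are for (the closing paragraph says rate limiting) and drop the list, or replace the items with the mechanisms this file actually describes (variable-difficulty PoW, salts, TTLs, the caching layer). The same copy-paste left `% TODO cite CAPTCHA farm cost analysis paper` and the orphaned fragment `ease.` at the end of Effectiveness; the comment is swallowed by LaTeX but the fragment is typeset as a stray word, so delete it or restore the sentence it belonged to. Typos: `It also users a caching mechanism` should read `uses`, `To combat an attack in-progress attack` repeats `attack`, and `set lower difficulties to while the website` has a stray `to`.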

@ -0,0 +1,62 @@
\subsection{reCAPTCHA}
reCAPTCHA is a CAPTCHA system owned by Google. It is the most popular CAPTCHA
system currently deployed on the internet. The system uses the following methods
in its decision making process:
\begin{itemize}
\item Image identification
\item IP tracking
\item Proprietary AI
\item Session tracking
\end{itemize}
\subsubsection{Privacy}
Bad\\
Google's reCAPTCHA tracks its users via IP logging and session tracking. They
use supercookies to monitor their users' internet activity. The user can ban
cookies from reCAPTCHA and related services but if they did, they will be
subjected to higher difficulty puzzles or won't be allowed to access the
service. This is one of the reasons why TOR and other VPN users face
difficulties with the system.
The system also bans traffic from TOR exit nodes and due to their proprietary
and opaque decision mechanism, very little is known about how they blacklist
users.
\subsubsection{Effectiveness}
Good\\
reCAPTCHA denies access to most bots. The OCR technology used by the system is
very sophisticated. But cheap labor powered CAPTCHA farms are available which
offer CAPTCHA solving solutions for a fraction of what reCAPTCHA charges its
users. This bypass is practical as it is cheap and readily available.
% TODO cite CAPTCHA farm cost analysis paper
ease.
\subsubsection{Accessibility}
Bad\\
reCAPTCHA was initially offering audio CAPTCHAs along with image identification
challenges but when audio recognition technology matured and was able to solve
most audio challenges, reCAPTCHA stopped offering audio challenges.
Image identification poses challenges to users with visual and cognitive
disabilities.
The IP tracking based mechanism posses accessibility threats to users behind
NATs and VPNs.
\subsubsection{Accuracy}
Bad\\
IP based tracking produces poor results when users behind NATs and VPN encounter
the service.
Overall, reCAPTCHA is a serious threat to the internet as it can, in theory,
deny access to anyone it chooses to. The decision making process is opaque and
centralised in nature and users, service providers and visitors alike, have very
little say in how the system behaves.
Also, the popularity of reCAPTCHA allows Google to track users across websites
and profile them which threatens the freedom of users on the internet.
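Review bot: the Effectiveness subsection ends with `% TODO cite CAPTCHA farm cost analysis paper` followed by a bare `ease.` on its own line; the comment disappears at compile time and the fragment is typeset as a dangling word, so the sentence it was cut from needs restoring or the line removing. Several strong claims in this file carry no citation: the use of supercookies, the banning of traffic from TOR exit nodes, and the statement that reCAPTCHA stopped offering audio challenges; since the hunk already marks one missing `\cite` with a TODO, each of these should get one too or be worded more cautiously. Typos: `posses accessibility threats` should be `poses`, and `NATs and VPN encounter` should be `NATs and VPNs`.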

@ -12,6 +12,7 @@
\input{intro/intro.tex} \input{intro/intro.tex}
\input{pre-req/main.tex} \input{pre-req/main.tex}
\input{analysis/main.tex} \input{analysis/main.tex}
\input{case-studies/main.tex}
\input{conclusion.tex} \input{conclusion.tex}
\end{document} \end{document}