Silk Road forums
Discussion => Security => Topic started by: dinosaurpoop on May 29, 2012, 09:55 pm
-
Hey,
I just wanted to voice my minor concern regarding Silk Road's login CAPTCHA.
While my intention is to be as constructive as possible, I must be frank: Silk Road's CAPTCHA is absolute garbage. It may use dictionary words or look somewhat nice, but it fails to succeed with respect to any CAPTCHA's main objective, that is, to distinguish humans from bots.
Though I haven't cracked it as there's no exigency for me to do so, I'm sure I could crack it within an hour or two. It'd be very easy to separate the characters; as I recall, they're evenly spaced. They are not warped. They are easy to isolate from the background. The list goes on.
There are a number of reasons why a solver could be troubling to SR and its community. First and foremost, if it's easily solvable even by novice programmers, then it's nothing more than a waste of human time. That is, it fails to prevent bots, but still wastes human time. Second, a solver could be a nuisance or worse to SR and its members. For instance, somebody could write a script to register many many accounts. This makes the site slower, wastes server space, and leaves the door open to further problems. What if somebody wrote a script to spam users? How would 100 spam messages a day feel? Worse yet, if security vulnerabilities were to be discovered somewhere on the site, they could be perpetrated throughout the site rapidly.
I don't intend to scare anyone, I just figured I'd get my point across. As a disclaimer, I am not paranoid, nor am I intoxicated at the time of writing.
Best,
DP
-
Never gave this much thought... I was just happy that the CAPTCHA was easy to read! ;)
-
Captchas in general are garbage, and there are actually very few of them which cannot be cracked by programmers of reasonable skill using various image processing libraries. The only one I know of that seems fairly crack-proof is the RECAPTCHA service [not like SR is going to sign up for such a thing] - some of those are even hard for me to do unless I get right up close to the screen and squint a little in order to try to figure out if what I'm seeing is an "a" or an "o". :o
As to whether or not a captcha-solver bot could be troubling for SR.... Your first point about the captcha being a waste of human time is sort of meaningless. Do an extra few seconds really matter to you that much? If so, then you probably shouldn't be using Tor hidden services to begin with. Could a bot register lots of accounts? Sure. But think about your own account and the kind of information contained in it. How much space do you think that really takes up? Think about the latency and the overhead involved in each connection to a Tor hidden service. It's not the same as scraping a bunch of data from a clearnet website, where you can just pound the fuck out of the target with every ounce of bandwidth you have.
Could a bot spam users? Sure. But that's already possible, and it would remain possible even in the presence of a much more difficult captcha unless a captcha were required every time you wanted to send a message. As it is, though, all you'd have to do is manually perform the login step, and then let the bot take over from there.
All of this assumes that there aren't any other hidden security features behind the scenes that watch out for this kind of bad behavior. Maybe there are, maybe there aren't. I don't know anything about the SR server and what is or isn't running on it. That said - could the captcha be "better" or "more secure"? Sure. But in the grand scheme of things, there are probably more important things to worry about.
Yeah, I'm just in an argumentative mood today. You could tell me that the sun is shining and I'd find a way to tell you that it isn't. :-)
-
Many of your points are well taken. Of course, it is only a minor issue, as I stated in my first post. I don't mind spending a few seconds entering in the text. I just wonder why it's there at all if it's so half-assed. But I don't think it'd take more than a few minutes to improve it at least to the point where it'd be a considerable project to solve it rather than something that can be done in a matter of minutes. It's actually very easy to drastically improve CAPTCHAs. As with any CAPTCHA, of course some clever programmers can solve an improved version, but I posit that fewer would attempt to solve an inherently better CAPTCHA.
-
I've always been wondering how safe the captchas were on Silk Road. I've never seen a captcha use words before, but my theory is maybe Tor is a bit slow for a full-on brute force attack, but I'm probably wrong.