03.23.08
Using Tor Users to Solve CAPTCHAs
A discussion elsewhere got me thinking about this, and some quick googling didn't turn anything up. If there are already write-ups on this, I would love if people could point me toward them.
Let's say that you are using Tor. When your traffic traverses Tor, it hits an end-point somewhere. That end-point knows that it is your end-point. Now, I'm a malicious individual... a spammer who needs CAPTCHAs solved. What do I do? I setup a Tor server and pass you my CAPTCHAs to solve. I don't believe it would be that difficult to inject CAPTCHAs into the mix. Your Tor connection comes into the server, but outbound HTTP passes through a proxy... this proxy is designed to display CAPTCHAs.
As I said, maybe this has already been discussed elsewhere, and maybe Tor even has protections against it. Either way, I'm really surprised that you don't hear about this more often. I've read about people paying to have CAPTCHAs solved... the only cost associated with this would be bandwidth. You could even expand on it to save bandwidth. A botnet deploys Tor across several thousand machines... these machines all forward the non-local HTTP traffic to "CAPTCHA proxies".
Since Tor users are accustomed to solving proxies for search engines and other big sites, they may not even notice these CAPTCHAs.
So let me know what you think... Thoughts, ideas, evidence of this, papers on this... it's all good.
