N.b. that the login page CAPTCHA is not from Cloudflare. theymos added the login CAPTCHA sometime before 2017-10-19, and moved behind Cloudflare 2017-11-29. But of course, the same Google CAPTCHA is involved; and the point you raise is interesting. Compare:
This brings to mind another thought: Google could force Tor users to rapidly rebuild circuits to the same endpoint, then potentially watch for any other network activity which could be correlated by timing, size, etc. Hmmm. How many Tor nodes are hosted on Google Compute, or otherwise network-visible to Google? Next question: Does the NSA like to see Tor users rapidly rebuild circuits to the same endpoint?
Those are the sorts of subtle questions which make for papers on anonbib. Or for attacks. For a cloud provider who hosts many Tor nodes, I think I smell at least the possibility of a guard-discovery attack here.
I suggest reading that post at length.
More secure alternative means of login would suffice; no, I'm not thinking 2FA (which I hate), but rather, public keys. (2) does require distinguishing bots, which definitionally requires a Turing test. Ouch.
Your public keys idea sounds interesting. Alternatively giving each tor user a unique message to sign from a bitcoin address associated with their account might work.
Good idea. I suggested exactly that, in a post which seems to have been axed for reasons unknown to me. (Do I need to snap public archives of all my posts? I do save the text locally.)
Frankly, for my part, I would find it less inconvenient to digitally sign a challenge with a Bitcoin key or PGP key, and paste the result into a textarea. The CAPTCHA is that much of a deterrent for anyone who is accustomed to crypto, and has limited time.
Any which way, if any popular forum has users who can handle public-key crypto, it should be Bitcointalk.org!
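The sign-a-challenge login discussed in this post, sketched as an added example (not code from the forum or from any poster): the server issues a single-use, expiring challenge bound to the account, and accepts the login only if the pasted signature verifies under the key registered for that account. It assumes Node.js, a plain secp256k1 ECDSA key per account, and a hypothetical site name `forum.example`; it does not implement Bitcoin's signed-message format or PGP.

```javascript
const crypto = require('crypto');

const TTL_MS = 5 * 60 * 1000;   // assumed validity window for a challenge
const accounts = new Map();     // user -> registered public key
const pending = new Map();      // challenge text -> { user, expires }

function register(user, publicKey) { accounts.set(user, publicKey); }

// Server: a fresh random nonce makes every challenge unique, so an old
// signature is useless; site and user are included so the signed text
// cannot be reused for another site or account.
function issueChallenge(user, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString('hex');
  const challenge = `forum.example login\nuser=${user}\nnonce=${nonce}`;
  pending.set(challenge, { user, expires: now + TTL_MS });
  return challenge;
}

// Client: sign the challenge text and paste the base64 result back.
function signChallenge(challenge, privateKey) {
  return crypto.sign('sha256', Buffer.from(challenge), privateKey).toString('base64');
}

// Server: the challenge is consumed on the first attempt, pass or fail.
function verifyLogin(user, challenge, signatureB64, now = Date.now()) {
  const entry = pending.get(challenge);
  pending.delete(challenge);
  if (!entry || entry.user !== user || now > entry.expires) return false;
  const key = accounts.get(user);
  if (!key) return false;
  try {
    const sig = Buffer.from(signatureB64, 'base64');
    return crypto.verify('sha256', Buffer.from(challenge), key, sig);
  } catch {
    return false;               // malformed signature encoding
  }
}

// Constructed demo: keys are generated on the spot, nothing is real data.
function demo() {
  const alice = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  register('alice', alice.publicKey);
  const c1 = issueChallenge('alice');
  const sig = signChallenge(c1, alice.privateKey);
  const ok = verifyLogin('alice', c1, sig);
  const replay = verifyLogin('alice', c1, sig);
  const c2 = issueChallenge('alice');
  const wrongKey = verifyLogin('alice', c2, signChallenge(c2, other.privateKey));
  const c3 = issueChallenge('alice', 0);
  const expired = verifyLogin('alice', c3, signChallenge(c3, alice.privateKey), TTL_MS + 1);
  return { ok, replay, wrongKey, expired };
}
```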