Cloudflare captcha [split] prox-config-sidki_2019-01-26b1

[ProxRocks]

Um, I've watched that video loop a half a dozen times.

What am I supposed to be seeing?

I see zero Cloudfare captcha before or after which seems to me is what is "required" to demonstrate any "solution".

[cattleyavns]

(Mar. 22, 2022 11:10 AM)ProxRocks Wrote:  Um, I've watched that video loop a half a dozen times.

What am I supposed to be seeing?

I see zero Cloudfare captcha before or after which seems to me is what is "required" to demonstrate any "solution".

If you use a transparent proxy like Proxydomo, mitmproxy with SSL Filtering enabled, the website will show a captcha page, because CF side will fingerprint your Ciphersuite+TLS Extensions, then compare your JA3 string with a blacklist/whitelist and then they decide to block your request with a captcha or not (depends on many factors: IP history, JA3 string...)

I think, you may not see captcha page if your IP history is trustworthy, but not in my case haha (mine is dynamic IP, and because it's dynamic IP so people likely did many evil activities with my IP), maybe.This is what I get if I don't use my local proxy and use mitmproxy instead:

IMG LINK: https://i.imgur.com/lVfBhKI.png

[amy]

(Mar. 22, 2022 03:02 AM)cattleyavns Wrote:  Should I share the whole progress ?

I think you've given sufficient information already; on the other hand, browsers' ciphersuites and user-agent strings are not exactly secret either. There's a nice list of their ciphersuites here:

Code:

https://www.ssllabs.com/ssltest/clients.html

Removing the SCSV from OpenSSL requires a patch/recompile (it's hardcoded) so it is not easy to do, but on the other hand, looking through that list, it seems besides bots some older Android and Apple systems will send it. (They might also be using OpenSSL internally.)

The other thing I'm considering is allowing Proxomitron Reborn to use one of the varyingly-compatible forks of OpenSSL like BoringSSL, which is used in e.g. Chrome and doesn't send SCSV. Another alternative is the native Windows Schannel, but it's significantly different in API and would require quite a lot more work. Stock OpenSSL is indeed quite bot-like in its default fingerprint, no doubt because it's a widely used default SSL library for everything---except, unfortunately, most browsers.

[ProxRocks]

Has there been any behind-the-scenes advancements regarding Proxomitron Reborn not playing nicely with Cloudfare captchas?

[cattleyavns]

I don't think so, all secrets are very likely revealed, we just need to implement our anti-TLS Fingerprint algorithms/code.
Just we'll need to use non-OpenSSL code/recompile OpenSSL to achieve perfection. And BoringSSL is a very good candidate.

[ProxRocks]

Kind of a bummer that this topic seems to have died.

[amy]

I'm just very busy with other things, and I suspect others are too...

(Apr. 10, 2022 08:46 AM)cattleyavns Wrote:  And BoringSSL is a very good candidate.

Unfortunately not. I did a little more research and the very first thing its description says is "Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability." I am reminded of the difficulties caused by switching from the 0.9.x that Scott originally used and the 1.0.x that Proxomitron Reborn uses, and think patched OpenSSL will probably be the best choice for now. I haven't had time to figure out how to compile OpenSSL 1.1 yet (TLS 1.3 - might be part of future fingerprinting - is the most needed from that) but once more sites start doing this stuff I'll be forced to do it at some point.

[cattleyavns]

Hi, I'm here again, just want to update the progress of TLS Fingerprint cracking, this curl-impersonate-win project managed to crack TLS Fingerprint (tested), download link: https://github.com/depler/curl-impersona...tag/7.84.0

To test, type:

Code:

curl_chrome104.bat https://alternativeto.net

Success, return 200 status.

Download "normal" curl ( https://curl.se/windows/ ), and test again:

Code:

curl https://alternativeto.net

WILL fail, return 403.

So yeah, I think people are starting to fight back this degeneration technology, and have made success.

For some high-level language like Python, or libraries with very limited customization like OpenSSL, it's still pretty hard to crack TLS Fingerprint because Python doesn't support changing TLS's ClientHello packet, sadly and it's very popular.