Flood Resiliency: Graphical Captcha

[vecna]

In relation to the GlobaLeaks Submission Flood Resiliency Project this ticket is to implement Graphical Captcha support.

After #188 would be easy trigger anomalies in the network traffic. being anonymous, the anomalies may be detected only checking the relationship of event type, amount of the events in a timelapse.

Whenever the amount of Tip creation is most than usually, it may be an applicative DoS, in this case:

• When a InternalTip is created, if the anomaly is detected, only HTTP session with the captcha-cookie may perform new submission or file upload.
• If a session without captcha-cookie try to create a new InternalTip, need to be generated an image using an appropriate library and tracked in memory (like sessions) the correspondent identified and human-readable content.
• Creation of a new InternalTip need to return a dedicated error code, with a base64 image in the HTTP payload
• Error code need to be catch by GLClient and render the captcha
• Captcha solution is posted in a dedicated API, like /captchaauth
• If match with the human readable content, is assigned a new cookie like the authentication one.

Appropriate library need to be chosen between some PIL usage or a dedicate captcha library.

[fpietrosanti]

I noticed that most commercial whistleblowing system have by default a simple captcha

[vecna]

Moved in desiderata

[vecna]

blocked by #938 #934

[fpietrosanti]

Remember internationalization of captcha to be supported in multiple charset (arabic, chinese, etc)

[vecna]

yes yes, is a prerequisite of the analysis. The latest thing I see:

• permit to choose randomly based on an array selected by me, so, based on the charset, I can provide the symbol
• depends on the font, and not every font support all the charset. this is the current limitation of the i18n.

[vecna]

https://pypi.python.org/pypi/PyCAPTCHA/0.4 this is a debian package:

Package: python-captcha                  
State: not installed
Version: 0.4-1
Priority: optional
Section: universe/python
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: all
Uncompressed Size: 516 k
Depends: python2.7, python (>= 2.7.1-0ubuntu2), python (< 2.8), python-imaging (>=
     1.1.5), ttf-bitstream-vera
Description: collection of Python modules implementing CAPTCHAs
 This package contains Python modules to add some captcha in an application to
 recognize a human versus a robot. The package generates an image based on a
 dictionary.
Homepage: http://pypi.python.org/pypi/PyCAPTCHA/0.4

And is quite simple http://svn.navi.cx/misc/trunk/pycaptcha/simple_example.py

[vecna]

This will be implemented when the actual token system (that imply #795 and #796) is stabilized.

[vecna]

As the last call decided, now we'll see how's go with Human Captcha, removed from milestone.

[evilaliv3]

agreed, thanks @vecna