February 2, 2020

Finally! Got past the login CAPTCHA - on Linux, this time

Yeah, I know, no blog updates in two months. Sorry about that, but there wasn't really anything to write about.

So, where do we stand now? Good news first: I just managed to complete the first step of the login process without being stopped by a CAPTCHA. All the handler code I wrote for it was completely unnecessary. The whole thing is just a giant diversion: by the time you get the CAPTCHA, Google has already decided not to let you in. That decision is based entirely on the parameters set in the SSL handshake. The trick is just figuring out which ciphers and extensions must be enabled and/or disabled (and in which order).

This brings us to the bad news: Google fingerprints for OpenSSL. Why OpenSSL? Isn’t Android supposed to be Java based? Doesn’t Java have its own TLS implementation? Yes, it is and yes it does, but Google just can’t help shipping code without improving it for the worse. In this case, parts of the TLS stack were replaced with an implementation that can keep connections alive even when the corresponding app gets killed (the idea being that the app can resume without handshaking again when it is restarted). Why is this bad news? Well, OpenSSL uses two extensions related to elliptic curves that Java doesn’t seem to support.
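To make concrete what a decision "based on the parameters set in the SSL handshake" looks like from the server side, here is an added example (not Raccoon's code and not from this post) that parses a constructed ClientHello and derives a JA3-style fingerprint from the ordered cipher suites, the ordered extension types and the values of the two elliptic-curve extensions supported_groups (10) and ec_point_formats (11); that these are the two extensions the post refers to is an assumption, and the sample ClientHellos are constructed, not captured.

```python
import hashlib
import struct

# Constructed sample ClientHello builder for demonstration (not a real capture).
# Field layout follows the TLS ClientHello structure: version, random, session id,
# cipher suites, compression methods, extensions.
def build_client_hello(ciphers, extensions):
    """Wrap a ClientHello with ordered cipher suites and [(type, data), ...] extensions in a TLS record."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def ja3(record):
    """Return ('version,ciphers,extensions,supported_groups,ec_point_formats', md5) for a
    ClientHello record; values are decimal and '-' joined. GREASE filtering is omitted."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9  # skip the 5-byte record header and 4-byte handshake header
    version = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    p += 32  # client random
    p += 1 + record[p]  # session id
    n = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + record[p]  # compression methods
    ext_types, groups, formats = [], [], []
    if p < len(record):
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
        while p < end:
            t, l = struct.unpack("!HH", record[p:p + 4]); p += 4
            data = record[p:p + l]; p += l
            ext_types.append(t)
            if t == 10:  # supported_groups: 2-byte list length, then 2-byte curve ids
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, len(data), 2)]
            elif t == 11:  # ec_point_formats: 1-byte list length, then 1-byte format ids
                formats = list(data[1:])
    s = ",".join([str(version)] + ["-".join(map(str, x)) for x in (ciphers, ext_types, groups, formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

# Two constructed clients offering the same ciphers and extensions in a different
# order: an order-sensitive check tells them apart, which is the point of the post.
EC = [(10, b"\x00\x04\x00\x17\x00\x18"), (11, b"\x01\x00")]  # secp256r1, secp384r1; uncompressed
CLIENT_A = build_client_hello([0xC02B, 0xC02F, 0x009C], EC + [(0, b"")])
CLIENT_B = build_client_hello([0xC02F, 0xC02B, 0x009C], [(0, b"")] + EC)
if __name__ == "__main__":
    for name, rec in (("A", CLIENT_A), ("B", CLIENT_B)):
        print(name, *ja3(rec))
```

Run stand-alone it prints both fingerprint strings and their hashes; the same three suites and three extensions yield different hashes purely because of ordering.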

So, the choices I have are either going the Android way and putting a native library into Raccoon that wraps OpenSSL, or finding an alternative TLS implementation that can mimic OpenSSL. Bouncy Castle looks like it might do the trick, but their docs are horrible.