[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] more sites requiring captchas from Cloudfare (using Google API?)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] more sites requiring captchas from Cloudfare (using Google API?)
From: Joe Btfsplk <joebtfsplk@xxxxxxx>
Date: Mon, 15 Sep 2014 14:10:45 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 15 Sep 2014 15:11:23 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1

Using TBB, I've noticed a LOT more captchas in the last couple months -just to view the front page, or see the page linked from a searchthrough StartPage or Ixquick.Some of the same sites presenting captchas in TBB, I tested in Firefox(31, 32) & did not get a captcha. But, I didn't repeat that test onhundreds of sites.

These captchas recently started appearing (more often) on all kinds ofsites. By far the most common name that pops up associated with thissecurity is "Cloudfare," but also some others.Aside from being forced to allow scripts in NoScript from Cloudfare forthe captcha to work (or which ever one it is), it also seems to requireallowing scripts from... Google.com.

No messages pop up on the captcha pages (which completely block seeingany content from original target site) that say Google must be allowed.There aren't even messages saying "scripts must be allowed fromCloudfare" (or which ever one it is).

But if you don't allow scripts from the main "security" provider (suchas Cloudfare), entering the captcha doesn't work.If "Google.com" isn't also allowed, the captcha process usually isn'tsuccessful. I don't routinely allow these - just as a test to see whatwas required.

Based partly on the Page Source, I assume the security company is usingone of Google's APIs as part of the overall captcha process.But, once you've allowed Google.com in NoScript (if you do), then it's"no holds barred." I would think Google could then do pretty much anything.

Entering a captcha isn't the biggest issue (to me). It's that you'reforced to allow scripts from 3rd parties, which in addition to providingcaptcha service, could easily do lots of other things.Most people (in any browser) don't allow 3rd party *cookies*, but onmore & more sites we're forced to allow scripts from 3rd parties - whichare potentially much worse than 3rd party cookies.

Some of the worst sites for requiring to allow scripts "from everyone &his brother" are many of the legitimate news sites.

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] more sites requiring captchas from Cloudfare (using Google API?)
  - From: Öyvind Saether
- Re: [tor-talk] more sites requiring captchas from Cloudfare (using Google API?)
  - From: Öyvind Saether
- Re: [tor-talk] more sites requiring captchas from Cloudfare (using Google API?)
  - From: John Pinkman

Prev by Author: Re: [tor-talk] Tor Browser Bundle 3.6.3: bad start
Next by Author: Re: [tor-talk] more sites requiring captchas from Cloudfare (using Google API?)
Previous by thread: Re: [tor-talk] Misogyny on tor-talk is an existential threat to Tor (was: Re: Comcast looking for Tor traffic, contacting customers to threaten termination of service.)
Next by thread: Re: [tor-talk] more sites requiring captchas from Cloudfare (using Google API?)
Index(es):
- Author
- Thread