[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] more sites requiring captchas from Cloudfare (using Google API?)



Using TBB, I've noticed a LOT more captchas in the last couple months - just to view the front page, or see the page linked from a search through StartPage or Ixquick. Some of the same sites presenting captchas in TBB, I tested in Firefox (31, 32) & did not get a captcha. But, I didn't repeat that test on hundreds of sites.

These captchas recently started appearing (more often) on all kinds of sites. By far the most common name that pops up associated with this security is "Cloudfare," but also some others. Aside from being forced to allow scripts in NoScript from Cloudfare for the captcha to work (or which ever one it is), it also seems to require allowing scripts from... Google.com.

No messages pop up on the captcha pages (which completely block seeing any content from original target site) that say Google must be allowed. There aren't even messages saying "scripts must be allowed from Cloudfare" (or which ever one it is).

But if you don't allow scripts from the main "security" provider (such as Cloudfare), entering the captcha doesn't work. If "Google.com" isn't also allowed, the captcha process usually isn't successful. I don't routinely allow these - just as a test to see what was required.

Based partly on the Page Source, I assume the security company is using one of Google's APIs as part of the overall captcha process. But, once you've allowed Google.com in NoScript (if you do), then it's "no holds barred." I would think Google could then do pretty much anything.

Entering a captcha isn't the biggest issue (to me). It's that you're forced to allow scripts from 3rd parties, which in addition to providing captcha service, could easily do lots of other things. Most people (in any browser) don't allow 3rd party *cookies*, but on more & more sites we're forced to allow scripts from 3rd parties - which are potentially much worse than 3rd party cookies.

Some of the worst sites for requiring to allow scripts "from everyone & his brother" are many of the legitimate news sites.
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk