[tor-talk] more sites requiring captchas from Cloudfare (using Google API?)
Joe Btfsplk
joebtfsplk at gmx.com
Mon Sep 15 19:10:45 UTC 2014
Using TBB, I've noticed a LOT more captchas in the last couple months -
just to view the front page, or see the page linked from a search
through StartPage or Ixquick.
Some of the same sites presenting captchas in TBB, I tested in Firefox
(31, 32) & did not get a captcha. But, I didn't repeat that test on
hundreds of sites.
These captchas recently started appearing (more often) on all kinds of
sites. By far the most common name that pops up associated with this
security is "Cloudfare," but also some others.
Aside from being forced to allow scripts in NoScript from Cloudfare for
the captcha to work (or which ever one it is), it also seems to require
allowing scripts from... Google.com.
No messages pop up on the captcha pages (which completely block seeing
any content from original target site) that say Google must be allowed.
There aren't even messages saying "scripts must be allowed from
Cloudfare" (or which ever one it is).
But if you don't allow scripts from the main "security" provider (such
as Cloudfare), entering the captcha doesn't work.
If "Google.com" isn't also allowed, the captcha process usually isn't
successful. I don't routinely allow these - just as a test to see what
was required.
Based partly on the Page Source, I assume the security company is using
one of Google's APIs as part of the overall captcha process.
But, once you've allowed Google.com in NoScript (if you do), then it's
"no holds barred." I would think Google could then do pretty much anything.
Entering a captcha isn't the biggest issue (to me). It's that you're
forced to allow scripts from 3rd parties, which in addition to providing
captcha service, could easily do lots of other things.
Most people (in any browser) don't allow 3rd party *cookies*, but on
more & more sites we're forced to allow scripts from 3rd parties - which
are potentially much worse than 3rd party cookies.
Some of the worst sites for requiring to allow scripts "from everyone &
his brother" are many of the legitimate news sites.
More information about the tor-talk
mailing list