Message-ID: <541739B5.4070103@gmx.com>
Date: Mon, 15 Sep 2014 14:10:45 -0500
From: Joe Btfsplk <joebtfsplk@gmx.com>
To: tor-talk@lists.torproject.org
Subject: [tor-talk] more sites requiring captchas from Cloudflare (using Google API?)

Using TBB, I've noticed a LOT more captchas in the last couple months - 
just to view the front page, or see the page linked from a search 
through StartPage or Ixquick.
Some of the same sites presenting captchas in TBB, I tested in Firefox 
(31, 32) & did not get a captcha.  But, I didn't repeat that test on 
hundreds of sites.

These captchas recently started appearing (more often) on all kinds of
sites.  By far the most common name that pops up associated with this
security is "Cloudflare," but also some others.
Aside from being forced to allow scripts in NoScript from Cloudflare for
the captcha to work (or whichever one it is), it also seems to require
allowing scripts from... Google.com.

No messages pop up on the captcha pages (which completely block seeing 
any content from original target site) that say Google must be allowed.
There aren't even messages saying "scripts must be allowed from
Cloudflare" (or whichever one it is).

But if you don't allow scripts from the main "security" provider (such
as Cloudflare), entering the captcha doesn't work.
If "Google.com" isn't also allowed, the captcha process usually isn't 
successful.  I don't routinely allow these - just as a test to see what 
was required.

Based partly on the Page Source, I assume the security company is using 
one of Google's APIs as part of the overall captcha process.
But, once you've allowed Google.com in NoScript (if you do), then it's 
"no holds barred."  I would think Google could then do pretty much anything.

Entering a captcha isn't the biggest issue (to me).  It's that you're 
forced to allow scripts from 3rd parties, which in addition to providing 
captcha service, could easily do lots of other things.
Most people (in any browser) don't allow 3rd party *cookies*, but on 
more & more sites we're forced to allow scripts from 3rd parties - which 
are potentially much worse than 3rd party cookies.

Some of the worst sites for requiring you to allow scripts "from everyone &
his brother" are many of the legitimate news sites.