[tor-bugs] #16096 [operations]: CloudFlare captchas
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Dec 24 06:25:09 UTC 2015
#16096: CloudFlare captchas
------------------------+-------------------------
Reporter: isabela | Owner: isabela
Type: task | Status: new
Priority: Medium | Milestone:
Component: operations | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------+-------------------------
Changes (by arthuredelstein):
* cc: arthuredelstein (added)
* severity: => Normal
Comment:
I noticed that CloudFlare is using Google's reCAPTCHA version 1. It turns
out that version 1 is deprecated in favor of version 2.
When JavaScript is disabled, reCAPTCHA version 1 is typically impossible
for a human to solve, whereas version 2 is relatively reasonable.
Demo of v1 (what CloudFlare uses now):
https://www.google.com/recaptcha/api/fallback?k=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
Demo of v2 (what CloudFlare should use):
https://www.google.com/recaptcha/api/noscript?k=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
In the URLs above, the value of `k` is the public site key (in this case,
a demo). I tried changing the URL cloudflare uses from `fallback` to
`noscript`, but it returns an error. My reading suggests that CloudFlare's
site key is reserved for version 1, and CloudFlare will need to request a
new site key to migrate to version 2.
If CloudFlare would be kind enough to upgrade to Google reCAPTCHA version
2, then I think it will be much easier for Tor Browser users to access
these sites. Sites using CloudFlare would still be protected by a CAPTCHA,
but one that allows humans to pass.
Full documentation for reCAPTCHA is at
https://developers.google.com/recaptcha/intro
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16096#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list