[tor-talk] more sites requiring captchas from Cloudfare (using Google API?)

Mon Sep 15 19:10:45 UTC 2014

Using TBB, I've noticed a LOT more captchas in the last couple months - 
just to view the front page, or see the page linked from a search 
through StartPage or Ixquick.
Some of the same sites presenting captchas in TBB, I tested in Firefox 
(31, 32) & did not get a captcha.  But, I didn't repeat that test on 
hundreds of sites.

These captchas recently started appearing (more often) on all kinds of 
sites.   By far the most common name that pops up associated with this 
security is "Cloudfare," but also some others.
Aside from being forced to allow scripts in NoScript from Cloudfare for 
the captcha to work (or which ever one it is), it also seems to require 
allowing scripts from... Google.com.

No messages pop up on the captcha pages (which completely block seeing 
any content from original target site) that say Google must be allowed.
There aren't even messages saying "scripts must be allowed from 
Cloudfare" (or which ever one it is).

But if you don't allow scripts from the main "security" provider (such 
as Cloudfare), entering the captcha doesn't work.
If "Google.com" isn't also allowed, the captcha process usually isn't 
successful.  I don't routinely allow these - just as a test to see what 
was required.

Based partly on the Page Source, I assume the security company is using 
one of Google's APIs as part of the overall captcha process.
But, once you've allowed Google.com in NoScript (if you do), then it's 
"no holds barred."  I would think Google could then do pretty much anything.

Entering a captcha isn't the biggest issue (to me).  It's that you're 
forced to allow scripts from 3rd parties, which in addition to providing 
captcha service, could easily do lots of other things.
Most people (in any browser) don't allow 3rd party *cookies*, but on 
more & more sites we're forced to allow scripts from 3rd parties - which 
are potentially much worse than 3rd party cookies.

Some of the worst sites for requiring to allow scripts "from everyone & 
his brother" are many of the legitimate news sites.