Opened 5 years ago

Closed 4 years ago

#16072 closed defect (fixed)

Stop using reCaptcha on all your services

Reported by: cypherpunks
Owned by:
Priority: High
Milestone:
Component: Internal Services/Service - trac
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


1. reCaptcha is unsolvable when you are using Tor
2. reCaptcha allows Google to track users' visits

Attachments (1)

DO_IT_YOURSELF_CAPTCHA_SAMPLE.php (1.1 KB) - added by ikurua22 4 years ago.

Change History (10)

comment:1 Changed 5 years ago by cypherpunks

Related to #10809

comment:2 Changed 4 years ago by cypherpunks

Priority: Medium → High
Severity: Major

Captchas should be self-hosted. Or, at least, not hosted by an effing PRISM provider!

STR: Post a comment containing a blacklisted word, such as busin3ss.

Result: Trac decides you're a spammer and serves you a Google captcha.

Raising priority/severity to try and get some attention.

comment:3 Changed 4 years ago by ohheyalan@…

@cypherpunks, what does STR stand for?

comment:4 in reply to:  3 Changed 4 years ago by cypherpunks

Replying to ohheyalan@…:

@cypherpunks, what does STR stand for?

Steps to reproduce.

comment:5 Changed 4 years ago by cypherpunks

Really, the fact that they switched to serving the images from instead of shows it's just another avenue for them to collect google auth cookies.

comment:6 Changed 4 years ago by cypherpunks

@OP while I completely agree torproject should not use google for captchas (wtf!), just FYI: tor browser has a different set of 3rd party cookies for each site, so even if you're logged into google while getting a google captcha on this site, you will not be sending your logged-in google cookies with the captcha requests.
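
Added example, not part of the ticket thread and not Tor Browser code: a simplified model of the per-site third-party cookie separation that comment:6 describes, compared with a single shared cookie jar. The host names (`provider.example`, `tickets.example`, `blog.example`) and cookie values are constructed for illustration.

```javascript
// Simplified model, constructed for illustration; not Tor Browser code.
// A cookie jar keyed by cookie host only, versus one that is also keyed by
// the first-party site (the site in the URL bar).
class CookieJar {
  constructor(isolateByFirstParty) {
    this.isolate = isolateByFirstParty;
    this.store = new Map(); // bucket key -> Map(cookie name -> value)
  }
  key(firstParty, cookieHost) {
    return this.isolate ? `${firstParty}|${cookieHost}` : cookieHost;
  }
  set(firstParty, cookieHost, name, value) {
    const k = this.key(firstParty, cookieHost);
    if (!this.store.has(k)) this.store.set(k, new Map());
    this.store.get(k).set(name, value);
  }
  // Cookie header sent to cookieHost from a page whose URL bar shows firstParty.
  header(firstParty, cookieHost) {
    const bucket = this.store.get(this.key(firstParty, cookieHost)) || new Map();
    return [...bucket].map(([n, v]) => `${n}=${v}`).join("; ");
  }
}

// Hypothetical hosts: the user logs in at the captcha provider directly, then
// a ticket site embeds that provider's captcha as a third party.
function captchaRequestCookies(isolate) {
  const jar = new CookieJar(isolate);
  jar.set("provider.example", "provider.example", "session", "logged-in");
  return jar.header("tickets.example", "provider.example");
}

// In this model, isolation is per first party: a cookie the provider sets while
// embedded on the ticket site comes back on later captcha loads from that same
// site, but not from a different site.
function embeddedCookieVisibility() {
  const jar = new CookieJar(true);
  jar.set("tickets.example", "provider.example", "id", "abc");
  return {
    sameSite: jar.header("tickets.example", "provider.example"),
    otherSite: jar.header("blog.example", "provider.example"),
  };
}

console.log("shared jar:  ", JSON.stringify(captchaRequestCookies(false)));
console.log("isolated jar:", JSON.stringify(captchaRequestCookies(true)));
console.log("embedded:    ", JSON.stringify(embeddedCookieVisibility()));
```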

comment:7 Changed 4 years ago by ikurua22

Yes! Yes! Tor should NOT sleep with evil Google!!

Hey, I wrote a captcha code for myself a few years ago.
If you're interested, feel free to use/edit my code as you see fit.

I hope Tor websites (all, incl. Trac) serve 100% pure server's data.

Changed 4 years ago by ikurua22

comment:8 Changed 4 years ago by cypherpunks

Please, don't use ikurua22's shit and take some good captcha library (there are plenty of them).

comment:9 Changed 4 years ago by qbi

Resolution: fixed
Status: new → closed

captchas are currently disabled.
