Opened 5 years ago

Closed 3 years ago

#16072 closed defect (fixed)

Stop using reCaptcha on all your services

Reported by: cypherpunks Owned by:
Priority: High Milestone:
Component: Internal Services/Service - trac Version:
Severity: Major Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

because
1. reCaptcha is unsolvable when you are using Tor
2. reCaptcha allows Google to track user's visits


Attachments (1)

DO_IT_YOURSELF_CAPTCHA_SAMPLE.php (1.1 KB) - added by ikurua22 4 years ago.


Change History (10)

comment:1 Changed 5 years ago by cypherpunks

Related to #10809

comment:2 Changed 4 years ago by cypherpunks

Priority: Medium → High
Severity: Major

Captchas should be self-hosted. Or, at least, not hosted by an effing PRISM provider!

STR: Post a comment containing a blacklisted word, such as busin3ss.

Result: Trac decides you're a spammer and serves you a Google captcha.

Raising priority/severity to try and get some attention.

comment:3 Changed 4 years ago by ohheyalan@…

@cypherpunks, what does STR stand for?

comment:4 in reply to:  3 Changed 4 years ago by cypherpunks

Replying to ohheyalan@…:

@cypherpunks, what does STR stand for?

Steps to reproduce.

comment:5 Changed 4 years ago by cypherpunks

Really, the fact that they switched to serving the images from google.com instead of recaptcha.net shows it's just another avenue for them to collect google auth cookies.

comment:6 Changed 4 years ago by cypherpunks

@OP while I completely agree torproject should not use google for captchas (wtf!), just FYI tor browser has a different set of 3rd party cookies for each site, so even if you're logged into google while getting a google captcha on this site, you will not be sending your logged-in google cookies with the captcha requests.

comment:7 Changed 4 years ago by ikurua22

Yes! Yes! Tor should NOT sleep with evil Google!!

Hey, I wrote a captcha code for myself a few years ago.
If you're interested, feel free to use/edit my code as you see fit.

I hope Tor websites (all, incl. Trac) serve 100% pure torproject.org server's data.

Changed 4 years ago by ikurua22

comment:8 Changed 4 years ago by cypherpunks

Please, don't use ikurua22's shit and take some good captcha library (there are plenty of them).

comment:9 Changed 3 years ago by qbi

Resolution: fixed
Status: new → closed

Captchas are currently disabled.
