CloudFlare captchas

added component::archived/operations owner::isabela priority::medium resolution::fixed severity::normal status::closed type::task labels

I noticed that CloudFlare is using Google's reCAPTCHA version 1. It turns out that version 1 is deprecated in favor of version 2.

When JavaScript is disabled, reCAPTCHA version 1 is typically impossible for a human to solve, whereas version 2 is relatively reasonable.

The following are demos of the two types of reCAPTCHAs (v1 and v2). You can test them by copy/pasting them into your URL bar:

Demo of v1 (what CloudFlare uses now): https://www.google.com/recaptcha/api/noscript?k=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI

Demo of v2 (what CloudFlare should use): https://www.google.com/recaptcha/api/fallback?k=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI

In the URLs above, the value of k is the public site key (in this case, a demo). I tried changing the URL cloudflare uses from noscript (v1) to fallback (v2), but it returns an error. Google indicates that CloudFlare's site key is reserved for version 1, and CloudFlare will need to request a new site key to migrate to version 2.

If CloudFlare would be kind enough to upgrade to Google reCAPTCHA version 2, then I think it will be much easier for Tor Browser users to access these sites. Sites using CloudFlare would still be protected by a CAPTCHA, but one that allows humans to pass.

Full documentation for reCAPTCHA is at https://developers.google.com/recaptcha/intro

Update: https://twitter.com/octal/status/679925749545996290

Trac:
Cc: N/A to arthuredelstein
Sponsor: N/A to N/A
Severity: N/A to Normal

A lot has happened since this was first created. There is an email list just for this subject and ongoing conversations between both party. Closing this ticket as new things are being followed somewhere else.

Trac:
Status: new to closed
Resolution: N/A to fixed
Reviewer: N/A to N/A

closed

mentioned in issue #16772 (moved)

CloudFlare captchas

Child items ...

Activity