Captcha at sorry.google.com does not follow https
Reported by: koryk
Owned by: pde
Severity:
Keywords: torbutton, google, captcha
When using Torbutton, Google queries are often forwarded to sorry.google.com. When using https-everywhere along with Torbutton, an https request gets forwarded to a non-https site, sorry.google.com. When trying to change the scheme to https, you get forwarded back to the encrypted.google.com search page. So the URL of the captcha page is something like this: http://sorry.google.com/sorry/Captcha?continue= where your search URL is after the 'continue='. So someone listening on the exit node could see what your query is even if you're trying to use https. In addition, this leaks your cookie if you are signed in. According to the PETS presentation 'Private Information Disclosure from Web Searches' given by Emiliano De Cristofaro, this can be a dangerous disclosure of personal information.
In addition, after successfully filling out the captcha, you get redirected to your search URL without the https, and that returns with a 301 request forwarding to the https request. I believe this part can be caught by https-everywhere. This GET request also will contain your cookie. I confirmed this by examining the HTTP requests through Firebug while using https-everywhere and Torbutton.
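As an added illustration (not from the ticket or the HTTPS Everywhere project) of what a proxy or log check for this chain looks like: the Python below walks a redirect chain and flags every cleartext hop that re-exposes a query string an earlier HTTPS hop carried, including when the search URL is nested inside a parameter such as 'continue='. The chain is a constructed sample modelled on the ticket, not captured traffic.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the redirect chain described in the ticket (not real traffic):
# an HTTPS search is bounced to a cleartext captcha page that carries the original
# search URL in its 'continue=' parameter, then to a cleartext copy of the search URL.
SAMPLE_CHAIN = [
    "https://encrypted.google.com/search?q=medical+test+results",
    "http://sorry.google.com/sorry/Captcha?continue="
    "https%3A%2F%2Fencrypted.google.com%2Fsearch%3Fq%3Dmedical%2Btest%2Bresults",
    "http://encrypted.google.com/search?q=medical+test+results",
    "https://encrypted.google.com/search?q=medical+test+results",
]


def embedded_urls(url):
    """Return decoded URL-looking values found in the query parameters of `url`."""
    found = []
    for values in parse_qs(urlsplit(url).query).values():
        for v in values:  # parse_qs already percent-decodes the values
            if v.startswith(("http://", "https://")):
                found.append(v)
    return found


def find_downgrade_leaks(chain):
    """Flag each cleartext hop that exposes a query string an earlier HTTPS hop protected.

    Returns a list of (hop_index, leaked_query) tuples, in chain order.
    """
    leaks = []
    protected = set()  # query strings seen on HTTPS hops so far
    for i, url in enumerate(chain):
        parts = urlsplit(url)
        if parts.scheme == "https":
            if parts.query:
                protected.add(parts.query)
            continue
        # Cleartext hop: its own query and any URL nested inside it are visible on the wire.
        exposed = [parts.query] + [urlsplit(u).query for u in embedded_urls(url)]
        for q in exposed:
            if q and q in protected:
                leaks.append((i, q))
    return leaks


if __name__ == "__main__":
    for hop, query in find_downgrade_leaks(SAMPLE_CHAIN):
        print(f"hop {hop} exposes protected query in cleartext: {query}")
```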