Opened 10 years ago

Closed 10 years ago

#1722 closed defect (fixed)

Captcha at does not follow https

Reported by: koryk
Owned by: pde
Priority: High
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Keywords: torbutton, google, captcha


When using Torbutton, Google queries are often forwarded to When using https-everywhere along with Torbutton, an https request gets forwarded to a non http site. When trying to change the scheme to https, you get forwarded back to the search page. So the URL of the captcha page is something like this where your search URL is after the 'continue='. So someone listening on the exit node could see what your query is even if you're trying to use https. In addition, this leaks your cookie if you are signed in. According to the PETS presentation 'Private Information Disclosure from Web Searches' given by Emiliano De Cristofaro, this can be a dangerous disclosure of personal information.

In addition, after successfully filling out the captcha, you get redirected to your search URL without the https, and that returns with a 301 request forwarding to the https request. I believe this part can be caught by https-everywhere. This GET request will also contain your cookie. I confirmed this by examining the HTTP requests through Firebug while using https-everywhere and Torbutton.
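The redirect chain described in the report above can be audited from a recorded list of hops; this is an added example, not part of the original ticket or of Torbutton or HTTPS Everywhere. The hosts, paths, query string and the `cookie_hosts` input are constructed placeholders, since the ticket's own URLs are not shown.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample data: hosts, paths and the query are placeholders.
SEARCH = "search.example/search?q=private+query"
CAPTCHA = "http://captcha.example/captcha?continue=" + quote("https://" + SEARCH, safe="")
CHAIN = [  # (request URL, response status, Location header)
    ("https://" + SEARCH, 302, CAPTCHA),             # HTTPS search bounced to the captcha
    (CAPTCHA, 302, "http://" + SEARCH),              # captcha solved, sent back over HTTP
    ("http://" + SEARCH, 301, "https://" + SEARCH),  # upgraded only after the cleartext GET
]

def exposed_params(url):
    """Query parameters an on-path observer sees for a cleartext request,
    including those inside a nested continue= URL (one level deep)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return {}
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    nested = params.get("continue")
    if nested:
        inner = parse_qs(urlsplit(nested).query)
        params.update({"continue." + k: v[0] for k, v in inner.items()})
    return params

def audit_chain(chain, cookie_hosts=frozenset()):
    """Flag hops that downgrade HTTPS to HTTP or send data in cleartext.
    cookie_hosts: hosts whose cookies lack the Secure attribute (assumed input)."""
    findings = []
    for request_url, status, location in chain:
        req, loc = urlsplit(request_url), urlsplit(location)
        cleartext = req.scheme == "http"
        finding = {
            "request": request_url,
            "status": status,
            "downgrade": req.scheme == "https" and loc.scheme == "http",
            "leaked_params": exposed_params(request_url),
            "cookie_exposed": cleartext and req.hostname in cookie_hosts,
        }
        if finding["downgrade"] or cleartext:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in audit_chain(CHAIN, cookie_hosts={"search.example"}):
        print(f)
```

The second hop shows the search term recovered from inside `continue=`, and the third shows the cookie going out on the plain-HTTP GET before the 301 upgrades it.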

Change History (1)

comment:1 Changed 10 years ago by mikeperry

Resolution: fixed
Status: new → closed

I think this is a torbutton issue. It is fixed in 1.3.0-alpha and should be fixed in 1.2.6. We fix it by sending google users to ixquick when google gives us captchas.
