Opened 4 years ago

Closed 4 years ago

#1722 closed defect (fixed)

Captcha at sorry.google.com does not follow https

Reported by: koryk Owned by: pde
Priority: major Milestone:
Component: EFF-HTTPS Everywhere Version:
Keywords: torbutton, google, captcha Cc:
Actual Points: Parent ID:
Points:

Description

When using Torbutton, google queries are often forwarded to sorry.google.com. When using https-everywhere along with Torbutton, a https request gets forwarded to a non http site, sorry.google.com. When trying to change the scheme to https, you get forwarded back to the encrypted.google.com search page. So the url of the captcha page is something like this http://sorry.google.com/sorry/Captcha?continue= where your search url is after the 'continue='. So someone listening on the exit node could see what your query is even if you're trying to use https. In addition, this leaks your cookie if you are signed in. According to the PETS presentation 'Private Information Disclosure from Web Searches' given by Emiliano De Cristifaro, this can be a dangerous disclosure of personal information.

In addition, after successfully filling out the captcha, you get redirected to your search url without the https, and that returns with a 301 request forwarding to the https request. I believe this part can be caught by https-everywhere. This get request also will contain your cookie. I confirmed this by examining the http requests through firebug while using https-everywhere and torbutton.

Child Tickets

Change History (1)

comment:1 Changed 4 years ago by mikeperry

  • Resolution set to fixed
  • Status changed from new to closed

I think this is a torbutton issue. It is fixed in 1.3.0-alpha and should be fixed in 1.2.6. We fix it by sending google users to ixquick when google gives us captchas.

Note: See TracTickets for help on using tickets.