TL;DR: If you can, consider not using those services/sites; find alternatives and promote them.

On Sat, Jun 20, 2015 at 03:43:37PM +0200, Juan Miguel Navarro Martínez wrote:
> On 20/06/2015 at 10:18, Mirimir wrote:
> > Is Javascript always needed to get the number photo CAPTCHAs?
> At least for me, it does 100% of the time:
> No JS: Infinite unreadable CAPTCHA.
> JS: Either number photo or readable CAPTCHA that work at first try.

I'd like to confirm that, and I'd like to add that to get those captchas you are doing at least two requests not related to the site you are visiting: one is to g**gle.com (for the captcha) and one to ajax.clo*dflare.com. So you need Javascript and additional sites whitelisted in noscript or your other favorite blocking tool. If cl*udflare is involved, you may be requesting data from them too.

If javascript stays enabled, your session (until cookies expire or your filesystem cache is cleared) is very trackable by either g**gle (analytics i.e.) and/or cl*udflare (their cdn), as long as sites you visit use at least one of their many services like g**gle analytics or cl*udflare cdn. In terms of cdns, turning javascript off isn't enough (see E-tags and Cache-Control like Modified-since).

One reason may be that the captcha process isn't working anymore. Sophisticated adversaries break those captchas, that's the reason you get so many of them. The idea of proving you are human is insane, imho you are proving you are no bot and worth tracking when you solve the easy captchas, and doing google a favor doing OCR for their whatever-services. Consider charging them for that. :)

If cl*udflare would care, the process would be: solve that captcha provided by cl*udflare or use their "Darknet CDN" and visit the site under the following onion address. Because their customers care about tor users etc. But they are busy in terms of legal compliance, certainty. :) There are many other options - and in my experience most cl*udflare customers don't know or don't understand that.

cl*udflare is cheap (in implementation and price) and solves these problems for their customers, they consider us site-effects. Anyway, many popular sites that have content and community are using cl*udflare, project.h*neyblock or similar blacklists. They are easy to implement and keep the trolls and trouble at bay.

I've tried to reason with some sites to keep the site at least read only or offer a hiddenservice, mostly to no avail. Often, if it comes to offering a hiddenservice, someone insists that tor isn't safe enough. :) Seems like most software hasn't such elaborate and fine grained acls, it seems.

Site operators are frustrated and won't give tor users an inch. If you understand that, you have solved half of the equation. Their assumption is that one identifies users by ip, and by using tor you become indistinguishable from the bad bots and possible adversaries, so you are not allowed to participate or are denied usage. Btw, that is proof enough that tor is working very well for most of my threat models, which involve malicious or clueless site operators, users that may compromise my privacy or anonymity.

I'd like to elaborate on the presumption of innocence, which is reversed for tor users: If you use tor you are presumed an adversary or bot by those entities and have to jump through their hoops to prove you are a good person (worth tracking).

It is usually not enough to whitelist two sites, you may need various other cdns for libraries, g**gly fonts and apis and what not to let these "programs" render the data in a way you can receive them (you can't simply "view" them anymore).

This sounds like bad news, but the www is so diverse, finding a replacement site is in most cases a matter of breaking with some habits - usually one can migrate members to the newfound site too.

Some food for thought: since you usually provide valuable personal information to those entities or sites, do you really think their security, which is based on the assumption earlier, is good enough to protect your data? In my experience it isn't; if so, they wouldn't need such desperate measures and tolerate such a high rate of false positives when it comes to tor users.

Personally, I find it amusing that webdevelopers still believe I accidentally turned off javascript or I am not understanding my client well enough, and need to be reminded to turn it on again. :)

Or try this reasoning: Do you like to do business with, receive information, data, content from or participate in a community provided or hosted by an entity that considers you, or tor users in general, bad persons or adversaries while itself waiving any responsibility for your data, your privacy, your anonymity? Yes, **** ****!

Feel free to remind them that tor users, in most cases, aren't adversaries; they are using tor to circumvent censorship, blocking or insisting on some form of privacy or anonymity. It is we who have to use such desperate measures to protect our privacy or anonymity. They could try to respect that; they are not interested.

Sorry for being so elaborate, and using the term adversary so often. "Darknet CDN" is meant ironically, if that wasn't clear. I can haz udp too in the future pls. :)

-- 
tor-talk mailing list - tor-talk@lists.torproject.org