23 提交 / 0 new
最新文章
#1 2018-08-17 02:24

reCAPTCHA now blocking privacy protective browsers

Posting from a substitute account off a Live OS due to not being able to log into my own account anymore.

reCAPTCHA, a Google service, will now refuse to take you through the sign-in process if you're using a more privacy-minded browser with tracking protection measures.
I tried to sign in today like I normally do using Pale Moon, a Firefox fork, and am greeted with this "lovely" message.

"Please upgrade to a supported browser to get a reCAPTCHA challenge."

What are these "supported browsers"?
https://support.google.com/recaptcha#6223828

Quote:
Browser requirements for reCAPTCHA

We support the two most recent major versions of the following:

desktop (Window, Linux, Mac)
Chrome
Firefox
Safari
IE / Edge
mobile
Chrome
Safari
Andriod native browser (4.0+)

No mentions of browsers like Brave or Vivaldi, i.e. those that have the deceny to not be constantly tracking you and phoning home. Also, note the line "two most recent major versions." They are demanding that not only you use the more spyware ridden browsers, but also demanding that you accept whatever forced updates come with those browsers, including whatever settings tampering and additional spyware comes with those updates. If you try to foil their constant tracking with a browser or add-ons they don't approve of, they will deny you access to your accounts.

This is absolutely unacceptable. ESPECIALLY for a site like iwara, which has a sizable population of users from countries like China and South Korea, where they risk imprisonment if they are caught accessing a site like this. As well as Japanese artists who do not wish to be forced to censor their works.

Already you have another topic complaining about the reCAPTCHA. The message is clear. The reCAPTCHA has got to go.

2018-08-17 03:20

The type captcha is a worse version {type what you see code} It always goes nutty and says cant find captcha site error.

2018-08-17 04:02
Quote:
The type captcha is a worse version {type what you see code} It always goes nutty and says cant find captcha site error.

What are you going on about? Are you seriously trying to argue that a critical part of the site being this broken for some users is perfectly fine because some other kinds of captchas also don't work?

Screencap transferred from my other machine. This is what I now encounter every single time since this afternoon.

2018-08-17 04:25

I think you're being paranoid in classifying Firefox as a "spyware-ridden browser".

2018-08-17 04:44

What I tried saying is the other captchas can be worse thats all. I dont like any of those codes myself but the Admin thinks its Necessary to keep bots out of the site.

2018-08-17 05:31
DNNinetail wrote:
What I tried saying is the other captchas can be worse thats all. I dont like any of those codes myself but the Admin thinks its Necessary to keep bots out of the site.

What, specifically, are his concerns regarding bots? Is he worried about spam causing server load issues? Good flood detection and limits on how much posting new accounts can do within a time period accomplish the same goal. Is it advertising, someone uploading gore or other such things? Just have a proper flagging system in place and enough volunteers on duty to handle to get rid of it when it crops up.

Also, it's worth mentioning that captchas can only stop the low hanging fruit among spammers. If a spammer is truly dedicated, he can simply fill out the captchas himself in the bot's stead and proceed as normal.

Ketsuban wrote:
I think you're being paranoid in classifying Firefox as a "spyware-ridden browser".

HAHAHAHAHAHA

Straight from the horse's mouth: https://www.mozilla.org/en-US/privacy/

Quote:
What do we mean by "personal information?"

For us, "personal information" means information which identifies you, like your name or email address.

Quote:
How do we learn information about you?

We learn information about you when:

  • you give it to us directly (e.g., when you choose to send us crash reports);
  • we collect it automatically through our products and services (e.g., when your Firefox browser checks with us to see if is up to date);
  • someone else tells us information about you (e.g., when Thunderbird works with your email providers to set up your account); or
  • when we try and understand more about you based on information you've given to us (e.g., when we use your IP address to customize language for some of our services).

And for our asian firends, there's this little gem:

Quote:
What else should you know?

We're a global organization and our computers are in several different places around the world. We also use service providers whose computers may also be in various countries. This means that your information might end up on one of those computers in another country, and that country may have a different level of data protection regulation than yours. By giving us information, you consent to this kind of transfer of your information. No matter what country your information is in, we comply with applicable law and will also abide by the commitments we make in this privacy policy.

You can confirm this for yourself. Type about:config in a new tab and look at how many URLs you see. Search "google" or "facebook" and you'll be disgusted at just how much spying there is in Firefox. And that's not even going into other things like Pocket or EMEs, or how often users have reported changes they made to their settings being reverted after yet another forced update.

Modern day mainline Firefox is every bit as rubbish and bullshit infested as all of the other big players.

2018-08-17 07:02

I just installed Pale Moon and reCaptcha works fine. Stop blocking javascript you autismo neckbeard, it isn't going to hurt you.

2018-08-17 07:02

Also I knew that Alex Jones had been censored from a lot of the internet, never knew that he would make Iwara his final stand

2018-08-17 14:01
Quote:
we collect it automatically through our products and services (e.g., when your Firefox browser checks with us to see if is up to date);

...yeah they learn whether or not your browser is up do date. Seriously dude, Firefox is open source. Anyone can go and check what the code actually does. It would take a worldwide conspiracy involving the entire Free and Open Source community for Firefox to phone home.

2018-08-17 20:58

Confimed, reCaptcha is shafting Pale Moon. Can no longer login. For me, nothing happens on click. After second click, captcha says "something went wrong" and tells me to reload the page.
Edit: works now. Never happened before, interesting moment it chose ^_^

2018-08-17 18:47

@Awaclus Nobody check open source code except hackers. It's literally billion eyes and NOBODY looking. If you have genuine information stating otherwise (someone you know actually studies open source code and tries to find problems with it), I stand corrected. Just don't live in convenient fantasies, ok?

2018-08-17 19:07

While I agree that Firefox is becoming more and more like Chrome, there's always Waterfox that do the hard work for you and ship without Pocket and all the other telemetry they've added.
However, in your case it's probably just a user agent check since Pale moon is like 20 versions behind Firefox, get an add-on to change it for the Google domains and it should start working again.

2018-08-17 22:58

>Also I knew that Alex Jones had been censored from a lot of the internet, never knew that he would make Iwara his final stand
was going to say something in the lines of this issue is not fixable by average joes using different software, but this broke me in laughter

2018-08-18 00:32

There's a reason why this exists my good friend, it's to prevent bot accounts from getting into the website and doing shit that can harm the website. So take the tinfoil hat off and bite the bullet.

2018-08-18 01:20

Ever heard of bot makers. The New ones make bots that can by pass captcha code thank god the dumb asses dont know of them or how to use them. Make security measures and some Asshole hackers find a defect in the code and we all get fucked.

2018-08-18 05:04

Just as I had finished up with this write-up I had noticed that you had switched to keycaptcha instead. While I suppose what I'm about to post isn't quite as revelant now, there's still important information here that I feel like people here should be informed about, and I don't want it to go to waste. Consider this information in the event of a reversion, I suppose.

Original write-up below:

Awful lot of folks willing to defend reCAPTCHA and Firefox cropping up here. Perhaps I didn't make my case clear enough.

reCAPTCHA uses techniques that can be used to fingerprint and deanonymize users.

http://qnimate.com/how-does-googles-no-captcha-recaptcha-work/

Quote:
Clicking on the virtual checkbox is not the only factor. Google also relies pattern of movements of mouse that differences humans and bots. It looks for overall user engagement with the captcha. It also uses user time on page algorithms, bots IP addresses database, HTTP referer, number of requests etc. We still don’t know all the methods used by Google to detect bots.

Bolded items in the quote are all factors that can be used to differentiate between different individuals and narrow down who you are. Furthermore, the general behavior analysis techniques can only be performed using javascript techniques, and said techniques likely come with other measures to further fingerprint the user. Google makes its money through collecting and selling information, so they have every incentive to do so.

From another section of the article:

Quote:
It actually create a virtual checkbox inside the iframe and user clicks the virtual check box. Google also inserts a invisible textarea inside the form. Google populates the textarea with a unique value indicating weather the user is a bot or not. We will see how it finds bot or not later on in this article.

Text inside the textarea is a unique value, true and false indicating human or bot is stored in Google servers. We need to retrieve the boolean using this unique value once form is submitted. And than act accordingly.

And there you go. The reCAPTCHA system constantly calls back to a database on its servers and stores the data it processed about your machine and your habits. If you constantly have to click through the crap in reCAPTCHAs you're probably still somewhat anonymized. But if you never have to go through that hassle, it means that Google has definitely isolated you and has your unique fingerprint in their databases.

reCAPTCHA is not as foolproof as you may think, and has already been cracked on more than one occasion.

https://threatpost.com/googles-recaptcha-cracked-again/128690/
reCAPTCHA has already been broken by bots more than once, and it will certainly be broken more times in the future.

But, as I already said, a truly determined spammer can simply employ human assistance to clear the reCAPTCHAs so the bots can get back to business.

https://anti-captcha.com/
This is just one such example of a reCAPTCHA task force for hire.

I ask again, what are the specific concerns regarding bots, and are these issues that cannot be resolved with other measures like flood detection, limited posting for new accounts, and a proper flagging system? That last one especially, as iwara is the only site I can recall being on that did not have any sort of report function integrated into its interface whatsoever.

And as for those claiming not to worry about Firefox phoning home, here is yet another example circa late 2017:
https://www.reddit.com/comments/73t2py
If you read through the thread it clearly shows that the data sent back to their servers (IP address, OS, CPU) is more than enough to identify individual users (Related link from the same thread: https://www.emptywheel.net/2017/09/30/why-did-google-miss-a-lot-of-users...). Furthermore, these requests are sent via plaintext, which means that they can easily be MitMed by and spying agency. And even though they claim that these logs are only kept a maximum of two weeks, there's also the case of this US law:
https://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act
Which basically shields any U.S. based tech company or site from any liability in sharing information with these spying agencies. And even though as written the law states that they are not allowed to share info that is "personally identifiable" in most cases, Mozilla itself claims that this information is not personally identifiable. So they have a legal shield which allows them to collect the telemetry data that can identify users, pass it off to TLAs, delete the data afterward, and not be required to disclose this to anyone.

I realize that I sound like a paranoid lunatic to the uninitiated. But again, as I alluded to my opening post, I'm not as worried about some spook coming after me as I am about something happening to some of the creators here. Anyone remember this lunacy that went through earlier this year?
https://www.eff.org/deeplinks/2018/03/responsibility-deflected-cloud-act...

Consider the possibility that this law could be used to enter an agreement with an asian country like Japan, China, or South Korea. And consider that any of those countries afterward could start a legal crackdown against uncensored works in the former case, or R18 content in general in the latter two.

And if you remember one detail from this rant, remember this, because this is ultimate the main thing I'm trying to warn you about.

Even though iwara itself has said that they won't cooperate with agencies trying to go after these artists, Google and their reCAPTCHA are NOT iwara. Google can, via the legal mechanism of the CLOUD act, potentially use the information it collects via reCAPTCHA to help foriegn law enforcement agencies locate and identify artists here who are subject to unjust laws.

THAT is ultimately why we need to be rid of the reCAPTCHA as soon as we are able. I've already seen multiple eastern artists here who either started self-censoring later on with their works, wiped their uploads and reuploaded with mosaics, or simply hit the panic button and wiped everything altogether. Iwara itself has already been strongarmed into self-censoring due to a third-party once before. Do you really think there's no possibility they use the profiling data from reCAPTCHA to strongarm iwara and its owners and operators in the future?

The sooner we ditch the reCAPTCHA, the better.

2018-08-18 07:52
Quote:
Nobody check open source code except hackers. It's literally billion eyes and NOBODY looking. If you have genuine information stating otherwise (someone you know actually studies open source code and tries to find problems with it), I stand corrected. Just don't live in convenient fantasies, ok?

Hackers, security experts, people who work on the code (e.g. for forks), people who work on other code that has to be compatible, and random people who just happen to care. You could check the source code yourself if you wanted.

2018-08-18 08:00
Quote:
If you read through the thread it clearly shows that the data sent back to their servers (IP address, OS, CPU) is more than enough to identify individual users

No shit, sherlock. If you're downloading any software from anyone's server, they know your IP address, OS and CPU 100% of the time because they need to know your IP address in order to send the data over, and they can figure out your OS and CPU architecture based on what version of the software you downloaded.

2018-08-22 06:04

Is key captcha working out better?

2018-08-23 16:10

As i know it after it add this annoying thing I cannot save my cookies any more , everytime I go in here I need to login every times

2018-08-25 00:36

It's working out better for anyone interested in their privacy. The fact that it doesn't track you (remember you next time) speaks for itself.

2018-09-08 17:36
Into the GOOlag wrote:
ESPECIALLY for a site like iwara, which has a sizable population of users from countries like China and South Korea, where they risk imprisonment if they are caught accessing a site like this.

Accessing sites like Iwara is actually not illegal in China, I think. I never heard anyone arrested simply for that. Who f*ching cares about that. It may be worse to be caught by your parents than a policeman when you are watching porns.
But spreading R18 pics or videos is illegal, that really makes you imprisoned.

2018-09-09 02:12

too much tinfoil here...