Dear web developers and admins,
please stop embedding Google's hideous #ReCaptcha into your websites. Its algorithm is faulty, forcing regular users to click dozens or even hundreds of fire hydrants, bicycles, or traffic lights each day. It puts a 'suspicious activity' flag on users who won't obey Google's business model - such as people who don't sign into Chrome, use anonymity VPNs, or use browser extensions to suppress common tracking mechanisms. Enough is enough. Stop it.


Please. If you must, Cloudflare's captcha is much more Tor-friendly.


There is so much wrong w/your comment. If you're logged into #Google, the #reCAPTCHA pushes fewer puzzles. Of course that tracking abuses #privacy & defeats the reason for using #Tor, but #CloudFlare is a bigger threat to Tor users than Google. No one who is informed & groks privacy visits CF sites. Also, #hCAPTCHA *pays* CF for CAPTCHA solutions, so you financially feed the biggest Tor adversary when you solve an hCAPTCHA.


@koherecoWatchdog Jesus dude, drop your guns for a moment. This is why I don't tweet.

I said "if you must," Cloudflare's captcha provides a much better UX for Tor users. If I'm (or my less tech-savvy and privacy-conscious relatives are) trying to access a site over Tor and my choices are Google or Cloudflare, at least Cloudflare will let me through with less hassle. A hidden service is ideal, as is a website that truly respects privacy, but perfect is the enemy of good here w/r/t adoption of Tor.

@koherecoWatchdog Trying to de-google and de-cloudflare my life is a constant uphill battle. I try to run everything through Tor too, and it's exhausting. I can't even get my wife to use ad-blocking DNS (it breaks Facebook, you see 🙄), much less the access point I set up that routes everything through Tor, or a privacy-respecting OS.

@koherecoWatchdog "No one who is informed & groks privacy visits CF sites."

How does one know if a given site is CF-backed or not?

@vesperto if you use a browser other than Tor Browser on Tor, a #CAPTCHA will block you from most #CloudFlare sites. Regardless of Tor, you can hit F12 & in the network tab click on a file. If "cf-ray" appears in the headers then it's a CF site. Some plugins signal when a site is CF.

@vesperto The "CloudBleed" plugin signals when you visit a CF website. There's a "bcma" plugin that will detect when you try to visit a CF site & auto redirect you to the version of that page. This project keeps track of the massive list of privacy-abusing #CloudFlare sites: That's also where you can find the BCMA plugin.

@vesperto For anti-CF plugins, have a look here: The "ismitmlink" plugin looks for #CloudFlare links on the page you visit and puts a strikethrough over the link so you know before you click a link if it leads to CF.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.