On Sat, Jun 20, 2015 at 09:30:11PM -0500, Joe Btfsplk wrote: > Just to clarify (to all that replied) - I have JS enabled. At least, > when trying to get captchas to work. > Then, I'm using Tor Browser's default settings for NoScript.
My observations and conclusions: - two captchas, both unreadable : the tarpit for robots, you usally don't get other captchas until you turn js on. - two captchas, one readable, one unreadble : the original captcha approach as seen in recaptcha (it is considered broken since 2010). - one captcha (usally parts of google streetview): they consider you human, you usually need javascript to get those (easy to ocr). > in a "well behaved" European country. I wouldn't count on that. > Other times when Cloudfare didn't work, I didn't always think to check, > to see if there's any pattern to Cloudfare not working & specific exit > relay countries. I don't think it helps much to change exit nodes, you may need to clear your filesystem cache and cookies too (or not). Someone who abuses exitrelays just tries one after another until he succeeds. Could be worth to automate TBB and check. Most services which try to detect abuse automatically use blacklists and/or signatures/fingerprints. If you like to understand captchas better see: https://www.google.com/recaptcha/intro/index.html There are some papers from 2005 and 2010 were captchas got ocr'd and broken. Adam Langley had some more information on his blog, some of it got lost, somehow. A cdn like clouldflare can track you very easy over various exits, tor currently has 1115 relays that are exits, its possible to mark all of them "malicious" on a blacklist-providers sensor in 15-30 minutes. You may also see messages like: Your IP address *.25.103.* has been flagged as a scanner. Scanners are not permitted. If you are seeing this message in error, please contact security@*********.io. And that says it all: - its not my ip :) - you can't flag an ip :) - I am not a scanner :) - I won't contact them - BTDT :) Even if I would contact them, all I can tell them, its not my ip and their assumptions are all false and their service is prone to false positives. As said earlier, if the site you are visiting is one of a kind, it may be worth your time to talk to them and about cloudflare, usually they are not interested. Reddit gives a good example, how to treat tor-users. CC;DR - Cloudflare captcha, didn't read. Anyway, funny is pirates are using cloudflare too, I consider them busy until they solve that problem. :) -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk