Cannot earn passes on hCaptcha Privacy Pass web page #247

Closed
BTCAlchemist opened this issue Aug 12, 2021 · 29 comments

@BTCAlchemist

Describe the bug
The Privacy Pass web page to earn new passes (https://www.hcaptcha.com/privacy-pass) does not load the widget to earn passes.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://www.hcaptcha.com/privacy-pass
  2. Scroll to "Getting started" section. There is no hCaptcha checkbox under "Once you've got the extension installed, click here (or on any hCaptcha-using website) to earn passes:" Here is a screenshot:
    image

Expected behavior
The hCaptcha check box would load

System (please complete the following information):

  • OS: Windows 10
  • Cloudflare tokens or hCaptcha tokens? hCaptcha
  • Browser [e.g. chrome, firefox] Chrome and Brave
  • Browser Version [e.g. 79, 80, ] Brave 1.28.105
  • Privacy Pass Version [e.g. 2.0.4, 2.0.5 ] 2.0.9
  • Did you install Privacy Pass from this repository or from the browser store? Store
@k1ng440

k1ng440 commented Aug 18, 2021

https://puu.sh/I4TAy/3de6663971.png

@BTCAlchemist
Author

> https://puu.sh/I4TAy/3de6663971.png

Looks like @k1ng440 is having this issue as well. @ppopth Could you help?

@gmt2001

gmt2001 commented Aug 20, 2021

Some web developer console messages to help with this (Firefox 91.0.1)

Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified
Content Security Policy: Couldn’t parse invalid host 'unsafe-hashes'
Content Security Policy: Couldn’t process unknown directive ‘prefetch-src’
Loading failed for the <script> with source “https://accounts.hcaptcha.com/1/api.js?hl=en&endpoint=https%3A%2F%2Fhcaptcha.com”. privacy-pass:18:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://accounts.hcaptcha.com/1/api.js?hl=en&endpoint=https%3A%2F%2Fhcaptcha.com (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
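
Two of the console messages above follow one CSP rule: a source list that contains a nonce or hash makes the browser ignore 'unsafe-inline', and a script URL loads only if a host-source in script-src matches it. The sketch below is an added example, not code from the extension, hCaptcha or any commenter; the policy text, `js.example.net` and all function names are assumptions, and only the script URL and page origin come from the report.

```javascript
// Added example; SAMPLE_POLICY is constructed and is NOT the real hcaptcha.com header.
const SAMPLE_POLICY = "default-src 'self'; " +
  "script-src 'self' 'unsafe-inline' 'nonce-constructed' https://js.example.net; " +
  "style-src 'self' 'unsafe-inline' 'sha256-constructed='";
const PAGE_ORIGIN = "https://www.hcaptcha.com"; // origin of the page in the report
const API_URL = "https://accounts.hcaptcha.com/1/api.js?hl=en&endpoint=https%3A%2F%2Fhcaptcha.com";

// Parse a policy into { directive: [sources] }; the first copy of a directive wins.
function parsePolicy(text) {
  const policy = Object.create(null);
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression allow this URL? Keywords, nonces and hashes never match a URL.
// Simplified: a scheme-less host matches any scheme, and http: is not upgraded to https:.
function sourceAllows(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false;
  const h = host.toLowerCase();
  const hostOk = h === "*" || (h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h);
  const defPort = { "http:": "80", "https:": "443" }[url.protocol];
  const portOk = port === "*" || (port || defPort) === (url.port || defPort);
  if (!hostOk || !portOk) return false;
  return !path || (path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path);
}

// Evaluate a resource URL and inline content against a directive (fallback: default-src).
// 'unsafe-inline' is ignored as soon as the source list also holds a nonce or a hash.
function evaluate(policyText, directive, resourceUrl, pageOrigin) {
  const policy = parsePolicy(policyText);
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return { urlAllowed: true, inlineAllowed: true }; // no applicable directive
  const url = new URL(resourceUrl);
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return {
    urlAllowed: sources.some((s) => sourceAllows(s, url, pageOrigin)),
    inlineAllowed: sources.includes("'unsafe-inline'") && !hasNonceOrHash,
  };
}
console.log(evaluate(SAMPLE_POLICY, "script-src", API_URL, PAGE_ORIGIN));
```

With the constructed policy, both `urlAllowed` and `inlineAllowed` come back false; adding a host-source such as `https://*.hcaptcha.com` to `script-src` makes `urlAllowed` true for the same URL.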

@ignat980

Same issue here!

@ppopth
Member

ppopth commented Aug 23, 2021

Thank you for the report. I'm looking at it. I will get back here soon.

@ppopth
Member

ppopth commented Aug 24, 2021

It seems like hCaptcha just added the JSON body to their checkcaptcha request. Previously, it had no body and we sent the blinded tokens as a POST param in the body of such a request.

I'm contacting hCaptcha now. Please also let me know if hCaptcha is also reading this comment.

Screenshot from 2021-08-24 16-48-13
Screenshot from 2021-08-24 16-43-47
Screenshot from 2021-08-24 16-43-35

@armfazh
Member

armfazh commented Aug 24, 2021

cc @durch (hCaptcha)

@AstralDestiny

Got some, then when trying to get more, it used a pass instead and very quickly told me I wouldn't be able to get more until it all ran out, it seems.

@ppopth ppopth mentioned this issue Sep 2, 2021
@gmt2001

gmt2001 commented Sep 7, 2021

As of today, this appears to be resolved on Firefox 91.0.2 with plugin version 2.0.9. It took 2 tries, but I was able to get my 5 hCaptcha passes

@ppopth
Member

ppopth commented Sep 9, 2021

@gmt2001 I tried many times until I could get passes. I think I'm going to make it always work before marking this issue as resolved.

@ppopth
Member

ppopth commented Sep 9, 2021

> It seems like hCaptcha just added the JSON body to their checkcaptcha request. Previously, it had no body and we sent the blinded tokens as a POST param in the body of such a request.

My previous comment as quoted above may be wrong. I just noticed that with the extension installed the browser sends 2 checkcaptcha requests instead of 1 request: one is for sending the captcha answer and one is for issuing the passes.

I'm not sure why hCaptcha really needs 2 requests in this case. The protocol should have only one request.

I think it's good to document the protocol for hCaptcha somewhere

@durch
Contributor

durch commented Sep 9, 2021

Hi folks! Apologies, I’ve missed the original notification. We’ll go over our implementation internally and see if we can make improvements to get it to full protocol compliance. Will keep you posted.

@e271828-

e271828- commented Sep 9, 2021

This is working for me on FF and Chrome. Seems like a stale issue.

@BTCAlchemist
Author

It just worked for me on Brave browser. I wouldn't say this is a stale issue, but it appears to have been fixed today. Is anyone else available to test it?

@levicki

levicki commented Sep 10, 2021

I just visited https://captcha.website/ to test if it is possible to get Cloudflare tokens, but all I got is an hCaptcha prompt on that page asking me to prove I am human.

This is getting ridiculous -- spending hCaptcha tokens to earn Cloudflare tokens doesn't make sense.

@durch I keep getting false positives on every Cloudflare-protected website using hCaptcha every time I visit them in a new browser session (I am using Brave on Windows 10). I am sure my own home network and all devices in it are malware-free. Having to solve hCaptcha on every site visit is getting mighty annoying. Is there anyone from the hCaptcha team who can suggest some troubleshooting steps?

@e271828-

> I just visited https://captcha.website/ to test if it is possible to get Cloudflare tokens, but all I got is an hCaptcha prompt on that page asking me to prove I am human.
>
> This is getting ridiculous -- spending hCaptcha tokens to earn Cloudflare tokens doesn't make sense.
>
> @durch I keep getting false positives on every Cloudflare-protected website using hCaptcha every time I visit them in a new browser session (I am using Brave on Windows 10). I am sure my own home network and all devices in it are malware-free. Having to solve hCaptcha on every site visit is getting mighty annoying. Is there anyone from the hCaptcha team who can suggest some troubleshooting steps?

This has nothing to do with hCaptcha: Cloudflare (and its users) decide when to show a challenge.

@levicki

levicki commented Sep 12, 2021

> This has nothing to do with hCaptcha: Cloudflare (and its users) decide when to show a challenge.

I understand that you are correct in the technical sense. However, this still has something to do with hCaptcha so please hear me out.

The perception of a regular, non-tech-savvy user is that hCaptcha is the problem, because that's what is prominently shown at the top center of the page and what they have to deal with. Cloudflare is mentioned in small font at the very bottom of the page which you can't read even in full screen mode at 1080p:

image

Cloudflare is using hCaptcha while giving end users absolutely no recourse when they are unfairly judged as a bot. There is no "contest this check" link, no "report a problem" link, no contact email for Cloudflare support to even try to reach a human being in an attempt to find the problem and fix it.

IMO this is just souring hCaptcha (and Privacy Pass because it makes it useless) for end users and hCaptcha and Privacy Pass developers should lean on Cloudflare (because the end users cannot) to include a way to complain about repeated misidentifications if they want to continue using it.

@ppopth
Member

ppopth commented Sep 13, 2021

@levicki

> This is getting ridiculous -- spending hCaptcha tokens to earn Cloudflare tokens doesn't make sense.

Yes, this doesn't make sense and we have a plan to fix this issue soon. However, this is not related to the issue since this issue is about the hCaptcha captchas outside the Cloudflare pages like

@ppopth
Member

ppopth commented Sep 13, 2021

@durch Do you have any update? I think it's better if we can document the Privacy Pass protocol on hCaptcha tokens in both the issuance stage and redemption stage, so that I can help debug it when there is an issue next time.

@levicki

levicki commented Sep 14, 2021

@ppopth

> Yes, this doesn't make sense and we have a plan to fix this issue soon.

Very well, in the meantime I have uninstalled Privacy Pass because it is useless due to Cloudflare's overzealousness, and I have stopped visiting all websites which use Cloudflare and hCaptcha -- I don't want an intersection of those two faceless "security through obscurity" technologies treating me as a criminal without due process while they shamelessly use my eyeballs and clicks to generate revenue.

@fisforfaheem

No one is willing to fix this

@ppopth
Member

ppopth commented Dec 16, 2021

@durch hi, do you have any documentation on the Privacy Pass protocol for hCaptcha? We just released v3.0.0 last month, which has a big refactor of the extension code base. As a result, we didn't include the hCaptcha implementation because we don't know how it works. I think some kind of documentation will help. Otherwise, I have to spend some time to dig into the v2 code.

@fisforfaheem

fisforfaheem commented Dec 16, 2021 via email

@warren-bank

warren-bank commented Jan 30, 2022

Since I don't want to be too overly verbose here, I'll just cross-reference some relevant comments/observations/questions ( 1, 2, 3, 4, 5, 6 ) in PR #283 with corresponding pre-built test extensions here.

@theg00s3

> As a result, we didn't include the hCaptcha implementation because we don't know how it works

Well that's a horrendous decision

@armfazh
Member

armfazh commented Nov 14, 2022

Some good news: Support for hCaptcha tokens has been re-enabled as of v3.0.4

@armfazh armfazh closed this as completed Nov 14, 2022
@BTCAlchemist
Author

@armfazh I appreciate the update. I am using v3.0.4. I just completed hCaptcha challenges to earn hCaptcha passes at https://www.hcaptcha.com/privacy-pass (screenshot below). However, the extension is still showing 0 passes. I am on Brave browser on macOS. What else do you suggest I try?

image

@armfazh
Member

armfazh commented Dec 12, 2022

> I just completed hCaptcha challenges to earn hCaptcha passes at https://www.hcaptcha.com/privacy-pass (screenshot below). However, the extension is still showing 0 passes. I am on Brave browser on macOS. What else do you suggest I try?

@fedecarpy: are there any changes or disruption observed on the hCaptcha side?
