Jump to content

TOR Browser


Fledermaus

Recommended Posts

Ordinarily, I use Slimjet, [Version 36.0.4.0 (based on Chromium 104.0.5112.39) (Official Build) (32-bit)] for most of my internet access.

However and due to security issues that may occur on various questionable websites,

I have started using the TOR Browser, since it uses multiple VPNs.

So, why do I have to go through a myriad of Robot/Image testing, after properly entering my username, password and allowing cookies.

Is this a problem with GC, the TOR Browser or what???

If this is a problem with GC's login process, then I hope they get it fixed!!!

Link to comment

That would be the provider of login verification like captcha ensuring you're not a bot and you are human. The more you use VPNs and proxies, the more you'll have to deal with automated systems thinking you may be a bot or non-human. GC wouldn't have control over that.  It's like, do it once, and you've proved you're "human" at that particular manner of accessing the internet. But if your privacy browser uses any method of masking who you are or where you are, security checks like that may not remember you or think you are human any more.  It's a risk tradeoff for using those kinds of privacy services.  There may be options to make that a little more user friendly, but the concept is there, and something to be aware of when using a browser like Tor.

  • Helpful 4
Link to comment

But once you're logged in, Groundspeak knows it's you, also on subsequent visits via the cookie which a bot can't fake.  So, assuming you allow cookies from Groundspeak, there should be no further challenges.

 

TOR- and VPN exit nodes can present multiple users (real and/or bot) to Groundspeak from a single IP address, and various websites treat that as suspicious, hence the captcha challenges.

 

I use a VPN and see the challenges occasionally from miscellaneous sites, but never from Groundspeak ... because of the cookie that keeps me logged in.

 

Greetings from [checks...] Mexico!

 

Edited by Viajero Perdido
  • Upvote 1
Link to comment
39 minutes ago, Viajero Perdido said:

But once you're logged in, Groundspeak knows it's you, also on subsequent visits via the cookie which a bot can't fake.  So, assuming you allow cookies from Groundspeak, there should be no further challenges.

 

I may be completely wrong, feel free to ignore me. I suspect the issue may be all the privacy levels of TOR and VPN's may stop the website being visited from seeing the previously placed cookies, not realise you've already proved yourself and prompt a subsequent check? I thought that was the point of the high-privacy approach, websites wouldn't be able to track you.

 

Comes back to the old border problem - let the right people in to our house / village / country, and make sure not to let those people in. But then who gets to define who the right people are, and what happens with those gray areas? There was a near-international incident in Australia a few years ago, where a comedy show was able to pass a lot of the security at the APEC summit. What wasn't publicized much was that the reason they were able to penetrate so many levels of security (and this was one of the most high-security summits in Australian history) was because all the politicians were getting annoyed by the constant stops and checks by the security staff. So they told security to chill a bit and let the politicians through. Because after all, they were the "right" people and shouldn't need to be challenged, but security was still expected to stop all the "wrong" people without harassing the right ones.

Link to comment

VPNs and TOR wouldn't be able to see anything in your traffic except gibberish; it's all encrypted.  So they won't block cookies because they can't recognize them ... and because it would defeat the whole premise for their existence.  :)  And your ISP won't be able to block/filter/throttle anything (except everything) because it's all a mystery to them too, just encrypted data.

 

Privacy comes from the website knowing nothing about you, other than what you willingly share ... such as your login info.  Until then, you're just some unknown visitor from, say Tokyo.  (So you may see prices in Yen, heh.)


Re the analogy...  I'd love to see our politicians endure the travel bans and hassles the rest of us had to endure.  :mad:  Don't get me started; there's still the endgame.

 

PS to the OP:  are you sure you've ticked the "remember me" checkbox?  (Or however Groundspeak words it.)  Without that, you won't get a cookie and will have to re-login every time.  That would explain the ongoing challenges.

 

Edited by Viajero Perdido
  • Upvote 1
Link to comment

Consider: You log in, and get a cookie from GC. The captcha doesn't care about the GC cookie. All it sees is a new request for human verification from a different location (whether it's IP, browser agent, etc). So boom, you get the checker. It's like GC sees a user from Australia login, gives them a cookie. Then it sees someone access the website from Tokyo using that same cookie. At that point it's up GC whether to flag that untrusted or to simply trust the cookie.

 

What you're asking for, viajero, is for GC to not even make the request for a verification on certain web functions if it believes you're logged in.  First off, it would require their security to allow multiple IPs using the same cookie (at the high security end, some may not even allow that and force a relogin, which, yes, is awful for mobile users whose IP may change on a dime).  But assuming they don't, then the request is for GC to remove a feature that's intended to capture and block non-human scripts on sensitive functions. If someone gets hacked, a cookie is lost or duplicated, able to mimick that logged in user, then a script could start hammering a sensitive function and there'd be no stop to it from the server (insofar as the captcha would thwart it).

 

Ultimately, the ask is for HQ to remove a bot-blocker on a function that is benign to humans on standard browsers which do not have the to goal to appear anonymous and private to the extreme level, which are few and far between.

 

The catpcha won't change; use Tor and you'll get those way more often.

But would HQ remove the captcha feature for logged in users, which would only otherwise be an annoyance for 'private' browser users?  *shrug*

Edited by thebruce0
Link to comment
2 hours ago, thebruce0 said:

But would HQ remove the captcha feature for logged in users

 

I don't think it exists for logged-in users.  I stay logged in indefinitely, and never see it, even when I jump around the planet by tweaking the VPN settings.  Once GC sees your cookie, it knows you're real, and not to be annoyed with captchas.

 

I'm not asking GC to do anything. Just observing.

 

Edited by Viajero Perdido
Link to comment
14 hours ago, Fledermaus said:

However and due to security issues that may occur on various questionable websites,

I have started using the TOR Browser

Out of couriosity: Does using a TOR Browser ideed reduce *security* issues with websites? Or do you use it as synonym for *privacy* issues?

Link to comment
6 hours ago, Viajero Perdido said:

I don't think it exists for logged-in users.

I was responding to:

17 hours ago, Viajero Perdido said:

But once you're logged in, Groundspeak knows it's you, also on subsequent visits via the cookie which a bot can't fake.

 

My point was that a cookie can technically be spoofed. It's just a piece of text sent with request headers. A request doesn't have to come a web browser. If all you have to do is mimick the headers and add the "don't captcha me" cookie, then what's the point?

If they put the captcha on a sensitive web function, and do have it universally active regardless of login, then the ask is for them to reduce that security by removing a bot-blocker that's only an annoyance to a user who chooses to use a browser that "fools" the service and causes it to think it's someone new. Whether it's a persistent login or just a "this user did the captcha" cookie, the whole point of the captcha is to let the captcha system decide whether it thinks the request is from a human or not.  If it is, it won't appear again. If you use a service that obfuscates who you are or where you're from, you need to be ready to deal with repeated captchas on functions the website owners feel is worth keeping under that check. A typical standard user will only see it once (or until something changes in their access route to the website they have no control over).

The whole concept is placing a minor annoyance on the user in exchange for added protection against bots/ddos/etc on relevant web functions.

  • Helpful 1
Link to comment
4 hours ago, ChriBli said:

Or do you only get captchas when using VNP?

 

Usually (for sites in general), captchas only happen when using a VPN or TOR.  Because...  6 human users and 23 bots might be using the same IP address to reach the website, when exiting the encrypted tunnel via VPN or TOR.  Existence of the 6 human users might suggest they're coming from a company's gateway (surfing at work, oh no!), but the malicious bots would suggest otherwise.  The trick is to allow one, but not the other.  Seeing a cookie from a previous login is a strong clue: this one's legit.

 

Website operators have to acknowledge that legitimate users might use VPNs or TOR, and try their best to not annoy them.  They can't just ban the IP address due to a bot because the IP is shared by many.  A fine balance.  I think at one point Groundspeak was annoying VPN users, but they turned the knob a bit, and the problem went away.  </technical>

 

Edited by Viajero Perdido
  • Helpful 1
  • Love 1
Link to comment
On 10/13/2022 at 5:43 PM, Fledermaus said:

Ordinarily, I use Slimjet, [Version 36.0.4.0 (based on Chromium 104.0.5112.39) (Official Build) (32-bit)] for most of my internet access.

However and due to security issues that may occur on various questionable websites,

I have started using the TOR Browser, since it uses multiple VPNs.

So, why do I have to go through a myriad of Robot/Image testing, after properly entering my username, password and allowing cookies.

Is this a problem with GC, the TOR Browser or what???

If this is a problem with GC's login process, then I hope they get it fixed!!!

I have never been asked for a captcha from geocaching.com and would be greatly vexed if I was, as I have a premium subscription. The site does use cookiebot.com to effect compliance with EU rules on cookies (the UK has left the EU but I still get asked all the time, perhaps because I voted 'remain' :)) . That site might be the cause of the captcha request.

 

Edited by and1969
typo
Link to comment
On 10/14/2022 at 8:59 PM, Viajero Perdido said:

Website operators have to acknowledge that legitimate users might use VPNs or TOR, and try their best to not annoy them

This is why I said:

On 10/14/2022 at 12:04 AM, thebruce0 said:

the ask is for HQ to remove a bot-blocker on a function that is benign to humans on standard browsers which do not have the to goal to appear anonymous and private to the extreme level, which are few and far between.

 

 

Link to comment
On 10/14/2022 at 1:18 AM, Hynz said:

Out of couriosity: Does using a TOR Browser ideed reduce *security* issues with websites? Or do you use it as synonym for *privacy* issues?

As far as I am concerned, multiple VPNs vs. a single VPN improves both privacy and security issues, due to all the carp and viruses running around out the on the web!

Link to comment

VPNs / TOR are great for privacy*.  For security, you need a different solution or combination thereof.  Long story.

 

* By logging in, you give up some privacy to the website - you just identified yourself - but others in the middle, such as gov't spy agencies, are still in the dark.  Just knowing I'm frustrating them gives me some value for my VPN dollars.  B)

Link to comment
On 10/13/2022 at 8:43 PM, Fledermaus said:

I have started using the TOR Browser, since it uses multiple VPNs.

So, why do I have to go through a myriad of Robot/Image testing, after properly entering my username, password and allowing cookies.

Is this a problem with GC, the TOR Browser or what???

 

If you want a VPN you should use a VPN. TOR browser is something else than a VPN. It is tool to disguise your identity. That is why you are asked about cookies every time etc.

Detecting wether you are a robot or not is not depending your login credentials, it is based on data collected from your prior activities that are non existent when using the TOR browser. This does not happen when using an ordinary VPN solution.

Link to comment
On 10/20/2022 at 7:13 PM, arisoft said:

 

If you want a VPN you should use a VPN. TOR browser is something else than a VPN. It is tool to disguise your identity. That is why you are asked about cookies every time etc.

Detecting wether you are a robot or not is not depending your login credentials, it is based on data collected from your prior activities that are non existent when using the TOR browser. This does not happen when using an ordinary VPN solution.

So, what your saying is, I am not allowed to be on GC in an anonymous mode and must reveal my past GC activities. Well, so much for anonymity and or privacy. Now that the TOR/VPN issue has been resolved, more or less, how about some information leading to a "free" VPN, if such a thing exists? BTW, I don't care about cellphones, just computers being used in public areas and the like. One more thing! What if anything does Premium Membership play if the anonymity/VPN game?

Edited by Fledermaus
  • Funny 1
Link to comment

GC.com isn't very useful if you're not logged in.  When you log in, you identify yourself as the same person who used that nickname before.  You don't need to use your real name, which is a big plus.  VPNs/TOR just keep people between you and GC (eg, ISPs, gov't, public WiFi snoops) from listening in.  Hardly worth their trouble for a game.  GC does allow those connection methods; I use them all the time.

 

Good free VPNs are hard to find. Proton's free tier sounds good.  I'm a paying user, so I subsidize it. If you find it useful, please come back and say thanks.

 

PS, you give a little personal info to GC when you sign up.  In all my years, I've always known them to respect that data and your privacy.  Turn off marketing emails (which only come from GC) = no spam.

 

Cheers from [where today?] Vancouver!  B)

 

Edited by Viajero Perdido
  • Upvote 1
Link to comment
1 hour ago, Viajero Perdido said:

VPNs/TOR just keep people between you and GC (eg, ISPs, gov't, public WiFi snoops) from listening in.

 

Pardon my ignorance if it doesn't, but doesn't SSL do that anyway? Just about everything on geocaching.com is https now.

 

1 hour ago, Viajero Perdido said:

PS, you give a little personal info to GC when you sign up.

 

Actually, apart from an email address (and it can be any email address if you want to dedicate one just for caching) and a made-up user name, they require no personal information at all. No real name, address, phone number, etc. is required when creating a gc account. There is nothing linking your player account to your real identity unless it's something you've put into your profile or logs.

  • Upvote 1
Link to comment
5 hours ago, barefootjeff said:

Pardon my ignorance if it doesn't, but doesn't SSL do that anyway? Just about everything on geocaching.com is https now.

 

Yes it does but it does not circulate the connection thru a trustworthy:ph34r: VPN company.

 

If I were in charge of the NSA, I would immediately establish a leading VPN service provider and offer the market a secure browser that the security services of other countries would not be able to track. But since I'm not in this position, someone else has done it.

 

Link to comment
11 hours ago, Fledermaus said:

So, what your saying is, I am not allowed to be on GC in an anonymous mode and must reveal my past GC activities.

 

Not only past GC activities but everything what Google can track. If your tracking health score is good, you are allowed to skip most CAPTCHA verifications that Google is performing. In your case, the tracking health score is too low due to your countermeasures and you are treated as an anonymous user.

Link to comment

And no it's not like there's some person observing and watching every move you make on the internet. "Tracking"  isn't an evil in and of itself. It's easy to get paranoid over "privacy".  People want great experiences on the internet, without realizing that it requires a level of "tracking". If you don't want to see certain ads, for example, you're already customizing your experience for yourself, which means someone has that data. That's a form of tracking. SSL keeps connections private and encrypted, but can still be tracked.  VPN is an additional basic step to thwarting tracking.

The more you incorporate privacy strategies into your general internet usage, by necessity the less user friendly your experience will be. It's a tradeoff you have live with.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...