International Captcha (China)

SplitIce

So it was recently revealed that the domains used in recaptcha are blocked in China. That got me thinking, is google api's? e.g ajax.googleapis.com

What other domains commonly without forethought used on the global web might be blocked? BootstrapCDN? JSDelivr?

Anyone researched this? Other countries of interest?

poisson

Great thread. I think it is important to get the information out so that we can better assess how service providers should react.

sonic

I see many Crypto sites using this http://www.geetest.com/first_page

SplitIce

@sonic paid Captcha services are a hard sell for most webmasters to accommodate one country's idiosyncrasies don't you think?

pike

@SplitIce said:
[...] to accommodate one country's idiosyncrasies don't you think?

Yeah, one country of 1.4 billion people.
Also china isnt the only country censoring the internet. Russia, India, Iran etc. also might block such services at any time.

hiphiphip0

JSDelivr is the best, their CDN has node inside mainland China.

EveNeko

Recaptcha IS available and launched in China with domain www.recaptcha.net. Replace domain in the document to www.recaptcha.net and you are ready. Document reference: https://developers.google.com/recaptcha/docs/faq#can-i-use-recaptcha-globally

You may DM any China-related problem with www.recaptcha.net to me. It's my duty job to make sure it perfectly works in China actually.

Note: if you are using CSP headers, besides domains mentioned in the document, also include:

script-src https://www.recaptcha.net/recaptcha/, https://www.gstatic.cn/recaptcha/
frame-src https://www.recaptcha.net/recaptcha/

PS: recaptcha.net is owned by Google:

Domain Name: recaptcha.net
Registry Domain ID: 741154962_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2019-12-04T02:39:26-0800
Creation Date: 2007-01-05T21:37:18-0800
Registrar Registration Expiration Date: 2020-01-05T21:37:18-0800
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: Google Inc.
Registrant State/Province: CA
Registrant Country: US
Admin Organization: Google Inc.
Admin State/Province: CA
Admin Country: US
Tech Organization: Google Inc.
Tech State/Province: CA
Tech Country: US

webdev

just search gfwlist

SplitIce

@webdev That's really not helpful. For example gfwlist lists recaptcha.net and api.repcaptcha.net while @EveNeko (and others) claim Recaptcha works fine. Conflicting information is rife unfortunately.

pike said: Yeah, one country of 1.4 billion people.

A country that for the most part uses domestic resources and services. Therefore represents a minority to the rest of us.

For most people US & Europe is "the majority". Anybody else is "the minority", that definitely includes us in Australia.

While for some sites/services who have actively large number of chinese users or customers paying for a specific solution makes sense. For the vast majority of people, i.e a webhosting forum that uses Recaptcha on it's signup page it's a very hard sell to say that they should spend $50/month for non-vpn China support.

MikeA

@poisson said:
Great thread. I think it is important to get the information out so that we can better assess how service providers should react.

Why should providers react though? If a government is out to disrupt and block internet access from their citizens, any way to get around it is just going to be temporary if the service is actively used in China.

@SplitIce said:
Conflicting information is rife unfortunately.

Well, specific regions of China implement their own GFW blocks.

hzr

SplitIce said: That's really not helpful. For example gfwlist lists recaptcha.net and api.repcaptcha.net while @EveNeko (and others) claim Recaptcha works fine

Banned sites differ by city.

poisson

@MikeA said:
Why should providers react though? If a government is out to disrupt and block internet access from their citizens, any way to get around it is just going to be temporary if the service is actively used in China.

I don't mean all providers, but those who intend to aggressively corner the Chinese market will need to figure this part out. Many providers are uninterested but there are those who are.

EveNeko

SplitIce said: @webdev That's really not helpful. For example gfwlist lists recaptcha.net and api.repcaptcha.net while @EveNeko (and others) claim Recaptcha works fine. Conflicting information is rife unfortunately.

That's kind of another story. Google domains launched in China are only resolved to China IPs if resolvers are inside China. Otherwise, they will be resolved out of China and blocked. Most people using gfwlist are also likely using global resolvers like 8.8.8.8, 1.1.1.1 or something like that.

The best way to determine if a Google service work in China is to use https://tools.ipip.net/dns.php like things, and see if the domain is resolved to Chinese IP address.

raindog308

It would really just be easiest if China would formally split off from the rest of the Internet and then we wouldn't have to worry about this nonsense.

intelpentium

SplitIce said: What other domains commonly without forethought used on the global web might be blocked? BootstrapCDN? JSDelivr?

It keeps bothering me why so many websites use these in production. Can't they just include libraries on their own domain?

SplitIce said: Anyone researched this? Other countries of interest?

If I'd be interested in China traffic I'd serve everything from my own domain. That seems like the most reliable solution.

For example, you might need to disable HTTPS just for China, and CDN might not support HTTP.

There are many great libraries for making your own captcha, as well as plugins for popular CMS software.

SplitIce

intelpentium said:

It keeps bothering me why so many websites use these in production. Can't they just include libraries on their own domain?

Convenience and Speed. The CDN behind most of the JS & CSS CDNs is superior to anything you will get at a low end price bracket.

intelpentium

SplitIce said: Convenience and Speed. The CDN behind most of the JS & CSS CDNs is superior to anything you will get at a low end price bracket.

For me these always increased website loading speed. It's additional DNS request, additional TLS connection.

Thanks to HTTP/2 additional CSS/JS requests on the same origin are basically free.

Either you can download CSS/JS from official website, or your programming language package manager does that automatically for you. Why waste someone's else server bandwidth?