Problems with GitHub.com registration CAPTCHA and Tor Browser

When reporting a bug, please include as many of these as possible:

  • Operating System you are using: Linux x64
  • Tor Browser version: 11.0.4
  • Tor Browser Security Level: Safer
    [removed for brevity]

Anyone else attempt to sign up for a GitHub account with Tor Browser and have problems with the registration CAPTCHA? It either gets stuck loading or passes with a green checkmark without any challenge.

After some investigation, the logical conclusion would be that this is caused by some anti-fingerprinting by the CAPTCHA itself; however, I do not know how to investigate issues that arise from anti-fingerprinting (privacy.resistFingerprinting).

Some people may criticize using a nonfree/proprietary service like GitHub; however, a mentality towards information reduction means there is a minimum of metadata known about the account that is using the service. Be careful how you utilize public services and act accordingly!

Thank you

1 Like

Bump

If there is another venue more suited for discussing Tor Browser anti-fingerprinting and regressions with certain websites, I would be interested.

Thank you

Hi @h3xag0n! I tested and this is indeed an issue while signing up for new accounts on GitHub. Investigating a bit further, it seems like this is an issue with GitHub’s support for Firefox ESR (on which Tor Browser is based).

I think we can report this to their support team and/or comment about this on the forum to draw their attention to this.

Thanks for the report!

2 Likes

Hi all

Considering the support and forum websites require an existing GitHub account to report issues, this leaves me in a catch-22 situation since the issue is with the sign-up workflow.

I give my permission for someone else to report this issue to GitHub support and link this thread. Hopefully this is an honest bug and not any intentional issue towards anonymous users.

Thank you

1 Like

Hi all

It turns out there is a form on the GitHub website to report sign-up issues without an account, but the irony is that it requires the same CAPTCHA that is the problem.

Someone should really report this to GitHub

Thank you

Issue persists. Using the form linked above I contacted GitHub (outside of Tor) regarding this issue. Let us see if they say anything.

1 Like

Reply from GitHub:

Hi there,

Thank you for taking the time to write in, and for your patience while I reviewed your message.

I can assure you we do not block accounts from being created while connected to a Tor network but, due to the nature of the system itself, it is also rather hard to debug issues caused when using it as the changing access “identity” hinders our own efforts to see what may be occurring.

That said, it looks like you’ve managed to create an account since reaching out. By setting up 2FA you also shouldn’t need to worry about device verification prompts which can also be a potential issue when using Tor.

If you are still experiencing any issues though, or if you have any other questions, please let us know and we can certainly look into this further for you

[redacted]
GitHub Support

So basically (it looks like) there is not much they can/want to do about the signup issue.
(By the way, it is not correct that I managed to register a GitHub account through Tor. I created one outside of Tor, then enabled 2FA on the account. Then using the account through Tor is unproblematic for me.)

Hi all

It is good that you raised this issue to the attention of GitHub; however, the response from them reminds me of not wanting to investigate the root cause itself.

I assume this is the case but did you link this thread in the form sent?

Allow me to quote GitHub verbatim

I can assure you we do not block accounts from being created while connected to a Tor network but, due to the nature of the system itself, it is also rather hard to debug issues caused when using it as the changing access “identity” hinders our own efforts to see what may be occurring.

For starters, it is probably true that they themselves do not block account creation over Tor and that exit node changes can cause issues with certain anti-abuse systems. However, for purposes of investigation where anonymity is not a concern, a static exit node can be pinned in a .torrc file strictly for testing. Here is a post elsewhere discussing the configuration of .torrc with vanilla Tor Browser; however, it is rather old and someone would need to test it before recommending it to others.

This should make it easier to debug such issues without having to be concerned about “identity” or exit node changes.

On a second point, the JavaScript CAPTCHA was either getting stuck or passing with a green checkmark without any challenge blocking the registration flow. Seeing how this can be reproduced regardless of the exit node in use, this seems to be more of an issue with Tor Browser or GitHub’s signup JavaScript instead of how GitHub handles Tor itself.

Thank you.

I did indeed make them aware in a follow-up email of the specific issue – a green checkmark appears, then an error message after pressing Submit. They responded with this:

I’ve raised this with our engineers to learn a little bit more—thank you for raising it. I’ll write back when I have more news to share.

If there’s something I can do to debug this issue so that TB devs can take a look at it, I’m happy to do so, but I don’t know how. :slightly_smiling_face:

New reply from GitHub:

We’ve reviewed more closely, and have determined that the captcha should work over Tor and that we are seeing successful traffic from Tor exit nodes. Our engineers will continue to investigate why this wasn’t working for you. I appreciate you raising it with us.

It still doesn’t work for me. But I don’t think I can press this issue further. Perhaps it is fixed for others?

Some companies’ websites block Tor, so it seems like GitHub and Microsoft are doing it too…

I don’t think you read the thread…

1 Like

The assumption is that the registration calls to the server work correctly and are not being blocked as “abuse”. The issue probably involves the CAPTCHA JavaScript and probable differences with Tor Browser/Firefox ESR.

Thank you

Hi all

It appears that with the new Tor Browser update (11.0.7) the transgression that induced the CAPTCHA JavaScript to not operate has been resolved… The potential to break again still exists due to GitHub or CAPTCHA changes.

Thank you

1 Like