IMPORTANT: changes to reCAPTCHA SSL API (api-secure.recaptcha.net) on April 11

24,531 views
Skip to first unread message

reCAPTCHA Support

unread,
Mar 8, 2011, 3:35:56 PM3/8/11
to reCAPTCHA
Hi reCAPTCHA users,

In April, we will begin to turn down the legacy URL for reCAPTCHA's
HTTPS API. If your site uses reCAPTCHA over SSL, you will need to
make a minor code change before April 11.

If your site does not load the reCAPTCHA challenge API over SSL, you
do not need to make any changes. You can tell if you’re using SSL by
looking at the source of your page(s) which contain reCAPTCHA and
seeing whether you use "https://api-secure.recaptcha.net" anywhere.

The transition involves a very simple change to your code. Any time
between now and April 11, you need to replace all instances of:
https://api-secure.recaptcha.net/XXX
with:
https://www.google.com/recaptcha/api/XXX

If you don’t make the change before April 11, your users might see SSL
certificate warnings when visiting your site. (However, the CAPTCHA
should still load normally, unless the user has restrictive security
settings.)

Most commonly, this shows up as a call to the reCAPTCHA challenge API
on the page that contains reCAPTCHA, such as:

<script src="https://api-secure.recaptcha.net/challenge?k=XXXYYYZZZ"></
script>

This call needs to change to something like this:

<script src="https://www.google.com/recaptcha/api/challenge?
k=XXXYYYZZZ"></script>

... everything after the /challenge can remain exactly as it was.

Another thing to look for is if you're including the reCAPTCHA
JavaScript over HTTPS. Code that looks like:

<script src="https://api-secure.recaptcha.net/js/recaptcha.js"></
script>
or
<script src="https://api-secure.recaptcha.net/js/recaptcha_ajax.js"></
script>

Would need to change to:
<script src="https://www.google.com/recaptcha/api/js/recaptcha.js"></
script>
or
<script src="https://www.google.com/recaptcha/api/js/
recaptcha_ajax.js"></script>

We're sorry for the inconvenience; please let us know if you have any
questions or concerns about making this change. We will be contacting
SSL-using site owners individually to let them know about this change;
however we wanted to post in the public forum as well, since we may
not have up-to-date contact information for all sites.

Best,
Colin & the rest of the reCAPTCHA team

reCAPTCHA Support

unread,
Apr 11, 2011, 6:30:01 PM4/11/11
to reCAPTCHA
Reminder: we will be making this change later this week -- most likely
tomorrow. If your site still uses SSL over the legacy servers (api-
secure.recaptcha.net), your users will soon start to see SSL warnings
in their browsers.

Best,
Colin

On Mar 8, 4:35 pm, reCAPTCHA Support <supp...@recaptcha.net> wrote:
> Hi reCAPTCHA users,
>
> In April, we will begin to turn down thelegacyURL for reCAPTCHA's
> HTTPS API.  If your site uses reCAPTCHA overSSL, you will need to
> make a minor code change before April 11.
>
> If your site does not load the reCAPTCHA challenge API overSSL, you
> questions or concerns about making this change.  We will be contactingSSL-using site owners individually to let them know about this change;

reCAPTCHA Support

unread,
Apr 12, 2011, 9:11:16 AM4/12/11
to reCAPTCHA
This is starting now.

Colin

> --
> You received this message because you are subscribed to the Google Groups "reCAPTCHA" group.
> To post to this group, send email to reca...@googlegroups.com.
> To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/recaptcha?hl=en.
>
>

--
reCAPTCHA: stop spam, read books
http://www.google.com/recaptcha

reCAPTCHA Support

unread,
Apr 12, 2011, 11:49:11 AM4/12/11
to reCAPTCHA
FYI, we are now purposely serving an expired SSL certificate for
api-secure.recaptcha.net. This is expected behavior -- we are serving
this as a "warning" to sites which are still using the legacy SSL
URLs. Sometime in the near future (roughly a week or two) it will be
"more wrong" -- most likely, you'll get the cert for www.google.com
instead of api-secure.recaptcha.net.

Colin

captchatxn

unread,
Apr 12, 2011, 3:15:23 PM4/12/11
to reCAPTCHA
Hi - We missed the notice originally. This morning users of our system
were getting the ssl warning and no recaptcha. But of late that
problem seems to have gone and the users are able to see the recaptcha
widget all right and the ssl warning has gone too. Have you reverted
back to the old URL ? Also, if that is the case can you let me know
what is the 'drop-dead' date by which we need to implement the URL
change so as not to have our users encounter the ssl warning.
> >> For more options, visit this group athttp://groups.google.com/group/recaptcha?hl=en.
>
> > --
> > reCAPTCHA: stop spam, read books
> >http://www.google.com/recaptcha
>
> --
> reCAPTCHA: stop spam, read bookshttp://www.google.com/recaptcha- Hide quoted text -
>
> - Show quoted text -

reCAPTCHA Support

unread,
Apr 12, 2011, 3:40:16 PM4/12/11
to reca...@googlegroups.com, captchatxn
We have temporarily rolled back this change. However we will be
re-enabling it soon (within the next couple days.)

Colin

> For more options, visit this group at http://groups.google.com/group/recaptcha?hl=en.

geedubb

unread,
Apr 13, 2011, 4:05:16 AM4/13/11
to reCAPTCHA
Hi

This is far from ideal as we use the ASP.NET server control, which
appears to have the URI that is changing hardcoded into it.

Can you tell me when the .NET control will be updated as it appears to
not have been updated since Dec 14 2010?

Failing that where can I get the source code for the .NET control so
that I can make the change myself?

It will take substantial rework to out production system to use
another method, so that's not really an option.

geedubb
> >> reCAPTCHA: stop spam, read bookshttp://www.google.com/recaptcha-Hide quoted text -
>
> >> - Show quoted text -
>
> > --
> > You received this message because you are subscribed to the Google Groups "reCAPTCHA" group.
> > To post to this group, send email to reca...@googlegroups.com.
> > To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.
> > For more options, visit this group athttp://groups.google.com/group/recaptcha?hl=en.
>
> --

mhalttu

unread,
Apr 13, 2011, 6:43:23 AM4/13/11
to reCAPTCHA
Hi Colin,

Is there some way for us to get notified about important changes like
this without following this whole newsgroup? Your blog hasn't been
updated in almost a year, and I couldn't find any email list to
subscribe to, either. Basically I'd like to get a heads up about any
changes that may break our system, without reading all the discussion
on the group on a daily or even weekly basis.

- Markus

Adrian Godong

unread,
Apr 13, 2011, 10:59:22 AM4/13/11
to reca...@googlegroups.com, reCAPTCHA

reCAPTCHA Support

unread,
Apr 13, 2011, 1:08:27 PM4/13/11
to reca...@googlegroups.com, mhalttu
> Is there some way for us to get notified about important changes like
> this without following this whole newsgroup? Your blog hasn't been
> updated in almost a year, and I couldn't find any email list to
> subscribe to, either.

There is a recaptcha-announce list which is only used to notify of
production changes and is therefore pretty low-traffic.

http://groups.google.com/group/recaptcha-announce

Aside from this SSL change (and a later DNS change which ought to be
completely transparent once folks are updated to the new SSL address),
we don't envision any disruptive changes to reCAPTCHA in the near
future.

Colin

reCAPTCHA Support

unread,
Apr 13, 2011, 1:48:08 PM4/13/11
to reca...@googlegroups.com, geedubb, Adrian Godong
> Can you tell me when the .NET control will be updated as it appears to
> not have been updated since Dec 14 2010?

To clarify Adrian's comment,

The .NET control from last December:
http://code.google.com/p/recaptcha/downloads/detail?name=recaptcha-dotnet-1.0.5.0-binary.zip
already used the new URLs. If you are use version 1.0.5, it should work.

Colin

Surya Metla

unread,
Apr 13, 2011, 2:10:01 PM4/13/11
to reCAPTCHA
Hi All

Is there a new java jar file available to download. The version i have
recaptcha4j-0.0.7.zip still pointed to old URL.

Thanks In advance

Suri

On Apr 13, 1:48 pm, reCAPTCHA Support <supp...@recaptcha.net> wrote:
> > Can you tell me when the .NET control will be updated as it appears to
> > not have been updated since Dec 14 2010?
>
> To clarify Adrian's comment,
>
> The .NET control from last December:http://code.google.com/p/recaptcha/downloads/detail?name=recaptcha-do...

RecaptchaGoogleGroup

unread,
Apr 13, 2011, 2:32:50 PM4/13/11
to reCAPTCHA
Just externalize the required code, something like this...

Replace

ReCaptcha captcha =
ReCaptchaFactory.newSecureReCaptcha(recapConfig.getPublickey(),
recapConfig.getPrivatekey(), false);

with

ReCaptchaImpl recaptcha = new ReCaptchaImpl();
recaptcha.setIncludeNoscript(false);
recaptcha.setPrivateKey(recapConfig.getPrivatekey());
recaptcha.setPublicKey(recapConfig.getPublickey());
recaptcha.setRecaptchaServer("https://www.google.com/recaptcha/api");

or pick code from

http://code.google.com/p/recaptcha/downloads/detail?name=recaptcha4j-0.0.7.zip&can=2&q=

and create your own jar, replacing the HTTPS URL.


-Sam

tjengine

unread,
Apr 13, 2011, 3:19:46 PM4/13/11
to reca...@googlegroups.com, captchatxn
Hello,
 

This is an extremely painful change that I hope you will reconsider.  Our software serves thousands of nonprofit organizations with millions of users. We implement reCAPTCHA on our donation forms for security, and an invalid certificate warning means our nonprofit clients are losing donations because donors won’t enter credit card information on an unsecure page. 

 

We are in the process of updating all versions of our software, but it is unreasonable for us to upgrade thousands of clients “within the next couple days”, especially if we don’t even control the servers they’re running on.  I would strongly encourage and appeal to you to extend the “rollback” for a period of 3-6 months (or longer) in order to give us a chance to properly fix, test, and update our products, and give our clients time to apply those updates.  

 

tjengine

Adrian Godong

unread,
Apr 13, 2011, 3:26:16 PM4/13/11
to reca...@googlegroups.com, reca...@googlegroups.com, captchatxn
AFAIK the change has been announced since late last year. 

---
Adrian Godong
--

PJH

unread,
Apr 13, 2011, 3:31:23 PM4/13/11
to reca...@googlegroups.com
Not even that late - it was announced June 30th 2010.

<http://groups.google.com/group/recaptcha/browse_thread/thread/7a4839d13ac3dcf5/a51be72cd56c1461?hl=en&lnk=gst&q=and+is+now+available+from+#a51be72cd56c1461>

It's not as if it should be a complete surprise to anyone.

If 9 months is insufficient time to roll out this sort of thing, I'm failing to see how a further "3-6 months" is going to help.
--
PJH


TG

unread,
Apr 13, 2011, 3:58:52 PM4/13/11
to reCAPTCHA
Hi All

recaptcha4j-0.0.7.zip present at the location (http://code.google.com/
p/recaptcha4j/downloads/detail?name=recaptcha4j-0.0.7.jar&can=2&q=)
still contains the URLs of the following format like "http://
api.recaptcha.net", "https://api-secure.recaptcha.net", "http://api-
verify.recaptcha.net/verify".
Its still not updated.

Thanks
TG

On Apr 13, 3:31 pm, PJH <pauljherr...@gmail.com> wrote:
> Not even that late - it was announced June 30th 2010.
>
> <http://groups.google.com/group/recaptcha/browse_thread/thread/7a4839d...
>
>
>
> It's not as if it should be a complete surprise to anyone.
>
> If 9 months is insufficient time to roll out this sort of thing, I'm failing
> to see how a further "3-6 months" is going to help.
>
> On Wed, Apr 13, 2011 at 7:26 PM, Adrian Godong <adrian.god...@gmail.com>wrote:
>
>
>
>
>
>
>
>
>
> > AFAIK the change has been announced since late last year.
>
> > ---
> > Adrian Godong
>

Adrian Godong

unread,
Apr 13, 2011, 4:02:06 PM4/13/11
to reca...@googlegroups.com, TG
Looks like v0.0.7 is updated way back in 2008. Might be easier to get
the latest source, change the URL, and build it yourself.

I don't think anyone created that library is still maintaining it.

--
Adrian Godong
adrian...@gmail.com

tjengine

unread,
Apr 13, 2011, 4:02:45 PM4/13/11
to reCAPTCHA
That post mentions nothing about the old URL's being deprecated. On
the contrary, it says, "All the old http://recaptcha.net URLs should
automatically redirect to the new URLs."

Other people on this post have expressed surprise and frustration with
the lack of communication as well. I'm just trying to give a real-
world example of how this change is impacting a lot of people, an
impact which can be significantly minimized by simply maintaining the
current environment for a few more months. I imagine everyone who uses
reCAPTCHA does not monitor this thread to be notified, but they were
all notified in the last 48 hours when their sites started raising
invalid cert warnings to their users.

On Apr 13, 3:31 pm, PJH <pauljherr...@gmail.com> wrote:
> Not even that late - it was announced June 30th 2010.
>
> <http://groups.google.com/group/recaptcha/browse_thread/thread/7a4839d...
>
>
>
> It's not as if it should be a complete surprise to anyone.
>
> If 9 months is insufficient time to roll out this sort of thing, I'm failing
> to see how a further "3-6 months" is going to help.
>
> On Wed, Apr 13, 2011 at 7:26 PM, Adrian Godong <adrian.god...@gmail.com>wrote:
>
>
>
>
>
> > AFAIK the change has been announced since late last year.
>
> > ---
> > Adrian Godong
>
> PJH- Hide quoted text -

Adrian Godong

unread,
Apr 13, 2011, 4:03:08 PM4/13/11
to reca...@googlegroups.com, TG
Or use v.0.0.8 instead SOL

--
Adrian Godong
adrian...@gmail.com

RecaptchaGoogleGroup

unread,
Apr 13, 2011, 4:08:26 PM4/13/11
to reCAPTCHA
At last found the JAR here.......recaptcha4j-0.0.8.jar

http://code.google.com/p/recaptcha4j/downloads/list

-Sam



On Apr 13, 4:03 pm, Adrian Godong <adrian.god...@gmail.com> wrote:
> Or use v.0.0.8 instead SOL
>
>
>
> On Wed, Apr 13, 2011 at 13:02, Adrian Godong <adrian.god...@gmail.com> wrote:
> > Looks like v0.0.7 is updated way back in 2008. Might be easier to get
> > the latest source, change the URL, and build it yourself.
>
> > I don't think anyone created that library is still maintaining it.
>
> > adrian.god...@gmail.com
>
> --
> Adrian Godong
> adrian.god...@gmail.com

Recapthaxx

unread,
Apr 13, 2011, 6:57:22 PM4/13/11
to reCAPTCHA
Does the following URL also need to be changed ?

api-verify.recaptcha.net

If so, what would be the URL ?

Thanks,
Ind


On Apr 13, 4:08 pm, RecaptchaGoogleGroup <sambonig...@gmail.com>
wrote:

PJH

unread,
Apr 13, 2011, 7:00:21 PM4/13/11
to reca...@googlegroups.com
On Wed, Apr 13, 2011 at 10:57 PM, Recapthaxx <sam.in...@gmail.com> wrote:
Does the following URL also need to be changed ?

api-verify.recaptcha.net

Yes.
 
If so, what would be the URL ?



--
PJH


Recapthaxx

unread,
Apr 13, 2011, 7:20:03 PM4/13/11
to reCAPTCHA
Will the URL "api-verify.recaptcha.net" be completely shut down /
inaccessible within 2 or 3 days from today ?
The reason we ask is, we ping the above URL and if we get the response
back, only then we show the recaptcha else we by-pass it.

Just wanted to know if the above URL would be accessible ?


Thanks,
Ind




On Apr 13, 7:00 pm, PJH <pauljherr...@gmail.com> wrote:
> On Wed, Apr 13, 2011 at 10:57 PM, Recapthaxx <sam.india...@gmail.com> wrote:
> > Does the following URL also need to be changed ?
>
> > api-verify.recaptcha.net
>
> Yes.
>
> > If so, what would be the URL ?
>
> From the URL I provided<http://groups.google.com/group/recaptcha/browse_thread/thread/7a4839d...>for

Juan Vera

unread,
Apr 14, 2011, 2:56:21 AM4/14/11
to reCAPTCHA
I have created my own jar replacing all the URL (compiled with java
1.5). I can send it to anyone who likes.

Juan.

On 13 abr, 20:32, RecaptchaGoogleGroup <sambonig...@gmail.com> wrote:
> Just externalize the required code, something like this...
>
> Replace
>
> ReCaptcha captcha =
> ReCaptchaFactory.newSecureReCaptcha(recapConfig.getPublickey(),
> recapConfig.getPrivatekey(), false);
>
> with
>
> ReCaptchaImpl recaptcha = new ReCaptchaImpl();
> recaptcha.setIncludeNoscript(false);
> recaptcha.setPrivateKey(recapConfig.getPrivatekey());
> recaptcha.setPublicKey(recapConfig.getPublickey());
> recaptcha.setRecaptchaServer("https://www.google.com/recaptcha/api");
>
> or pick code from
>
> http://code.google.com/p/recaptcha/downloads/detail?name=recaptcha4j-...

Allen G

unread,
Apr 14, 2011, 9:11:29 AM4/14/11
to reCAPTCHA
Ind,

I'll take a stab at this.

I did not see anything saying it's going to go dead. I'd imagine it
will at some point. The problem that you'll have is regarding the
certs. Well, technically, you won't have the problem. You're code
will seem to work fine. The issue is that some users browsers or
security software won't like the difference in certs and either prompt
the user and ask them if they want to proceed or it simply won't pull
in the recaptcha javascript from google and you're form won't have the
recaptcha field on it.

In short, unless you do some good paranoid coding for this sort of
scenario or you're users take detailed notes + screen shots, this is
the sort of problem you won't be aware of but will really piss off the
few users being affected by it.

--Allen

reCAPTCHA Support

unread,
Apr 14, 2011, 9:29:52 AM4/14/11
to reca...@googlegroups.com, Recapthaxx
> Will the URL "api-verify.recaptcha.net" be completely shut down /
> inaccessible within 2 or 3 days from today ?
> The reason we ask is, we ping the above URL and if we get the response
> back, only then we show the recaptcha else we by-pass it.
>
> Just wanted to know if the above URL would be accessible ?

The above URL will be accessible just fine, because it's not an SSL
URL. This change *only* affects places where SSL is being used. For
the 95%+ of sites which don't use SSL, everything will function just
fine.

The old URLs are not going away; it's just that at some point in the
near future, we will no longer be able to serve an SSL certificate for
api-secure.recaptcha.net.

Colin

reCAPTCHA Support

unread,
Apr 25, 2011, 11:10:04 AM4/25/11
to reCAPTCHA
Hi all,

We will be pushing this change live again on Wednesday morning (April
27). If you're using SSL and haven't updated your site to use the new
URLs yet, it will break again on Wednesday.

Colin

Allen G

unread,
Apr 27, 2011, 10:43:40 AM4/27/11
to reCAPTCHA

It doesn't look like the re-roll out has occurred yet. I take it that
by "Wednesday morning" they didn't mean overnight, eh?

--Allen

reCAPTCHA Support

unread,
Apr 27, 2011, 1:53:50 PM4/27/11
to reCAPTCHA
This is starting now.

Brett Carter

unread,
Apr 27, 2011, 8:17:06 PM4/27/11
to reCAPTCHA
FYI:

I've patched the ruby-recaptcha gem linked from
http://code.google.com/apis/recaptcha/docs/otherplatforms.html to use
the new urls.

My forked copy is here:
https://bitbucket.org/zbskii/ruby-recaptcha

Thanks,
-Brett

Kedar Mhaswade

unread,
Apr 27, 2011, 9:36:50 PM4/27/11
to reCAPTCHA
Perhaps this is water under the bridge now, but I'd have preferred if
the expired cert being presented were more recent than the one having
an expiry on 05/04/2009.
That expiry date gives an impression to the visitor that the site
admin is not paying attention to this for quite a while ...

Regards,
Kedar

On Mar 8, 1:35 pm, reCAPTCHA Support <supp...@recaptcha.net> wrote:
> Hi reCAPTCHA users,
>
> In April, we will begin to turn down the legacy URL for reCAPTCHA's
> HTTPS API.  If your site uses reCAPTCHA over SSL, you will need to
> make a minor code change before April 11.
>
> If your site does not load the reCAPTCHA challenge API over SSL, you

Scott Penrose

unread,
Apr 27, 2011, 11:27:44 PM4/27/11
to reca...@googlegroups.com
We did not receive any notification for this. It is just luck that we had someone report they were no longer able to register. No idea how many customers we have lost without registration working !

Did you notify everyone with old accounts, or only those that moved to using their Google Accounts.

You could have so easily added content into the javascript HTML generation to warn users and developers. But instead by changing the certificate you just outright broke it. On Safari, Firefox and Chrome you just don't get a recaptcha box, so the user doesn't even know what is broken. On IE it warns you and you can click to accept.

I am pretty disappointed in this approach to a service that is depended on by many important commercial companies.

Scott

Adrian Godong

unread,
Apr 27, 2011, 11:37:53 PM4/27/11
to reca...@googlegroups.com
This has been notified/reported/announced two weeks ago and roughly
8-ish months ago. If you're using one of the libraries, you should get
the new URL since last year and no change is required from your part
(other than the actual update).

> --
> You received this message because you are subscribed to the Google Groups
> "reCAPTCHA" group.
> To post to this group, send email to reca...@googlegroups.com.
> To unsubscribe from this group, send email to
> recaptcha+...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/recaptcha?hl=en.
>

--
Adrian Godong
adrian...@gmail.com

PJH

unread,
Apr 28, 2011, 3:26:04 AM4/28/11
to reca...@googlegroups.com


On Thu, Apr 28, 2011 at 3:27 AM, Scott Penrose <sco...@dd.com.au> wrote:
We did not receive any notification for this.

Notification was sent out on Jun 30th 2010. <http://groups.google.com/group/recaptcha/browse_thread/thread/7a4839d13ac3dcf5/a51be72cd56c1461?hl=en&lnk=gst&pli=1>


Did you notify everyone with old accounts, or only those that moved to using their Google Accounts.

Anyone interested in reCAPTCHA by joining the group was notified. I believe reCAPTCHA/Google would be accused of spamming if they simply emailed anyone who had ever signed up for an account on the website, especially by the likely vast majority of those who are no longer using it/simply signed up out of interest.


You could have so easily added content into the javascript HTML generation to warn users and developers.

Which would have, no doubt, gone as ignored as the initial (and subsequent) announcements about this.

I am pretty disappointed in this approach to a service that is depended on by many important commercial companies.

For someone complaining about professionalism, I find your own somewhat under question if you cannot even be bothered to subscribe to those places where such announcements are likely to be made, or if you have, you do not bother to read them.

I'm sure the likes of Facebook and other large commercial companies who use reCAPTCHA have updated their systems in good time.

As a user of a free service, it is your responsibility to keep up to date with changes to the service. If you were paying for it/had a contract, you would no doubt have cause for complaint; but that is not the case.

--
PJH


PeterWoz

unread,
Apr 28, 2011, 2:04:25 PM4/28/11
to reCAPTCHA
Google reCAPTCHA Team,

I would like to discuss how the notifications for the reCAPTCHA image
URL change was handled.

My understanding is that a notification regarding the URL change was
posted on the reCAPTCHA forum. I would like to make the argument that
that type of notification is insufficient for a change with this level
of impact and that an email notification system is needed.

The forum posting stated: “We will be contacting SSL-using site owners
individually to let them know about this change . . “, but I was never
contacted and my information is up-to-date.

I am a member of the forum and I have recently visited the forum and
even logged several entries. However, I did not see the notice.

One could make the argument that I should have “subscribed” (via
email) to forum postings. Well, I did that last night and I already
have received eighteen emails. Four have to do with ASP.net, which I
don’t use, and ten have to do with PHP, which I also don’t use. It is
my understanding that the forum was for users that are having trouble
with reCAPTCHA and not for important announcements. As you can see
announcements can quickly get lost as trouble postings inundate the
forum. I have been using reCAPTCHA for more than three years now; I
think the expectation that users should monitor the reCAPTCHA forum
everyday just in case there may be an announcement is not realistic.

An argument was also made by a user that as a subscriber to “a free
service, it is [my] responsibility to keep up to date with changes to
the service.” I agree with that statement. It is how the notification
was handled, that I don’t agree with.

The reCAPTCHA service is a free service that Google provides. However,
it is a “you scratch my back, and I’ll scratch yours” arrangement.
Books are being digitized by this service, are they not?

A rather thin argument was made regarding the use of subscriber’s
email addresses. The user stated: “I believe reCAPTCHA/Google would be
accused of spamming if they simply emailed anyone who had ever signed
up for an account on the website, especially by the likely vast
majority of those who are no longer using it/simply signed up out of
interest.” I must say that I am ardently in disagreement with that
statement. I believe it is a safe assumption that users that sign up
for the service are interested in the service. Announcement emails
could contain instructions on how to be removed from the list (as
emails of that type normally do).

I see now that there is a “reCAPTCHA Announcements” forum, which is a
big step forward, but how are users suppose to find out about this
forum unless they stumble across it as I have (after the incident)?

If Google really was interested in good customer service, they could
take the extra step of allowing users a method to register their email
addresses for certain categories of announcements regarding reCAPTCHA.
This is certainly not an extraordinary request, but rather a method of
communication that is widely deployed across the web. (I think Google
would be able to handle it.) I don’t think I would be accused of
encroachment by saying that such a method of communication would be
greatly appreciated by the user community. For example, there was
recently a change to the reCAPTCHA audio challenge for which I was
caught unaware. That change was never posted in the forum. Users could
be properly informed of such changes via a subscription system.

The “monitor forum” approach for announcements is a “pull”
arrangement, whereby the user must be diligent (and spend valuable
time). An email notification system would be a “push” arrangement
that would better serve the user community.

Adrian Godong

unread,
Apr 28, 2011, 2:11:53 PM4/28/11
to reca...@googlegroups.com
Hi Peter,

Out of curiosity, what platform/plugin are you using and what version it is?

Thanks,

PeterWoz

unread,
Apr 28, 2011, 2:19:13 PM4/28/11
to reCAPTCHA
Hi Adrian,

I'm using Java/JSP with a custom theme. I am not using a plug-in.

- Peter
> > For more options, visit this group athttp://groups.google.com/group/recaptcha?hl=en.
>
> --
> Adrian Godong
> adrian.god...@gmail.com- Hide quoted text -

reCAPTCHA Support

unread,
Apr 28, 2011, 3:40:01 PM4/28/11
to reCAPTCHA
Hi Peter,

> The forum posting stated: “We will be contacting SSL-using site owners
> individually to let them know about this change . . “, but I was never
> contacted and my information is up-to-date.

We attempted to contact site owners where we could. However there are
many reasons why emails might not have gotten through:

1) We didn't see any SSL traffic from your site during the timeframe
that we were sending out notification emails
2) Our email was spam-filtered or otherwise failed to reach you
3) We didn't have a valid email address (either something invalid was
entered originally, or the account no longer exists)
4) The website was set up by a contractor or someone else who is no
longer paying attention
5) Probably a few other reasons I'm not thinking of

There are hundreds of thousands of sites that use reCAPTCHA, so we
couldn't simply email *all* site owners (most sites don't use SSL),
nor could we individually verify that every single site owner
successfully read to our email and took appropriate action. Counting
emails to this group and to our support email address, we've received
less than 100 complaints about this change so far; out of the hundreds
of thousands of sites that use reCAPTCHA, this is actually better than
I expected.

We tried to give as much time as we could before breaking things; new
versions for all of the officially-supported modules (and most of the
community-supported modules) have been available for over half a
year. Unfortunately one problem with web apps/APIs in general is that
there's no way we can "push" updates to you -- you have to keep track
of your software's dependencies and manually update to newer versions
of the modules. I understand that this sucks, but unfortunately
there's no general solution to this problem for web apps.

> One could make the argument that I should have “subscribed” (via
> email) to forum postings.

FYI, the correct group to join for announcements is the recaptcha-
announce group. This group only has announcements of changes to the
API, and is therefore very low-traffic.

https://groups.google.com/group/recaptcha-announce

> I see now that there is a “reCAPTCHA Announcements” forum, which is a
> big step forward, but how are users suppose to find out about this
> forum unless they stumble across it as I have (after the incident)?

I agree that we should do a better job of advertising this forum.

One "problem" is that we've simply never had to make a backwards-
incompatible change to our APIs before, in the 4 years that the
service has been available. On the one hand, this is a better record
than most other software; on the other hand, it means that people
aren't used to checking regularly for updates.

> If Google really was interested in good customer service, they could
> take the extra step of allowing users a method to register their email
> addresses for certain categories of announcements regarding reCAPTCHA.
> This is certainly not an extraordinary request, but rather a method of
> communication that is widely deployed across the web. (I think Google
> would be able to handle it.)

This is what the recaptcha-announce list is for. Any changes to the
API will be announced there. (However, for security reasons, changes
to the specific image or audio CAPTCHA distortions generally are not.)

Colin

Scott Penrose

unread,
Apr 28, 2011, 6:50:20 PM4/28/11
to reCAPTCHA
Good morning

Thanks for all those who reply. PJH you seem to put lots of effort in
to writing replies, thanks.

Just to answer your questions here...

> Notification was sent out on Jun 30th 2010. <http://groups.google.com/group/recaptcha/browse_thread/thread/7a4839d...
>
> Anyone interested in reCAPTCHA by joining the group was notified. I believe
> reCAPTCHA/Google would be accused of spamming if they simply emailed anyone
> who had ever signed up for an account on the website, especially by the
> likely vast majority of those who are no longer using it/simply signed up
> out of interest.

Yes and I am now. To be completely honest I had missed that this group
existed. As a developer I am part of literally 100s of services like
these. And I had missed that it had gone to a google group, or google
at all :-)

> You could have so easily added content into the javascript HTML generation
> > to warn users and developers.
>
> Which would have, no doubt, gone as ignored as the initial (and subsequent)
> announcements about this.

Of course not. But you could argue silly points like this forever. All
I object to is that changing the certificate did not provide a
'warming' as it just stopped working. It is equivalent to turning off
the site altogether, as browsers (unless your a developer and look
into it) just don't load the content. Only one browser (IE) warned the
user and allowed them to continue. Other methods could have shown up
as a warning but still not broken systems. Then once a few weeks,
maybe a month passes of warnings, turn off the system and everyone
really has been warned.

> I'm sure the likes of Facebook and other large commercial companies who use
> reCAPTCHA have updated their systems in good time.

Oh if only I had their resources. Not really a good comparison,
comparing a large company with a small one. Of course a large company
has the resources to be part and aware of everything going on :-)

Thanks for your reply.

Scott

Zeromeg

unread,
Apr 28, 2011, 10:21:31 PM4/28/11
to reCAPTCHA
Has anyone updated .NET? Looking for instructions on how to do it?
Original developer is no longer available and I need to update a site
using this that has stopped working...
> > - Show quoted text -- Hide quoted text -

Adrian Godong

unread,
Apr 28, 2011, 10:51:41 PM4/28/11
to reca...@googlegroups.com, reCAPTCHA
Grab the dll, recompile, and redeploy.

---
Adrian Godong

Jacob Isreal

unread,
Apr 29, 2012, 8:06:54 AM4/29/12
to reca...@googlegroups.com
I just downloaded the dev version off drupal.com and I find that IE is giving me a security error when I send a recaptcha over ssl page.
How can I make this error go away so my users don't have to see insecure content on this page and stop them from getting this error?  I am new to this, but not new to editing code.  Please help!

Jacob

PJH

unread,
Apr 30, 2012, 3:49:18 AM4/30/12
to reca...@googlegroups.com
The dev versions at http://drupal.org/project/recaptcha appear to be using the right recaptchalib.php.

Are you sure you're using the https version of recaptcha on your site? From a quick search of their source code it's expecting a variable called 'recaptcha_secure_connection' to be set to true (e.g. http://api.drupalhelp.net/api/recaptcha/recaptcha.module/function/recaptcha_captcha/7)



--
You received this message because you are subscribed to the Google Groups "reCAPTCHA" group.
To view this discussion on the web visit https://groups.google.com/d/msg/recaptcha/-/DTJa117iFNsJ.

To post to this group, send email to reca...@googlegroups.com.
To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/recaptcha?hl=en.



--
PJH


marc...@gmail.com

unread,
Aug 21, 2013, 4:26:51 AM8/21/13
to reca...@googlegroups.com
Juan,

You can send me a jar for java with new URL (java 1.5 it is perfect!)
thanks,
Laia

El dijous 14 d’abril de 2011 8:56:21 UTC+2, Juan Vera va escriure:

Ankush Malhotra

unread,
May 13, 2014, 7:31:56 AM5/13/14
to reca...@googlegroups.com, sup...@recaptcha.net
Hi Team,

Recently I am facing issue in recaptcha verification, I am getting invalid-request-cookie response every time. Even I am sending the correct private key,remote address and captcha challenge. Can you please help me out.

Looking forward for your positive response.

Best Regards,
Ankush Malhotra

Vasu T

unread,
Sep 17, 2014, 10:01:42 AM9/17/14
to reca...@googlegroups.com, sup...@recaptcha.net
cpatcha Hi All,

I have configured cpatcha for SSL in the server with beolw configuration

captcha.engine.recaptcha.url.script=https://www.google.com/recaptcha/api/challenge?k=
captcha.engine.recaptcha.url.noscript=https://www.google.com/recaptcha/api/noscript?k=
captcha.engine.recaptcha.url.verify=https://www.google.com/recaptcha/api/verify

during cpatcha verification , i always get NoRouteToHostException

this looks like proxy issue, but we added proxy settings in tomcat setenv.bat

still the same. any idea on this

thanks in advance

vasu
Reply all
Reply to author
Forward
0 new messages