Interesting - Google Captcha and Onion

I'm using Google Captcha because it really fights bots well. Since I started using Google ReCaptcha, zero spammers have flooded my site with trash. So I like Google Captcha.

I also offer an onion, and a few days ago I was writing a CSP for my onion and noticed some really strange behavior from Google's domains.


Why is Google forcing my users to use HTTP?



Of course I want the users to use Google Captcha over HTTPS. There's no real reason why I shouldn't. So this was part of my CSP:

img-src https://www.google.com/recaptcha/api/ 'self';

Nothing strange really. Note that this works just fine over clearnet with both HTTP and HTTPS. But what happens when I use this policy on my onion?

Hmm, why doesn't Tor Browser Bundle redirect from http://www.google.com/recaptcha/api/ to https://www.google.com/recaptcha/api/? HTTPS Everywhere (5.1.5) is indeed installed and should redirect to HTTPS for Google. So I fiddled around to get this to work. These are some that I tried (note that I tried every combination of the following):

None of them worked! But do you know which did work? All those with HTTP! I tried all the above combinations but with HTTP instead of HTTPS and those worked just fine!

Anyway, I tried with Google Chrome (canary, 51.0.2696.0) with FoxyProxy and got this result:

Strange, I thought, so I added upgrade-insecure-requests and it worked fine in Chrome. Great! One step closer to success!
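To make the behaviour above concrete, here is an added example (not code from my site or from any browser) that models how the img-src source list is matched and how upgrade-insecure-requests rewrites the request before the check. It is a simplified matcher that ignores ports, wildcards and redirects; the onion origin and the image path are constructed placeholders.

```javascript
// Added example: simplified model of CSP img-src matching, not a full CSP implementation.
// Assumption: the onion origin is a constructed placeholder.
const PAGE_ORIGIN = 'http://exampleplaceholder.onion';

// Split a policy string into { directive: [sources...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression allow this URL?
function sourceMatches(source, url, origin) {
  if (source === "'self'") return url.origin === origin;
  let expr;
  try { expr = new URL(source); } catch { return false; }
  // An https: source never matches an http: URL; an http: source also accepts https:.
  const schemeOk = expr.protocol === url.protocol ||
    (expr.protocol === 'http:' && url.protocol === 'https:');
  if (!schemeOk || expr.hostname !== url.hostname) return false;
  // A path ending in "/" is a prefix match; otherwise it must match exactly.
  return expr.pathname.endsWith('/')
    ? url.pathname.startsWith(expr.pathname)
    : url.pathname === expr.pathname;
}

// Decide whether an image request is allowed, and over which URL it is sent.
function checkImage(policy, requestUrl, origin = PAGE_ORIGIN) {
  const directives = parsePolicy(policy);
  const url = new URL(requestUrl);
  // upgrade-insecure-requests rewrites http: to https: before the policy check.
  if ('upgrade-insecure-requests' in directives && url.protocol === 'http:') {
    url.protocol = 'https:';
  }
  const sources = directives['img-src'] || directives['default-src'];
  if (!sources) return { allowed: true, finalUrl: url.href }; // no restriction set
  const allowed = sources.some((s) => sourceMatches(s, url, origin));
  return { allowed, finalUrl: url.href };
}

const POLICY = "img-src https://www.google.com/recaptcha/api/ 'self';";
const HTTP_IMG = 'http://www.google.com/recaptcha/api/image.png'; // constructed path
console.log(checkImage(POLICY, HTTP_IMG));
console.log(checkImage(POLICY + ' upgrade-insecure-requests;', HTTP_IMG));
```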

It was still not working in Tor Browser because it does not (yet) support CSP 2.0, so I changed my source code so that it pointed to https://google.com. I was a little bit closer, now I got this:

Hmm... I can't change my source code because I already did, I can't rely on HTTPS Everywhere because that clearly didn't work, and I can't add upgrade-insecure-requests, so what should I do?

When using Google captcha the user fetches this:

That is 6 pictures and 2 JavaScript files. I searched through the JavaScript files but did not find any instances of http://. I also searched through the generated source code. Of course it should be there somewhere but I just can't find it.


Why is this a problem?



Good question, why should we care that a user is getting resources via HTTP? Well, that's not a question really because getting them over HTTPS is an option and there should be no trouble if you decide to use HTTPS.

But there's more to say. Why do only TBB users need to get resources over HTTP? Is there a legitimate reason behind this? Is this because global MITM attacks would be possible, and by global I mean at AS level?

Probably not, but I will take no chances and I will not play by Google's rules.


Summary



HTTPS Everywhere does not give the protection it is supposed to. I thought that it would simply redirect the user to HTTPS but in this case it didn't.

If we can't rely on HTTPS Everywhere we should rely on browser standards, and yet again we can't. TBB has no support for CSP 2.0.

Changing the source code is the best thing you could do (always, obviously), but unfortunately in this case that didn't help entirely: there is still a script that is forcing the user to HTTP.

Simply blocking things with CSP is fine and you should do it. It's 2016 - you should enforce HTTPS. It's extra important that you force HTTPS on your onion if you must get subresources from outside your origin.