Google reCAPTCHA firewall exception options

We’ve implemented Google reCAPTCHA in one of our web apps, which is nice and works fine on our local machines. When we deployed to our dev server, however, we were hit by outbound firewall rules, so .NET threw an exception along the lines of ‘Unable to connect to the remote server’.


Upon investigating what firewall exceptions we would need for our various environments, we noted that Google recommends opening up the relevant port (80 if HTTP is fine, 443 if the web app will run with a secure certificate/HTTPS) to all outbound connections. This is highly insecure and most likely unacceptable to most network administrators. That option was therefore not a runner for us.

The best-practice and more secure approach would be to create rules that are as restrictive as possible, allowing only specific IP addresses. We looked into this; however, from researching online it seems that Google’s IP addresses change regularly, which obviously creates a problem for maintainability and for the reliability of the application. One comment from April 2015 on the ‘How to access reCAPTCHA servers through a firewall’ reCAPTCHA wiki page in particular worried us:

Hi guys, we are using the Recaptcha solution for almost half a year now, and in this time we had to change the firewalls four or five times already, just to find out today that they have changed again.

We also noted similar comments such as the below:

Yesterday it worked fine once we configured the firewall to allow requests for the IP address that was causing the problem.  But today it’s requesting using a DIFFERENT IP address, which isn’t configured.  Not only is this a problem for us right now, but it makes me uneasy.  What happens if it changes IP addresses again?  More broadly, what is the issue, here?  Why did it use one IP yesterday and another today?

Additionally, the ‘How to set up reCAPTCHA’ wiki page also mentioned that IP addresses can change. One way to mitigate the risk of IP addresses changing might be to catch the exception that is thrown when the app attempts to communicate with http(s)://www.google.com/recaptcha/api while the firewall is blocking such communication. The catch block could then perhaps bypass reCAPTCHA, considering the request to come from a human, and also email IT support, who can then verify whether the IP addresses have in fact changed. Of course this still isn’t a runner for most enterprise applications.

In the end it seems the best Google reCAPTCHA firewall approach for most will be to allow outbound requests on the relevant port (80 or 443) based on the hostname google.com. Using DNS allows us to abstract out any changes to the underlying IP addresses. Unfortunately, I believe this approach may not work for everyone, as some firewalls will not support this configuration; furthermore, I believe configuring such rules is more complicated than the IP address based approach. That being said, it does provide reliability and is certainly more secure than just allowing all outbound connections on port 80 or port 443, so this would be the approach I would recommend.
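For firewalls that cannot match on hostname and so stay on IP-based rules, a scheduled check can flag address changes before the application starts failing. The following is an added example, not code from the original post; the function names, the allowlist and the resolved addresses are constructed for illustration.

```python
import ipaddress
import socket

def resolve(host, port=443):
    """Addresses the local resolver currently returns for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def check_drift(host, allowlist, resolver=resolve):
    """Compare current DNS answers for host with IP-based firewall rules.

    allowlist: IPs or CIDR blocks exactly as configured on the firewall.
    Returns (uncovered, unused): resolved addresses no rule permits, and
    rules that matched none of the answers.
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    resolved = resolver(host)
    uncovered = sorted(str(ip) for ip in resolved
                       if not any(ip in net for net in networks))
    # One lookup returns only a subset of a provider's addresses, so an
    # unused rule is a hint to review, not proof that it is obsolete.
    unused = sorted(str(net) for net in networks
                    if not any(ip in net for ip in resolved))
    return uncovered, unused

# Constructed sample data from the documentation ranges (RFC 5737),
# not real Google addresses or a real rule set.
SAMPLE_ALLOWLIST = ["192.0.2.10", "198.51.100.0/24"]

def sample_resolver(host):
    return {ipaddress.ip_address("198.51.100.7"),
            ipaddress.ip_address("203.0.113.5")}

def main():
    # Swap sample_resolver for resolve to query live DNS from the app server.
    uncovered, unused = check_drift("www.google.com", SAMPLE_ALLOWLIST,
                                    sample_resolver)
    for ip in uncovered:
        print(f"ALERT: www.google.com resolves to {ip}, not in the allowlist")
    for net in unused:
        print(f"review: rule {net} matched no current answer")
    return 1 if uncovered else 0  # non-zero exit lets cron/monitoring alert

if __name__ == "__main__":
    raise SystemExit(main())
```

Run the check from the server that makes the reCAPTCHA calls, since a different resolver may return different answers.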

What Google reCAPTCHA firewall rules are you guys using to enable use of this tool in your applications?