The captcha URL check is the fast per-session defence against phishing clones. The PGP verification is the slower per-rotation defence. You do both.

How it works

The WeTheNorth login page renders a captcha image server-side with two things baked in: the puzzle you have to solve, and the current onion address printed in small text along one edge of the image. Both are generated in the same file that the browser downloads.

Reader instruction

Every session, before typing the password: glance at the small text at the bottom (or wherever) of the captcha image. Compare to your URL bar. If they match, proceed. If they do not, close the tab.

Why this defends against clones

A phishing clone that scrapes the WeTheNorth login page gets a captcha image with the real WeTheNorth address baked in. If the clone displays that image unchanged, the address in the image does not match the address in the URL bar, and the reader can spot the difference in under five seconds.

The clone could regenerate the image with its own address baked in, but that requires implementing captcha generation server-side, which is more work than most clones do.

Why every session

Because bookmarks can be poisoned. A bookmark you saved months ago may point at an address that has since been rotated out. If a phishing clone happens to notice the retirement, they can spin up a clone on the retired address. The captcha check catches this pattern on the first attempt.

The check is not optional

It takes five seconds. It catches the median phishing attempt. Every session, before typing the password. Make it a habit.