Recaptcha v3: new way to stop bots

webmasters.googleblog.com

119 points by kevinday 7 years ago · 146 comments

robin_reala 7 years ago

I’m quite proud of GOV.UK for banning CAPTCHAs from government services completely.[1] Have you ever tried to use the ‘accessible’ fallback for ReCAPTCHA? It’s literally impossible (my team had 0% passes trying it over and over again) so by implementing ReCAPTCHA you’re completely blocking an entire set of already disadvantaged users. At the same time, even a normal CAPTCHA is already harder for some users to solve than it is for some bots and you’re lining Google’s pockets by training their ML algorithms.

While this new version potentially helps things, it feels like the users with more automated interaction methods or those who want to reduce fingerprinting efforts will still fall foul of over-zealous site owners.

At the end of the day, all a CAPTCHA is is a method to externalise business costs onto your users.

[1] https://www.gov.uk/service-manual/technology/using-captchas

  • avip 7 years ago

    I'd suggest CAPTCHA nay-sayers come up with alternatives. The implied alternative is, by default, constant abuse, phishery, scraping, automated login attempts, and DDoS. Which sometimes may be fine, and many times is just not acceptable.

    • chickenfries 7 years ago

      If a CAPTCHA is the only thing keeping your site secure from abuse then I think you have larger problems.

      • spookthesunset 7 years ago

        > If a CAPTCHA is the only thing keeping your site secure from abuse then I think you have larger problems.

        This is one of those pithy remarks that add zero value to a discussion.

        I'm curious how you would approach blocking automated access to various parts of your site?

        • chickenfries 7 years ago

          Well, ReCAPTCHA is usually used on sign-in pages. You can rate limit login attempts, exponentially increasing rate limit (or just locking out) IPs that exceed allowed login attempts and analyze your logs to ban abusive IPs.

          Yeah, that's harder than ReCAPTCHA, but I think a lot of these big companies can afford to do these pretty basic steps.

          If you just want to throw some comments on your free blog and not have to moderate the comments (and honestly, how many comments does your blog get that you can't read them?) then sure, throw ReCAPTCHA on there. But there are plenty of big companies that use ReCAPTCHA.

          • spookthesunset 7 years ago

            > You can rate limit login attempts, exponentially increasing rate limit (or just locking out) IPs that exceed allowed login attempts and analyze your logs to ban abusive IPs.

            Rate limiting and bot blocking are two totally different things. Rate limiting only increases the cost of a bot attack. Either they need more IPs (which are dirt cheap in the black market) or they need more time--either way it is increased cost. But it won't stop a bot. Just slow it.

            Banning IPs might have worked back in 2000, but these days it is useless. Bypassing an IP block is trivially easy for even a low-sophistication attacker.

            • Lyren 7 years ago

              You could rate-limit at a higher limit based on username as well.

              I guess a potential problem with that however is the login-blocking of high profile accounts with known usernames. Maybe only those accounts could be solved by a captcha to bypass the login-block. And if there is a solution like that, login-blocks will basically become useless & therefore also disappear.

            • tinus_hn 7 years ago

              > Bypassing an IP block is trivially easy for even a low-sophistication attacker.

              Not easy for an average user though.

              • sieabah 7 years ago

                You're not trying to block the average user, you're trying to block the people trying to abuse the system.

              • saati 7 years ago

                The average user can solve the captcha anyway.
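The sub-thread above (chickenfries' rate limiting and IP lockout, spookthesunset's objection that rotating IPs defeats it, Lyren's suggestion of a second, higher limit keyed on the username) describes one concrete design. Below is an added example of that design, written for this page and not taken from the thread, the blog post or any product. The thresholds, delays and window are hypothetical defaults; the IP addresses in the demo are documentation ranges.

```python
"""Login throttling keyed on both source IP and username.

Two independent counters cover the two attack shapes discussed above: one host
spraying many accounts (per-IP bucket) and many hosts spraying one account
(per-username bucket). Each failure past a threshold doubles the lockout, so
rotating IPs only moves the attacker onto the per-username limit; that limit is
deliberately higher so a known account cannot be locked out by a handful of bad
guesses. All thresholds and delays below are hypothetical defaults.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class _Bucket:
    failures: int = 0          # failures inside the current window
    last_failure: float = 0.0  # monotonic timestamp of the last failure
    locked_until: float = 0.0  # monotonic timestamp at which the lockout expires


class LoginThrottle:
    def __init__(self, ip_threshold: int = 5, user_threshold: int = 20,
                 base_delay: float = 1.0, max_delay: float = 3600.0,
                 window: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ip_threshold = ip_threshold      # free failures per IP
        self.user_threshold = user_threshold  # free failures per account, across all IPs
        self.base_delay = base_delay          # first lockout in seconds; doubles each time
        self.max_delay = max_delay            # cap on the exponential backoff
        self.window = window                  # failures older than this are forgotten
        self.clock = clock                    # injectable so tests can control time
        self._ip: Dict[str, _Bucket] = {}
        self._user: Dict[str, _Bucket] = {}

    @staticmethod
    def _key(username: str) -> str:
        return username.strip().lower()  # "alice" and "Alice" share one bucket

    def _remaining(self, table: Dict[str, _Bucket], key: str) -> float:
        b = table.get(key)
        return max(0.0, b.locked_until - self.clock()) if b else 0.0

    def retry_after(self, ip: str, username: str) -> float:
        """Seconds the client must wait before a login attempt; 0.0 means allowed."""
        return max(self._remaining(self._ip, ip),
                   self._remaining(self._user, self._key(username)))

    def _record(self, table: Dict[str, _Bucket], key: str, threshold: int) -> float:
        now = self.clock()
        b = table.setdefault(key, _Bucket())
        if now - b.last_failure > self.window:
            b.failures = 0  # old failures have aged out
        b.failures += 1
        b.last_failure = now
        over = b.failures - threshold
        if over <= 0:
            return 0.0
        delay = min(self.max_delay, self.base_delay * 2.0 ** (over - 1))
        b.locked_until = now + delay
        return delay

    def record_failure(self, ip: str, username: str) -> float:
        """Record a bad credential; returns the lockout (seconds) now in force."""
        return max(self._record(self._ip, ip, self.ip_threshold),
                   self._record(self._user, self._key(username), self.user_threshold))

    def record_success(self, username: str) -> None:
        """A correct password clears the account's bucket but not the IP's: an
        attacker who owns one valid account must not be able to reset the IP counter."""
        self._user.pop(self._key(username), None)


if __name__ == "__main__":
    t = LoginThrottle()
    for i in range(7):
        print("alice from one IP, failure", i + 1, "-> lockout", t.record_failure("203.0.113.5", "alice"))
    for i in range(21):
        t.record_failure(f"198.51.100.{i}", "bob")
    print("bob sprayed from 21 IPs -> lockout seen from any IP:", t.retry_after("198.51.100.250", "bob"))
```

Lyren's worry applies directly to the per-username bucket: it is a denial-of-service lever against any account whose name is known, which is why its threshold is higher, the lockout is capped, and a deployment would normally exempt IPs that have recently logged into that account successfully rather than lock the real owner out.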

      • wild_preference 7 years ago

        It probably eliminates 90% of it for 90% of websites, like off-the-shelf spamware hitting your blog's comments.

        The prevention measure you create for the remaining 10% (like a moderation queue + human review if you can afford it) is likely to only work because its workload is diminished 90% by a crude measure like ReCaptcha.

        Your dismissal doesn't illuminate anything. It turns out that abuse prevention is hard and costly.

        • avip 7 years ago

          > It turns out that abuse prevention is hard and costly

          This should come on a T-shirt or coffee mug.

    • blub 7 years ago

      Two-factor authentication, obviously, even e-mail based.

      • avip 7 years ago

        You've just lost 95% of your users.

        • prolikewh0a 7 years ago

          Taking 10 minutes to solve one reCaptcha is also a good way to lose users. There are plenty of websites I refuse to use now because they have outrageous reCaptchas.

  • wild_preference 7 years ago

    Cool, that solution works for one of the hegemonic governments of the world.

    Now what about literally every other entity in the world that has a website? The vast majority of which are not businesses? Nor serving life-critical documentation to all of the country's disabled?

pdkl95 7 years ago

Recaptcha v3 explicitly bans any browser that isn't one of "the two most recent major versions"[1] of Chrome, Firefox, Safari, or Edge. I don't mean it falls back to showing you an annoying select-the-picture quiz; if Google doesn't like your browser, the recaptcha widget replaces itself with:

> Please upgrade to a supported browser to get a reCAPTCHA challenge.

There are many reasons this is bad, but for now I'll point out that creating barriers that prevent new competitors from entering an established market is the behavior of a monopolist abusing their power over a market.

[1] https://support.google.com/recaptcha/?hl=en#6223828

  • beojan 7 years ago

    It's even worse on Android. The only supported browsers are Chrome and the native Android browser.

    I wouldn't be surprised if they get another fine from the EU over this.

    • y4mi 7 years ago

      Just tested on Firefox (Android). No issue.

      I didn't test Opera nor Brave, but neither should have any issues either, as they're just Chrome forks at this point.

    • fulafel 7 years ago

      Really? They banned Firefox and Opera?

    • h2onock 7 years ago

      Are you sure? I was quite certain that you could install Firefox onto an android device until I read your comment.

      • detaro 7 years ago

        What does being able to install the browser have to do with it being supported for recaptcha? The link above clearly states a list of supported mobile browsers, which does not contain Firefox. (I wouldn't be surprised if it still worked, but the claim is clear and based on official Google material)

  • jontro 7 years ago

    Are you sure you're talking about v3? I don't think v3 will display anything no matter what browser you're running, instead it's up to you to do that.

    • pdkl95 7 years ago

      Regardless of version number, it's new behavior that seems to roughly align with the arrival of v3. I used to be able to pass most recaptcha, but now I get that message on some sites (which are now completely inaccessible).

hnaccy 7 years ago

I hate Recaptcha.

In my experience using Firefox and not being logged into a google account results in a very long if not impossible chain of captcha challenges.

  • jannes 7 years ago

    Yes, same here.

    - Using Firefox with uBlock Origin

    - Not logged in to Google (at least outside of Firefox's containers)

    - Third-party cookies disabled + Cookie AutoDelete addon

    They present me with 3-5 captchas every time.

    • tinus_hn 7 years ago

      Hardly surprising considering you are removing the cookies they use to remember you already passed the test.

      • majewsky 7 years ago

        I highly doubt that Google relies solely on cookies to identify someone.

        • brownell 7 years ago

          Perhaps not saving cookies is something bots tend to do, hence the number of attempts...

  • jesseb 7 years ago

    My home setup is a plain old Xubuntu installation; for browsing I'm running Firefox with uBlock Origin. Nothing fancy or too far out of the ordinary.

    Lately I've experienced the same thing, often 3-4 rounds of captcha challenges, sometimes more. It's painful from UX standpoint and insulting as user. I've been trying to avoid any site that uses them, they're very user-hostile, but there's only so much you can avoid.

    • danuker 7 years ago

      Thank you for avoiding them! I do the same.

      If the site is important to you, you should contact the owners with an alternative (such as an open source captcha, or spam filtering).

      The only way to topple the monopoly of Google is to erode it site by site.

  • tinus_hn 7 years ago

    Using TOR not logged into anything does not. Perhaps you’re not following the instructions correctly.

    • prolikewh0a 7 years ago

      "Click all of the street signs"

      Do I also click the poles?

      "Click the traffic lights"

      Do I also click the poles they're attached to?

      "Click the store fronts"

      If it doesn't have writing on it but it looks like it might be a store do I click it?

      "Click all cars"

      Do I also include trucks, buses, or just cars?

  • wild_preference 7 years ago

    On the flip side, abuse exists, and wishing that anti-abuse measures went away does not acknowledge reality. Just like how I'm annoyed when I have to pay for a cup of coffee, but my annoyance doesn't really inform how things should be.

    Besides, if a relatively simple puzzle is too much to ask, then maybe you didn't care all that much to begin with. I can think of various platforms where this would be a good filter even if there was no such thing as abuse. ;)

    • robin_reala 7 years ago

      The puzzles aren’t simple if you’re blind or hard of vision. Or don’t have a US cultural background (I personally know a sidewalk is US English for a pavement, but I definitely don’t recognise all US street signs or shop hoardings, and have been caught out by that before).

      • Izkata 7 years ago

        > The puzzles aren’t simple if you’re blind or hard of vision. Or don’t have a US cultural background

        I've lived my whole life in the US and have about 20/20 vision (used to be slightly better than 20/15), and I'd estimate my reCaptcha pass rate around 20%.

        The puzzles are just badly done, it's not even a vision or knowledge thing.

        • ardy42 7 years ago

          > The puzzles are just badly done, it's not even a vision or knowledge thing.

          Yeah. The puzzles are terrible now, and I have a strong suspicion that they're no longer testing to see if you behave like another human, but instead testing you to see if you act like their own machine vision bot.

      • RandomInteger4 7 years ago

        You realize that when you're doing these CAPTCHAs, you're on the internet right? You could ask Google or DDG, "What is an XYZ?" and they would happily provide examples.

        Honestly, you're kind of insulting the intelligence of most people without a US cultural background.

      • wild_preference 7 years ago

        ReCaptcha, of all things, has pretty good accessibility measures. Likely more than the site in which it's embedded.

        Nobody is claiming it's perfect. But notice how nobody here is analyzing why people use ReCaptcha in the first place nor providing alternatives.

        If you knew nothing of ReCaptcha and only read these comments, you'd wonder if it was a gag website operators put on their website for self-amusement, which is basically how I looked at homework as a kid. But I feel like this discussion is a bit more one-sided than I expected on HN, a place where I would've thought more people had experience running a website and how immediately effective ReCaptcha was the second you added a <textarea>.

        • robin_reala 7 years ago

          No. They say they do, but neither me nor any of the team that tried it was able to complete a single test of the ReCAPTCHA accessible fallbacks. 0%. This was a couple of years ago, but at that point at least putting ReCAPTCHA into a site was putting a fixed roadblock in for people with visual impairments strong enough to force them down their audio route.

          • TimothyBJacobs 7 years ago

            When is the last time you tried? I completed the accessible fallback first try. Were you using headphones?

          • wild_preference 7 years ago

            You're going to lose users or time/money with any abuse prevention. But you lose even more by letting things like spammers run rampant on your platform. You're stuck analyzing trade-offs, not ignoring reality.

            Once again, all trails lead back to you providing some alternative solutions instead of the empty catharsis of coming up with downsides to something in an internet comment.

            Here's one of my own: Isn't it annoying that spambots show up the second I launch a website? Ugh! Well, got that out of the way. Now I need a solution.

            What's yours?

            • exodust 7 years ago

              You sound irritated that people find Recaptcha irritating.

              It's not about disliking anti-spam measures, it's about highlighting the woeful method that is re-captcha.

              "Select all squares with street signs" shows a bunch of squares, some of them contain only part of the pole that presumably has a sign attached out of shot. So do you click that square that only has the pole? A pole is not a sign, it's a piece of steel. But it's part of the sign, so are people expected to select it or not?

              Re-captcha is not a smart system.

              • vokep 7 years ago

                Not to mention, you're basically providing free Mechanical Turk style work for Google. Back when it started with digitizing books, alright sure, that's helping an open initiative to do something good. When I have to click cars and trees and traffic lights in order to post a comment, Google is having me do work for them, and I'd rather not work for them, even if it's only a few seconds at a time here or there.

              • will123195 7 years ago

                > A pole is not a sign

                Guess we can close the file on that one.

            • esotericn 7 years ago

              I don't see reCAPTCHA use being limited to this sort of case at all.

              On the contrary, many websites use it as an initial gate before I get to see anything.

      • nurino 7 years ago

        This reminds me of the day I was told to select all taxis... took me some time to understand they meant "yellow cars" (taxis are white here)

        • astura 7 years ago

          Ummm... Huh?

          Taxis are a different color everywhere, there's no "standard," even NYC has green taxis ("Boro Taxis"). Yellow is a popular color, because it stands out, but I've taken taxis every color of the rainbow (well, maybe not pink or purple), each area or company is different.

          In my neighborhood two companies operate taxis, one has a fleet of red taxis and another has a fleet of blue taxis. From my observation, black is probably the second most common taxi color.

          You identify a taxi by its markings, not its color.

          • beojan 7 years ago

            I wouldn't be surprised if users have inadvertently trained the AI behind reCAPTCHA to think all taxis are yellow.

          • nurino 7 years ago

            Then it's not US-centrism but NYC-centrism?

            I mean you tell me to check the markings, but you know in those captchas you can't see any markings because most things look like a blurry blob.

            • astura 7 years ago

              Taxis are easy to identify - cars with a (usually lit) topper and writing all over them are taxis, the writing doesn't even have to be in a language you understand to be identifiable as a taxi - you don't need to actually be able to read the writing. Other marks like checkered patterns are common, taxis are designed to stand out.

              New York City also has green taxis, so it's not anywhere-centric thing.

    • Bartweiss 7 years ago

      > a relatively simple puzzle

      I'm curious where the line on "relatively simple" is.

      Other people have already noted the tasks can be confusing if you're not an American English-speaker, and that the backup tasks for people with vision difficulties are nigh impossible.

      But beyond that: some of the time I have to do 1-3 Captcha pages, which I would class as relatively simple. Other times, I've gotten up to 10+ pages with what I believe was perfect accuracy. (They were fairly simple tasks like "click the stoplights", not the sometimes-ambiguous ones like "click the storefronts".) That's usually when I'm traveling, so it's correlated with slow internet. I don't know what the upper limit is, because there are very few pages I care about enough to push through 10+ rounds of Captcha, but I'd argue that "spending 3 minutes studying traffic photos with no end in sight" is way past my definition of 'simple'.

mattkevan 7 years ago

As a site owner I know captchas are vital in the battle of not being overwhelmed with spam, but as a user I hate Recaptcha with a passion.

Every time I’m asked to identify the motorbikes or traffic lights I feel like google should be paying me a few cents each time for helping train their machine learning algorithms.

And on mobile the experience is even worse. Depending on the placement of the captcha box half to a third of the tiles might be off the edge of the screen, making it impossible to solve. Seriously, how can Google not have a mobile version in 2018?

  • vosper 7 years ago

    > Every time I’m asked to identify the motorbikes or traffic lights I feel like google should be paying me a few cents each time for helping train their machine learning algorithms.

    Over and over again, too. It's completely overdone. I have had screen after screen of images to click on before the Recaptcha is finally happy that I'm human / I've provided enough training data for whatever object they're currently trying to get their cars not to run into.

    I wouldn't really object to "of these three pictures, which is a motorbike", but when I'm on my 4th or 5th screen of 9 images each I'm getting pretty annoyed... And they're so slow to fade in, too!

WorldMaker 7 years ago

The "deep telemetry" nature of this doesn't sound like a good idea. It's already been annoying with v2 thinking that I clicked a checkbox "too fast" to be human, to worry about every action taken in a site/app being compared to some weird AI model for "humanity".

That's even before other panopticon questions of who all this added telemetry even benefits.

  • bqe 7 years ago

    Websites that want to prevent automated bots from attacking them benefit immensely.

    • WorldMaker 7 years ago

      That goes without saying, and isn't an interesting answer in this case.

      When I mentioned panopticon benefits, I was more directly implying the complex "cui bono?" question of whether or not this data continues to entrench Google's behavioral analysis arms that use such data to sell our every behavior to advertisers for the purpose of buying our attention. It's not the websites using reCAPTCHA that benefit from all that extra advertising information stored on Google's servers, and it's not necessarily the individuals like you or me using those websites that are benefiting from all that extra information on Google's servers.

      Especially given that in v2 it seems very clear that Google has been using reCAPTCHA as their own personal Mechanical Turk to also entrench their positions in map data and possibly automated driving image recognition, this is not an idle question.

_pghu 7 years ago

No, no, no, no.

I do not want Google to have any more fucking data about me than it already does! "Put this blob of JavaScript on every page of your site so that we can see how users are clicking, scrolling, and browsing around. Think of the children^W spam and abuse!"

I just cannot believe that Google somehow gets away with spinning this as some sort of "guardian of the Internet" thing when it is a transparent attempt to a) make adblocking more difficult and b) force people to accept being tracked by Google or get blacklisted from the web.

Getting banned from sites or treated as a subhuman because you don't want Big Brother to follow your actions around should not be something that we're okay with. It just shouldn't be.

  • patrickaljord 7 years ago

    > I do not want Google to have any more fucking data about me than it already does! "Put this blob of JavaScript on every page of your site so that we can see how users are clicking, scrolling, and browsing around. Think of the children^W spam and abuse!"

    They already do with google analytics.

    • _wmd 7 years ago

      This is a version of Google Analytics you can't adblock without breaking the site.

  • avip 7 years ago

    You seem to subtly express the notion that we are somehow "entitled" to access a website, just because it has a public IP address and we happen to have an http client.

    Well - we're not.

    • pwnna 7 years ago

      To put it bluntly.. I think this "just don't use it" meme needs to die. At this point in time, accessing certain websites is effectively a requirement of modern life: want to see your bills without paying for paper bills? want to apply for jobs? want to sign up for courses? submit your taxes? or even vote under some jurisdictions? Then you have to access a website. Sure, for a lot of these, there are alternatives. However, the costs will likely be much higher and you'll simply be left behind by everyone else in society.

      This effort by Google, at its worst possible implementation, could break a huge number of "required" websites for users. As others have pointed out in this thread, the users who will be impeded are likely already at a disadvantage[1]. This just reinforces that, especially if everyone starts adopting this given how it is "free" for businesses/organizations.

      A convenient side effect? Google gets more information about us and encourages us to view more ads.

      [1] Someone mentioned smaller villages in India. The GOV.UK reference talks about users with disability. One could also imagine shared locations like public library, whose users may not have direct access to the internet.

      • avip 7 years ago

        I tend to agree that public services (in the sense of .gov) should avoid using this. But they do need protective measures. Would logging in with a futuristic Aadhaar equivalent be considered less intrusive?

        • pwnna 7 years ago

          If the only websites that we essentially have to utilize as competent citizens are public ones then it would be easy. We regulate the public ones and we let the private ones do whatever they want. At that point I think a bunch of people on this site will probably be content quitting the internet heh :).

          The problem is that it's not that simple. As I said, for things like banks/job search, these are private entities and not public ones. Going down that line, we can find some private services that a majority of the population around you uses that you also have to use in order to keep up with everyone else because there are few alternatives (google maps comes to mind). Granted, the latter is a weaker example, but it's meant to explore how practical it is to completely ditch services that are anti-user.

          Also don't get me wrong.. I'll probably be one to turn off my blocker to access some service that will provide me value even if I'm already paying for it. However, it's just a terrible state to be in.

    • kbenson 7 years ago

      We aren't entitled to access a site or its information, but neither are they to our personal information. This whole system has broken down as the implicit understanding of what is being given and what is being paid has been trampled on by both sides.

      The website may deserve to get recompense for their content, but I deserve to know what I'm paying just as much, if not more.

      If you're depriving me of something in our transaction that I'm not aware of, then at least part of what happened was theft. It doesn't matter that I didn't know about it until days, weeks, years or even decades later. If you've deprived me of something that we didn't agree upon, you've stolen from me. Even if in this case it's privacy. Especially in this case because it's privacy, because you can never get it back.

    • ksangeelee 7 years ago

      Clearly you're satirising. The very basis of the HTTP protocol, and the idea of the World Wide Web, is one of easy access to, and discovery of, information on openly accessible servers. It provides numerous mechanisms for protecting data that is deemed private.

    • jocoda 7 years ago

      Had to do a double take here. Not sure that this, as a blanket statement can be correct. How can anyone not be entitled to connect to any public IP address? And how, and who, would be able to enforce that?

      A server can put various measures in place to limit general access, but then by those measures the IP is no longer public. T&Cs that a site may wish to enforce can only be made available after the connection has already been established.

      Also, robots.txt is a standard that we agree to respect but it is not something that is legally binding.

      So have to disagree.

      • avip 7 years ago

        The IP is public in the sense that a pub's door is public. You're welcome to open it. The bouncer may throw you out without explanations (maybe you wore a hoodie, idk). You walk in under terms. You don't have some birthright to lurk there and harass the customers.

        • erulabs 7 years ago

          Exactly, though in the case of TCP/IP you can just -lock- the door entirely for certain (people|addresses) - no need for violence!

_asummers 7 years ago

Hopefully having an ad blocker (uMatrix) doesn't cause it to flag the user like reCAPTCHA v2 does on every single site I go to. I have had to click way too many cars and street signs at this point.

  • jetpks 7 years ago

    It's in Google's interest to make using an ad blocker as painful as possible.

    • candiodari 7 years ago

      And yet comparing using one on Youtube with not using one will quickly drive the point home that Google is committed to letting you do that, and doesn't mind losing a few bucks in the process.

  • snazz 7 years ago

    I’ll guess it’s going to be worse: without a checkbox to check (the whole “frictionless experience” thing), I don’t see a way for the site to give you a challenge to prove you’re human if the script hasn’t loaded. Correct me if I’m wrong, but I think this means that you simply can’t use the site that requires reCAPTCHA v3 with uMatrix (or uBlock hard mode) turned on.
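jontro's point further up (v3 renders nothing; the site decides what to do with the score) and snazz's point here (with the script blocked there is no token at all, so the site never gets to ask a question) both come down to what the server does with the siteverify response. The following is an added example written for this page, not code from the blog post, from Google or from any commenter. The siteverify endpoint and the response fields it uses (success, score, action, hostname, challenge_ts, error-codes) are the public API; everything else is an assumption: the 0.7 / 0.3 thresholds, the "login" action name, example.com, and the sample responses, which are constructed in the documented shape and are not real data.

```python
"""Turning a reCAPTCHA v3 siteverify response into a decision.

v3 never shows a challenge; the server POSTs the token to siteverify and gets
back a JSON document with a 0.0-1.0 score. This code maps that document to one
of three outcomes, treats a missing token (script blocked, unsupported browser)
as "unknown" rather than "bot", and refuses to trust a score whose action or
hostname does not match the form it was issued for, since a token minted on one
page can otherwise be replayed on another.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


class Outcome(Enum):
    ALLOW = "allow"      # proceed
    STEP_UP = "step_up"  # ask for something a blocked script cannot prevent: email link, 2FA, v2 challenge
    DENY = "deny"        # reject; only when the token is positively bad


def fetch_siteverify(secret: str, token: str, remoteip: Optional[str] = None) -> dict:
    """Live call to Google's endpoint. Not exercised by the offline demo below."""
    form = {"secret": secret, "response": token}
    if remoteip:
        form["remoteip"] = remoteip
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)


def decide(verify: Optional[dict], *, expected_action: str, expected_host: str,
           now: datetime, allow_at: float = 0.7, deny_below: float = 0.3,
           max_age: timedelta = timedelta(minutes=2)) -> Outcome:
    # No token at all: the script never ran (content blocker, unsupported browser).
    # That is absence of evidence, not evidence of a bot, so step up rather than deny.
    if verify is None:
        return Outcome.STEP_UP
    if not verify.get("success"):
        errors: List[str] = verify.get("error-codes", [])
        # A double-submitted form yields timeout-or-duplicate for a real user;
        # anything else means the token was forged, malformed or for another site key.
        return Outcome.STEP_UP if "timeout-or-duplicate" in errors else Outcome.DENY
    # Bind the token to this form and this site. Without these checks a high-scoring
    # token minted for a harmless action on any page of the site can be replayed here.
    if verify.get("action") != expected_action or verify.get("hostname") != expected_host:
        return Outcome.DENY
    # siteverify itself rejects tokens older than two minutes; re-checking guards
    # against a response cached or replayed on our own side.
    issued = datetime.fromisoformat(verify["challenge_ts"].replace("Z", "+00:00"))
    if now - issued > max_age:
        return Outcome.STEP_UP
    score = float(verify.get("score", 0.0))
    if score >= allow_at:
        return Outcome.ALLOW
    if score < deny_below:
        return Outcome.DENY
    return Outcome.STEP_UP


# Constructed sample responses in the documented siteverify shape (not real data).
SAMPLE_NOW = datetime(2018, 10, 30, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_HUMAN = {"success": True, "score": 0.9, "action": "login",
                "challenge_ts": "2018-10-30T12:00:00Z", "hostname": "example.com"}
SAMPLE_UNSURE = dict(SAMPLE_HUMAN, score=0.5)
SAMPLE_LOW = dict(SAMPLE_HUMAN, score=0.1)
SAMPLE_REPLAYED = dict(SAMPLE_HUMAN, action="view_homepage")    # token from another form
SAMPLE_WRONG_HOST = dict(SAMPLE_HUMAN, hostname="attacker.example")
SAMPLE_STALE = dict(SAMPLE_HUMAN, challenge_ts="2018-10-30T11:50:00Z")
SAMPLE_DUPLICATE = {"success": False, "error-codes": ["timeout-or-duplicate"]}
SAMPLE_INVALID = {"success": False, "error-codes": ["invalid-input-response"]}


def decide_login(verify: Optional[dict]) -> Outcome:
    """The decision for the hypothetical login form, using the sample clock."""
    return decide(verify, expected_action="login", expected_host="example.com", now=SAMPLE_NOW)


if __name__ == "__main__":
    for name, sample in [("human", SAMPLE_HUMAN), ("unsure", SAMPLE_UNSURE), ("low", SAMPLE_LOW),
                         ("replayed", SAMPLE_REPLAYED), ("wrong host", SAMPLE_WRONG_HOST),
                         ("stale", SAMPLE_STALE), ("duplicate", SAMPLE_DUPLICATE),
                         ("invalid", SAMPLE_INVALID), ("no token", None)]:
        print(f"{name:10s} -> {decide_login(sample).value}")
```

The middle band is the point: a site that hard-denies on a low score alone inherits every false positive complained about in this thread, so the score gates a step-up path that a blocked script or an unsupported browser can still complete. A deployment that takes the accessibility objections seriously sets deny_below to 0.0 and reserves DENY for tokens that fail verification outright.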

  • merb 7 years ago

    Especially on Firefox. Currently I tested uBlock on Chrome and I was done after the first image. On Firefox however with uBlock I sometimes needed to try it 2-3 times until it worked.

  • ucaetano 7 years ago

    Probably WAI.

    What is the incentive for the site owner to provide a streamlined experience to a user that will consume resources but intentionally prevent monetization?

    Not sure I agree with it, but it is obvious to expect that.

    • pwnna 7 years ago

      Hold on. Who says the sites using CAPTCHA are also the sites that have an ad based monetization model? The other day I was logging into newegg to order something and I was presented with reCAPTCHA, for which I had to solve 4-5 challenges before letting me through.

      Looking through the documentations for reCAPTCHA v3, it wants to load a script from Google's servers. As an end user I do not want Google to track me across the web, on other people's property. Thus I want to block this HTTP call. This discussion is pretty orthogonal to "Ad"block, given that all sorts of places have a CAPTCHA implementation.

      The cynical side of me thinks that Google's doing this such that a convenient side effect is crippling the user experience for those who use content blockers/custom user agents to impede its adoption. Even without a cynical motive, this side effect seems to be conveniently ignored, which hurts users. Suppose another non-ad based company were to create such a system, I'd imagine they would want to explicitly work around the problems of blockers/tracking such that the website owner can get a more "true" metric of "suspicious" users as this would likely lead to more sales/engagement/whatever.

      • stefkors 7 years ago

        YouTube doesn't seem to save settings like dark mode and languages (defaulting to my localized option instead of my set language) with ad block from Ghostery.

      • ucaetano 7 years ago

        > Who says the sites using CAPTCHA are also the sites that have an ad based monetization model?

        > The other day I was logging into newegg to order something

        Newegg uses ads.

        > As an end user I do not want Google to track me across the web

        Sure, and as a content provider, you might not want users who refuse to go through CAPTCHA. Nobody is forcing you to access the content.

        > the side effect seems to be conveniently ignored, which hurts users.

        It only hurts users that the content provider doesn't care about, because they don't generate any revenue.

        Again, regardless of agreeing with this or not, it is clear that those are the economic incentives at play.

        • pwnna 7 years ago

          >> The other day I was logging into newegg to order something

          > Newegg uses ads.

          That's not my point. We generally understand that newegg is there to sell you something. I was using it as a convenient example and perhaps a better one could be found. Just because they use ads does not invalidate my point there.

          From the HN guidelines: "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize."

          > as a content provider, you might not want users who refuse to go through CAPTCHA. Nobody is forcing you to access the content.

          Theoretically speaking, this is true. I can opt to simply close the page, turn off my computer, etc. However, it may not be practical to do this all the time. Some examples may be school/government institutions that you have to use deploying reCAPTCHA, or something like the CloudFlare pages that make you fill out a reCAPTCHA for each website (which amounts to a large part of the internet).

          > It only hurts users that the content provider doesn't care about, because they don't generate any revenue.

          Disagreed. Perhaps in cases with ad based sites that is the case. If you're selling something and preventing me to buy from you, you're hurting users that may generate revenue. You could say that perhaps the benefit is outweighed by the cost, which may be true from an abuse perspective. However, if everyone starts doing this, then my cynical view of Google will play out, which is the original point of my argument.

          It's clear there's an economic incentive at play, otherwise Google won't develop this and people wouldn't deploy this. I just think that it's overly favored towards Google (and other ad based entities), as opposed to sites that do not rely on ads and the users.

          • ucaetano 7 years ago

            > Theoretically speaking, this is true. I can opt to simply close the page, turn off my computer, etc. However, it may not be practical to do this all the time. Some examples may be school/government institutions that you have to use deploying reCAPTCHA, or something like the CloudFlare pages that make you fill out a reCAPTCHA for each website (which amounts to a large part of the internet).

            Sure, but what's your suggestion? Not using reCAPTCHA? Using one of those other crappy CAPTCHAs that impact far more users?

            reCAPTCHA seems to only impact a small number of users with adblock (which is largely a personal choice). Seems like a fair trade-off from the content provider's perspective.

            Again, what would be the economically-viable alternative?

            • pwnna 7 years ago

              I don't have a solution to the problem and I concur it is a difficult problem to solve. A sibling comment has pointed towards https://www.gov.uk/service-manual/technology/using-captchas, which doesn't have much enlightenment either.

              That said, I'm merely pointing out the problems I see in the current "solution":

              1. It is a very robotic approach to design a system: we end up treating human beings like numbers and thereby marginalizing the minority. After inconveniencing these people, we turn around and tell them: "just be normal" or "no you shouldn't think like this". If that's the type of society we would like to build, I think I have nothing else to say.

              2. It ultimately externalizes the cost of abuse detection to ads, which makes it very tempting for everyone to adopt it as it is "free". Even if a differently motivated entity solved this problem, I'm unsure if anyone would want to pay for it given how invisible the issues it causes are to the business (as you have pointed out). This may mean that what I pointed out in (1) will occur everywhere and I don't even think there's really a way to stop it from getting to the possible dystopia I see.

              Maybe I'm just over dramatizing this and I really hope that is the case.

ju-st 7 years ago

Sorry your citizen score is not high enough to access this website.

  • kevin_thibedeau 7 years ago

    NYPL pulls this bullshit if you're blocking scripts. Funnily enough, your IP gets whitelisted if you access the URL from a different browser.

    https://www.nypl.org/

  • candiodari 7 years ago

    That would be a government doing that (I wish we could say just one, but when it comes to restrictions based on "citizen status", it's really not just China), not Google, a private company.

    But the big point is Google is not the Chinese state. In fact, one might say, quite accurately, that they're not very friendly.

    • WorldMaker 7 years ago

      Private companies have had citizens before [1], it's not unreasonable to suggest they might have citizens again. (It's a common Cyberpunk trope to have corporate-controlled principalities replace nation-states. It's a common sci-fi trope in general to have places like space colonies run under corporate rule of the company that built them.)

      [1] https://en.wikipedia.org/wiki/Company_town

keehun 7 years ago

> Since reCAPTCHA v3 doesn't interrupt users, we recommend adding reCAPTCHA v3 to multiple pages.

Frictionless user interfaces are great, but could this be a ploy to get websites to add Google-property tracking JS on more pages?

  • candiodari 7 years ago

    ... in trade for a valuable service.

    I mean, you must hate cloud software if you've got problems with this. Surprise ! Almost all software, from steam to windows, to fusion360, to fastmail, to github, office, ... is cloud software. Just naming some random examples. All have the same problem, most without providing any service (hat off to fastmail and github though, who provide service, like Google, in trade for cloud. And poeh ! to MS, for having office be cloud software for no good reason whatsoever)

    • keehun 7 years ago

      I was just pointing out the fact that reCaptcha v2 was only on a few pages by design, and now Google wants us to put it on many pages. It's fundamentally changed its purpose from being a gatekeeper of spam/abuse on forms to a "Citizen Score" reporting "agency". I won't even engage with your troll-like point that I must hate cloud software.

    • majewsky 7 years ago

      It's still deceptive.

      German contract law has the notion of "unexpected clauses", especially for terms of services. Certain ToS clauses have been invalidated by courts even if the customer agrees to the contract that includes those ToS, because the clauses have been deemed "too unexpected". The basic idea is that people should not be expected to read the entire ToS before agreeing to them.

      To me, this is sort of the same: When I visit github.com, my mental model says that GitHub will know about this and be able to run scripts in my browser. However, it would be "unexpected" in this sense, and therefore IMO deceptive, that visiting github.com causes my browser to run code from google.com.

      • candiodari 7 years ago

        If this is how it works, enforcing this ... would end the web. How much thought was put into that ?

Kaveren 7 years ago

I use Firefox with maximum tracking protections and a VPN, so I'm first in line to claim frustration about being forced to solve reCAPTCHAs.

But on the other side, it needs to be understood just how important having a CAPTCHA is. The amount of destruction to user experience that bots can cause is sometimes far worse than the pain the CAPTCHA causes.

The long chains of reCAPTCHAs annoy me to no end, and I hope a middle ground can be reached, but bots are a very serious problem.

I do wonder if maybe computational challenges are a feasible alternative in some scenarios, or perhaps as an alternative choice you could give to the users.

  • sgillen 7 years ago

    What exactly do you mean by computational challenges? That seems like the exact kind of thing a bot would be much better at compared to a human.

    • Kaveren 7 years ago

      The idea is that you'd need to make the computational challenge more expensive to solve than any profit that success would have. This is what some DDoS protection services do (e.g. the "checking your browser" messages you might see).

      In some scenarios such as spam, the profit per bot action isn't high at all, so this might be feasible. If it's a ticket bot, that wouldn't work at all.

      Of course, you're hurting users without good devices, which just sucks.

      I haven't really thought too deep into the economics of this, I don't know if it'd work at all. Just a thought.

      Edit: Meant to include mobile in there, I don't know if this would or wouldn't work with this scheme for mid-end+ Android devices or iPhones.

      • wild_preference 7 years ago

        HashCash had the same idea and failed for the same reason: bad actors aren't using their own machines. They have access to the cheapest compute in the world: botnets and the compute of honest actors.

        Add in the mobile-device issue and you quite literally have a solution that's lose/lose.

    • robin_reala 7 years ago

      The thought is that a single user isn’t inconvenienced by a small amount of computational work to access a site, but a scraper is tarpitted into uselessness by it. Unfortunately this completely ignores the fact that the majority of site accesses are on battery power now.
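A hashcash-style proof-of-work challenge of the kind Kaveren and robin_reala describe above, written as an added example (it is not code from the thread or from any DDoS protection service). The SHA-256 leading-zero-bits rule, the function names and the difficulty values are my own choices; the point is that the server verifies with one hash while the client's expected work doubles per difficulty bit, which is what lets an operator price the challenge against the profit of an abusive action.

```python
"""Hashcash-style proof-of-work challenge (added example, not from the thread).

Server: issue a random challenge plus a difficulty (leading zero bits the
SHA-256 digest must have). Client: find a counter that satisfies it.
Server: verify with a single hash. Expected client cost is ~2**bits hashes.
"""
import hashlib
import os
import time

DIGEST_BITS = 256


def issue_challenge(difficulty_bits: int) -> dict:
    """Server side: a fresh random challenge with the required difficulty."""
    return {"challenge": os.urandom(16).hex(), "bits": difficulty_bits,
            "issued_at": time.time()}


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte digest."""
    return DIGEST_BITS - int.from_bytes(digest, "big").bit_length()


def _digest(challenge: str, counter: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()


def solve(challenge: str, bits: int, max_iterations: int = 1 << 32) -> int:
    """Client side: brute-force a counter; about 2**bits hashes on average."""
    for counter in range(max_iterations):
        if leading_zero_bits(_digest(challenge, counter)) >= bits:
            return counter
    raise RuntimeError("no solution within iteration budget")


def verify(challenge: str, bits: int, counter: int) -> bool:
    """Server side: one hash, whatever the difficulty."""
    return leading_zero_bits(_digest(challenge, counter)) >= bits


def expected_attempts(bits: int) -> int:
    """Mean number of hashes an honest client needs for a given difficulty."""
    return 1 << bits


def cost_table(seconds_per_hash: float, bits_range=range(8, 25, 4)) -> dict:
    """Expected client CPU seconds per solve at each difficulty, from a
    measured hash rate; the defender's side of the 'cost > profit' argument."""
    return {b: expected_attempts(b) * seconds_per_hash for b in bits_range}


if __name__ == "__main__":
    ch = issue_challenge(16)
    t0 = time.time()
    c = solve(ch["challenge"], ch["bits"])
    elapsed = time.time() - t0
    print("solved counter", c, "in", round(elapsed, 3), "s; valid:",
          verify(ch["challenge"], ch["bits"], c))
    print(cost_table(elapsed / max(c, 1)))
```

The cost table only prices an honest client's CPU; as the reply above notes, it says nothing about an attacker who is spending someone else's compute, and the same work lands on battery-powered devices.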

canadapups 7 years ago

While we hate Google for the privacy invasion in advertising, reCAPTCHA is one of the areas that is a definite positive. Google has the data and the unique position to make the web safer. I wish they did more.

Need to give them credit for fighting: hurting malicious websites by not sending them traffic, keeping search results relevant against SEO abuses, cutting down email spam effectiveness, ... and reCaptcha.

All of this becomes very relevant when you run your own online business like I do. You can lament that google knows you're shopping for a new car, but my users lose real dollars if a scammer gets on my website - and google provides the tools to combat this.

And, no you can't implement your own captcha. No matter how smart you think you are, you don't have the data that Google does.

superasn 7 years ago

Their recaptcha is broken and causes a lot of pain especially when you're on an ISP that may have had some bad apples (pretty common in India where ISPs don't care about spam or piracy). It's like the whole neighborhood is paying the price of someone else's crime and it feels like the digital version of being racially profiled.

Worst part is even after solving dozens of images (which keep refreshing by the way to no end) you still sometimes get a "we don't believe you're human" comment and no way to go forward.

Cloudflare and this recaptcha can really break the internet for some people, esp in small Indian cities.

  • avip 7 years ago

    I'd be surprised if recaptcha uses IP reputation. That being said, a classifier is not "broken" for introducing false-positives. If you read the post, you see that's one of the issues v3 tries to address.

    • superasn 7 years ago

      It certainly does use IP because switching from broadband to 4G (hotspot) fixed the issue even when I didn't clear the cache/cookies.

      The captcha is broken because at least in my case even after solving dozens of images (which keep refreshing now btw) it still can't be convinced I'm human.

zawerf 7 years ago

I got hit by "Distributed Spam Distraction" recently.

It works by having a bot sign up on thousands of websites at once with your email. The purpose is to flood your email with hundreds of welcome message emails every minute so you will miss the real security message emails (such as someone resetting your password).

What makes this attack so evil is that these are real sites you have to unsubscribe from individually after the attack is over. This includes many sites from countries without email unsubscribing laws. So to this day, I still get hundreds of emails every day from these sites who think I have signed up for their newsletter/product/etc.

I would not be against enforcing a captcha on every site out there just to prevent these kinds of attacks.

  • tinus_hn 7 years ago

    How would that be enforced if you can’t even enforce confirmed opt-in?

vtail 7 years ago

In addition to the problems already mentioned (Google collecting more data, Google making ad blocking harder), let me share another issue I have with this: Google is becoming a de-facto gate keeper to your website, turning bots away.

Do you get it? A company whose business model is based on their bots' ability to crawl the web will now have more power over other bots.

Brilliant.

ksangeelee 7 years ago

The language used seems alarmist, particularly given the extent to which Google use bots themselves.

For example, "the new way to stop bots", "alert you of suspicious traffic", "identify the pattern of attackers", "pages are being targeted by bots", "stay ahead of attackers and keep the Internet easy and safe to use (except for bots)"

Many companies have built valuable services by automating HTTP requests. One might even think that Google would like them to stop.

Two things that particularly worry me about this are a) encouraging sites to apply captchas to pages that have nothing to do with authentication and form inputs, and b) the hint of requiring two-factor authentication and phone numbers to proceed. [edit] will Google be offering to handle this on behalf of sites?

  • dotancohen 7 years ago

    > Many companies have built valuable services by automating HTTP requests. One might even think that Google would like them to stop.

    Exactly this. Note that reCaptcha v3 is meant to be placed on every page, not just forms, and returns a "bot score" which the site can use for any purpose. I can see any new web search engine being horribly muffled by the (mis)use of reCaptcha v3.
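Since the comment above turns on what a site does with the returned score, here is the server-side half as an added example (not code from the thread or from Google). It assumes the documented siteverify response shape (`success`, `score`, `action`, `hostname`, `error-codes`); the per-action thresholds, the placeholder hostnames and the sample responses are constructed. The checks it makes before trusting a score are the ones that matter: the token verified, it was minted for the action being handled (so a token from a low-stakes page cannot be replayed on login), and it was issued on your own hostname.

```python
"""Policy over a reCAPTCHA v3 assessment (added example, not from the thread).

Assumes the siteverify JSON fields success/score/action/hostname/error-codes.
Thresholds, hostnames and sample responses are constructed placeholders.
"""
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Assumed per-action thresholds: stricter where abuse costs more.
THRESHOLDS = {"login": 0.5, "signup": 0.7, "search": 0.3}
TRUSTED_HOSTS = {"example.org", "www.example.org"}  # placeholder hostnames


def fetch_assessment(secret: str, token: str, remote_ip: Optional[str] = None) -> dict:
    """Post the client token to siteverify and return the parsed JSON.
    Needs network access; not exercised offline."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    req = urllib.request.Request(SITEVERIFY_URL,
                                 data=urllib.parse.urlencode(data).encode())
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def decide(assessment: dict, expected_action: str,
           thresholds: dict = THRESHOLDS,
           trusted_hosts=TRUSTED_HOSTS) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'challenge' or 'deny'."""
    if not assessment.get("success"):
        codes = ",".join(assessment.get("error-codes", []))
        return "deny", f"token did not verify: {codes}"
    action = assessment.get("action")
    if action != expected_action:
        # A token minted for another page must not be accepted here.
        return "deny", f"action mismatch: token minted for {action!r}"
    host = assessment.get("hostname")
    if host not in trusted_hosts:
        return "deny", f"hostname {host!r} is not ours"
    score = float(assessment.get("score", 0.0))
    threshold = thresholds[expected_action]
    if score >= threshold:
        return "allow", f"score {score} >= {threshold}"
    if score >= threshold / 2:
        # Borderline: step up (email confirmation, rate limit) rather than block.
        return "challenge", f"score {score} below {threshold}, step up"
    return "deny", f"score {score} < {threshold}"


# Constructed sample responses in the siteverify shape.
SAMPLE_OK = {"success": True, "score": 0.9, "action": "login",
             "challenge_ts": "2018-10-29T12:00:00Z", "hostname": "example.org"}
SAMPLE_REPLAYED = {"success": True, "score": 0.9, "action": "search",
                   "challenge_ts": "2018-10-29T12:00:00Z", "hostname": "example.org"}
SAMPLE_LOW = {"success": True, "score": 0.1, "action": "signup",
              "challenge_ts": "2018-10-29T12:00:00Z", "hostname": "example.org"}
SAMPLE_BAD = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for name, sample, action in [("ok", SAMPLE_OK, "login"),
                                 ("replayed", SAMPLE_REPLAYED, "login"),
                                 ("low", SAMPLE_LOW, "signup"),
                                 ("bad", SAMPLE_BAD, "login")]:
        print(name, decide(sample, action))
```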

  • candiodari 7 years ago

    But you can't seriously expect site owners to just deal with the amount of spam bots can generate because it'd be 1% more equitable to users (that would be driven out by those very bots reCaptcha protects you from btw)

    And who pays for those costs ? Who eliminates the tons of spam posted ?

    • ksangeelee 7 years ago

      You seem to think that I'm against spam protection mechanisms, which I'm not. I am concerned that this will be used to 'protect' GET requests rather than POST requests, so to speak.

esotericn 7 years ago

Can someone explain to me why CAPTCHAs are used all over the place for sites that don't have user interactions?

I understand it for account creation. I understand it a bit less for login (seems like a lazy way of preventing automated attempts).

But for simply accessing a site? What gives?

I'm increasingly starting to find that only tech blogs, the odd big site I'm logged in on like Amazon, and sites like HN are usable lately, because anything else seems to require a 1 minute + gateway of CAPTCHA + GDPR + whatever else before I can actually get to the site.

Is it some way of filtering out users the sites don't want without expressly having a "403 Forbidden" or whatever?

brianolson 7 years ago

Slightly creepy, they want to track users around your site to see if they go page to page like a human or like a bot. (Instead of just checking before form-submit or some other action.) But if you already have Google Analytics you're probably not giving up any more information by adding this.

  • sli 7 years ago

    I can block GA with uMatrix and things continue to work.

    If I block this with uMatrix, I'm likely permanently gated from whatever I'm trying to access. If Gitlab updates, I won't be able to access my repos, because they (for some reason) make me solve a reCAPTCHA before doing anything on my own repos.

  • fotbr 7 years ago

    Great. That means that if you're after a specific piece of information, and you don't waste time clicking on "ooh shiney" stuff on your way to find that piece of information, you get flagged as a bot and treated as hostile.

    Why do we want this version of the web again?

    • wild_preference 7 years ago

      Abuse exists, so there is then demand to prevent it.

      Your anger would be better directed at the bad actors who ruin things for you, like how you need to buy a lock for your door. How much time in your life has been wasted by slotting a key into a hole? Ugh, doesn't anyone know this isn't the world I asked for?

      • rcMgD2BwE72F 7 years ago

        Gotta feed the machine right?

        Just so you know, the more you protect your privacy, the more websites, everywhere, will have Recaptcha require that you work for Waymo even though you do not want to work for them (you know, describing road signs, identifying potholes, finding traffic lights, etc).

        Want some privacy? OK, waste 2-3 minutes every 10 articles and work for Google. Don't want to work for Google? OK, disable all privacy protection and you're good to go.

        Paying a subscription to the website will, often, not even prevent Recaptcha from popping up.

        That's dystopia, both feet in, but somehow it's OK because some "guys" are abusing the system o_0

        • wild_preference 7 years ago

          I can enumerate why anything in the world is suboptimal. It's not a very strong point on its own.

          But notice that you haven't suggested an alternative. You're just lamenting one of the few, generalizable, cheap resources a website operator has to avoid abuse in a world where it's only getting easier and easier for bad actors.

          Your analysis is just as thorough as "but somehow it's OK to put locks on every door because some guys are abusing the system o_0?!" Food for thought: Is everyone encumbering their life with keychains for the fun of it? How do the trade-offs look? Do locks play any role beyond feeding the locksmith industry? What other options do people have and how do they compare with buying a $17 lock for their front door and installing it with a few screws?

          • rcMgD2BwE72F 7 years ago

            The alternative is simple: decentralize the Internet, regulate Google for abuse of dominant position. Its size and power make it completely unavoidable now and force users to work for them. One cannot have basic access to Internet websites and services without providing Google with personal data or working for them. If Google wasn't so big and did not collect/treat such a huge amount of personal data, we would have a choice between multiple providers.

            To read some articles, I am required to help Google improve its self driving company (Waymo, "identify cars in the pictures"), its OCR algo (Google Books, "write the two words"), its Maps service ("find house numbers" on Street View), etc. This free work makes Google increasingly competitive vs the alternatives, so Google can continue offering "free" services (like Recaptcha) and further compel users to work for them. You simply don't have a choice.

          • Wowfunhappy 7 years ago

            Is the current situation with reCaptcha v2 really all that bad?

      • 908087 7 years ago

        "Don't blame the police state for the random beatings you receive, blame the 'bad men' they're here to 'protect' you from!"

sleavey 7 years ago

Recaptcha is a horrible experience if you block tracking. Sometimes I fill in literally 10 pages of CAPTCHAs and it still can't work out if I am a bot or not. It's not even clear to me why having tracking cookies is even a sign that a client is not a bot.

singularity2001 7 years ago

Fidor Bank uses recaptcha. WTF, I don't want google to know when I access my bank!

lwansbrough 7 years ago

The interesting thing about this type of heuristic is you probably don’t need Google to do it for you. Does anyone know of any open source software that is capable of doing something like this?

jraph 7 years ago

I block Google domains on my main browser profile, and JavaScript by default.

I noticed if I encounter a recaptcha on a website, I just tend to abandon and seek information elsewhere. Last time I was presented with a recaptcha when setting a search filter on a website. No, thanks. This is too much of a pain to unblock everything and answer a recaptcha. I'll pass.

When I do answer a recaptcha in despair, this is a pain to do.

buremba 7 years ago

Let's say that we're a small startup and we need a reliable captcha service. What are the alternatives to using reCAPTCHA?

shampster 7 years ago

anyone remember the blog from the late 90s or maybe early 00s who just ripped apart every bespoke captcha that existed on major web sites? It was really entertaining/interesting/informative to me at the time. Can't find it anymore...

jeromebaek 7 years ago

Related: a guaranteed unbreakable captcha by Scott Aaronson. https://www.scottaaronson.com/writings/captcha.html

akerro 7 years ago

Any time I see their stupid image captcha to find all buses or shop fronts I immediately close the tab. It's never worth the effort of solving 5x image captcha to read some stupid website.

  • ryanmccullagh 7 years ago

    Is that the case for you, the captcha shows up when you’re browsing a website? For me, it shows up for my more essential services like logging into an e-commerce site, or my Stripe account. If you had no choice, what would you do?

Yetanfou 7 years ago

Another thing which can be gleaned from the progression of ReCAPTCHA from v1 - enter street names and house numbers into this box please - through v2 - identify images with street signs, shop fronts, buses, cars - to v3 - only Chrome/Firefox/Edge/Safari users welcome is that Google Maps (and related units) no longer needs ReCAPTCHA users to read those street names and house numbers as that task is now reliably performed by software, nor does it need help to separate shop fronts from normal facades or traffic signs from billboards. Now that these tasks can be handed over from mechanical Turks to the server farm ReCAPTCHA can be turned to other purposes like giving Chrome an extra boost.

zzo38computer 7 years ago

I don't like any version of recaptcha either. A server-side text-only CAPTCHA is better.

TekMol 7 years ago

What are the most common use cases for captchas?

What do HN users use them for?

alexnewman 7 years ago

What do we think about hcaptcha.com ?

  • roylez 7 years ago

    Just checked the website and it looks like a mimic with payout. I hate them all the same no matter whether I am asked to click on all the buses or cats.

3stax 7 years ago

I really thought they would realise how fucking stupid this was and roll it back, but I guess they really don't care at all. I feel sorry for anyone who has opted out of the Google ecosystem so far and is now going to be penalised by not being able to access many websites.

  • candiodari 7 years ago

    The problem with this reasoning is the alternative. If there was no reCaptcha but a low-quality broken captcha (like almost all of them), you would not be visiting those sites. They'd all be the sort of abomination that ebay is these days.

    BUY ! BUY ! BUY ! Penis enlargement pills ... sorry to put it bluntly, but it's either that or reCaptcha.
