> According to two security researchers who’ve studied reCaptcha, one of the ways that Google determines whether you’re a malicious user or not is whether you already have a Google cookie installed on your browser. It’s the same cookie that allows you to open new tabs in your browser and not have to re-log in to your Google account every time.
I try to never be logged into my google account as a matter of principle. Maybe I'm just fooling myself thinking this will make tracking me more difficult.
I get .7 on my iPhone, I’m guessing that my liberal use of Firefox containers and the cookie auto-delete extension on my desktop will give me a much lower score and cause me to have to jump through extra hoops at websites that implement it, just like the reCaptcha V2 does.
Edit: I also got 0.7 on Firefox with strict content blocking (which is supposed to block fingerprinters), uBlock Origin, and Cookie AutoDelete. I get 0.9 from a container which is logged into Google.
I get a 0.7 on my computer on Firefox. If I use the same website in Chrome (which is signed into a Google account) I get a 0.9. I guess it's a [0,1] scale?
I'm guessing their a-listers came up with something like this:
// TODO: add impressive-looking math
if (signedin && trackedEverywhere) {
return 0.9
} else {
return 0.7
}
I think we give Google way too much credit for their talent. This is the same company that didn't feel like finishing their website for two decades and subsequently stole $75 million from their users even when Google knew [1].
The same company that somehow still doesn't reconcile amounts owed and just keeps the money when they randomly-ban users and hide behind fake support emails, but they did feel like paying $11 million to keep that away from scrutiny [2].
If I sign out of my google account in Chrome it drops from 0.9 to 0.7.
I could have sworn I'd never signed in to Chrome using my google account, but I guess I must have mistakenly signed in to gmail or something.
I use FF as my main browser, only ever drop back to Chrome sporadically, or when I really want tabs to be completely isolated (there are some annoyingly CPU/power intensive stuff I do from time to time, and I can just renice Chrome while I get on with other stuff.)
That was the last straw to uninstall Chrome from all my devices and I've been a happy Firefox user ever since. Well, except now reCAPTCHA hardly ever works.
Google consistently gives me the impression of a company that (I suppose) has tons of smart people in it, but has badly broken management & incentive structures leading them to constantly do bafflingly stupid stuff at both large and small scales, even by the standards of a bigcorp, to the point that they survive only because they've got one hell of a golden goose.
And in keeping with recent revelations on Google's manipulation of search results, I think they have really gone beyond the pale. I un-archived my old iPhone two days ago and went back to iOS after the James O'Keefe/Project Veritas revelations. I now cannot, in good conscience, use anything Google. I always knew about the tracking and all that because, after all, they are an ad company. I'm now in the process of moving all of my domains over to Fastmail, which I've used since 2002. I'm using Qwant, Startpage, and DDG for search. FF for browser with many about:config tweaks and several add-ons.
Please explain. Even without the revelations from PV, it's patently obvious Google, et al are biased. Anyone can see it. Silicon Valley is a bloody echo chamber. If the videos by PV were not damning in the least, why did 4 different companies take them down and remove the accounts of PV?
Sunlight is the very best disinfectant. People have a right to know if searches are being manipulated to one side.
The GP post's IP address or other fingerprint may be validated from other Google properties they might have visited, so I wouldn't put so much stock in the 0.7.
Honestly... if it's the same team that did ReCaptcha 2.0, this is a team that pulls out all the stops. Per https://github.com/neuroradiology/InsideReCaptcha ... they implemented a freaking VM in Javascript to obfuscate the code that combines various signals. There's a lot going on here that's likely highly obfuscated and quantized before it's displayed to us.
I get 0.1 continuously, possibly because I have resist fingerprinting enabled in Firefox. I'm not changing anything to compensate that score; it shows I must be doing something right. If I encounter a reCAPTCHA I will continue to (usually) just leave the site it's on.
Hitting the same URL over and over again is bot-like behaviour. When working with reCaptcha on forms I usually start getting hit after 4-5 test submissions.
With Firefox fingerprint resisting turned on and with Ublock Origin/UMatrix, I get a score of 0.1. And I'm not even on a VPN; I'm sure on my home network I'd have an even lower score.
To me, it feels like Google's entire strategy behind reCaptcha is to make it harder to protect your privacy. We've basically given up on the idea that there are tasks only humans can do, and to me V3 feels like Google openly saying, "You know how we can prove you're not a robot? Because we literally know exactly who you are." I don't even know if it should be called a captcha -- it feels like it's just identity verification.
I don't think this is an acceptable tradeoff. I know that when reCaptcha shows up on HN there's often a crowd that says, "but how else can we block bots?" I'm gonna draw a personal line in the sand and say that I think protecting privacy is more important than stopping bots. If your website can't stop bots without violating my privacy, then I'm starting to feel like I might be on the bots' side.
I get the exact same score no matter what browser I use, despite uBlock Origin & Privacy Badger & Decentraleyes, even in private mode and with a VPN connection from a country I normally don't use. Hmmmmm...
When I just keep reloading, I get either 0.9 or 0.1. I get 0.1 more often. Interesting.
Maybe some browser extension can monitor the score and tell me what it currently is on each page load, when reCaptcha is used on some website. I'd just keep reloading, until it's good, and then try the captcha.
> it feels like Google's entire strategy behind reCaptcha is to make it harder to protect your privacy
For the irony, I'm still logged into GMail and it still works perfectly, as basic HTML, even with google.com forbidden to run scripts. But it's the flippin' reCaptchas all over the place that make me temp-allow google.com, and then a reload later, temp-allow gstatic.com and reload again. Only then I get to use someone else's site normally, and I can disallow again... it's irritating. And then, this.
BTW that page plainly says the scores are samples and not related to reality. Refresh a few times and watch it change. 0.3, 0.7, and 0.9 seem to be my lucky numbers. I see everyone else getting those and 0.1.
Please stop reading things into it oh it's too late. Maybe they suddenly started seeing this page hundreds of times in the referrer and added that bit afterward, I don't know.
Dunno if it's changed recently or if I just didn't refresh enough before, but I'm now seeing basically random numbers as well.
If anyone wants a fun weekend project, I would love for there to be a few public sites I can reliably check my production score on.
I'm not sure it matters though, since I'm just ignoring most sites that use reCaptcha now. For sites I can't ignore, I've taken to emailing them with my requests instead -- recently I tried to use Spotify's internal data export tool and it wouldn't let me past. If you're not going to let me use a website to manage my existing account, then your support team can do it for me.
Your privacy isn't nearly as important as you think, and as long as you continue to overvalue it, you'll continue to be unwilling to trade it for convenience.
First try in Vivaldi's private mode got me still a 0.3 . Then I tested it while being logged into Google and it went to 0.9 . However, when I tried it again in private mode, I got 0.9 there too. Temporary fingerprints show quite the effect.
It didn't load for me and I couldn't figure out why.
Then I remembered that I put this in my /etc/hosts a few weeks ago and forgot about it.
127.0.0.1 google.com
127.0.0.1 www.google.com
[Edit] So if nothing shows up for you on that page, check for that. Also I just generally recommend it. Google has some unethical practices and duckduckgo.com is pretty good.
I too got 0.1 even though I'm not on a VPN, and have a stock FF installation with just uBlock addon. I think my ISP may have some part in it but still 0.1 score is 100% bot right?
I'm also logged into google and fb which also doesn't affect my score. Only shows how broken their algorithm is :(
edit: just tried it with chrome and my score jumped to 0.9! So definitely not my ISP. It's just my browser that Recaptcha doesn't like. If you put two and two together that's really evil shit, even for Google!
Really? I don't think so. I get a 0.9 on Google Chrome, and a 0.7 on Firefox. I heavily use Chrome and I have not used Firefox apart from maybe testing some local websites. Despite this I still got 0.7 on there. I expected lower since I don't use the browser.
I was being sarcastic - high score on captcha probably means G knows too much about you. That said, I don't think the scores are reliable. It is possible (probable even) that G is still running experiments.
interesting my score is 0.9 if I allowed google to track me using cookies, if I block the cookies it goes to 0.7 and if I enable content blocking in Firefox it drops to 0.1
What is most odd is I get 0.7 on iOS Safari which I use for 100% of my purposeful mobile browsing, but I get .9 on iOS Chrome, which is only used when I accidentally click on links from gmail (so very, very rarely).
Not really odd at all - if you're using the gmail app, there's a shared authentication cookie in all Google apps - including Chrome, so Google knows who you are in Chrome.
On FireFox with uBlock on and logged into my corporate gmail I get 0.9, switching to a private tab I get 0.7. This is with every privacy setting turned on in the FF options.
This looks like a RNG: I got 0.7, 0.9, and 0.1 successively. It can't make up its mind whether I'm almost certainly not a bot (0.9) or almost certainly a bot (0.1)?
Might very well be. I also get errors on hacker news about "can't process requests that fast". When asking about it (initially because I thought votes didn't work randomly), the limit is a few requests per second. Turns out I click faster than that, either by reading a whole comment thread and making up my mind whose comments were most helpful (to upvote all at once) or by navigating too fast.
That would be a useless site, but that's not how I read it. I understand it as "this is not that Google thinks your account is a bot, it's that this request might be made by a bot. And since you didn't use this site as a normal website, it also doesn't score your type of traffic, just this one request". You might be right, but it really does seem to be doing a request to their API.
Documenting requests' format and their return values is documentation and doesn't require an interactive site that looks totally real and makes you expect a real (rather than a dummy) answer. Which is not to say it's impossible, but it would be weird/unlikely. Usually when there is an example api request in documentation, it's a real (live) request, too, and this isn't even a documentation page.
Come on, how is everyone in this chain so blind. It's literally in bold and the single largest block of content on the page:
NOTE:This is a sample implementation, the score returned here is not a reflection on your Google account or type of traffic. In production, refer to the distribution of scores shown in your admin interface and adjust your own threshold accordingly. Do not raise issues regarding the score you see here.
I get .9 in Firefox on my MBP with UBlock Origin installed. I wondered if it was because I was logged in to Google, so I tried Incognito and got .7. In a never-before-used container I also get .7.
Seeing what everyone else has posted I'm very suprised that I've received a 0.3 using Chrome on Android. I'm logged in to Google and most of my browsing is via Chrome or Chrome based webview. At least on my phone I've never cleared my cookies or done anything special.
I got 0.7 on FF, 0.3 on Opera and Chrome, all in incognito mode.
Maybe they have just a few values and return it based on AND OR logic of 2-4 variable.
Or maybe they are just playing around trying to gather some stats, for some "Don't be Evil" purpose!
Contrary to the results here, using Firefox + uBlock with DNT and tracking protection enabled, I get a score of 0.9. In private browsing mode it's 0.7.
I wonder how many people here are using a VPN or accessing from a non-western country -- I'd bet those are much bigger factors
Stock Qutebrowser 0.7, FF w/ all the usual extensions (ublock origin) 0.7. Don't know if it matters but I'm rolling Arch. Just adding another point of data for those curious.
With desktop Chrome I get a 0.3. My browser sends Do Not Track, has PrivacyBadger extension, and has that useless google-profile-in-the-browser feature disabled.
Google is putting a number on us, is honestly some Minority Report level dystopia. Google is already using this to make life hell for anyone who cares about their privacy, we need to do something about this before they finish putting up their iron curtain over the web. Would it be possible to sue website owners for requiring such invasive measures? I'd love to see this ruled as monopoly power and Google broken up but that's probably not very realistic so we would probably do better to make using Google captchas more expensive in court costs alone than just building their own solutions to fight bots.
So, I still have to whitelist Google in uMatrix and allow cookies for this to work. Even after doing so, I get a 0.1. I reloaded the page to check for variation as some other users mentioned but get the same score each time. I guess Google is saying I shouldn't be allowed to use the internet.
This is total bullshit. My score of 0.1 in firefox shoots up to 0.9 if I change my user agent to ChromeOS. No other changes - same set of ghostery/ad blocker/fingerprinting prevention, etc. What a scam.
Ding ding ding ding, Google's way of killing the other browsers in the market for good, kill off the adblockers manifest, literally become the entity which monitors the internet as much as the NSA...
I get score of .7 in Safari. .3 in Chrome if not logged in/paused, but a .9 if logged in. Always hate that in non-logged in chrome browsers I have to fill out those picture questions a 100 times seemingly endlessly.
Google's captcha system is overkill for most websites. If I want to filter out bad actors (on a simple straight-forward site), there are other more simpler and easier to solve captcha systems out there. They might not have the rigour of Google's system, but they do the job, and well.
I would however use Google's system if the site is massive and there is the possibility that someone is using a script or some program to algorithmically bypass the (simple) captcha, and register accounts en-masse and trying to create a psyop[0], or disinformation campaign, or even a sockpuppet army.
There are diminishing returns once a CAPTCHA gets past a certain point. Bad actors can (and do) just humans to fill out captchas all day. We get some spam submissions on our sites that I'm 99.9% certain are people in developing countries copy/pasting spam templates and filling out captchas by hand.
I disagree. Adding Google's captcha is a 15 minute exercise. If i remember correctly, you copy/paste a snippet then add a callback in your own code. Whereas rolling your own captcha implementation would take much longer and be worse.
And it is this very convenience that has countless sites using it. As I said, there are other systems which are just as easy to implement as Google's and which are not overkill and also more privacy friendly (Google's CAPTCHA is known to fingerprint the user using heuristics like mouse movements, screen resolution, etc).
There are many easy to use libraries specific to different languages(like https://www.phpcaptcha.org/ for php) and frameworks. These are not as secure as recaptcha, but in most cases does the trick.
There are also services similar to recaptcha like solve media and hcaptcha. I believe hcaptcha is a drop-in replacement(https://hcaptcha.com/docs).
> trying to create a psyop[0], or disinformation campaign, or even a sockpuppet army
That's not a viable reason. Anyone doing so is going to have a budget and human reCAPTCHA solving is less than $0.01 per CAPTCHA. It costs very little for mass account creation, reCAPTCHA or not.
The other tradeoff is you're giving Google an extraordinary amount of power to decide who is allowed and not allowed on your website with no transparency on how this decision was made. Not sure what company is willing to blindly trust Google with that power.
Plenty of small companies/private website owners might make a simple cost/benefit calculation - 15% less users but in return X reduced false accounts/traffic/...
What is there to regulate? Bots are already illegal and "the market" has decided it does care, which is why reCAPTCHA exists and is widely used. Those companies aren't rejecting legitimate users/customers out of spite.
The last thing the internet needs is "government regulation". If that were to happen, you could kiss everything you love about the internet goodbye. Governments do a horrible job regulating basically everything else other than critical, necessary services, and the jury is still out even on that one. Why would they suddenly do such a better job regulating something we're still all trying to figure out?
Unfortunately, the answer is (basically) all of them. Combined with CloudFlare, even websites that aren't explicitly making that decision are still opting their users into both CloudFlare and Google's tracking.
I use Tor fairly regularly and it's a complete nightmare. I sometimes spend 5-15 minutes solving reCAPTCHA (since your Tor circuit changes every 10 minutes this can result in having to solve the reCAPTCHA several times).
I can't help but wonder if that's because of the nearly unique user-agent-string + user-agent-feature-detection combination, allowing it to identify you as belonging to a very small group of people.
1. Download Tor Browser Bundle
2. Connect to the Tor network
3. Download a user-agent switcher in the plugin store in TBB
4. Change user-agent to "windows, chrome"
> It’s great for security—but not so great for your privacy.
For individual users, security and privacy frequently go hand-in-hand. But for site operators, user privacy makes security a lot harder. The more you know about a user, the easier it is to figure out if they're an adversary.
add this to the list of how Google's open source engines work!
ex how they treat captcha in other browsers ( easier captcha/validations for chrome users and beating the crap out of Firefox users)
There are a lot of sites that are totally unusable on Firefox regardless how much you use ff.
I do all my mobile browsing on FF yet when I try to use some websites I always get this Recaptcha failed error(1) while it works flawlessly on chrome though I never use it often. Try it, maybe it will happen for you too.
Same happens on most sites which show you that "checking your browser" page via cloudflare too.
The web is very unusable unless you're using chrome because of such antics.
I have the same experience, some pages don't work on FF but fine on Chrome. I like to apply Occam's Razor, but with so many users it seems to me as if that's either by design, or certainly there is little desire to fix the issue.
Worst part is my chrome installation is 100% fresh with no browsing history and FF has cookies and history older than an year ago.. still google trusts Chrome more than FF?
The signals aren't documented (for obvious reasons), but I'd be surprised if Google Analytics were a signal. These things are usually kept separate, and Analytics is a lot less user-specific under GDPR as the anonymizeIP flag is now very common.
That said, I've no evidence one way or the other!
My understanding is that it comes down to information they can read about your browser (does this look like a bot environment?), and heuristically how the user has behaved since the JS has been loaded (mouse movements, time between actions, etc).
I'm not sure what the link is meant to show, but "cookies on the page" is very different than the years worth of user history and cookies that GP mentioned.
If they looked for identifying information in cookies or browsing history people would be even more upset and spammers would just simulate it with browser bots... which is why I believe it takes a black box approach to each detection regardless of external state. Besides obviously the cookies set within the iframe of the recatcha.
This of course doesn’t help explain why Firefox is so heavily targeted by what’s supposed to be a neutral utility like Google Analytics...
I've heard that being signed into your Google account can make the challenges simpler, presumably reducing things like the noise and the slow-fade load animations.
That too could be isolated to a single reCAPTCHA session, keeping within the scope of a single iframe or page load.
The idea of tracking your history across multiple reCAPTCHA loads across multiple domains to build a user profile is what sounds like a giant privacy red flag, even though it's entirely possible given the current implementation.
Additionally asking hosts to include JS directly onto their domain which sets 3rd party cookies/data across every page in addition to tracking referring domains is equally a bad idea. reCAPTCHA 2/3 does require loading 3rd party JS directly on page, which I'd imagine is necessary to create callbacks in the frontend upon verification (as iframe content messaging is very awkward):
Ideally the JS simply loads an iframe of the captcha HTML and handles the callbacks from events in the iframe. That's it. It shouldn't be touching anything else on your website. I'd be curious to see a reverse engineering to see how much the JS really does...
I know if I was running a mechanical turk or bot farm, I'd be using a Chrome user agent via puppeteer. I'm not sure WTF they are doing other than being malicious against non-chrome.
It's even worse when you're running a VPN (especially one of the major public ones).
When I see reCAPTCHA I basically give up as sometimes I have to go through 6 or 7 full sets to be let into a site. It's the evil of the internet this.
reCAPTCHA on VPN is difficult, but on the Tor network, they are downright impossible. I've never been able to get past it, even after a few dozen painful attempts. That means Google services are entirely off-limits over Tor, even Search, which is a disgrace.
I'm assuming you are not logged into a Google account during this? What happens if you create a throwaway Google account while on Tor? Or is that also impossible?
I find they don't want a phone number if you sign up to youtube and opt to create a new gmail address instead of providing an existing email addr. Whether this works consistently, though ...
> That means Google services are entirely off-limits over Tor
If only it was Google services alone. CloudFlare loves serving up a ReCAPTCHA for Tor users before they can even passively read site contents. That hugely expands the damage done.
Install the PrivacyPass Firefox or Chrome extension. It was developed by Cloudflare, Firefox, and Tor in partnership. It has you answer a ReCAPTCHA and using some crypto magic, generate a bunch of CAPTCHA bypass tokens that can't be traced to your specific computer.
The plugin requires "privacy passes". Those passes can be obtained by solving captchas, but when trying to do so, one is greeted with this message about being blocked: https://i.imgur.com/qXJfl6J.png
This sort of breaks tor though, doesn't it? Tor works really well if you stay on the same circuit for a while since it reduces the chances you have a compromised circuit. If you start getting recaptcha to block every exit node except those you control, you essentially have amplified your effective strength on the tor network.
This sounds pretty good, but you still have to pass a captcha in order to get a pass, and sometimes that is impossible (or at least I just give up because I lost interest after 20 puzzles).
If it was developed in conjunction with Tor, how come it doesn't come bundled with the Tor browser or Tails?
So if you're running the wrong combination of addons/VPNs/browser you're denied access to half the web because Big G says so? And now they're aggressively pushing sysadmins to install silent data harvesting scripts on every page of their sites? WTF more will it take to get people interested in breaking up these monopolies?
From what I've seen (and most of it's anecdotal) things do appear to be changing. There are already people who won't go anywhere near Facebook now for personal ethical reasons, and even concerns that it might hurt future career prospects.
Tor users don't want to be running reCAPTCHA at all. There's a few privacy problems for people who run that or other ambitious cross-site snooping. Usual stuff (requests, cookies, JS fingerprinting, etc.), behavioral fingerprinting, and very detailed monitoring of what information you were accessing/reading and possibly even entering.
>You can hardly blame anyone for blocking Tor traffic.
Yes I can and do. It's bad enough that some websites won't let you do certain things over Tor, but preventing access to the website entirely is unacceptable. I made this account and comment entirely over Tor.
I don't see how it's okay to block Tor. That generic claim is made, but how are your spam measures doing if you couldn't handle Tor spam?
>You might not be using it for abuse but a large volume of abuse originates from it.
There is infinitely more ''abuse'' coming from Google, and yet it seems most every page I visit contains Google malware.
On principle, I hold the idea that Tor should be a first-class citizen and not disadvantaged in any way. Notice that Google's ''HTTP/3'' is over UDP, which Tor doesn't work with; I don't find that a coincidence.
> like all IP addresses that connect to our network, we check the requests that they make and assign a threat score to the IP. Unfortunately, since such a high percentage of requests that are coming from the Tor network are malicious, the IPs of the Tor exit nodes often have a very high threat score.
Somehow I doubt most Tor users are really just in it for privacy for general browsing, especially since it's so slow and limited. You can get a VPN for that. Unless you're a total privacy purist, there's not much incentive to use Tor unless you're buying drugs/something else illegal or just curious to look around the dark web.
Tor is slow if you're used to browse with a 50 MB internet connection speed.
My own connection doesn't go over 1.6MB download speed, and only if the weather is clear and I have the wind in the back.
You can now achieve a 500KB or more speed in most Tor connection, which is enough to have a confortable browsing experience, imo.
The real downside is the google captcha, which happens sometimes to even denie you to solve a captcha in the first place for web pages where there is no user input.
Tor is free with no signup / cc required. This makes a huge difference, especially for younger users. Did for me back then, at least.
Initially it was slow, yes. But totally fine the last few years for normal browsing and reasonable downloads. Speedtest.net, speedtest.googlefiber & fast.com just now gave me 5, 6 & 10Mbps for whatever server in Ghana i got. Only the high ping causes loading times to still be a bit annoying.
But right now the biggest reason not to use Tor for anything "legit" is the many services blocking you, since indeed most current Tor users are not what those services want and the race to the bottom of Tor will continue, if we haven't reached it already.
> "If you have a Google account it’s more likely you are human"
So, in the future if we don't keep signed into our google account(and let google know every article we read and every website we browse), we'll be cut off from the half of the internet or even more.
The amount of control a handful of companies have over the internet is suffocating to know!
Funny enough I had to wait on the 5 second Cloudflare check to access that image. However I am using Chrome. That check I have found to be rather annoying. I assumed it would do it once, but it seems I have to go through it daily on sites I use regardless of which browser or device I use.
Same with Brave: I'm logged in into a gmail account and a custom domain hosted on gmail, yet every time there's a reCAPTCHA widget on the site, I have to do it 2 or 3 times before I'm let in.
One trick that seems to help fool that awful piece of tech: click slowly on the images, as if you were thinking a second or two before each click. Maybe click a wrong image and deselect it again. In other words, behave like a slow human, and it seems to work better than if I solve it as quickly as possible.
I also have the feeling that making mistakes — selecting an image that looks like a traffic light but isn’t — sometimes results in faster admittance than being surgically accurate.
Again, being slower and more error prone seems to be rewarded.
I don't even know what the right answer is in a lot of cases. There's a bit of the traffic light casing at the edge of a square, does that count as a traffic light, or only the lamp itself?
I prefer to see the silver lining in this. If Google wants to break the web for Firefox, fine. I'll keep using (and evangelising) FF, and the sites that are broken won't get FF traffic. I believe that FF is doing the right thing far users, and Google, while in a powerful position is currently on the losing side of history with respect to privacy. Apple is taking that fight to them, and putting budget behind inte convincing average internet users that privacy is cool, and Google abuses your privacy.
The walled garden approach worked for a while for Microsoft, and it's working for now for Google, but eventually, it stops working. Once people leave, walled gardens keep them away.
Only the majority of the Internet isn't a walled garden is it? It's more like a minefield because you don't know whether a site is going to use recaptcha and block/hinder your access.
You can't just opt out of using half the Internet because you value privacy, and nor should you have to. This requires legislation to stop.
As long as government sites don’t use it, it’s fine. You don’t need legislation for every single offense, perceived or otherwise. If you don’t like ReCaptcha, block it with an ad blocker and if a site requires it, don’t use it and let them know why. Also let all your friends and random strangers on the internet know why.
That's odd. I never had issues with it on Firefox. Most of the time I just check the box and it's happy, sometimes I have to do an image puzzle. And that's with ublock origin. Maybe it depends on country or isp? My work place has its own /16.
Other than the occasional reCAPTCHA gaslighting (which does occasionally block some service if it gates logins behind it) that we're all familiar with, I have completely excised Chrome from my life and am able to go to most any website without issue. That's with uBO and Privacy Badger running
Wouldn't reCaptcha V3 also make things much more difficult for Google competitors, assuming that site owners place it on every page? I'm guessing it will block any sort of scraper (since scraper access patterns don't look human) with some sort of whitelist for Google's scrapers.
They typically won't completely deny access, but only disallow certain actions (posting a comment etc). All out denying access will likely get site owners into trouble, at least in the EU - you need to be able to access privacy information, publisher info etc. I'm also not sure whether non-opt-in usage of recaptchav3 is GDPR compliant.
I hate the v3 reCAPTCHA. On FF, I usually KNOW I am answering correctly and it says I failed. I always have to go through it multiple times. It's maddening. It often leaves me second guessing myself... is that sliver of car counted? is a crossing signal a street light? What about those streetlights way off in the distance, do I select those two in addition to the ones front and center? That RV looks sort of like a bus, should I select that too?
It's not really about getting the questions right. The challenges they present aren't that hard for modern computer vision systems. It's more about verifying that you consider the question for a "human" amount of time, make your mouse move like a human might, etc.
Captchas are hell on the blind and vision impaired. There are add-ons for this, but they mostly suck. Things like Webvisum exist but they are invite only.
You're thinking too hard, reCAPTCHA is made for regular users who won't sit there thinking if they're right or not. I always make sure to select a few wrong squares out of principle and after 6 or 7 attempts I'm usually allowed into whatever site I was visiting. Nobody knows the exact algorithm, so trying to please it, or worse - agonising that you answered wrong - is completely foolish. Just click a few squares that seem right and roll the dice. Beating yourself over not solving reCAPTCHA correctly makes the terrorists win.
I intentionally get a few wrong (to subvert their harvesting of manually labeled training data).
It still either lets me through, or doesn’t even manage to display images for me to click on because it doesn’t like my browser settings. (The latter is more common than the former these days...)
I wonder how much legitimate traffic bounces because of reCaptcha. Can sites even measure this?
Disabling browser API that adblockers/privacy protectors use. Fingerprinting users with adds at stackowerflow. Now collect information how user navigate webpage. This is a scary trend.
And I am not speaking here about how Android and Android apps (which is allowed by Google) track users.
So this is probably a bit off topic, but why don't more site owners just create their own unique anti-spam system? In my opinion, if they were simpler, yet all unique, there would be less bots that could mass spam and privacy would be improved.
Even something as simple as a question: "How many legs does a spider have?" ____
And then cycle through different types of free form questions of things that most people should know. Perhaps block the IP after {n} failed attempts for an hour.
One possible reason: the site owners nowadays use the likes of Foursquare/wix/whatnot which means reCaptcha etc are just a checkbox item. Custom anti-spam may be beyond their technical capabilities or interest levels.
Most sites use reCAPTCHA to protect against bot registrations, sometimes targeted to their specific registration system. Any simple solution would defeat the purpose of a CAPTCHA.
Would it though? If each system was unique and rotated through different types of challenges, the bot would have to be custom tailored to handle every challenge type.
i.e. free form questions, count the gray dots (vision impaired friendly), math questions, play tic-tac-toe and get a stalemate, ascii hang-man ... I could think of hundreds of different challenges. The bot would have to constantly adapt and the bot developer would have to really love puzzles. The bot consumers would have to update constantly and would have to learn all the challenges of each site owner.
As a bonus, google the all knowing, is less knowing and no longer a gate-keeper.
I would be honored to help them feed their families. It would be a fun game of cat and mouse. Based on discussions here, it sounds like people have already automated Google captcha. I will go ahead and work on a few of my own and see what happens.
Looks like you have a great business plan at hand. Beat Google with a potentially superior product and help employ some people in developing countries!
Yeah, but you won't build a business on that, you'll add GPS trackers, make renters show you their drivers licenses etc. A captcha isn't "wrong" in general in my mind, it's just not something you add and you're all done, and it shouldn't be your first line of defense. It can be part of a multi-pronged anti-abuse strategy, but it's a very tricky part: it doesn't offer a lot of protection but creates a lot of friction for actual, legit users. Running a DNA test on somebody can be a good way to verify their identity. But asking for their ID card and looking at the picture is a lot quicker, cheaper and less intrusive.
I don't see captchas a lot, because I'm not frequenting sites that use them. A friend of mine apparently does, so often that he pays for a captcha solver while he's sitting in front of his computer. He just can't be bothered to play Google's mind games, so he'd rather pay a few cents a day to not deal with it.
We've come to the point where humans are paying for services that were created for bots so they can bypass technological hurdles that were meant to tell humans from bots.
This is the answer. It seems that most website owners are somehow super scared of a targeted attack, since it is indeed trivial to bypass (and they realize that), even if nobody will take the time.
I've heard stories from people that own small sites and still have someone targeting the site with custom scripts, but never anyone I know (not even a friend of a friend, only ever random people on the internet). But there is also the (much larger, from what I can tell) group of people that never had these issues. But people don't like risks, and installing a tracking captcha from google is made very easy. "Everyone does it, that ought to work!" (Meanwhile I hear of a 90% success rate from a recaptcha browser plugin, but who cares about that right?)
I've had received attacks from custom scripts to post spam in a blog that nobody read. I changed my custom robots tests a couple of times, and each time it took a few days for the bots to adapt. At the end I removed the comments section, so there was nothing to attack.
This is exactly the kind of story I'm taking about. I'm sorry about your experience, I don't doubt that you're real, but this is the kind of confirmation/hindsight bias that makes people misjudge risks. I expect you are an outlier, but I have no idea.
Might be interesting to poll random people that have websites with <100 unique visitors a month for this sort of thing to get us any sort of idea of how necessary an invasive CAPTCHA like Google's is.
XRumer (forum spamming) software had a feature over a decade ago that would reload a /register page on different proxies to generate a list of these sorts of questions. You'd run it for a moment, feed an answer for each question into XRumer, and then continue on your merry spammy way.
These ReCaptcha topics on HN really illuminate how few people have dealt with any real spam, much less targeted human or botnet attacks.
Can you teach it to play hangman? I'm thinking about digging out and dusting off my old perl cgi games. It might even keep humans out that don't have my sense of humor.
Forum software like vBulletin and Invision often has this feature built in, and I've used it on a forum I help run. Unfortunately, after writing four or five custom questions, I soon found server logs showing spam bots blowing through the questions in seconds -- I suspect that since this is a common enough strategy, it's worth their time to pay someone $0.10 to pick the correct answer, then save the question and answer pair in a database somewhere for future use.
I don't remember what forum software it was, but they'd render a number or word using all periods (kind of like ASCII art) and ask you to enter it in a text field. I wonder how well that worked.
Here is a rough silly first pass using figlet. [1] It just displays a word. Next I need to accept a post of that word and do something. Maybe another version will use a game.
Smells a lot like using Google's virtual monopoly on bot detection as a way to push users into using one of their other products. Likely not a wise idea when the government is itching for an excuse to bring an antitrust case against you.
Google is trying to kill the competition by purposely introducing weird bugs here and there, taking advantage of the fact that they own the most visited sites on the web.
I guess another question is why we really need captchas. What are we trying to protect against that can't be accomplished with rate limits, voting systems, or other ways to regulate meaningful use of a website?
Ultimately why does it matter if the user is a human or bot, as long as they are being a valuable user? What's wrong if a bot buys some of your inventory, pays for it and everything? What's wrong if an NLP bot responds to discussion threads with scientific facts and citations?
Indeed, if they need to pay, there is no need for a CAPTCHA. As for responding to discussions, sure, you'd ban any human that posts spam the same as any bot. However, bots can spam your site faster than your human moderators can keep up with, so by using a CAPTCHA, only humans can post (ideally, of course), and thus moderators can keep up.
As a security consultant, it is not uncommon to recommend a CAPTCHA for things like successive, three failed login attempts from a single IP address within a certain time period. But I do agree that CAPTCHAs are used too frequently, and some security people recommend them for just about everything. As someone who blocks a lot of tracking and feels the pain of these tracking monsters (that's what CAPTCHAs are these days, more than the Completely Automatic Public Turing test they're supposed to be), I always think very carefully whether a CAPTCHA is the only option, and I'm sure to recommend CAPTCHAs that fit the situation but are less invasive than a third-party one.
Edit: oh, right, credit cards are common in many countries and banks set chargeback limits. It's still crazy to me that your 'public key' is also the only thing needed to withdraw money from your account, thereby necessitating a chargeback system. I guess for credit cards a CAPTCHA might be useful too.
Sure, I know credit cards exist and that the numbers are stolen because they're so trivially easy to abuse, but payment systems are not very related to my work. I very rarely come across a product where I have to test payment features, and when I do, it's out of scope. Either the payment is handled by some third party (the usual case), or it has already been tested years ago and they're now asking to test some new feature (all other cases).
More typical projects are testing traffic filtering solutions (firewall-like), blockchain startups (those are the worst), back-end (no payment) or b2b (contract-based payment, not online) applications... Even in the months that I was consulting at a bank, I never touched any sort of money system, there were a thousand other applications, services, websites, infrastructure things, and mobile apps to test. To give you a random example, they wanted to give people advice when buying a house through an app (where the final screen goes "and that's where $bank comes in: we can finance all this!"), so they had some external company prototype an app that was riddled with bugs in the login system. Or some internal service that POSTs data from one system into another. Or some API endpoint used for statistics. Etc.
So the cases that I see are as a consumer, where I pay either by bank transfer (logging into my own bank's website), via iDeal (which also redirects you to your own bank's website to complete the transaction, but that one is instant instead of having to wait a working day), or sometimes via PayPal if that is the only option (I guess paypal do their own bot detection? No idea). So from my perspective, when I paid for something, the money is in the hands of the merchant and only customer support or a lawsuit would get it back.
> What's wrong if a bot buys some of your inventory, pays for it and everything?
100% of the time, a bot buying things from a store is doing so to test a database of stolen credit cards the bot's owner has purchased/stolen. Accepting those sales means you'll get hit with chargebacks a few weeks later as the real owners of those cards see their statements. Then your store gets shut down for exceeding the maximum 1% chargeback ratio mandated by Visa and MasterCard. So preventing this scenario matters a lot, and when someone targets one of my stores for testing like this, enabling a CAPTCHA on the payment page is one of several, often-essential mitigations. Blocking IPs, blocking whole countries, including a nonce in the form, etc are on their own insufficient most of the time: the readily-available tools for this kind of attack already handle rotating IPs, retrieving a new form nonce on each try, spoofing the proper referrer, etc.
In practice it is a major pain to keep up to date, and bots slip through all the time, at least on the subreddit I help moderate. It's a lot of manual volunteer work.
maybe this is related to some other heuristic they're using for determining whether or not to show recaptcha (although this is in a no-extension Chrome on a residential IP address).
Right, they have that at registration but it's either superfluous or it only catches the really easy stuff because they rely on an army of human moderators who spend all day cleaning up after bad actors able to click buses.
I had problems with my spinner at first. However, this is one of the things that is really annoying about using captchas instead of passwords.
It is possible to create a secure account for something useless without using the system and you probably won't get spammers anymore.
What a dumb idea, you would want to implement it yourself, because the people working and maintaining the system(s) will all have some way of doing that already.
I don't know how much the government can take away from a site like this as well. But it's a bit like trying to ban a kid because the kid got an old friend on their facebook because his parents were "bad".
So, even though you have a big idea about voting systems, it would be a better option to require a system that only exists to be able to be used for good reasons.
> What's wrong if a bot buys some of your inventory, pays for it and everything?
In the book "Spam Nation" (Brian Krebs), a group of students try to fight fake online pharmacies. To do this, they created an army of bots and placed thousands of fake orders every day. The goal was to create so many fake orders that the human processors (many fake pharma stores were not fully automated) had to spend a significant amount of time clearing out the fake orders before getting to the real orders.
Now imagine this on a legitimate website. Not every website is automated, not every organization has the same resources that Amazon does. CAPTCHA's are a great way to ensure orders are coming from real people. They could still be faked, but the bar is a bit higher.
Don't think bot; think botnet. Ratelimits do not work against botnets since they appear to be independent actors. e.g. if you think it's fine for everyone to do something 1-3 times, then you are letting a botnet of 10k hosts do something 10k-30k times.
[edit]
Also, NAT means that there could be hundreds or thousands of individual users on the same IP address (many dorms at smaller colleges are setup this way), so you don't want to rate limit by IP address either.
About 10 years ago it was somewhere around 10 million bot computers. Obviously the distribution isn't uniform there, but that gives you an idea of the order of magnitude.
Also that was 10 years ago, before smart fridges and tvs. So, possibly more now?
I don't think "just block all the bots" is a feasible solution here.
The nets themselves take resources (time, effort) to set up and maintain. Presumably they're engaged (at least for the purposes of generalised website defence, though specific niches such as targeted commerce fraud may not apply) in systematic behaviour, which leaves signatures.
Systemic cross-site collaborative detection. -- essentially what Google's CAPTCHA systems are, though there are others, such as CZ.NIC's Turris project -- could identify these, and via network-based domains of authority (ASN and CIDR assignments) assign reputations and target anti-fraud or anti-abuse countermeasures.
Durable, privacy-respecting reputation tokens might be another approach.
Present systems are far more primitive and reflect an earlier world-state.
Are there potentially more effective ways to combat this? I'd rather combat malicious behavior than stereotype bots as malicious.
That's almost like saying laws don't work against [members of certain race] or [members of certain religion]. Rather we just need some combination of better education and better enforcement strategy instead of stereotyping.
There are government services, such as the USPTO, that rely on Google reCAPTCHA. The new reCAPTCHA has made it difficult for me to access documents, and sometimes they think that I'm a bot and thus deny me access entirely.
Does the government realize the consequences of this? Both that it pushes users to use Chromium-based browsers, and that they're helping to solidify a company that already has a near monopoly in the browser space?
Further, this quote is very creepy:
> To make this risk-score system work accurately, website administrators are supposed to embed reCaptcha v3 code on all of the pages of their website, not just on forms or log-in pages.
With AMP, Google Ads, and reCAPTCHA, Google now has access to pretty much everything that people do on the web.
Makes me wonder if this could cause those sites to run afoul of the ADA? (I'm admittedly not very familiar with the requirements, but thought it was interesting to consider).
It's been quite a while. At some point in the last year maybe with google blocked, it became impossible to register for a DMV appointment. Filling in the forms and pressing submit ended up with an unhelpful "Server Unavailable" and "Call xxx-xxx-xxxx during business hours"
To be fair, government at all levels did the same for Adobe by mandating that things be done in the PDF file format. Consistency of government operations sometimes requires that certain private companies be preferred vendors, and of course there's going to be a snowball effect there as big players get increasingly larger shares of available funds. Every government in history has had a government-industrial complex with winners and losers - some of this boils down to human nature.
> Consistency of government operations sometimes requires that certain private companies be preferred vendors
In which case those private companies should now be deemed an extension of the government and fall under all rules a government organization has to abide by. If they do not like it they can forbid the government from using their software/products and can sue if the government does not abide.
I was amused that Elizabeth Warren's campaign site wouldn't display the content for me unless I permitted scripts from google.com (w/ umatrix) since she is promoting breaking up google.
The belief these days is that when someone does something wrong everyone must shun them and not do business with them. Her website didn't have to use Google services as there are many alternatives.
It's typical of politicians not to run their own organizations in the same way as they say the world should be run; campaign organizations are a bit fly-by-night, and political platforms are more or less flexible by necessity.
I think it comes from the sad fact that, generally, ambitious politicians create organizations to get themselves elected, rather than previously-existing and purposeful organizations presenting candidates that represent that organization's values to a larger audience.
I do wonder what these government offices can do otherwise to prevent spam - I can run `curl` on the Georgia DDS appointment listing page and I get back all available slots. Assuming there isn't a captcha later in this process, it would be trivial to build a bot that books fake appointments for the next 5 weeks.
I'm much more worried about ideological persecution than targeted advertising. It's very easy to think you are doing the right thing, everyone thinks that.
I had to test a simple contact form implementation with reCAPTCHA yesterday on an office worker's PC that was running Chrome.
I spent all day clicking on sidewalks ans traffic lights! Or buses. No idea what they want the clicks on buses for.
I actually had problems upstream of the CAPTCHA. This was on a Wordpress site and I was patching up the Contact Form 7 implementation on there.
What shocked me was how naff Wordpress is. After however many years it does not come with a contact form built in. Comments yes, but a contact form, no. Then the fairly de-facto Contact Form 7 would not work with Google Captcha 3 and the latest V5 Wordpress. So there must be hundreds of sites out there with contact forms that do not work. Then there are people cussing ReCaptcha when there is this hideous mess of bloat going on.
The Contact Form 7 didn't even use HTML5 form validation and styling it was a nightmare.
I eventually went to CAPTCHA2 with the box you tick. Having the v3 box in the bottom right of the screen on every page was not what the client wanted. Plus it didn't work with this kludge known as Wordpress.
I think the issues raised in the article are not that big a deal. If you have logged in to Chrome and you are on your normal device and IP address then you can get a free pass. Why not?
I seriously advise anyone to test their implementations on a non-logged in PC, it is an eye opener. And a time consumer. But forms have to be made to work. You can't have people locked out.
There is a lot to be said for backend validation based on form data, I like to make forms unique with a hidden timestamp in it that is MD5 encoded. You can then see if someone has spent long enough on the form for it to be 'real'.
565 comments
[ 3.2 ms ] story [ 365 ms ] threadI try to never be logged into my google account as a matter of principle. Maybe I'm just fooling myself thinking this will make tracking me more difficult.
I get .7 on my iPhone, I’m guessing that my liberal use of Firefox containers and the cookie auto-delete extension on my desktop will give me a much lower score and cause me to have to jump through extra hoops at websites that implement it, just like the reCaptcha V2 does.
Edit: I also got 0.7 on Firefox with strict content blocking (which is supposed to block fingerprinters), uBlock Origin, and Cookie AutoDelete. I get 0.9 from a container which is logged into Google.
The same company that somehow still doesn't reconcile amounts owed and just keeps the money when they randomly-ban users and hide behind fake support emails, but they did feel like paying $11 million to keep that away from scrutiny [2].
[1] https://www.businessinsider.com/google-emails-adtrader-lawsu...
[2] https://www.searchenginejournal.com/adsense-lawsuit/248135/
I could have sworn I'd never signed in to Chrome using my google account, but I guess I must have mistakenly signed in to gmail or something.
I use FF as my main browser, only ever drop back to Chrome sporadically, or when I really want tabs to be completely isolated (there are some annoyingly CPU/power intensive stuff I do from time to time, and I can just renice Chrome while I get on with other stuff.)
Chrome 69 tricked users into signing into the browser, myself included - https://lifehacker.com/how-to-disable-chromes-automatic-sign...
That was the last straw to uninstall Chrome from all my devices and I've been a happy Firefox user ever since. Well, except now reCAPTCHA hardly ever works.
And in keeping with recent revelations on Google's manipulation of search results, I think they have really gone beyond the pale. I un-archived my old iPhone two days ago and went back to iOS after the James O'Keefe/Project Veritas revelations. I now cannot, in good conscience, use anything Google. I always knew about the tracking and all that because, after all, they are an ad company. I'm now in the process of moving all of my domains over to Fastmail, which I've used since 2002. I'm using Qwant, Startpage, and DDG for search. FF for browser with many about:config tweaks and several add-ons.
Sunlight is the very best disinfectant. People have a right to know if searches are being manipulated to one side.
Honestly... if it's the same team that did ReCaptcha 2.0, this is a team that pulls out all the stops. Per https://github.com/neuroradiology/InsideReCaptcha ... they implemented a freaking VM in Javascript to obfuscate the code that combines various signals. There's a lot going on here that's likely highly obfuscated and quantized before it's displayed to us.
EDIT: non-paywall link for [1] in the parent post: https://outline.com/aA7HS5
I get a 0.7 on Chrome with no account logged in and uBlock Origin installed.
Same browser, same plugin but incognito it's 0.1.
Papa google needs my data to trust me. Makes complete sense but still interesting that you can affect your score by giving in.
Privacy Badger and ABP on my work (less-locked-down) Mac.
To me, it feels like Google's entire strategy behind reCaptcha is to make it harder to protect your privacy. We've basically given up on the idea that there are tasks only humans can do, and to me V3 feels like Google openly saying, "You know how we can prove you're not a robot? Because we literally know exactly who you are." I don't even know if it should be called a captcha -- it feels like it's just identity verification.
I don't think this is an acceptable tradeoff. I know that when reCaptcha shows up on HN there's often a crowd that says, "but how else can we block bots?" I'm gonna draw a personal line in the sand and say that I think protecting privacy is more important than stopping bots. If your website can't stop bots without violating my privacy, then I'm starting to feel like I might be on the bots' side.
Maybe some browser extension can monitor the score and tell me what it currently is on each page load, when reCaptcha is used on some website. I'd just keep reloading, until it's good, and then try the captcha.
[edit] tried in a private window and got the same score.
In my main FF window with UBlock + Resist Fingerprinting, logged into a ton of Google accounts, I also got 0.1
Going to guess that without fingerprinting data they are probably going to give you a 0.1.
Changing the FF content policy from Standard to Strict appears to have no impact on the score.
Opening in a Private window drops it to 0.7 for me. I have a bunch of add ons allowed in Private Browsing, so not surprised it only dropped a little.
Of course, if you have 3rd party frames and scripts disabled globally via uBlock, it doesn't even load.
For the irony, I'm still logged into GMail and it still works perfectly, as basic HTML, even with google.com forbidden to run scripts. But it's the flippin' reCaptchas all over the place that make me temp-allow google.com, and then a reload later, temp-allow gstatic.com and reload again. Only then I get to use someone else's site normally, and I can disallow again... it's irritating. And then, this.
BTW that page plainly says the scores are samples and not related to reality. Refresh a few times and watch it change. 0.3, 0.7, and 0.9 seem to be my lucky numbers. I see everyone else getting those and 0.1.
Please stop reading things into it oh it's too late. Maybe they suddenly started seeing this page hundreds of times in the referrer and added that bit afterward, I don't know.
If anyone wants a fun weekend project, I would love for there to be a few public sites I can reliably check my production score on.
I'm not sure it matters though, since I'm just ignoring most sites that use reCaptcha now. For sites I can't ignore, I've taken to emailing them with my requests instead -- recently I tried to use Spotify's internal data export tool and it wouldn't let me past. If you're not going to let me use a website to manage my existing account, then your support team can do it for me.
The problem is that they aren't trying harder for users who aren't logged in.
That's on you, not Google.
so why are they having you solve image puzzles if they know that they are going to fail you? even if they know that you are human...
Then I remembered that I put this in my /etc/hosts a few weeks ago and forgot about it.
[Edit] So if nothing shows up for you on that page, check for that. Also I just generally recommend it. Google has some unethical practices and duckduckgo.com is pretty good.You need not to use hosts to block it, uMatrix could do it by itself.
I'm also logged into google and fb which also doesn't affect my score. Only shows how broken their algorithm is :(
edit: just tried it with chrome and my score jumped to 0.9! So definitely not my ISP. It's just my browser that Recaptcha doesn't like. If you put two and two together that's really evil shit, even for Google!
This is essentially going to let Google gatekeep the web if you aren't using their services.
How can I get better privacy settings?
> error-codes": ["score-threshold-not-met"]
Not sure if happy or not happy with that. I will conclude happy enough.
Linux, on VPN, Firefox. Not logged into any Google services. Cleared caches (still same IP), no difference.
Using Chrome, even incognito and with uBlock I get 0.7
(╯°□°)╯︵ ┻━┻. F you, Google, this is blatant bullying, technically unjustifyable abuse of your stranglehold over the whole web platform.
On FireFox with uBlock on and logged into my corporate gmail I get 0.9, switching to a private tab I get 0.7. This is with every privacy setting turned on in the FF options.
>the score returned here is not a reflection on your Google account or type of traffic
I got random scores as well. It looks like this is just a sample of the data structure that the service returns, not the actual score.
looks like it is a demo of the API for people wanting to consume it. knowing what the payload looks like is not useless at all in this case.
Come on, how is everyone in this chain so blind. It's literally in bold and the single largest block of content on the page:
NOTE:This is a sample implementation, the score returned here is not a reflection on your Google account or type of traffic. In production, refer to the distribution of scores shown in your admin interface and adjust your own threshold accordingly. Do not raise issues regarding the score you see here.
Please see the sibling comments (that were there before yours) where this is already being discussed, before being insulting.
Did they fix the 0 day?
I guess this is a 0 for me then
I wonder how many people here are using a VPN or accessing from a non-western country -- I'd bet those are much bigger factors
Almost unused Chrome installation, also without addons: 0.7
FF incognito window not logged into Google account: 0.7
FF incognito window not logged into Google account through VPN: 0.3
FYI I have uBlock, pi-hole and a bunch of privacy widgets enabled
Safari macOS with the same adblocker: 0.7
Firefox macOS with a lot of adblockers: 0.1
Chrome: .9
Safari: .7
Firefox: .1
I have adblock running on all three, and I use containers on Firefox.
Brave isn't particularly "unusual", and is even based on Chromium - surely this is Google blatantly punishing non-Chrome users?
In incognito mode in chrome, I sometimes get 0.9 and sometimes 0.7 when I reload.
I would however use Google's system if the site is massive and there is the possibility that someone is using a script or some program to algorithmically bypass the (simple) captcha, and register accounts en-masse and trying to create a psyop[0], or disinformation campaign, or even a sockpuppet army.
[0] https://en.wikipedia.org/wiki/Psychological_Operations_(Unit...
Like what?
That's not a viable reason. Anyone doing so is going to have a budget and human reCAPTCHA solving is less than $0.01 per CAPTCHA. It costs very little for mass account creation, reCAPTCHA or not.
But Im not sure, since the browser sessions for some proxy users like TOR exit nodes are so short
I use Tor fairly regularly and it's a complete nightmare. I sometimes spend 5-15 minutes solving reCAPTCHA (since your Tor circuit changes every 10 minutes this can result in having to solve the reCAPTCHA several times).
And then set it to Windows/Chrome. And all those Scroogle-captchas are easy-peasy.
> It’s great for security—but not so great for your privacy.
For individual users, security and privacy frequently go hand-in-hand. But for site operators, user privacy makes security a lot harder. The more you know about a user, the easier it is to figure out if they're an adversary.
I do all my mobile browsing on FF yet when I try to use some websites I always get this Recaptcha failed error(1) while it works flawlessly on chrome though I never use it often. Try it, maybe it will happen for you too.
Same happens on most sites which show you that "checking your browser" page via cloudflare too.
The web is very unusable unless you're using chrome because of such antics.
(1) https://cdn3.imggmi.com/uploads/2019/6/27/0dd96b25707ce6e236...
That said, I've no evidence one way or the other!
My understanding is that it comes down to information they can read about your browser (does this look like a bot environment?), and heuristically how the user has behaved since the JS has been loaded (mouse movements, time between actions, etc).
Yeah, no. It certainly can read non-google cookies on the page (not httpOnly cookies, though).
This of course doesn’t help explain why Firefox is so heavily targeted by what’s supposed to be a neutral utility like Google Analytics...
The idea of tracking your history across multiple reCAPTCHA loads across multiple domains to build a user profile is what sounds like a giant privacy red flag, even though it's entirely possible given the current implementation.
Additionally asking hosts to include JS directly onto their domain which sets 3rd party cookies/data across every page in addition to tracking referring domains is equally a bad idea. reCAPTCHA 2/3 does require loading 3rd party JS directly on page, which I'd imagine is necessary to create callbacks in the frontend upon verification (as iframe content messaging is very awkward):
https://developers.google.com/recaptcha/docs/v3
Ideally the JS simply loads an iframe of the captcha HTML and handles the callbacks from events in the iframe. That's it. It shouldn't be touching anything else on your website. I'd be curious to see a reverse engineering to see how much the JS really does...
edit: also didn't try it over tor
If only it was Google services alone. CloudFlare loves serving up a ReCAPTCHA for Tor users before they can even passively read site contents. That hugely expands the damage done.
https://support.cloudflare.com/hc/en-us/articles/11500199265...
https://blog.cloudflare.com/cloudflare-supports-privacy-pass...
https://blog.cloudflare.com/privacy-pass-the-math/
https://github.com/privacypass/challenge-bypass-extension
The plugin requires "privacy passes". Those passes can be obtained by solving captchas, but when trying to do so, one is greeted with this message about being blocked: https://i.imgur.com/qXJfl6J.png
https://tb-manual.torproject.org/managing-identities/
If it was developed in conjunction with Tor, how come it doesn't come bundled with the Tor browser or Tails?
https://patents.google.com/patent/US9407661B2/en
Until software developers care -- nothing will happen.
Monopolies need to be broken up because they threaten the free market and consequently our way of life - not because employees revolt.
Juniper patented saying "No" to a client.
Yes I can and do. It's bad enough that some websites won't let you do certain things over Tor, but preventing access to the website entirely is unacceptable. I made this account and comment entirely over Tor.
I don't see how it's okay to block Tor. That generic claim is made, but how are your spam measures doing if you couldn't handle Tor spam?
>You might not be using it for abuse but a large volume of abuse originates from it.
There is infinitely more ''abuse'' coming from Google, and yet it seems most every page I visit contains Google malware.
On principle, I hold the idea that Tor should be a first-class citizen and not disadvantaged in any way. Notice that Google's ''HTTP/3'' is over UDP, which Tor doesn't work with; I don't find that a coincidence.
> like all IP addresses that connect to our network, we check the requests that they make and assign a threat score to the IP. Unfortunately, since such a high percentage of requests that are coming from the Tor network are malicious, the IPs of the Tor exit nodes often have a very high threat score.
My own connection doesn't go over 1.6MB download speed, and only if the weather is clear and I have the wind in the back.
You can now achieve a 500KB or more speed in most Tor connection, which is enough to have a confortable browsing experience, imo.
The real downside is the google captcha, which happens sometimes to even denie you to solve a captcha in the first place for web pages where there is no user input.
Initially it was slow, yes. But totally fine the last few years for normal browsing and reasonable downloads. Speedtest.net, speedtest.googlefiber & fast.com just now gave me 5, 6 & 10Mbps for whatever server in Ghana i got. Only the high ping causes loading times to still be a bit annoying.
But right now the biggest reason not to use Tor for anything "legit" is the many services blocking you, since indeed most current Tor users are not what those services want and the race to the bottom of Tor will continue, if we haven't reached it already.
Given that Tor is a tiny percentage of Internet traffic, most of the abusive volume out there has little to do with Tor.
> "If you have a Google account it’s more likely you are human"
So, in the future if we don't keep signed into our google account(and let google know every article we read and every website we browse), we'll be cut off from the half of the internet or even more. The amount of control a handful of companies have over the internet is suffocating to know!
One trick that seems to help fool that awful piece of tech: click slowly on the images, as if you were thinking a second or two before each click. Maybe click a wrong image and deselect it again. In other words, behave like a slow human, and it seems to work better than if I solve it as quickly as possible.
Again, being slower and more error prone seems to be rewarded.
If this reduces the world Google allows me to access, it doesn't diminish mine because of it.
The walled garden approach worked for a while for Microsoft, and it's working for now for Google, but eventually, it stops working. Once people leave, walled gardens keep them away.
You can't just opt out of using half the Internet because you value privacy, and nor should you have to. This requires legislation to stop.
... can we please get a serious antitrust investigation now?
It still either lets me through, or doesn’t even manage to display images for me to click on because it doesn’t like my browser settings. (The latter is more common than the former these days...)
I wonder how much legitimate traffic bounces because of reCaptcha. Can sites even measure this?
And I am not speaking here about how Android and Android apps (which is allowed by Google) track users.
Even something as simple as a question: "How many legs does a spider have?" ____
And then cycle through different types of free form questions of things that most people should know. Perhaps block the IP after {n} failed attempts for an hour.
i.e. free form questions, count the gray dots (vision impaired friendly), math questions, play tic-tac-toe and get a stalemate, ascii hang-man ... I could think of hundreds of different challenges. The bot would have to constantly adapt and the bot developer would have to really love puzzles. The bot consumers would have to update constantly and would have to learn all the challenges of each site owner.
As a bonus, google the all knowing, is less knowing and no longer a gate-keeper.
Maybe we can turn this into a public competition.
I don't see captchas a lot, because I'm not frequenting sites that use them. A friend of mine apparently does, so often that he pays for a captcha solver while he's sitting in front of his computer. He just can't be bothered to play Google's mind games, so he'd rather pay a few cents a day to not deal with it.
We've come to the point where humans are paying for services that were created for bots so they can bypass technological hurdles that were meant to tell humans from bots.
I've heard stories from people that own small sites and still have someone targeting the site with custom scripts, but never anyone I know (not even a friend of a friend, only ever random people on the internet). But there is also the (much larger, from what I can tell) group of people that never had these issues. But people don't like risks, and installing a tracking captcha from google is made very easy. "Everyone does it, that ought to work!" (Meanwhile I hear of a 90% success rate from a recaptcha browser plugin, but who cares about that right?)
Might be interesting to poll random people that have websites with <100 unique visitors a month for this sort of thing to get us any sort of idea of how necessary an invasive CAPTCHA like Google's is.
These ReCaptcha topics on HN really illuminate how few people have dealt with any real spam, much less targeted human or botnet attacks.
[1] - https://tinyvpn.org/up/d/
They've been doing it for a while now, Tech Altar even had a video about it the other day: https://www.youtube.com/watch?v=ELCq63652ig
Along with the censorship and privacy issues, I guess it's time for them to change their payoff, "don't be evil".
They dropped that years ago, literally and effectively.
Ultimately why does it matter if the user is a human or bot, as long as they are being a valuable user? What's wrong if a bot buys some of your inventory, pays for it and everything? What's wrong if an NLP bot responds to discussion threads with scientific facts and citations?
As a security consultant, it is not uncommon to recommend a CAPTCHA for things like successive, three failed login attempts from a single IP address within a certain time period. But I do agree that CAPTCHAs are used too frequently, and some security people recommend them for just about everything. As someone who blocks a lot of tracking and feels the pain of these tracking monsters (that's what CAPTCHAs are these days, more than the Completely Automatic Public Turing test they're supposed to be), I always think very carefully whether a CAPTCHA is the only option, and I'm sure to recommend CAPTCHAs that fit the situation but are less invasive than a third-party one.
Edit: oh, right, credit cards are common in many countries and banks set chargeback limits. It's still crazy to me that your 'public key' is also the only thing needed to withdraw money from your account, thereby necessitating a chargeback system. I guess for credit cards a CAPTCHA might be useful too.
> As a security consultant
Hm? How does a security consultant not know that credit card numbers can be stolen and used by bots?
More typical projects are testing traffic filtering solutions (firewall-like), blockchain startups (those are the worst), back-end (no payment) or b2b (contract-based payment, not online) applications... Even in the months that I was consulting at a bank, I never touched any sort of money system, there were a thousand other applications, services, websites, infrastructure things, and mobile apps to test. To give you a random example, they wanted to give people advice when buying a house through an app (where the final screen goes "and that's where $bank comes in: we can finance all this!"), so they had some external company prototype an app that was riddled with bugs in the login system. Or some internal service that POSTs data from one system into another. Or some API endpoint used for statistics. Etc.
So the cases that I see are as a consumer, where I pay either by bank transfer (logging into my own bank's website), via iDeal (which also redirects you to your own bank's website to complete the transaction, but that one is instant instead of having to wait a working day), or sometimes via PayPal if that is the only option (I guess paypal do their own bot detection? No idea). So from my perspective, when I paid for something, the money is in the hands of the merchant and only customer support or a lawsuit would get it back.
100% of the time, a bot buying things from a store is doing so to test a database of stolen credit cards the bot's owner has purchased/stolen. Accepting those sales means you'll get hit with chargebacks a few weeks later as the real owners of those cards see their statements. Then your store gets shut down for exceeding the maximum 1% chargeback ratio mandated by Visa and MasterCard. So preventing this scenario matters a lot, and when someone targets one of my stores for testing like this, enabling a CAPTCHA on the payment page is one of several, often-essential mitigations. Blocking IPs, blocking whole countries, including a nonce in the form, etc are on their own insufficient most of the time: the readily-available tools for this kind of attack already handle rotating IPs, retrieving a new form nonce on each try, spoofing the proper referrer, etc.
Why is this a bot-specific thing? I abandon shopping carts as a human all the time, including especially:
* If you require a registration and login to checkout
* If your UI is too hard or clunky to use
* If shipping fees are higher than what I think is fair
* If there are additional non-upfront fees
https://i.judge.sh/Flutter/45DyMRuL.png
maybe this is related to some other heuristic they're using for determining whether or not to show recaptcha (although this is in a no-extension Chrome on a residential IP address).
I had problems with my spinner at first. However, this is one of the things that is really annoying about using captchas instead of passwords.
It is possible to create a secure account for something useless without using the system and you probably won't get spammers anymore.
What a dumb idea, you would want to implement it yourself, because the people working and maintaining the system(s) will all have some way of doing that already.
I don't know how much the government can take away from a site like this as well. But it's a bit like trying to ban a kid because the kid got an old friend on their facebook because his parents were "bad".
So, even though you have a big idea about voting systems, it would be a better option to require a system that only exists to be able to be used for good reasons.
In the book "Spam Nation" (Brian Krebs), a group of students try to fight fake online pharmacies. To do this, they created an army of bots and placed thousands of fake orders every day. The goal was to create so many fake orders that the human processors (many fake pharma stores were not fully automated) had to spend a significant amount of time clearing out the fake orders before getting to the real orders.
Now imagine this on a legitimate website. Not every website is automated, not every organization has the same resources that Amazon does. CAPTCHA's are a great way to ensure orders are coming from real people. They could still be faked, but the bar is a bit higher.
[edit]
Also, NAT means that there could be hundreds or thousands of individual users on the same IP address (many dorms at smaller colleges are setup this way), so you don't want to rate limit by IP address either.
Also: egress hygiene should be a thing. Block subnets and ASNs if toxic behaviour is detected.
About 10 years ago it was somewhere around 10 million bot computers. Obviously the distribution isn't uniform there, but that gives you an idea of the order of magnitude.
Also that was 10 years ago, before smart fridges and tvs. So, possibly more now?
I don't think "just block all the bots" is a feasible solution here.
The nets themselves take resources (time, effort) to set up and maintain. Presumably they're engaged (at least for the purposes of generalised website defence, though specific niches such as targeted commerce fraud may not apply) in systematic behaviour, which leaves signatures.
Systemic cross-site collaborative detection. -- essentially what Google's CAPTCHA systems are, though there are others, such as CZ.NIC's Turris project -- could identify these, and via network-based domains of authority (ASN and CIDR assignments) assign reputations and target anti-fraud or anti-abuse countermeasures.
Durable, privacy-respecting reputation tokens might be another approach.
Present systems are far more primitive and reflect an earlier world-state.
That's almost like saying laws don't work against [members of certain race] or [members of certain religion]. Rather we just need some combination of better education and better enforcement strategy instead of stereotyping.
Does the government realize the consequences of this? Both that it pushes users to use Chromium-based browsers, and that they're helping to solidify a company that already has a near monopoly in the browser space?
Further, this quote is very creepy:
> To make this risk-score system work accurately, website administrators are supposed to embed reCaptcha v3 code on all of the pages of their website, not just on forms or log-in pages.
With AMP, Google Ads, and reCAPTCHA, Google now has access to pretty much everything that people do on the web.
https://www.dmv.ca.gov
It will also log you in to google on the first page.
Additionally, the stations at the DMV all have tablets on stands, showing Google logins for some operations.
In which case those private companies should now be deemed an extension of the government and fall under all rules a government organization has to abide by. If they do not like it they can forbid the government from using their software/products and can sue if the government does not abide.
So I don't really see the amusement.
In this case the only "service" it appeared to be using was hosting for jquery...
I think it comes from the sad fact that, generally, ambitious politicians create organizations to get themselves elected, rather than previously-existing and purposeful organizations presenting candidates that represent that organization's values to a larger audience.
I spent all day clicking on sidewalks ans traffic lights! Or buses. No idea what they want the clicks on buses for.
I actually had problems upstream of the CAPTCHA. This was on a Wordpress site and I was patching up the Contact Form 7 implementation on there.
What shocked me was how naff Wordpress is. After however many years it does not come with a contact form built in. Comments yes, but a contact form, no. Then the fairly de-facto Contact Form 7 would not work with Google Captcha 3 and the latest V5 Wordpress. So there must be hundreds of sites out there with contact forms that do not work. Then there are people cussing ReCaptcha when there is this hideous mess of bloat going on.
The Contact Form 7 didn't even use HTML5 form validation and styling it was a nightmare.
I eventually went to CAPTCHA2 with the box you tick. Having the v3 box in the bottom right of the screen on every page was not what the client wanted. Plus it didn't work with this kludge known as Wordpress.
I think the issues raised in the article are not that big a deal. If you have logged in to Chrome and you are on your normal device and IP address then you can get a free pass. Why not?
I seriously advise anyone to test their implementations on a non-logged in PC, it is an eye opener. And a time consumer. But forms have to be made to work. You can't have people locked out.
There is a lot to be said for backend validation based on form data, I like to make forms unique with a hidden timestamp in it that is MD5 encoded. You can then see if someone has spent long enough on the form for it to be 'real'.