That technique hasn't worked for years. Try setting up a vanilla WordPress installation with the most popular forms plugins. The only anti-spam measure that works is reCaptcha v. 3.
If people have to request to be able to contact you, it is not a public inbox anymore. This is the way most walled gardens work, you have a separate step before you can interact, so it works, but it lacks some of the affordances of the public inbox model of email or blog posts, such as allowing anonymity.
better yet, get rid of the comments all together. having no comments saves you from having to moderate them and it's just not worth it. if you're writing anything tech related and worthwhile you can just proxy the discussion to HN ;)
Not really a great option. People only really see stuff on HN that's relatively fresh so anyone coming in after the initial wave of engagement dies down won't see any discussion.
For WordPress there are plugins like Akismet (a service), Antispam Bee (local), etc, that are pretty good at filtering spam without the need to display annoying captchas.
that's just a tell that you value ease of moderation and selling your potential community members out to G more than inviting new members to your community. certainly telling of the person running the blog.
i've had success with bayesian filters and shadowbanning myself, but it does require some effort.
Is that particularly surprising though? Coming from a TOR exit node where a bunch of spam also comes from and blocking tracking so it looks like you're appearing on the site from no where... Both of those are pretty suspicious and reasonable things to crater your humanness score.
Except solving reCAPTCHA shouldn't be necessary in order to read a website. I get (though still don't like) the justification for any modification actions, but GETs shouldn't ever trigger a reCAPTCHA check.
Of course, the Tor folks told the CloudFlare folks about this many years ago and CloudFlare still acts as a giant censorship machine and continues to block anonymous users from reading content on the internet. Not to worry though -- you can install their extension[+] to "protect your privacy" to bypass the reCAPTCHA that CloudFlare themselves erected in front of other people's websites! It's definitely not in any way comparable to an arsonist selling fire insurance as a side gig -- at least with fire insurance you actually got something out of the exchange!
[+] Which does have a paper that explains the security of the cryptosystem, but a single paper does not make a protocol secure by default. I'm not a cryptographer, but the Tor folks did raise some concerns in the issue where PrivacyPass was discussed, and there's no doubt that combining Tor with a system that is nowhere nearly as battle-tested should be a major point of concern.
Let me present an alternative framing: A business doesn't have to allow you to access and use it's content in any way you would prefer to access and use it. Part of the bargain of the web is you get a lot of content for free at your fingertips because someone else is paying for the servers. Right now that's mostly ad money because it's simple to add and doesn't require companies to change their content much. Ad blocking, tracking blocking, and anonymizers are all circumventing the funding model that makes a lot of the web possible.
Do I wish there was an alternative to aggressive ads and tracking? Hell yes. Do I want to pay every website individually for what I view? Nope, and companies don't either because it would massively hurt their growth for people coming in new.
I don't know why you're talking about online advertising. People use Tor for a wide variety of reasons, many of which are completely unrelated to whatever business model the target website has. In addition, my comment was about CloudFlare (a MITM) putting reCAPTCHA on other people's websites -- I don't see how advertising is even slightly related to that topic.
I would argue a "better" framing designed to emotionally manipulate would be "why are you trying to block people in oppressive regimes from being able to read about the outside world and organise themselves, putting them in danger of being murdered by their government"? But it would be dishonest to make the discussion about "why do you want to kill people", just as it is dishonest to make the discussion about website business models.
CloudFlare isn't just going around randomly putting their caching/filtering in front of websites they're choosing to have it there though. The sites are choosing it.
Advertising is related here because recaptcha's use of tracking, primarily used for advertising, as a factor in determining their score for users and also because blocking ads/tracking is part of the cause behind people's issues with recaptcha.
Many site operators try to spend the absolute least amount of money on servers, so it's common for simple "GET request spam" DDOS attacks to take down a website (especially on dynamic, DB-driven sites). CF in this situation is helping these site owners take the easy road and recaptcha DDOS attacks instead of scaling up servers or having to implement smart caching strategies.
I've had the picture ones once it twice this year and it only took a couple seconds. The pictures don't take much longer than the text did for me but I wonder if it gets worse on certain configurations (I've heard recaptcha is super bad if you use TOR).
I've found that breaks things in subtle ways. I have a Plex server connected to my terrestrial antenna to watch TV and the TV guide was showing everything an hour out and I couldn't not for the life of me work out why. Turns out that "privacy.resistFingerprinting" makes your JS timezone UTC, whereas I'm BST.
I'm not sure why they bother, since I'd find it more suspicious if say someone is coming from a Russian IP address but has UTC set and not a Russian timezone...
You absolutely should open an issue about this on FF's issue tracker. Assuming you're not hiding your IP this indeed is actually privacy.helpFingerprinting and should be fixed.
I get the puzzles quite often, pretty much every time I deal with a captcha. Private mode browsing, logging in from my pc, firefox vs chrome... I'm not even particularly tracking sensitive. I don't even have extensions more extreme than ublock origin and a strict popup blocker on firefox.
To offer a counter-experience, I don't remember the last time I actually HAD the "click once" captcha. It's always "click the buses/traffic lights/store fronts" etc.
Your experience will differ based on how much Google tracking you block. If you're not letting them surveil your every move, they're less convinced you're human by default (or perhaps spite).
I imagine it's partly because I don't block cookies (I whitelist sites that get to store them across sessions and everything else is then session only).
I have a hard time assigning malice to the recaptcha more blocking = lower score because while it's a fun conspiratorial position it's also true that the more you block the less you look like the average user who doesn't. Also the less info they can pull from to determine how likely it is you're an actual person so of course people without a trail are going to be more suspicious.
Wow this makes sense now. I switched to Firefox as my primary browser 7-8 weeks ago and enabled strict blocking; and as of the last ~week, I've been greeted with reCAPTCHAs on a ton of websites which previously just let me in.
Try using Tor for a day or two, you'll get reCAPTCHAs on almost every website and in many cases you need to fill multiple out with increasing levels of distorted images. The best one is CloudFlare which can not only ask you to solve a reCAPTCHA once -- but several times when trying to load a single page. And sometimes Google will even refuse to give you a challenge at all because your exit IP is "especially dangerous"!
If 10% of web developers used Tor on weekends, no website would use reCAPTCHA because they'd realise how painful it is to certain users. I run a Tor relay (non-exit) at home, and now I get more reCAPTCHA even though there's no possible reason to assume my home IP is "bad". I'm still going to run my Tor relay -- I just think it's interesting to note that users are being punished by a giant MITM-as-a-Service company for trying to help other people use the internet anonymously.
CAPTCHA is a divisive topic on HN, so you'll get a lot of people suggesting it's vital, and a lot saying it just isn't, depending on their own experiences.
"You probably don't need ReCAPTCHA" [0] is an article discussing techniques that has had decent discussion [1] on HN before.
The title mentions reCAPTCHA v3 but then the article goes on to rant about the challenges you have to solve. reCAPTCHA v3 is completely automatic, there are no challenges at all. Of course, it's not perfect either, because occasionally actual humans fail the challenge too.
> reCAPTCHA v3 is completely automatic, there are no challenge at all.
Yeah, if you're signed into Chrome and Google has enough information to know who you are (yes, I know the new one is score-based…this just means that anyone who isn't the above is going to get a poor score and be blocked.)
You can actually set the minimum score requirements to whatever you want. The default is 0.5, but there's nothing stopping you setting it to 0.0 and letting everyone through.
Isn't the author talking about recaptcha v2? My understanding of recaptcha v3 is, that it just gives you a score for how well google can track you and then leaves it up to the site operator to block users who aren't transparent enough.
What I really hate about recaptcha v2 are those artificial delays before loading the next image (which it can happen to several times on a single card). And then in the end you frequently fail, despite answering everything correctly.
> My understanding of recaptcha v3 is, that it just gives you a score for how well google can track you and then leaves it up to the site operator to block users who aren't transparent enough.
Yeah, that's the one where you're supposed to put it on every page of your website so that Google can collect more information on your users. If they can't, they'll return a low score that you'll use to mark users as "bots".
> What I really hate about recaptcha v2 are those artificial delays before loading the next image (which it can happen to several times on a single card). And then in the end you frequently fail, despite answering everything correctly.
I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.
> I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.
I do wonder why though. For a long time, I assumed it was a rate limiter, but then another HN commenter pointed out to me that time is more valuable to humans than bots. Bots can work on multiple captcha's in parallel.
My thoughts exactly. A bot doesn't care if it takes 2 seconds to fade the images out and in for another challenge round, but a human viewing it perceives it as a frustrating delay.
I've become accustomed to just closing any page that presents me with a v2 reCAPTCHA.
Unfortunately one of those pages was the Equifax settlement. And other similar “important” sites. I never seem to come across them when it’s a service I could easily quit or avoid.
Why would anyone protect an "unimportant" site with a captcha? The value of the information, to someone, in bulk, is exactly why some throttling is needed.
This might not be so sinister. It so happens that "important" operations, like a class action lawsuit settlement, are also the type of thing you'd particularly want to protect from bots.
Why? Maybe Google hopes that if reCAPTCHA is sufficiently annoying and prevalent that users will disabled any and all tracking extensions they've enabled?
Probably neither explicitly as a human judgment, but both constructively - some A/B experiments noticed favorable numbers went up by doing the crappy thing, and so it has been decided.
I'm waiting for the day when it pops up "find the humans" and there's someone clearly wearing CV-camouflage. For anyone that doesn't get it: you let that human hide, because it could be you in twenty years.
The bot is delegating what it presents to the human, though. So just present the human with images that have already faded in (and if no image has finished fading in, switch to the images from the other captcha).
Edit: Unless, it occurs to me now, Google is monitoring how the user responds to the fade in. When in the fade process do they click the square, for instance.
Still seems like it wouldn't be all that helpful, though.
If you have strict privacy features enabled in firefox they block recaptcha and force you to do hard puzzles. It really sucks, but I'm not disabling the privacy features.
> I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.
Maybe this is to prevent adversarial learning? If the images reload immediately, then the bot can learn (via a neural network) whether its solution was good or not. If there's a delay, it's the same, but the learning is slowed down by the same factor.
No idea if this is true, it just popped out of my head.
As I said below, this is what I thought too, but another HN'er pointed out that a bot could load up a thousand captcha's in parallel and just switch between them while waiting for the fade in.
Sure, they can, but putting a small delay forces an arms race on how big a cluster you need to operate those parallel bots and how cheaply you can offer a cracking service.
That's correct. ReCAPTCHA v2 is the one where if your opaque, invisible ML humanity score is below a threshold it makes you squint at weird little photo squares and try to figure out whether the part of a bumper at one edge is enough to count as a car. ReCAPTCHA v3 is the one where if your opaque, invisible ML humanity score is below a threshold the website just breaks in unpredictable ways until you either give up or (for highly technical users) notice that ReCAPTCHA is at fault and interact with enough Google services to raise your score before trying again.
I delete all cookies outside of a few whitelisted domains every time I close a tab, which is why reCaptcha is so annoying to me in the first place. Still, at least for me, the audio fallback is always there and much less annoying.
Never happened to me. I've been getting "point out the hydrants" over 5 times in a row sometimes because of the amount of anti-tracking I have set up, but the audio option was always there letting me on the first try.
ReCAPTCHA v3, the version I was referring to in what you quoted, doesn't have an audio CAPTCHA or any kind of fallback option at all, which is part of what makes it so much worse than v2. (The other part is the privacy implications of adding thorough behavioral tracking to every part of a website.)
Curious. Do you have any example of a site using it? I noticed that reCaptcha has become much, much worse recently and I assumed that this must be this v3, but I've never encountered one that would actually have no fallback and prevent me from using the site.
With some of these I'm left debating what is a traffic light. Is the pole itself a traffic light? I really don't know.
Also when it asks to select all the cars. Is a bus a car? Is a truck a car? I really don't know what it is expecting and I must pick wrong as I often fail.
Perhaps that's Google's intention. They are using your human intelligence to make educated guesses, rather than using AI. Your choices will be added to their dataset.
It's very frustrating that there's no "your AI is an idiot, there isn't one" button. I saw an example of one that said "click the tiles containing the bus" where it was clear what the AI thought was a bus, but it definitely wasn't.
This reminds me of Janelle C. Shane's work on AI[1]. Computer vision's been learning based on the photos that people take, not the visions that people see, and this is giving AI a preference for photogenics instead of reality.
People generally don't take pictures of rolling green hillsides. But they very often take pictures of rolling green hillsides with sheep on them. So if you ask the robot to draw a picture of rolling green hillsides, it will include sheep. Or, if you ask it to draw a picture of the savanna, it will want to include giraffes.
Now you're being asked to find a bus in a photo without a bus because it's a street scene, and every street scene has a bus in it.
I haven't read her book, yet, but her Twitter[2] is often full of amusing anecdotes like this.
> People generally don't take pictures of rolling green hillsides. But they very often take pictures of rolling green hillsides with sheep on them. So if you ask the robot to draw a picture of rolling green hillsides, it will include sheep. Or, if you ask it to draw a picture of the savanna, it will want to include giraffes.
Don't humans do this too, though? If I asked someone to draw a picture of rolling green hills, they may well add sheep as an additional detail.
Well, personally, I had the "bliss" image from the Windows wallpaper collection in my head while I was writing this. But I'm cognizant that most of the photos of hillsides I took in Ireland had sheep in them.
I wonder if that would still be true, though, if "bliss" wasn't a default Windows wallpaper. In other words, you're still referring to common pictures, you're just particularly biased to one in particular that you've seen a lot.
I haven't done the experiment, but I'd posit that if you walked up to a group of 8-year-old children, gave them crayons, and asked them to draw pictures of "rolling hills", a significant portion would add sheep, cows, flowers, or some other details—even though a majority of rolling hills in the world don't have any of these features.
I wonder if you ran into something I deliberately mislabeled as a bus.
Your goal shouldn't be to answer the question earnestly, but to confirm the machine's biases. Going with the flow is expedient, as well as giving Google less support.
In this case, it was obvious what it wanted someone to do.
It gets more frustrating when it's less clear. Is "click the hills" with a picture of a mountain a mistake, or a trick? Should I click all the tiles that contain a bus, even if it's only one pixel, or should I only click the ones that mostly contain a bus? etc.
That is, they assume the vast majority of the population is indistinguishable from their AI. I believe that view also informs their customer service procedures.
I actually thought I experienced that this morning. But then I looked closely, and there were actually photos containing sections of what I was left to assume were actually bridges. So I think you're technically wrong, but the spirit of your comment is correct!
I always see complaints about recaptcha like this, but I've never experienced this struggle, certainly not to such a degree as to be outright frustrating. It's always seemed pretty obvious to me what the right answers are. My personal take to your examples are that that a traffic light's pole is not a traffic light, but any part of the box that contains the lamps/leds is (even if facing away from the camera), and that neither large trucks nor buses are cars, but would include vans, pickups, and SUVs.
Hopefully these rules of thumb will help someone reading this find these captchas less frustrating.
Does anyone knows a recapthca2-like service/software, that would help solve such tasks (OCR, object recognition..) on a custom provided dataset ?
It could provide an alternative to recaptcha, and a "Mechanical Turk"/crowdsourcing for universities, institutions or companies to help solve some of their repetitive tasks.
Try using Tor with one of those captchas -- you will get a whole load of puzzles and picture matching goodness (usually having to solve multiple in a row). It can easily take me several minutes to pass a reCAPTCHA challenge when using Tor. And even then, sometimes Google will even refuse to give you a challenge at all!
That article aside, what are everyone's experiences with reCAPTCHA? We are using it to secure one of our contact forms and get a lot of spam through it. Upon research (googling) I found that reCAPTCHA is "broken", e.g. https://threatpost.com/uncaptcha-googles-recaptchas/140593/
We use it to stop bots from opening thousands of trial accounts. We don't have bots anymore, but instead we have humans who open hundreds of trial accounts hourly. I guess it's an improvement.
An email provider. Interestingly enough they don't even send anything. They just... sit there. And who knows why. Not really doing anything harmful afaik, but obviously fradulent so our support still kills them in bulk just in case they were a proper threat waiting for the activation.
Perhaps – but I'm pretty sure there's some that don't even receive emails either. It's as if someone was just creating a "standing army" of accounts in preparation to unleash something. Spooky :)
Companies should just use bogofilter and not submission blocking on contact forms if they're annoyed about receiving spam all the time. That and then just go through the detected spam once in a while (once per week perhaps).
Basically the same they'd do with e-mail.
Several times I was prevented from complaining about something to a company that didn't have a public e-mail address, but only a contact form with captcha, just because that day, google decided they'll fail all my recaptcha attempts, and tell me "sorry we think your computer is sending automated queries" and wouldn't even allow me to try any futher.
It really doesn't help if I'm in a negative midnset about the company already. I've completely stopped using shipping companies that put tracking info behind recpatcha, for the same reason, although that's a different thing from contact forms and a bit harder to manage. But contact forms should not be blocked with recaptcha.
Outright blocking communication is a poor taste. Accept all communication and use automated mechanisms to filter through it on your side.
BTW, this is even worse for users that block re-captcha via adblocker or something, because you often lose the entire text you were about to send. So the next attempt you're even angrier.
Well, it's only invisible if all pages / tabs you visit share the same cookie / session store. With browsers implementing more and more of privacy-focusing features this becomes less and less frequent.
If I use Safari private mode (each tab has its own cookie store) or Firefox with containers and cookie auto delete extension every tab I open, every page I visit gets a brand new Google session. Obviously, Google treats my like a bot.
Yes, I thought the article would be about privacy concerns. Instead it was a rant about v2, not mentioning v3 at all (except for mistaking v2 for v3). Ultimately there was little substance here.
A lot of articles posted on hacker news are by people who don't really understand what they're talking about, but use a lot of emotionally charged language. A lot of times this is fine, because it's articulating something that bothers a lot of people and wastes their time. But in this case it's absurd. I don't think he understand just how much crap bots were/are putting out there, especially before we had good services like cloudflare and the whole web hosting cloud to filter it. It's not Google's fault every small/medium sized company decided to put important customer services on a web portal which could be easily abused, they just capitalized on it. Sys admins can't stop random executives from making crap decisions like having an inherently insecure system, but at least they can pitch on reCaptcha to fix it a tiny bit. But they wrote an article where they used a lot of CAPS LOCK, so they must be an authority.
> A lot of articles posted on hacker news are by people who don't really understand what they're talking about, but use a lot of emotionally charged language.
This seems to be the best strategy for getting to the top of the front page these days. Even better if the target of the emotionally charged language is Facebook, Google, or Amazon.
The article really should have focused on this, it's the only valid concern. There's no proof or references behind the later claims like "THE AVERAGE TIME IS OVER 30 SECONDS!" and " It doesn't matter if you're logged into your Google account and allowing all manner of cookies.", not even anecdotal or personal videos of trying to solve a recaptcha like this post[0] had from two months ago.
> I don't think the author knows the difference between v2 and v3
The author doesn't seem to have ever visited google.com/recaptcha to know what Google refers to as different versions of its service. The author instead is talking about "versions of bot detection", ie. The "detect human mouse movement" was v2, "scan your Google history to see how human-like your activities are" is v3, and the author envisions "v4" as doing the silly things from the latter half of the article.
Google moved puzzles from interviews onto random Internet users ;-) There must be some sophisticated internal metrics registering increase of puzzle takers somewhere, with a hidden goal of increasing general intelligence levels, adversarial-style. It's the only scientific explanation! :D
In Firefox, log out of your google account, block cookies and enable the anti-fingerprinting features. Or just browse with Tor Browser.
You will start getting challenged more often, you'll find you're asked to solve several multi-select challenges in a row even if you get them right, the multi-select challenges will replace tiles after you select them, and the tiles will start fading in and out very slowly.
The most insidious thing about this two-tiered surveillance society is that its effects are invisible to people in the "good" class, and they insist on remaining ignorant of what happens if you're not in that class.
Google still has plenty of other tracking points on you. And of course reCAPTCHA looks reasonable to a prospective developer - it wouldn't be adopted otherwise!
If someone tells you it routinely takes 30 seconds to solve, you should really just accept their experience rather than discarding it with "works fine for me!". If you still need to see it with your own eyes, go setup a TOR browser and become one of the undesirables, rather than just imagining. You just might end up adopting the marginalized view.
Try using Tor and a real website that is using reCAPTCHA (I don't think they have their actual scoring system enabled on the demo). GP posted a link to a video of someone solving a single reCAPTCHA prompt for 2.5 minutes. I also regularly have to solve several CAPTCHAs in a row, often with increasing levels of image distortion.
Before being so brazenly dismissive of other people's experiences, take the few measly minutes it would take to actually try it out. Even doing a simple Google search with Tor Browser usually gives you a reCAPTCHA to solve.
I've experienced that in the past, without using tor, but using Firefox. I go to great lengths to block anything Google. Google Fonts, Google CDNs (and I now use Decentraleyes so CDNs are mostly not even reached). I have to explicitly unblock reCAPTCHA scripts for it to even work - or use a clean and disposable browser profile. I've occasionally seen the behavior on the video when I really need to access the page (though usually I just complain to the webmaster).
I once had to request a new password for my online bank account. I ended up asking the bank manager to reset my password, pretending that reCAPTCHA is preventing me from resetting the password myself. My bank is not paying me for solving captchas for Google's benefit (this is so screwed up…).
I have noticed recently that when using Firefox the need to repeatedly spot traffic lights or fire hydrants 5 or 6 times in a row seems to have gone away. It now seems that I only need to do it once now so perhaps someone at Google fixed the glitch?
No, I'm intending to make it hard for sketchy third-party ad companies to track me. Some ad networks can't even avoid serving malware, it's not realistic to expect them to competently safeguard my data.
It just so happens that Google's method for telling if I'm a bot or a human isn't just to show me mangled text, but also to use ad-network-style tracking.
In Google's defence this is probably an attempt to deal with captcha-solving-by-humans-as-a-service or something like that. I can't imagine Google employs many privacy enthusiasts who would spot a problem like this by dogfooding.
Forget your password a few times on a site that uses it (logMeIn and its products). You'll get an endless stream of challenges. I usually just give up and try again later
> I can't imagine it actually taking 30 seconds to solve a reCAPTCHA.
It happens to me quite frequently... but I block a lot of tracking. Sometime I give up if I was browsing just for fun... but my bank sometime use reCAPTCHA.
They have been putting some users through multiple challenges with a forced delay/throttling - so you need to actually answer 4 or 5 challenges with a minimum time per challenge of perhaps 5-8 seconds etc.
These users appear to be Firefox users who sandbox Google cookies. That said, it seems to have improved a lot recently (only one challenge)
In the past, I often spent more than 30 seconds on each recaptcha. It really is a problem. That improved by allowing google cookies but now every webpage with recaptcha I visit is being tracked by Google. :(
reCAPTCHA is turning into a punishement for those who don't want to consent to full tracking by Google.
Apple is working on their SSO project (Sign in with Apple); I hope they will also consider the use-case of being able to tell a site that you're a human without sending any information.
Recaptcha is a free mechanical turk for Google. Right now they re training waymo's cars, but soon they 'll need to train other networks. Prepare for "Click on all images showing intraductal papillary biliary neoplasm". C'mon, don t be lazy
What conspiracy theory? That's what Google say it is for:
> Hundreds of millions of CAPTCHAs are solved by people every day. reCAPTCHA makes positive use of this human effort by channeling the time spent solving CAPTCHAs into annotating images and building machine learning datasets. This in turn helps improve maps and solve hard AI problems.
My payment provider (Braintree) required me to implement reCAPTCHA v3, despite the fact that I had already implemented server-side fraud checks (MaxMind). I didn't have a choice if I wanted to continue taking credit card payments.
The specifically told me to use reCAPTCHA v3. I don't know if they would have accepted another one. I didn't want to take the time to research them. Honestly, from a UX perspective I also preferred the "no user interaction" part of reCAPTCHA.
It depends what value there is in an account, but for a service I run, I just let the bots sign up accounts.
Accounts don't really cost me anything, and they get automatically deactivated if they didn't get any activity in the first 30 days anyway. Activity on my service costs money, so if someone wants to make a bot that pays me money, I have no problem with that.
The only time I'd consider implementing something like reCAPTCHA is if I was giving something away for free (e.g. a free trial) such that a signup actually had a cost for me.
If you collect email addresses, then yeah that's a concern. Then again, if you send a single activation email and never send another email unless the link is clicked, there's no value to the bot in signing up accounts, so it's unlikely to be a major problem.
I'm glad someone is talking about this and we can have a healthy discussion about it. Things like PrivacyPass[0] are a step forward, but for those who don't know about such a tool, they will continue to be 'tortured' and get repetitive strain injury from constantly having to solve recaptcha v2, at least, well if they browse under Tor heavily and will have to pass recaptcha's test multiple times, and even after proving they were not a bot countless times.
You will find the Google ecosystem is more joined up than you realise. If you use the DNS it will make the search engine results more personal, if you block everything to do with google at the firewall level, you will find recaptures don't actually work, you can spend an hour before it comes up with a web page where you have reached the end of all the recaptures you could possibly do. If you use Firefox, and write addons, you will find the addons don't work, their website api's, analytics, absolutely everything to do with Google is joined up so the internet is one giant Google Panaopticon. Don't believe me, try it for yourself, lock everything down at the firewall and see for yourself.
> If you use the DNS it will make the search engine results more personal
Google claim not to use DNS in this way:
> Is any of the information collected stored with my Google account?
> No.
> Does Google correlate or combine information from temporary or permanent logs with any personal information that I have provided Google for other services?
The problem with PrivacyPass is that it is a (not nearly as peer-reviewed as Tor) privacy-related cryptosystem that lets you bypass the reCAPTCHA that CloudFlare put in your way in the first place.
Using it with Tor is almost certainly not a good idea because it changes your own behavior from other Tor users thus compromising your anonymity (and the Tor folks are not in favour of PrivacyPass, because they think the solution is that CloudFlare shouldn't be putting the reCAPTCHA in the way in the first place). And that's assuming that the cryptography is actually solid and there is no way to distinguish between different PrivacyPass users. Tor has decades worth of research put into it -- what level of scrutiny does PrivacyPass have? How many people actually use it and how many have tried to break it?
> When 80% of traffic from an IP is malicious and the other 20% is regular traffic, but both sources look like the same traffic (impersonating browser headers, sometimes running headless chromium), what else can you do? Cookies and stateful cookie-like objects, such as privacy pass.
I agree that reCAPTCHA (all versions) are terrible. (At least, sometimes it is possible to avoid the problems by selecting the audio CAPTCHA, which tends to work better as far as I can tell.)
Instead, use the protocol-independent CAPTCHA. It is a SASL mechanism, which sends a challenge with plain ASCII text (and may include line breaks), and then accepts a single response of plain ASCII text, and then the server decides whether or not the response is acceptable. The similar thing can also be done with a simple HTML form, but using SASL would then allow working with any protocols and work with command-line interface just as well as HTML interface, too.
289 comments
[ 1902 ms ] story [ 1157 ms ] threadThe proposed solution would replace captcha entirely, but to my knowledge nobody has tried it.
i've had success with bayesian filters and shadowbanning myself, but it does require some effort.
I would happily pay a monthly fee to get around these ridiculous captchas, even though it's absurd to have to do so.
Of course, the Tor folks told the CloudFlare folks about this many years ago and CloudFlare still acts as a giant censorship machine and continues to block anonymous users from reading content on the internet. Not to worry though -- you can install their extension[+] to "protect your privacy" to bypass the reCAPTCHA that CloudFlare themselves erected in front of other people's websites! It's definitely not in any way comparable to an arsonist selling fire insurance as a side gig -- at least with fire insurance you actually got something out of the exchange!
[+] Which does have a paper that explains the security of the cryptosystem, but a single paper does not make a protocol secure by default. I'm not a cryptographer, but the Tor folks did raise some concerns in the issue where PrivacyPass was discussed, and there's no doubt that combining Tor with a system that is nowhere nearly as battle-tested should be a major point of concern.
Do I wish there was an alternative to aggressive ads and tracking? Hell yes. Do I want to pay every website individually for what I view? Nope, and companies don't either because it would massively hurt their growth for people coming in new.
I would argue a "better" framing designed to emotionally manipulate would be "why are you trying to block people in oppressive regimes from being able to read about the outside world and organise themselves, putting them in danger of being murdered by their government"? But it would be dishonest to make the discussion about "why do you want to kill people", just as it is dishonest to make the discussion about website business models.
Advertising is related here because recaptcha's use of tracking, primarily used for advertising, as a factor in determining their score for users and also because blocking ads/tracking is part of the cause behind people's issues with recaptcha.
Picture captcha every time.
I'm not sure why they bother, since I'd find it more suspicious if say someone is coming from a Russian IP address but has UTC set and not a Russian timezone...
I imagine it's partly because I don't block cookies (I whitelist sites that get to store them across sessions and everything else is then session only).
If 10% of web developers used Tor on weekends, no website would use reCAPTCHA because they'd realise how painful it is to certain users. I run a Tor relay (non-exit) at home, and now I get more reCAPTCHA even though there's no possible reason to assume my home IP is "bad". I'm still going to run my Tor relay -- I just think it's interesting to note that users are being punished by a giant MITM-as-a-Service company for trying to help other people use the internet anonymously.
So I wish them luck while hoping that they’ll go die in a fire.
Manifest v3, tracking everything, this... Only validates my decision to scrap all Google services 2 years ago.
"You probably don't need ReCAPTCHA" [0] is an article discussing techniques that has had decent discussion [1] on HN before.
[0] https://kevv.net/you-probably-dont-need-recaptcha/
[1] https://news.ycombinator.com/item?id=20158386
Yeah, if you're signed into Chrome and Google has enough information to know who you are (yes, I know the new one is score-based…this just means that anyone who isn't the above is going to get a poor score and be blocked.)
No, I'm not joking.
What I really hate about recaptcha v2 are those artificial delays before loading the next image (which it can happen to several times on a single card). And then in the end you frequently fail, despite answering everything correctly.
Yes.
> My understanding of recaptcha v3 is, that it just gives you a score for how well google can track you and then leaves it up to the site operator to block users who aren't transparent enough.
Yeah, that's the one where you're supposed to put it on every page of your website so that Google can collect more information on your users. If they can't, they'll return a low score that you'll use to mark users as "bots".
> What I really hate about recaptcha v2 are those artificial delays before loading the next image (which it can happen to several times on a single card). And then in the end you frequently fail, despite answering everything correctly.
I think this is just what Google does when it thinks you're a "bot": i.e. they don't know who you are.
I do wonder why though. For a long time, I assumed it was a rate limiter, but then another HN commenter pointed out to me that time is more valuable to humans than bots. Bots can work on multiple captcha's in parallel.
I've become accustomed to just closing any page that presents me with a v2 reCAPTCHA.
I'm waiting for the day when it pops up "find the humans" and there's someone clearly wearing CV-camouflage. For anyone that doesn't get it: you let that human hide, because it could be you in twenty years.
Edit: Unless, it occurs to me now, Google is monitoring how the user responds to the fade in. When in the fade process do they click the square, for instance.
Still seems like it wouldn't be all that helpful, though.
Maybe this is to prevent adversarial learning? If the images reload immediately, then the bot can learn (via a neural network) whether its solution was good or not. If there's a delay, it's the same, but the learning is slowed down by the same factor.
No idea if this is true, it just popped out of my head.
There's more saleable data to be collected tracking people's interactions in a website, under the guise of predicting who's a bot.
Or, for absolutely everyone: pretend you're blind and click on the audio captcha option. It takes seconds to solve and is trivial 90% of the time :)
Can't think of a "normal" website using it.
It just scores you and the dev can punish if needed
https://developers.google.com/recaptcha/docs/v3
Also when it asks to select all the cars. Is a bus a car? Is a truck a car? I really don't know what it is expecting and I must pick wrong as I often fail.
People generally don't take pictures of rolling green hillsides. But they very often take pictures of rolling green hillsides with sheep on them. So if you ask the robot to draw a picture of rolling green hillsides, it will include sheep. Or, if you ask it to draw a picture of the savanna, it will want to include giraffes.
Now you're being asked to find a bus in a photo without a bus because it's a street scene, and every street scene has a bus in it.
I haven't read her book, yet, but her Twitter[2] is often full of amusing anecdotes like this.
[1] https://aiweirdness.com/
[2] https://twitter.com/JanelleCShane
Don't humans do this too, though? If I asked someone to draw a picture of rolling green hills, they may well add sheep as an additional detail.
I haven't done the experiment, but I'd posit that if you walked up to a group of 8-year-old children, gave them crayons, and asked them to draw pictures of "rolling hills", a significant portion would add sheep, cows, flowers, or some other details—even though a majority of rolling hills in the world don't have any of these features.
Your goal shouldn't be to answer the question earnestly, but to confirm the machine's biases. Going with the flow is expedient, as well as giving Google less support.
It gets more frustrating when it's less clear. Is "click the hills" with a picture of a mountain a mistake, or a trick? Should I click all the tiles that contain a bus, even if it's only one pixel, or should I only click the ones that mostly contain a bus? etc.
Hopefully these rules of thumb will help someone reading this find these captchas less frustrating.
Does anyone knows a recapthca2-like service/software, that would help solve such tasks (OCR, object recognition..) on a custom provided dataset ?
It could provide an alternative to recaptcha, and a "Mechanical Turk"/crowdsourcing for universities, institutions or companies to help solve some of their repetitive tasks.
I switch services whenever it is possible and I see a reCAPTCHA prompt.
(I am a human.)
And because I value my time you risk simply not having me contact you if you use any kind of captcha.
Basically the same they'd do with e-mail.
Several times I was prevented from complaining about something to a company that didn't have a public e-mail address, but only a contact form with captcha, just because that day, google decided they'll fail all my recaptcha attempts, and tell me "sorry we think your computer is sending automated queries" and wouldn't even allow me to try any futher.
It really doesn't help if I'm in a negative midnset about the company already. I've completely stopped using shipping companies that put tracking info behind recpatcha, for the same reason, although that's a different thing from contact forms and a bit harder to manage. But contact forms should not be blocked with recaptcha.
Outright blocking communication is a poor taste. Accept all communication and use automated mechanisms to filter through it on your side.
BTW, this is even worse for users that block re-captcha via adblocker or something, because you often lose the entire text you were about to send. So the next attempt you're even angrier.
If I use Safari private mode (each tab has its own cookie store) or Firefox with containers and cookie auto delete extension every tab I open, every page I visit gets a brand new Google session. Obviously, Google treats my like a bot.
Sadly, I don't think the author knows the difference between v2 and v3. The article is definitely not talking about v3.
This seems to be the best strategy for getting to the top of the front page these days. Even better if the target of the emotionally charged language is Facebook, Google, or Amazon.
> I don't think the author knows the difference between v2 and v3
The author doesn't seem to have ever visited google.com/recaptcha to know what Google refers to as different versions of its service. The author instead is talking about "versions of bot detection", ie. The "detect human mouse movement" was v2, "scan your Google history to see how human-like your activities are" is v3, and the author envisions "v4" as doing the silly things from the latter half of the article.
0: https://news.ycombinator.com/item?id=20158386
I can't imagine it actually taking 30 seconds to solve a reCAPTCHA. That needs a citation.
You will start getting challenged more often, you'll find you're asked to solve several multi-select challenges in a row even if you get them right, the multi-select challenges will replace tiles after you select them, and the tiles will start fading in and out very slowly.
See https://www.youtube.com/watch?v=en5KSZSpDFY for an example video.
These are (AFAIK) intentional features deployed Google - you just don't see them if they can already track you via something like your Google account.
Took me all of 5 seconds to solve
Google still has plenty of other tracking points on you. And of course reCAPTCHA looks reasonable to a prospective developer - it wouldn't be adopted otherwise!
If someone tells you it routinely takes 30 seconds to solve, you should really just accept their experience rather than discarding it with "works fine for me!". If you still need to see it with your own eyes, go setup a TOR browser and become one of the undesirables, rather than just imagining. You just might end up adopting the marginalized view.
Before being so brazenly dismissive of other people's experiences, take the few measly minutes it would take to actually try it out. Even doing a simple Google search with Tor Browser usually gives you a reCAPTCHA to solve.
?? I did try it exactly as was requested of me. I didn't know where to find a recaptcha so I went to the demo page.
It's possible the video is the result of a bug and not normal behaviour. I wouldn't know as I don't often browse with tor.
I once had to request a new password for my online bank account. I ended up asking the bank manager to reset my password, pretending that reCAPTCHA is preventing me from resetting the password myself. My bank is not paying me for solving captchas for Google's benefit (this is so screwed up…).
The biggest offender is CloudFlare for me.
Well, now you do (though I was a bit of an asshat in my parent comment, sorry about that):
> Even doing a simple Google search with Tor Browser usually gives you a reCAPTCHA to solve.
You can get the Tor Browser from [1].
[1]: https://www.torproject.org/
It just so happens that Google's method for telling if I'm a bot or a human isn't just to show me mangled text, but also to use ad-network-style tracking.
In Google's defence this is probably an attempt to deal with captcha-solving-by-humans-as-a-service or something like that. I can't imagine Google employs many privacy enthusiasts who would spot a problem like this by dogfooding.
It happens to me quite frequently... but I block a lot of tracking. Sometime I give up if I was browsing just for fun... but my bank sometime use reCAPTCHA.
These users appear to be Firefox users who sandbox Google cookies. That said, it seems to have improved a lot recently (only one challenge)
Apple is working on their SSO project (Sign in with Apple); I hope they will also consider the use-case of being able to tell a site that you're a human without sending any information.
> Hundreds of millions of CAPTCHAs are solved by people every day. reCAPTCHA makes positive use of this human effort by channeling the time spent solving CAPTCHAs into annotating images and building machine learning datasets. This in turn helps improve maps and solve hard AI problems.
https://www.google.com/recaptcha/intro/v3.html (under "Creation of Value - Help everyone, everywhere - One CAPTCHA at a time.")
Accounts don't really cost me anything, and they get automatically deactivated if they didn't get any activity in the first 30 days anyway. Activity on my service costs money, so if someone wants to make a bot that pays me money, I have no problem with that.
The only time I'd consider implementing something like reCAPTCHA is if I was giving something away for free (e.g. a free trial) such that a signup actually had a cost for me.
[0] https://privacypass.github.io/
Google claim not to use DNS in this way:
> Is any of the information collected stored with my Google account?
> No.
> Does Google correlate or combine information from temporary or permanent logs with any personal information that I have provided Google for other services?
> No.
https://developers.google.com/speed/public-dns/faq
Using it with Tor is almost certainly not a good idea because it changes your own behavior from other Tor users thus compromising your anonymity (and the Tor folks are not in favour of PrivacyPass, because they think the solution is that CloudFlare shouldn't be putting the reCAPTCHA in the way in the first place). And that's assuming that the cryptography is actually solid and there is no way to distinguish between different PrivacyPass users. Tor has decades worth of research put into it -- what level of scrutiny does PrivacyPass have? How many people actually use it and how many have tried to break it?
> When 80% of traffic from an IP is malicious and the other 20% is regular traffic, but both sources look like the same traffic (impersonating browser headers, sometimes running headless chromium), what else can you do? Cookies and stateful cookie-like objects, such as privacy pass.
Instead, use the protocol-independent CAPTCHA. It is a SASL mechanism, which sends a challenge with plain ASCII text (and may include line breaks), and then accepts a single response of plain ASCII text, and then the server decides whether or not the response is acceptable. The similar thing can also be done with a simple HTML form, but using SASL would then allow working with any protocols and work with command-line interface just as well as HTML interface, too.
Hmm, if only I could read Bengali, I could tell if this were a storefront or not.