I'm not sure how well this will actually work against a determined attacker. The browser challenge takes less time and money to automate than the already existing captcha solving services that use actual humans to enter the captchas.
Although I'd certainly prefer something like this being the default approach over hostile measures like Recaptcha v3, which just outright deny a subset of your users access.
If this is essentially a hashcash, what prevents them from swapping that out for a cryptominer after getting an established user base (if they aren’t already mining)?
This is not a quick process, even for legitimate users. I am on a quite-capable computer, and it takes long enough that I am all but sure it will harm conversion rates.
I question the assertion that this is expensive for spammers. The whole premise is that a spammer would not consider this worth the cost, and do something else with the computing power instead. Why? It completely depends on what the captcha is being used for.
Yeah, thats the same state of affairs as traditional captchas. There are sites where you can pay under a cent apiece to have real humans solve your captchas. This is just shifting the cost from human capital to compute, it will suffer the same limitations.
Not in my experience on large websites. If "all it takes" is round tripping the audio component through speech-to-text, then it's apparently annoying enough at scale to stop the vast majority of spam.
Also, automating something in a browser extension is basically the easiest place to automate something because it's just done once per user, with their cookies/sessions/ipaddr, very infrequently.
So that a browser extension exists for something doesn't mean it's trivial at larger scale. I doubt Google cares about the usage pattern that Buster gives people since it alone is not abuse, just normal people filling out the someodd <form>.
Gave up after a full minute of waiting on a 2014 low-end phone. I thought the idea was to be LESS annoying than Google. This is a valiant effort, but it will drive away poor people while only incrementally impacting efficiency rates for bots.
Honest I think this is worse than ReCaptcha. At least with ReCaptcha I know I am helping someone somewhere labelling their data and possibly used for autonomous driving.
With this captcha I feel like I'm just wasting world's energy on useless computations.
ReCaptcha is terrible. They gaslight you into thinking you got answers wrong just to make you annotate more training data for them. Secondly they are entirely ineffective against spam. Right now I am just using a browser extension that automatically solves them for me and it works almost every time.
Google doesn't care about fighting spam they just want to exploit people for free labor in the name of 'security' just like they are going to kill ad-blocking and fingerprint protection in the name of 'privacy'.
Sometimes, I get some North American food items in recaptcha in India, which I'm quite sure not many have heard in this part of the world; I wonder what decision process went through in selection of food images.
Any effort you put into solving it can do one of two things: prove you are human, or help label data. It can't do both.
The only way to have it do both is to make you put twice the effort into it. If you are thinking one comes as a byproduct of the other, though, you haven't really thought it through.
Other idea: Something like Proof-of-Elapsed-Time.
A click on the verify button requests a token from the server. The server performs the action if the token is old enough.
-> No battery drain; equal waiting times for all users.
Because a bot can request multiple tickets in a row, then submit them rapidly as they expire. Proof of work means the bot did the work for each request.
It's hard to build this to have a good user experience on a multitude of devices. Having human challenges like ReCaptcha has its own weeknesses, but the world is like one big GAN when it comes to this approach.
An atypical use of the term as commonly understood, but I don't think it falls entirely outside of the definition since it is an automated test that is attempting to distinguish humans.
On an Intel Celeron B820 @ 1.70Ghz laptop, it took more than 40 seconds to complete and consumed 1% of battery in the meantime. The "complex equations" you are doing will not work on low-horsepower devices like phones or low-to-medium level laptops.
Just performed several trials on my OnePlus 6T. It took 4, 14, 1, 1, 5, 3, 8, 4, 19, and 24 seconds for an average of 8.3 seconds over 10 trials. That's more than comparable to the time it takes me to solve one of Google's monstrosities.
Tried on my Blackberry Keyone just to see, and it was well under a minute. Timed it after refreshing the page, and even my 2017 mid-range is under 10 seconds.
Granted, Google Apps are disabled, so it may have been one less thing eating up CPU cycles in the background that made others so slow?
I tried out of curiosity, and it doesn't even load on one of my machines (in two different browsers). And no, I am not inclined to debug their product for free.
I left the page after about a minute of waiting on my phone. Making my users wait isn't a realistic solution, and bots have _far_ more CPU horsepower at their disposal than most smartphones, especially if they're operating from a botnet as many tend to do. Even if this did stop bots, it's also going to piss off real users, which is exactly what it appears to be designed to prevent.
I don’t like being used, I’m already doing you a service by jumping through these hoops. Being asked to train your neural network or provide other computing resources is a perfect way for loosing me as a customer.
There's no accounting for niche preference of course, but at less as far as understanding the feasibility of an approach like this: I don't think most people have the "cut off their nose to spite their face" impulse that you're describing here: if a captcha is more usable for the user _and_ helps the company, most would just see that as a win-win.
You do use your computer power to solve math but it doesn’t benefit us in any way. We don’t use it to train any AI or anything like that. We don’t even store personal information. Just aiming to be a simple one-click tool so it has to be computationally difficult.
54 comments
[ 3.4 ms ] story [ 99.4 ms ] threadAlthough I'd certainly prefer something like this being the default approach over hostile measures like Recaptcha v3, which just outright deny a subset of your users access.
For example, CoinHive shut down.
Also, automating something in a browser extension is basically the easiest place to automate something because it's just done once per user, with their cookies/sessions/ipaddr, very infrequently.
So that a browser extension exists for something doesn't mean it's trivial at larger scale. I doubt Google cares about the usage pattern that Buster gives people since it alone is not abuse, just normal people filling out the someodd <form>.
With this captcha I feel like I'm just wasting world's energy on useless computations.
Google doesn't care about fighting spam they just want to exploit people for free labor in the name of 'security' just like they are going to kill ad-blocking and fingerprint protection in the name of 'privacy'.
The only way to have it do both is to make you put twice the effort into it. If you are thinking one comes as a byproduct of the other, though, you haven't really thought it through.
Granted, Google Apps are disabled, so it may have been one less thing eating up CPU cycles in the background that made others so slow?
Just to calibrate a little, I did it on my (midtier, six month old) phone just now and it took three to four seconds.
https://wehatecaptchas.com/load.php?name=captcha-worker.js
Proof of work is trivially parallelizable, and 2^(5*4)=1048576 options are super easy to go through for spammers.