Ask HN: Any good FOSS alternative to Google's reCAPTCHA?
Google's reCAPTCHA is everywhere, they seem to have the monopoly of checking if the user's not a robot.
CAPTCHA systems are essentials to the web, and it seems important to me to have a (good) FOSS alternative, but I can't find any.
Are all CAPTCHA closed-source to make it harder for attackers? Am I missing something?
138 comments
[ 2.5 ms ] story [ 228 ms ] threadIt's not FOSS, but seem to be a viable alternative to give a go. So far it does the job, though the images load a little bit slower than recaptcha
Some sites that are the only source of what I'm looking for will be fine, but most I just bounce from now.
* https://github.com/Lokno/click-captcha
* https://www.phpcaptcha.org
* https://source.netsyms.com/Netsyms/Captcheck
I think this is what makes Google's approach powerful because they have the best view on IP addresses used worldwide. (Whether that's desirable is still another question).
Think: rate-limit, IP rating/scoring, your own filter on messages, etc.
It just analyse the traffic and give the site owner a score [0.0 - 1.0] on how sure they are the visitor is human.
They don't explain how they calculate the score, but from my usage it's pretty accurate. They suggest to consider at first anything higher than 0.5 to be a human.
But yeah, it's probably not common for sites to 'upgrade' to v3. Recaptchas are a feature you begrudgingly add and v3 puts the onus on the product to decided what to do when there's a low score, so its pretty different.
Announcement: https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptch... Discussion on HN:https://news.ycombinator.com/item?id=22812509
Firefox through a VPN and every site that uses hcaptcha throws this up and doesn't let me in.
You're the one who is responsible for this web cancer? You purposefully disable access to VPN users and then try to pass off a "privacy pass?"
Destroying people's businesses is not nice. That's why no one cares about security, "security engineers" don't test or measure the impact of their strict measures.
It almost feels like that the inconvenience of using a multi-layered system equates to the people who want to get back to eating in restaurants while in the midst of a pandemic and will then complain if they catch Covid-19...
Safe? From what? Is comment spam or increased traffic/CPU load on your server now a threat to users' safety?
> It almost feels like that the inconvenience of using a multi-layered system equates to the people who want to get back to eating in restaurants while in the midst of a pandemic and will then complain if they catch Covid-19...
Excuse me, but you seem to have forgotten that your mouth is between your other cheeks.
EDIT: In case I wasn't absolutely clear, OP is talking completely out of his/her ass and deserves to get called out on it. It's not exactly polite to compare people who don't like CAPTCHAs to public-health-endangering hypocritical idiots.
But I must give 100% points to DO support. Before leaving them I sent one last support ticket to DO with the recording my nightmare in a mp4 file and lo and behold they changed their entire login flow for me (1). I no longer see that and life is good again.
(1) https://imgur.com/a/GKJHhtT
The days of reading images as validation are going to be one of those "remember when" moments on the internet.
Or do these websites use older versions?
I swear the algorithm is:
It makes me wonder, are bots really more likely to use FF and ad blockers? Whenever I write scrapers and want to come off as human, I always use headless chrome spoofing non-headless chrome, and I never get captchas...I’m also vaguely aware of headless chrome botnets used to mine ads. They definitely don’t use uMatrix. :/
Is this anticompetitive in some way?
The algorithm simply checks to see how often you check in with Google and how "human" your actions are based on the data you send to them via things like Search, Maps Location History, YouTube, Gmail, probably Chrome Sync, etc.
If you're using a completely new Google Account and block all of Google's Trackers, choose to use FastMail for your actual email communications, and only occasionally watch YouTube, Google has every reason to believe your IP is a residential proxy that's being used by a bot or perhaps someone in a third world country working at a recaptcha farm. They can't completely prevent the latter from solving their Captchas but at that point all they need is for the farm worker to help Google tune its self driving dataset.
The problem with this new system is that it doesn't solve the problem developers wanted to solve before: preventing unauthorized signups. Most developers don't want to know how likely it is that a user is actually a bot, they just don't want bots signing up for user accounts. With the new system, Developers have to decide what to do with a threat score. Should 0.5 require some interstellar page with a v2 captcha? Does a 1 or 0.9 mean they should give them access to certain data that might be otherwise hidden from boys? It's something developers generally didn't need before.
We likely won't see the "i'm not a robot" checkbox (/invisible recaptcha[1]) go away anytime soon since v3 solves different problems, but it does mean websites might start sending you down different verification funnels depending on how human Google thinks you are with no way to solve a Captcha that proves Google otherwise.
0: https://developers.google.com/recaptcha/docs/v3
1: https://developers.google.com/recaptcha/docs/invisible
Or for example, a fixed question "What color is the sky?" or something can reduce spam by orders of magnitude relative to nothing at all.
That, or a slightly harder variation, might also have the benefit of slowing down human trolls. But the answer should be easy for any legitimate user of your site. And of course easy to check automatically.
Well, the answer is obvious:
> The sky above the port was the color of television, tuned to a dead channel.
I hope this is the good answer you support on your page.
On the other hand there is no one answer to this question, as the proper answer should begin with "it depends...". Currently, the sky is totally dark grey, storm is coming. Soon, it will be dark, so the sky will be black.
I think your "captcha" is broken.
(Edit: suggested earlier elsewhere in the thread by tyingq: https://news.ycombinator.com/item?id=23090550 )
Does the above honeypot work well with bots using headless browsers? Or is actually rendering the page not common enough for bots still?
One thing that works still is using Javascript to create a hidden field and make that field mandatory. Run of the mill bots don't run Javascript yet. However this will exclude people who have disabled Javascript in their browsers.
[0] https://github.com/ZYSzys/awesome-captcha
Add rate limiter instead and put CF infront or something similar. Way better experience then any captcha.
In case you still want it here is solid one:
https://github.com/dchest/captcha
I have a terrible / incomplete / janky proof-of-concept version at [2] that you could build from, or you could find one that was built for your CMS / language du jour.
[1] https://en.wikipedia.org/wiki/Hashcash
[2] https://github.com/007/hashcash
Looks like your repo is https://github.com/007/hashcash-js
But, cool! Thanks for sharing.
Lets say you have a comment section on your site where any user can write stuff.
More often than not a hidden field which should not be filled (the honeypot method) and a spam filter gets the job done no problem.
For registrations it can be more problematic because the spam filter does not work that well.
I have yet to find a good alternative to commercial captchas as well but rolling your own solution is possible.
And probably even the best idea because if every site has its own weird system it would make the life of bots quite hard.
In the end a dedicated attacker can always hire people to fill the captchas and circumvent any system for an astonishingly low amount of money.
Data can be used by their ddos protection scheme but that's all about it, not to be sold to advertisers or other firms.