Google's Captcha in Firefox vs. in Chrome(grumpy.website) |
Google's Captcha in Firefox vs. in Chrome(grumpy.website) |
misleading
I am working on a micro-payments system (based on mutual credit) that should allow to pay something like $0.001 instead of solving a captcha. If this would introduce zero extra friction, would you consider using this kind of solution over the traditional captcha?
Funny thing is I haven't used chrome in months so it should be the other way round!
If you’re primarily trying to stop bots and similar take a look at https://www.kasada.io/
Site owners can choose not to use google's recaptcha2 but it has become the de facto standard now so no one cares.
I'm not sure whether I'm glad to find out it's (also? only?) because they hate Firefox.
Also, good to see that it's a more widespread issue with these captchas too, I somehow thought that I am just bad at solving them :)
https://developers.google.com/recaptcha/docs/v3
Of course, you need to have cookies enabled.
If you do any browser in ignonito mode and/or use VPN or Tor you are going to get persona no grata treatment because it is likely your source network and IP address have caused a lot of problems before. The only way to go around is to have some permacookie on your browser saying you are a good citizen.
Has anyone posted a technical analysis of the changes? I’d love to read more about it.
maybe it's because i don't use umatrix (i only use ublock origin)? maybe because i'm always logged-in in at least one google account?
That's likely a primary reason.
Does this mean that Google knows enough about me (ie, privacy leak) that it's choosing to not having infuriating UI?
I feel like every captcha is about a street scene of some sort... house numbers, cars, motorcycles, hydrants, stop lights etc.
After reading comments in this thread, now I realize this is intentional thing against Firefox.
Damn Google. what happened to your "Don't be evil" beginnings ?
That said, it still forces you do to work for its self-driving car effort.
- is generally easier to solve (download the sound clip using curl or wget, type in the nonsense it says, done)
- does not turn me into a mechanical Turk training Google's AI
- works in 'any browser' by circumventing the browser (by using wget/curl), thereby not allowing Google to punish me for not using their dragnet/browser.
I’ve been wondering about that. Are you sure you’re not training their speech recognition AI?
I filed a bug report, only one version of it is fixed, later versions were just displaying same old pages.
It's not Firefox that's the problem; reCAPTCHA works just fine on Firefox. It's all those anti-tracking measures you installed and enabled -- they work by making your browser indistinguishable from a low-quality bot, kicking the website into self-defense mode. The slow fade is a rate-limiting measure. It's annoying to you, but it's more annoying to people trying to automate login attempts.
The site is attempting to protect your account by preventing automated attacks against it. Meanwhile your browser is doing it's best to look like a shell script, refusing to send any sort of behavioral feedback or distinguishing characteristics that might give away the fact that you're a human.
So the question is: is it really worth alienating those quirky, paranoid users who take extraordinary anti-tracking measures, just to protect your normal users from automated attacks?
Yes.
Of course it is.
If it's your bank's site, move a bank. You say "oh, it's a lot of work just for some captcha"; yes it is, but this is the only way this clowns will learn. When 1000 people leave a bank for a competing one and say "I left because your site employs captcha", it will magically disappear. I've seen it happen.
For reference I post regularly on 4chan (not compulsively but maybe a dozen comments a day on average) and if you don't have a pass you have to fill the captcha every time. I only use Firefox. I definitely experienced what this video shows on Firefox in the past (the super-slow loading images) but it felt more like a bug than anything else and it doesn't represent the typical experience. Maybe I tripped one of Google's bot filters somehow and I ended up with a reinforced captcha, or there was a bug somewhere.
The Chrome section of the video is a lot closer to what I see usually, but they make me go through two challenges in a row typically (although that might be 4chan's settings at play).
I'm all for the Chrome hate if it means that people switch to Firefox but I think we need harder data than a short video to call shenanigans on that one.
Off topic rant: the fact that a post with such lack of substance manages to reach 700 votes in 3 hours is frankly depressing, it has no place on this website IMO.
The starting level, I suspect, is heavily influenced by browser settings and many other factors. With that in mind, and assuming that
1) trust inversely correlates with anonymity,
2) people using Firefox tend to be more tech-savvy and careful about their privacy, and
3) tech-savvy people using Chrome probably won’t bother locking it down, since it “talks to Google anyway”,
I’d be disinclined to believe Google actually discriminates against browsers—no matter how compelling a narrative this may seem—until I have a complete picture of OP’s setup (from browser settings to OS and connection).
[0] Last year there was a period I was getting many captchas (either my location or AWS VPN caused me to be considered “untrusted”); I actively tried to figure out how to get past it without giving the algorithm what it wants, so I could go through a dozen of these captcha screens in one browser window. I use Safari, Firefox and Chrome routinely.
When logging into an account I needed to log into, maybe a couple years ago, they'd jerk me around in the manner of this grumpy.website example, but more. One time, it went on for several topics, for what seemed around 10 minutes. I pay money for that account.
This obnoxious annoyance is in addition to the offense of some company letting third-party code from a mass-surveillance company not only into their pages (which almost every company with a Web site does, sadly) but also into their authentication page. Much more important services on the Web do not need captchas for login to accounts that were paid for. Now, every time I get a hassle to log in to my account I pay for, plus directly leak that info to a surveillance company. It makes me regret paying money for the account, like the company are oblivious or don't care, and I won't have much loyalty when the right competitor appears.
On a different note, this also makes it difficult to use such websites if you block google domains in your adblocker for non-Google sites.
I honestly think this was the reason why Captcha's bot was so passive-aggressive :D
It’s because Google can’t read as much about you in more privacy based browsers, so you have to prove yourself.
Not saying it’s right, but that’s the reason. It needs to be changed.
We've seen this before. We'll probably see it again.
Here's an extension to use those services in the browser so you never have to solve one again: https://addons.mozilla.org/en-US/firefox/addon/recaptcha-sol...
That's assuming you can't get Buster to work.
But in fairness to Google, the promise of their new Captcha system is that it uses all of your previous browsing history across the web to determine how likely you are to be a bot. You can't do a fair apples to apples comparison unless the browsing history and behavior is the same across both browsers.
1) https://www.onlineaspect.com/2010/07/02/why-you-should-never...
I keep seeing reCAPTCHA installed on very low security sites that don't seem like targets for automated bots. I'm wondering if they have some external incentive to install it.
And btw I hate reCaptcha. Is it really only option to fight with spam? When I see it on sites, like dhl parcel tracking, I get mad. I always ask why? Can they just block suspicious traffic, or at least not display captcha on first attempt.
I get the first few selections right, so the algorithm knows I'm trustworthy. Then I purposefully get the last ones wrong. This way, I'm still validated by the captcha and I get to show the middle finger to Google.
Now I smile every time I'm faced with reCaptcha :)
Highly recommend. It does take some time to figure out the patterns (when to get it right and when to get it wrong), but once you do, it just works.
This is why Google should be broken up -- it should be forced to spin off Chrome into a separate company with a business model similar to what Firefox has.
If you're a developer, please consider replacing reCAPTCHA on your site with an alternative. reCAPTCHA discriminates against people with disabilities and those who seek privacy, and it gaslights you into thinking you did not solve the challenge correctly, which is plain cruel.
Here are some reCAPTCHA alternatives: https://www.w3.org/TR/turingtest/
All of the "interactive stand-alone approaches" from that page can be beaten with run-of-the-mill OCR (other than perhaps the 3d challenge) and with almost any mobile phone speech recognition engine (and, if the attacker has the money, can send it off to Google's cloud speech-to-text).
All of the non-interactive approaches from the page require this constant tuning and upkeep to make sure bots aren't able to sign up/abuse systems. There's also not \that\ secure if your website is targeted and scripts are made specifically to avoid your anti-abuse methods.
Sure great, but when I see behavior like the above, I just hit back and add the site to my routers firewall black list. If its this much of a PITA to "solve" a captcha, CORRECTLY but I keep getting the middle finger I don't give a crap anymore. Your site isn't worth going to if I have to spend literally minutes "solving" captchas for googles stupid ai which is treating me like prove i'm a bot even when I prove i'm not.
Just realize by using recaptcha this is what you're forcing some users to deal with. And I deal with it by making sure I never come back to your site ever again when you've wasted minutes of my time just to try to get to your page. Even if its googles fault for being jerks, I don't care. You choose to implement it.
Ok rant mode off and stepping off my personal soap box.
Why make me solve a Captcha to see static content?
Why make me solve a Captcha to log in when I've already completed one to register?
Why make me solve a Captcha to pay utility bills? Is there some underground group of deviants going around surreptitiously paying other people's utility bills? The monsters.
Ironically, Google has committed at least $75 million and likely hundreds more of fraud, via stolen refunds and stolen banned-account balances!
https://www.businessinsider.com/google-emails-adtrader-lawsu...
There are also ways to reduce the damage reCAPTCHA causes, such as keeping it out of the default UX path. Discord for example will show a reCAPTCHA challenge on the login page only if you are signing in from a new location.
reCAPTCHA cannot effectively defend sites against targeted attacks either.
You're posting this in response to an automated recaptcha solver. Clearly recaptcha also has trouble staying ahead of bots.
It seems to me that any simple automated test at the entrance is inevitably going to be easy to solve by bots, especially when it's a one-size-fits-all test like recaptcha, so bots have only a single target to aim at. A small-scale unique test will be more successful simply for that reason.
But it seems to me that the better way than to ban bots together with humans who fail to pass your Turing test, is to check for the behaviour you want. If you don't want spam, have a system to recognise spamming behaviour, rather than traffic lights.
My only problem with recaptcha is when audio doesn't work (google decides I'm spamming their network… sure…). Because their audio validation seems to use only one rule that says "letters where typed". So I'm not sure how being able to beat it with voice recognition makes it worse.
Create a dozen models based on different things. Street signs, cats, houses, cars, etc. Then show the user a random selection of images generated from different models and say "select all the cats" and they get it right if they choose the images generated from the cat model.
additionally, lots of schools now require their students to use google services.
I hope there is a privacy lawsuit in the future to stop this sort of nonsense.
"Your computer or network may be sending automated queries. To protect our users, we can't process your request right now".
Is there a solution for this?
Though Google may block your access to the audio challenge regardless of the browser or extensions you use, see more details here: https://github.com/w3c/apa/issues/25
I actually do a lot of automated queries from my computer.
I like to scrape and save content that may disappear. Just recently one psychology website I liked years ago where I put a lot of effort to comment on, silently deleted all 60k user comments, including 100s I wrote, and started putting old articles behind a paywall. My activity is perfectly legal, as I'm doing all this for my own personal use.
Thankfully I have all the content locally in the database.
Does it mean I should be prevented from accessing third party services that use recaptcha?
It discriminates against people who value their time. Who in the right mind thinks that spending several minutes on captcha is ok?
Ticketmaster uses both recaptcha and a pre-filtering solution they supply based on their own heuristics, as well as a complex user activity tracking system to determine whether you're a bot or not based on the activity you present and traffic you pass, so even if you pass all CAPTCHAs, they still might tell you to pound sand if you try to reserve something.
In the last few weeks, for select sales, they've even required unique phone numbers which they will SMS a number to or call and relay a code to which you need to enter just to get a single place in line for a sale.
I'm not sure of any company more actively on the forefront of prevented automated access than Ticketmaster (which makes it kind of funny when everyone chimes in about how Ticketmaster doesn't do anything to prevent brokers from getting all the tickets).
The problem is that what Ticketmaster is up against is people running specialized software that's able to emulate a browser, which ties into services that are specifically designed to beat CAPTCHAs in an automated manner using mechanical turk type solutions, but at a very low cost.[1] I have reliable testimony that some people spin up the largest AWS instance for an hour or so as needed, run this software, use a proxying service, and make 8k connections to queue up for tickets on a sale. Each AWS machine is another 8k positions in the queue. Every new layer Ticketmaster throws into the verification process knocks these people out for a couple weeks, until the company providing the software (which I believe charges a small percentage for every ticket purchased, so they fix problems fast) works around it. The arms race metaphor is very apt.
That's just one of the companies trying to circumvent Ticketmaster's road blacks for brokers. There are others that try to automate their purchasing to varying degrees. I myself work for a broker that takes a very different approach, where we use (relatively) very minimal automation, and have a person in front of a browser for every purchase (and we don't have many people at all), and instead try to make select purchases based of complex analysis and lots of data. Even that's gotten much harder in the last few years as venues and promoters have learned to play with the allocations of tickets, and hold large chunks of the inventory back to be released later at higher cost. I don't really see anything wrong with that, it's a market response to supply and demand, but it is unfortunately hidden in a purposeful manner, which affects not only brokers but the the end consumer, as market information is purposefully obfuscated (which makes the markets less efficient).
I've written on this multiple times before, so if anyone finds this interesting, just do an HN search for my username and Ticketmaster together.
1: https://anti-captcha.com/ (Scroll down and read their animated infographic for what is possibly the most amazing graphical metaphor of this I can imagine at step 4. It's so disturbing it's funny).
That's interesting. Unless you are talking about having to click on more than one "page" of tiles (as illustrated in the video in the OP) guess I don't run into reCAPTCHA often enough to have noticed this phenomenon. Can you elaborate on what you mean by that?
I second this (for the same reasons that you cite), and it's fresh in my mind as I just recently began reimplementing authentication for my personal CMS. reCAPTCHA is not a nice thing to do to your users. And I also don't want to feed The Beast.
It's good to see some confirmation that you're not insane. Google's ReCAPTCHA is plain EVIL.
Originally it was an awesome solution based on OCR'ing books that usually worked quickly on the first try, and almost never took more than two.
Then it turned into a single checkbox (analyzing mouse movement) so it was even faster... and I remember some simple image-based like "select the images of cats" that were also easy to get right. So even better.
But THEN... in the past couple of years, the image-matching started asking exclusively for analysis of street images, that has two huge problems:
1) The images are so blurry and ambiguous it's really hard to get right, it feels like a test designed to make you fail
2) You never know how far you have to go -- you keep clicking items, they keep replacing them with new ones, and there's zero indication of if you're almost done or if you're getting better or worse.
Once I did one for three minutes straight, neither passing nor failing, until I just gave up and left the page... if it's a bug, that should never happen. If that's supposed to be able to happen, that's the apex of asshole design. Either way, it's a failure in every way.
Google is a hypocritical pile of burning . They use bots right? They scrape websites, they infest everything from my banking website to console emulators with their tracking, and yet we little people are not allowed to scrape or interface with the web programmatically.
I want them to burn so badly, I hope the EU breaks them up. Screw captcha, screw AWP, screw them.
Yeah because too many people abuse any hint of such functionality to peddle fake Viagra, pennystock scams, MLMs, ICOs or the good old SEO link spam.
In some cases, the blame should be put on the site runners. I get a ReCAPTCHA when logging into my Patreon account. I've been paying then $10+/month for years now, they should know by now I'm not a spammer
While filing taxes, on several occasions I had to just give up and try again after several hours because the Captcha won't let me pass through and after several attempts Turbo Tax will throw an error - to come back later.
It was literally a Nightmare
However, it was shown for each financial institution. So it is possible that the financial institutions (or the API provider) were doing it, though it is equally likely that turbo tax just has a bad implementation. Because TT can make an assumption that I'm a human, I wonder if there is a regulatory requirement or the API provider is doing that.
And I never figure out how to solve the traffic light riddle.
But I can't figure out why they make a 'delay'? Why not just show the next dam image?
For a fair comparison OP would need to use clean browser profiles on fresh IPs. Like this it is just fan-service for Google Captcha victims (like me).
Do other non-American's get this as well?
The captchas are completely non-localised as far as I can tell; as others have pointed out the 'store-fronts' tend to be non-American.
I’ve noticed that in the last week, Google no longer provides a link to the non-amp version of pages. Previously, you could press two button taps to get to the non-amp page, but now that ability has been removed. This sucks because Amp doesn’t always support all the features of a normal site, like Reddit or blogs (commenting).
I worry how Google will abuse this in the future. Right now they control the first page you visit after leaving Google through AMP, but you can usually find a link to the home page of a site. In the future, they may restrict it further.
"Speed Up Google Captcha"
"Makes Google Captcha works faster by removing slow visual transitions and unnecessary delays."
https://greasyfork.org/en/scripts/382039-speed-up-google-cap...
You're moving too fast; your mouse and mouse clicks are "too good" to be human. Try solving the reCAPTCHA slower and you'll see wildly different results, or, purposely fail one reCAPTCHA to get easier ones.
reCAPTCHA tech is crazy; reCAPTCHAs are not simple web forms and Javascript, they're a sandboxed and monitored 'window' to a Google server. If you solve too many reCAPTCHAs too quickly (ie. when you are testing a web page, or are rotating your passwords on many websites) then Google's servers will try to rate limit you with slow animations and harder reCAPTCHAs.
Google should absolutely not be in a position where it can be inadvertently rate limiting your attempts to rotate passwords on different websites across the internet.
Aside from the the obviously concerning censorship that happens if you try to access reCAPTCHA-locked sites over Tor, it is literally forcing internet users to do free labour for Google so that can train their AI for whatever project they're doing.
So not only is it a tax on using the internet (paid in seconds to minutes of human existence each time -- I bet reCAPTCHA has collectively cost humanity thousands of lifetimes of wasted effort solving stupid puzzles) and it creates censorship, it also is an act of charity on our part that we provide Google free work with no benefit for ourselves. Given that they literally pay people to do (something similar to) what we are doing for free, I wonder it there are labour law arguments to be made (we aren't paid anything for this work which Google clearly is willing to employ people to do).
reCAPTCHA used to be far more reasonable and ethical when it was being used to digitise books. And when you got reCAPTCHA'd constantly as a Tor user, it wasn't so bad. These days I have to spend several minutes of my life giving training data to Google on every site which uses reCAPTCHA, with nothing in return except for the privilege to be able to access the internet.
I solved the problem by using an extension that toggle that flag: https://addons.mozilla.org/en-US/firefox/addon/toggle-resist...
I was thinking maybe something that has 10 difference Google sessions, and shards them depending on the website, deciding which to send to the Captcha. You'd build reputation at 1/10th the speed, but you'd still potentially build it. Or, one that allows you to create a random Gmail account and then use that as your identity across the different sites. Perfect privacy would be hard, but improved privacy should be doable.
Alternatively, getting something like blinded identity tokens widely used would be good.
2016-2019: working for google - analyzing street footage for implementing AI for self driving cars.
Maybe I should also invoice google for the effort.
It makes me sad that they are so pervasive or I would categorically refuse to engage with any site that uses reCaptcha.
This whole captcha joke and firefox made me hate Google more than anything else.
Or it will ask for pictures of crosswalks, and you have to decide if 3 pixels of a crosswalk in the corner of one of the pictures counts.
The pictures are blurry and positioned at weird angles. There are lots of signs with east-asian letters (I'm not informed enough to guess what kind of alphabet they belong to) and I have no idea wether they are store fronts or not.
Is a sign to a dentist's office a store front? Generally it seems like anything with a sign above some sort of door or window qualifies as a store front.
I sometimes wonder if these projects are actually internal astroturfing, someone trying to make people hate Google from the inside, it's so bad it must be intentional right?
To me it constantly feels like I'm working for google for free for their AI projects which is very annoying comparing to help a smaller company OCR books.
When they reboot the Matrix, instead of being used as batteries, the machines will keep humans around for machine learning test sets.
1) Computer vision got a lot better over the past few years. It's also become way easier for the average Joe bot operator to run cutting-edge stuff. OCR tasks don't cut it for distinguishing people from machines any more. Every time I see a blog post about a new computer vision architecture or how some random developer trained a neural network to get an X% result on benchmark Y, I think to myself CAPTCHAs are going to get more annoying.
2) The frequency at which most people have to solve a CAPTCHA has gone way down. In the beginning, I remember having to solve a CAPTCHA every single time I did anything on some sites. Now, I can't even remember the last time I had to do more than just check the checkbox. So, the amount of annoyance is amortized over a larger number of sessions, and Google probably feels like they can ask the user to complete more tasks as a result.
It is so freaking slow. I sometimes lose 60s to complete a captcha.
And if Google keeps the pressure and nothing hits them back, soon the answer will be "Number 17 of 312 still using Firefox".
I still can't believe how Google has changed their tune - from "dont be evil" to being worse than MS ever was, which is quite an achievement in itself.
On top of that, I think some of the training sets are wrong. Multiple times I've been asked to find traffic signs, but it would only let me pass when including street signs.
I guess if your adversary is a dogmatic AI then that might be by design.
This data is a few years old but I imagine it's the same based on my experience.
They're using your cookie + IP + your account data to determine if you're probably a human.
A LOT of reCAPTCHA sites never prompt you. You only know if it's there because you're on Tor or something.
That has only happened to me in Chrome, not Firefox or Safari. Which is the subject of this article.
Today I feel like Google uses it mostly for their self-driving-car computer vision projects.
I wish more sites would implement a Jigsaw-puzzle-style similar to the Binance login captcha, but I can't speak to the efficiency of that in defeating bots.
People kept trolling it by typing the test word correctly, and random garbage instead of the OCR word. It was easy to spot which one was which. Source: I was one of these people.
they're just discriminating
against Firefox users?
Recaptcha is frustrating and I dislike it, especially the slow fade-ins and multiple challenges, but if you repeat the test shown in the video you won't find it 100% repeatable just because you're using Firefox.
[1] https://github.com/google/recaptcha/issues/268#issuecomment-...
It then takes between 1 minute and 1 minute 30 to get past the recaptcha when blocking those cookies - and I was certain to be 100% correct in most cases and it kept asking me to solve more and more ..
most of the time spent solving the captchas is from the countless '4s fade ins' via inline style when cookies are blocked (as opposed to 1s fade ins via css, when cookies are set).
I'm curious why they would add 3s to the fade in if their cookies are blocked .. does that help to fight off bots, or does google just want to punish me for blocking their cookies?
Especially when I'm logged in with my 12+ year old paid account?
Won't say anything bad about googlers but in between this and the deeply irrelevant ads I get despite all yheir metrics the company seems deeply dysfunctional these days.
Using Firefox shouldn't be an indicator of anything malicious.
How do you go about filing this complaint? I'm sure many others (myself included) are interested
Their discrimination against FF users has been fairly evident over the past year or so.
It's amazing how my identification abilities improve exponentially by using Chrome instead of Firefox.
Easy to hate on Recaptcha while reaping the rewards of participating in a community that deals with less automated spam because of it. :)
What's KYC?
It felt like staring into the soul of evil.
I've had to pay 100x bills on my monthly quota once too often, and as a hobby developer, I just can't afford trying to fight off people abusing my website every day.
Yes, resorting to fingerprinting is not ideal, but what's better, asking everyone to solve that hard captcha, or only some users?
One of the things, if it ever gets there, would be for the anti-trust probe, if any, to look at how Google shares data between its browser, Chrome, and it's other services.
1) Try to login
2) Login doesn't show up--go to uMatrix and whitelist some crap.
3) Try to login again.
4) First phase of login completes, now blank when site tries to load Google captcha.
5) Whitelist Google captcha frames in uMatrix and reload again.
6) Login for the third time, Google captcha now displays properly.
7) Spend 10 minutes solving captchas. If I'm lucky, the first "Verify/Submit" will work. If not, I probably need to whitelist cookies for it within uMatrix and reload/try again.
8) Get notification from HumbleBundle that "You have not logged in from this browser before" and wait for a Verification email to hit my inbox.
9) Enter verification code. Site usually then logs me out for some reason, even though it was successful.
10) Login again. Solve Google Captchas again. Finally allowed to login.
11) Finally buy the goddamn thing I was there to buy.
12) Search Amazon for wig.
Funny you should mention that, I actually wrote an email to support asking them to have frickin mercy with the google captchas. The response was as you expect "we do this for safety and protection, yada yada" which to be fair, I obviously didn't expect them to change anything, although I hope it did help raise some awareness.
The interesting thing I got out of it was that they mentioned that google captcha for logging in is disabled so long as you have 2FA activated on your account, which certainly helped, at least a little bit. You do still have to use the captcha to buy anything from the bundle (at least if you're using something like paypal, anyway).
I wonder if it's just incompetence at the developer stage or a management decision to annoy users that have ad block etc. Neither really makes sense, I'm a paying customers, they shouldn't take it personally that I don't care for ads, and they are multi-million (or even multi-billion) companies, surely somebody there knows that ad blockers exist.
Also, they're doing away with the questionnaire. It works by using a scoring system or something similar since it loads on the pages leading up to form fills.
Edit: Source for you disbelievers - https://developers.google.com/recaptcha/docs/v3
>reCAPTCHA v3 returns a score for each request without user friction. The score is based on interactions with your site and enables you to take an appropriate action for your site.
Edit: This is a joke, I am joking.
So most of them will have already been classified and those are used to test your integrity (and verify you) but an occasional new one will be presented that won't count towards your verification and if enough people agree on it it'll be classified.
The voters seem to have formed a consensus that it was not a joke, unfortunately, so your humor has failed the test.
(This was a meta-joke, and I too am joking.)
As long as there continue to be enough cookie-cutter blog/forum/ecommerce sites out there for the bots to exploit, very simple techniques (JS-populated form fields or request parameters, very basic validation of the HTTP headers, taking into account the rate or frequency at which requests are made, etc.) will quickly and cheaply identify almost all of the bot activity.
Of course sophisticated or dedicated bots will still pose a problem, but assuming you're not just standing up a popular off-the-shelf platform without any hardening or customization, you'll need get pretty big (or otherwise valuable) before attracting that kind of attention.
A reasonable analogy here is the observation that simply running sensitive services on non-standard ports (e.g., not running SSH on port 22) will eliminate a ridiculous volume of malware probes against your system. To be clear, that's no substitute for actual robust security practices -- you almost certainly shouldn't have something like SSH world-visible to begin with -- but given how trivially easy it is do something like to change the default port for services you're not expecting the public at large to reach it's absurd that servers are compromised by dumb scripts blinding probing the Internet to exploit well-known and long-ago-patched exploits every day.
But one of them did! Whenever I changed the questions, bots would stop for a few days, and then start again. Someone cared enough to manually enter the correct responses (no, blind dictionary attacks were not possible)!
Erm, unless I'm mistaken, that patent says it's owned by Juniper, not Google. Google is just hosting the patent document.
All sources I can find say that population of China is bigger than India.
This is often impractical for several important use cases, like image rendering and PDF generation. Just hand waving away the cost of developing dedicated, pure APIs won't make companies more likely to do so.
> If they are concerned about fraud they will be woefully defended by CAPTCHA, it makes no judgement on the validity of transactions at all and doesn't prevent frauds signing in manually.
There are many different vectors of attack and fraud and CAPTCHA tackles one of them. It's silly to say it's unnecessary just because it doesn't cover all fraudulent activity
i think you probably meant to say recaptcha allows an extraordinarily large number of humans compared to false positives? because that would be the relevant metric. you sure about that one?
https://www.quora.com/Why-cant-bots-check-“I-am-not-a-robot”...
Was posted on HN a while ago.
The interesting question then becomes how this is going to interact with future browser anti-fingerprinting measures whose purpose is to prevent just that.
The United Nations estimates the current population of China around 50,000 more than the population of India. Given the uncertainty of these numbers, I can't exclude that India already has the most numerous population.
However, federated things are accessible. The big names Facebook/Twitter/Youtube/Google are blocked, and the services below them. However it is a blacklist of blocked not a whitelist of accessible. Putting google analytics traction in a header of a federated blog, meaning it's actually not federated, is indeed a stupid pain. China internet is restricted, but it is only restricted 'enough' for the current power.
Edit: And that seems good enough for now. Wechat 'moments' and use of Tiktok, from my observation of friends or even taking the train, are on a steep decline. Wechat's future seems mainly as a commercial P2Passist or very simple blog platform. Both dropped the ball and mobile payments will not disappear but the tide has turned (NFC, anyone? this was an already solved problem. The only real challenger bank China has is China Merchants Bank but they're after merchants, the clue in the name. For customer service and being one to perhaps pull a rabbit out of the hat, China Construction Bank. I have no idea how BEA didn't grab mobile payments.
The government facilitate corruption. The government is a hegemony.
Aside from that broad shot, 10 years ago you enter the aforementioned square freely, not only after going through a 'police' security check, bags x-rayed, IDs checked.
[1] except those that reCaptcha doesn't support.
At the same time an implicit belief in "we're the good guys" (combined with indoctrination including interview hazing rituals) can enable bad behavior, because then: "of course whatever we do is good, by definition, because we're the good guys" and then not questioned. MS did some really underhanded and insidious things with its power, and it's easier to see some of Google's behavior as due more to hubris/brainwashing.
I've started to use the CS101 whiteboard hazing as a litmus test for whether there's any point in trying to do good at Google, for my own career. So long as they insist on subjecting everyone to that (starting with people having just spent 4 years and a quarter of a million dollars on a Stanford CS education, and then people with verifiable experience on top of that), and also considering having been caught on abusive hiring/mobility conspiracy at they executive level, I think the CS101 whiteboard ridiculousness is not a good sign for corporate ego and intentions. It's also not great when CS students focus on drilling for that, to the exclusion of other things. For myself, if I applied anyway, I'd be fooling myself that I wasn't mainly after the compensation package, rather than wanting to have positive impact.
It's called "selling out".
Just what the world needs, another tracking script...
Disclaimer: We built a solution at SerpApi.com to solve those offline using ML. Timing of solving doesn't matter. It will be odd that they do that just to annoy user when it's not a technical limitation.
Resolving to google.com does not resolve (gmail does, a bit, IMAP but only every few hours or days, depending on connection sans VPN).
Look under the section "use recaptcha globally" -- this is what I was referring to. However it's not clear to me if this approach enables use in China or not.
Could be a while before I get enquiries from China but there is only one way to find out.
Google did say 'globally'...
(And yes, I'm also driven to rage by slow-fade animations. A practice I can date back to Microsoft's Clippy, which, when you punched it in the fact to go away, had just one more gratuitous animation just to twist the knife that just more.)
To reiterate: the primary goal seems to be slowing down bots.
Not necessarily, contrast adds detail and mistakes are expensive, so bots too are incentivized to wait for the final picture (this assuming that network communications aren't monitored to get the incoming image out of the request).
Also clicking on that image too early is a good signal that it's a bot.
Unless Google is literally streaming in the image frame-by-frame, I'll admit I haven't looked into the details but this doesn't seem likely as it's pretty complicated compared to just using an image.
... it really doesn't make it that much more expensive for bots, it's just a short delay. In fact, I doubt it makes a difference at all.
But it makes things really annoying for humans.
So I don't see any advantage in that trade-off.
Also the fade is irrelevant because the bot already has access to the image without the fade (although it still has to await the fades completion to continue).
By blocking specific cookies you're making yourself look like a certain kind of botnet, so obviously you're going to have a difficult time convincing the site that you're a legitimate user.
Most users don't block normal cookies, so if you go tweaking the machinery that manages the relationship between your browser and the site, then be prepared to deal with a buggy experience. This is what it means when they say that what you're doing is "unsupported." Nobody is going to spend any time optimizing for your weird setup.
But you don't know who had it before you, what Google thinks of it ("known Spammer", "legitimate User") etc, so that's not going to help in this case.
They're going to track my IP whether I want them to or not. So they should go ahead and use it to reduce hassle.
Or you clean your cookies out, thank you "Cookie Autodelete".
right. until it doesn't, like it wouldn't for someone who actively avoids feeding their personal information to the goog. and it is sounding an awful lot like the fail case is full denial of service, without any option for the user to prove themselves.
Recaptcha doesn't care. But totally unrelated, it just accidentally worked out to be awfully convenient for Google's other surveillance products embedded on the same sites, which do care quite a bit about how long and how often they can follow me with a single unique identifier.
I've run into state and local tax agencies, utility companies, and large healthcare companies that require Google's reCAPTCHA. So, unless you don't want healthcare, to have water service at your home, or you're in the mood to just shut down your business, you have to suck it up.
there was a time not long ago before wheelchair ramps or accessible doors were commonplace. these people were literally shut out of society.
its the same with captcha forcing privacy-conscious users off the internet.
Or: people who need a wheelchair are protected by anti-discriminatory laws, while people who prefer not to use Google products aren't.
I endorse a site's right to forbid me its content if I can't prove I'm human. I won't endorse a site that accomplishes it by asking me to pay the cost.
> anti-discrimination law
Google-avoiders are not a protected class.
I have definitely seen the "fire-hydrant" one, and we don't have fire hydrants (they are underground below well marked covers that are illegal to park on or placed where you can't park).
And coming from a first-world Western country, I have definitely been flummoxed by at least one that was too American for me to decipher. I feel sorry for anyone that doesn't watch American media.
- You want to train on an unlabeled dataset, label it along the way.
- You have a set of untrusted validators, some with no history, some with known credibility and accuracy scores. And you have a lot of them.
- You do kind of a zero-knowledge proof by showing the unlabeled dataset to validators that you know you can trust because of their historical high success rate, which you've already established through asking them to label a dataset that you already have high confidence on.
Kind of like how a blue-green colorblind person could find out which pen is blue, which pen is green if he is surrounded by people he can't fully trust. Ask people around you and maybe even show the same person the same pen (or a really dead-easy captcha) twice in a row. If they lie to you both times, they are not to be trusted.
It seems like another way to punish people for caring about privacy.
I just created a new account to check; not even so much as a Recaptcha url in the page source.
If you have one IP, there's a limit on captchas solved that you're going to blow through with or without the delay.
If you have a bunch of IPs, you can multithread the solving.
The fade in is actually a nice gesture to the human to show them that an image will be there soon, while still slowing them down to rate limit the bots.
In the end, a custom captcha is probably a better solution, even if it is easier than google's.
My favorite CAPTCHA is the one on the Arch Linux forms but I realize this cant be used many places. > What is the output of "date -u +%V$(uname)|sha1sum|sed 's/\W//g'"?
Easy to do but hard to do with computers. My second favorite are the math problems one.
However if these become popular people will just write bots for them and were back to square 1.
> My favorite CAPTCHA is the one on the Arch Linux forms but I realize this cant be used many places. > What is the output of "date -u +%V$(uname)|sha1sum|sed 's/\W//g'"?
> Easy to do but hard to do with computers. My second favorite are the math problems one.
> However if these become popular people will just write bots for them and were back to square 1.
Interesting...I wonder if they show destructive commands below a certain threshold. It would be funny if a captcha caused a bot to delete itself.
It's up to the site owner to determine how to handle those that don't meet v3's score, which can be a traditional CAPTCHA or hopefully something more effective and forgiving to humans: https://www.w3.org/TR/turingtest/
No it isn't. In fact, out-of-the-box reCaptcha is not GDPR compliant, and using it on your site will open you up to possible liability. See https://complianz.io/google-recaptcha-and-the-gdpr-a-possibl...
My reCaptcha strategy is to fire off an email to the site owners every time I am subjected to a reCaptcha, asking for all my data under GDPR. Most websites only need a few such requests to quickly start looking for an alternative. Fuck Google and their constant attacks on my rights.
So yes, it’s arbitrary, but it’s supposed to be. It’s about your gut feeling as a human because that’s the whole reason they’re showing you any of these images.
If it “looks a lot like” a storefront then you’ve really got the same problem as everyone else in the comments: they’re small, blurry, images and it’s hard to tell what it is. That’s also the whole point: their algorithms can’t tell, so they want a general consensus from users. There are images they know and use as a control, but some percentage of the ones you see they’re legitimately not sure about.
‘Need’ here means exhausted all other opportunities, and have built alternative accessible ways of accessing the same service. I’d certainly have expected a service to have investigated a self-hosted solution, and I doubt a reliance on 3rd party JS from a Google service would fly, regardless of the service, as it breaks a whole bunch of separate resilience guidelines.
Also the gratefulness part is strange. The corporation has no gratefulness for me, why should we show it any kind of loyalty. It's not a living entity with a consistent mind or consciousness. It will change its will based on Wall Street's demands. It will ban you silently with no recourse.
Some people avoid Google Search, Chrome etc. They are still subject to this.
Fair point, I usually run into this when using Tor, or VPN when accessing content behind Cloudflare, and or similar services. This is some anti abuse stuff, but is often overly agressive with giving you captchas.
> Why make me solve a Captcha to log in when I've already completed one to register?
So attackers cannot password spray. This is typically after attackers has gotten access to the latest database breach, and are just blindly trying username/password combinations.
> Why make me solve a Captcha to pay utility bills? Is there some underground group of deviants going around surreptitiously paying other people's utility bills?
Sound like a strange place to have a captcha indeed. What information is needed in the form to submit it? Does it validate stuff that an attacker might want to scrape? I guess they added it for a reason.
This is not necessarily a reasonable assumption. People often do things because they heard it was a good practice, or because it solves a problem they don't actually have, but think they might, or arbitrarily without giving it much thought.
A simple ratelimit takes care of that. Plus, it's not like attackers would be easily defeated by a CAPTCHA anyway --- there are services selling batches of valid tokens, likely generated by actual humans or very close emulations thereof, for ReCAPTCHA.
Captcha solving service also has other costs than just the money it costs. It adds time costs and additional resource usage on the machines it is running on. A quick look at a service[1] shows that the average response for a challenge was 40 seconds (this value changed a lot when refreshing the page). The attacker has now gone from the 200ms range per attempt to several seconds, slowing the down a lot. This gives defenders additional time to respond, it is also a useful metric for detecting malicious logins.
> Sound like a strange place to have a captcha indeed. What information is needed in the form to submit it? Does it validate stuff that an attacker might want to scrape? I guess they added it for a reason.
Ive seen captchas on payment forms to prevent credit card checking. You can take a dump of CC details and try them all out on a site and get back the valid ones. I'd assume they charge $1 to the CC to test it before allowing you to continue and then you could cancel your order before they charge the full amount. However, assuming you have to be logged in to pay your bill that seems less reasonable.
If you host a payment form that informs the user about whether payment was accepted, you're a target.
In the past, I used curl to get some billing info, add the money to a dedicated virtual prepaid card, then pay the bill, then send an email to a gmail (+paidinvoice) label. These day, at least for my bills, they have pre-approved withdraw directly from the bank. However I guess this is not widely deployed.
If other people did this, but ended up doing it from an insecure machine and lost the credentials / got hacked, I can see why at least some orgs might want to prevent people from doing this. This is a classic over reaction, but a plausible scenario.
The measure is not really about protecting the user that is using the payment form, it is meant to "protect" the system that is validating the payment data. The payment form may be a target for attacker which has gotten a large batch of credit cards from somewhere else, and wants to validate the data. They then regularly exploit such forms, or other naive payment system to check if the credit card data is valid.
CandyJapan owner wrote some blog posts about the subject.
https://www.candyjapan.com/behind-the-scenes/how-i-got-credi...
https://www.candyjapan.com/behind-the-scenes/candy-japan-hit...
https://www.candyjapan.com/behind-the-scenes/fraudulent-tran...
My password's not crackable, so it's annoying to be lumped in to that. I'd happily use a service-generated password to avoid login hassles.
With that, the site gives away whether the account has a low entropy password or not.
If anyone from Walmart.com is reading, please please get rid of these useless captchas - it is an incredibly stupid thing that you do and unfortunately you do it too well as well.
Personally I'm skeptical it will ever work correctly for me without tinkering, because I block third party requests (especially to Google) by default.
Or just generate secure high-entropy passwords and force users to use them.
Making users look up SMS codes before each login is acceptable. Making them solve obnoxious, long, privacy-hostile riddles is acceptable. But forcing them to use pre-generated secure passwords?! That can't possibly work. They will revolt!
Sure, why not? Way more than half of passwords are low-entropy, so that doesn't meaningfully help them focus attacks.
And they still have to keep solving captchas to make those attempts.
This should waste less time than reCAPTCHAs. I know it's not 1:1 in terms of pros/cons, but it gets a good subset of the advantages without the key disadvantages mentioned above.
Secondly, botnets can, and presumably do, randomize which accounts they try, too.
Incidentally, you still need rate-limiting if you use Google's CAPTCHA. If you don't rate-limit CAPTCHA endpoint, an attacker can DDoS you (especially if your server-side captcha component uses low-performance single-threaded HTTP client). Furthermore, an attacker within the same AS as their target can purposefully screw over their account by performing attacks on Google's services until the reputation of the network hits rock bottom.
...congratulations, I just locked out all of your users. Have a nice day.
This is not theory, this is hard-earned experience. Locking-out people is bad, the most that's acceptable is rate limiting to a once every few seconds.
Conveniently, normal users with typical browser configurations get nothing but the animated checkbox. For nearly everyone, the whole experience is simple and easy. The only people who get inconvenienced are the low-grade privacy enthusiasts who think that preventing tracking is the path to Internet safety. Ironically, "tracking" is literally the mechanism by which legitimate users can be distinguished from attackers, so down that road lies a sort of self-inflicted hell for which the only sensible solution is to stop hitting yourself.
"Be a good little sheeple and do what Big Brother Google says." Fuck no.