One of the more insidious elements of ReCAPTCHA is its propensity to challenge users who have robust cookie blocking in place. So as we encourage people to be more privacy-aware, the web gets harder and harder to use.<p>We've seen ReCAPTCHA pop all over ecommerce, all over benign websites with little to no need to challenge use almost completely because of the increase in privacy-aware users.<p>ReCAPTCHA essentially flies in the face of the recent blocking features rolling into Safari and Firefox and more privacy-aware users...growing by the day.<p>In many ways it's a genius structure from Google.
1. Convince people to use your privacy challenge.
2. Serve it when you don't see Google tracking cookies.
3. Offer a way around that with the least privacy-aware browser available (Chrome use is growing steadily month over month).<p>So good on Cloudflare.
> "Earlier this year, Google informed us that they were going to begin charging for reCAPTCHA. That is entirely within their right. Cloudflare, given our volume, no doubt imposed significant costs on the reCAPTCHA service, even for Google."<p>Even in the article they say... "Google provided reCAPTCHA for free in exchange for data from the service being used to train its visual identification systems." ... I thought this was one of those win/win things... Google gets something, websites get something... what's changed? Is Google not getting much out of reCAPTCHA now?
<i>Well.</i> That's probably fantastic news; using ReCAPTCHA (and thereby making users subject to Google's tender mercies) was honestly my main reason to dislike cloudflare from a user's perspective. ReCAPTCHA is utterly foul; it follows you <i>everywhere</i> it can, exists to undermine privacy, punishes non-Chrome users, and throws you in an infinite loop when it decides that you're not a human.
It's a start. reCAPTCHA is a notorious pain in the arse for anyone whose browser isn't Chrome and for anyone who doesn't keep cookies. I'm not sure if hCaptcha will be better, but it's hard to imagine it being any worse.
> Earlier this year, Google informed us that they were going to begin charging for reCAPTCHA<p>So it came down to cost.<p>> Over the years, the privacy and blocking concerns were enough to cause us to think about switching from reCAPTCHA. But, like most technology companies, it was difficult to prioritize removing something that was largely working instead of brand new features and functionality for our customers.<p>I like that they're upfront about this. In most companies / teams of this size, these issues are always swept under the carpet until something ugly forces you to clean up at a later point in time. It's just unavoidable.
Hey everyone. HCaptcha founder here. We are so happy to be on hackernews. I'm curious if anyone is having any problems? We are trying hard to respond carefully to customer requests but as you can guess we are very busy. Also we are hiring :)
This is what I recently got on CF's HCAPTCHA (look closely): <a href="https://imgur.com/a/QZNHmUC" rel="nofollow">https://imgur.com/a/QZNHmUC</a>
A few days ago I encountered this when Cloudflare decided my IP address (which is behind an ISP-level NAT) was suspicious all of a sudden (which it hadn’t been doing, a pleasant change from when I was at this location three years ago when half the internet sprouted Cloudflare CAPTCHAs at me). It was <i>awful</i> to solve, worse than the substantial majority of reCAPTCHA checks I’ve encountered. Certainly <i>nothing</i> like the illustrations in the article.
I just tried it on a website that uses Cloudflare and that always asks me to solve a captcha. (I guess this website does this if the user has a foreign IP address.) In the past I managed to get the non-script Recaptcha. But I don't see a non-script Hcaptcha. I'm a little afraid of <i>possible</i> browser fingerprinting scripts. If there was an unwaivable, enforced right to privacy I wouldn't be afraid.<p>Also, I don't want to solve any script captchas anymore because of a traumatic experience with script Recaptcha. I had a portable Chromium with login cookies for a few websites. I didn't use that Chromium for other websites than these few. Suddenly, one service almost always demanded a new login after just 1 day. On each login I had to solve a script Recaptcha. I didn't find a way to get non-script Recaptcha. According to the service evil spambots had attacked it. Once, Recaptcha let me solve captchas for minutes, just to eventually tell me I was a bot. I had an IP of a large internet provider. I deleted cookies, got a VPN IP, tried it again, worked on the captchas in the exact same way as before and managed to log in to my account. A website operator wrote in a forum thread that Recaptcha was the only solution to the bot problem. One user suggested "email login as an optional alternative". This was not implemented, because apparently Recaptcha was really specifically the only solution. I then switched to another service, which cost me a few hours of work. This traumatic experience has made me completely unwilling to solve any script captcha.
A little off-topic, but the article mentions they support Privacy Pass. I remember seeing the announcement a little ways back when they first released it but just kind of forgot about it. Is anyone using the browser extensions? Has it reduced the amount of captchas you end up seeing, or made your browsing experience better in any way?
The enterprise grade hCaptcha[1] is not free either. Does anyone have pricing information?<p>[1]: <a href="https://www.hcaptcha.com/#plans" rel="nofollow">https://www.hcaptcha.com/#plans</a>
> <i>But, sometimes, when we're not 100% sure if something is malicious or good we issue it a “challenge”.</i><p>I think they meant “bot or human”, not “malicious or good”. Bot != malicious. And these challenges will do no good to non malicious bots.
From the article:<p>"We evaluated a number of CAPTCHA vendors as well as building a system ourselves."<p>and<p>"We worked with hCAPTCHA in two ways. First, we are in the process of leveraging our Workers platform to bear much of the technical load of the CAPTCHAs and, in doing so, reduce their costs. And, second, we proposed that rather than them paying us we pay them. This ensured they had the resources to scale their service to meet our needs. While that has imposed some additional costs, those costs were a fraction of what reCAPTCHA would have. And, in exchange, we have a much more flexible CAPTCHA platform and a much more responsive team."<p>So Cloudflare are basically cloud hosting hCAPTCHA's services. I wonder why Cloudflare didn't just buy them, as it seems like it would be a win-win with getting an excellent CAPTCHA service, and not have to build it themselves?
IMHO CAPTCHA is a lazy way to protect your service as you shift the burden to your users.<p>Maybe if you are big and essential for some users, you can afford that. But if not, be aware that users will turn their back on you if you add obstacles between them and your service.<p>Edit: meant to say “be aware that <i>some</i> users will turn their back to you”
Apart from the surveillance aspect, one thing that bothered the hell out of me with Cloudflare using ReCAPTCHA was that it yielded a much larger part of the web than necessary effectively blocked in China, since the CAPTCHAs would get triggered, and not load, from Chinese IPs.<p>I had a customer where we had to migrate away from Cloudflare for this reason - this was about 5 years ago and the issue has been there to this day. Glad to hear they've finally done something about it. Even if it took Google starting to charge money for ReCAPTCHA to trigger it.
Has anyone else seen reCAPTCHA getting way more difficult of late? It often takes me a full minute to find all of the tiny traffic lights hidden away in a set of low-quality images.
This sticks out to me:<p>> We also had issues in some regions, such as China, where Google's services are intermittently blocked. China alone accounts for 25 percent of all Internet users. Given that some subset of those could not access Cloudflare's customers if they triggered a CAPTCHA was always concerning to us.<p>They are explicitly saying that China's blackmailing of Google is working so well it even affects decisions on using Google products outside of China.<p>I'm not a Google fan and think this move is a great improvement for the web and user privacy, but that this was explicitly motivated by China's blackmailing tactics is terrifying.<p>And we can from this post even make another case that also doesn't paint a nice picture: Cloudflare does not care enough about 25% of internet users to move away from reCAPTCHA - until it affects their bottom line in a visible and immediate way.
There are plenty of services that will happily accept a screenshot from a developer, send it out to live humans who solve it in real time, and then return the answers to the developer.<p>I'm not going to link to them, but you can find them yourself by googling "buy recaptcha solver". The prices for the top two results are $0.50 and $1.39 per 1000 solves (respectively, $0.0005 and $0.00139 per solve).<p>At that price point, it's feasible for the truly determined to just use those solvers to bypass ReCAPTCHA (or similar services).
hCAPTCHA looks interesting, although it seems they use Blockchain for no real reason compared to just storing the payments as rows (i.e what they gain from being chained on top of another)
> Earlier this year, Google informed us that they were going to begin charging for reCAPTCHA.<p>Wait. Is this news? I don’t see other article about this. What is the pricing?
It's not worth a rich person's time to solve captchas, while it is for a poor person. This has led to captcha solving services, extensions plugins, etc, all which have high latency delay, not over a fast documented API. It would be 100 times easier if Cloudflare/Google let you directly buy credits, at the mid-point price between current bid-ask spread, of say 50 cents per 1000 captchas, which would probably last you a few months to a year.
I've run into hCaptcha a couple times recently and found it vague and I had to try to guess what they meant. Both times it asked me to identify the truck. Well, what do you mean by "truck?" Are you counting a semi as a truck? I ended up having to do it twice because I don't consider a semi a "truck" but they did.
So no one can turn free human labour into enough money to pay hosting fees?<p>And given spammers a lot of the time are messing with Google, it's also in Google's interest to do this for free!<p>What are they thinking? Is this one department making $100 internally while killing $1000 in another internal department?
This is fantastic news for privacy on the web. Thank you Cloudflare!<p>I’ve been seeing hcaptcha in more and more places recently. It’s a bit rough around the edges still, but it works well and feels far less hostile than recaptcha.
The funny thing is that Google doesn't even use recaptcha and instead uses some awkward hard to read piece of shit. After 4-5 guesses, and they are guesses, you might proceed.
1. I think challenges from hCAPTCHA are harder than reCAPTCHA. It's far and even further from human-friendly compared to reCAPTCHA.<p>2. hCAPTCHA seems to be using a similar revenue model to early stage reCAPTCHA and it even pays its users. I doubt that its model is sustainable.<p>3. A huge company like Google may not be able to handle user data well, so a small company will be able to?
It's funny that we need to ensure humans are the ones performing certain actions like making a purchase or accessing a service, but we let machines make decisions over very important matters in our lives (credit/financial decisions).<p>It's intriguing they said Google will charge for reCaptcha, any information on that? I can't imagine all the small business owners will have to start paying, but perhaps if they did they'd just remove it altogether (a net win!).