hCaptcha now runs on fifteen percent of the internet

I dislike the widespread use of captcha regardless of provider.<p>I realize anything connected to the internet will be subject to automated abuse, and it&#x27;s impossible to run some types of services without taking some steps to defend against it, but it seems to me there&#x27;s usually a way to handle that without invading the user&#x27;s privacy or wasting their time. The exact details will vary based on the type of service, of course.<p>One particularly egregious misuse of captcha in a service I use presents one <i>after</i> I enter a correct username and password. An incorrect login says so without presenting a captcha. The potential reward for an attacker who successfully gains access to an account is high, so it seems almost certain anyone running a targeted attack would defeat this by handing it off to a human upon detecting that they had a good account.

I think it&#x27;s great. So many sites sit behind Cloudflare now and Cloudflare now uses hCaptcha, which is a big win. And the hCaptchas themselves are easy to complete. No more wondering if you actually clicked on &#x27;all&#x27; the traffic lights anymore, yay!<p>I inspected the source code of Google&#x27;s reCaptcha offering and was disgusted at how many bits of information they were collecting. They also seem to be fingerprinting users so they can&#x27;t keep registering new accounts on a platform, locking out anonymous users who are usually the best types of users on the platform, as IMHO anonymous voices are (usually) the best voices, or at least the more <i>interesting</i> of voices.<p>Google&#x27;s reCaptcha code seemed to be very keen on knowing my &#x27;cadence&#x27; or the way I used my mouse and how quickly (or how slow) I completed the captcha. It also looked at things like timezone, screen resolution, battery charge level etc So they could determine if it was &#x27;you&#x27; who was using the captcha, soon after, in a separate session (even on a different device!)

Worth noting that this title is primarily due to Cloudflare having switched to them from ReCAPTCHA, and Cloudflare is... well, relatively popular, to say the least.<p>I&#x27;m curious what kind of data may exist on the experience of switching for larger providers; do the users like it? how much more&#x2F;less time do they spend solving? do they care, let alone even <i>notice</i> that it&#x27;s not Google&#x27;s ReCAPTCHA?<p>Regardless, as ReCAPTCHA is not only terribly annoying but also built for surveillance from the ground up, I still view this as a good improvement.

I&#x27;m really starting to hate all the captchas with a burning passion. Partly because the corporation I work for seems to have gotten our NAT addresses onto a blacklist so I get captcha&#x27;d <i>constantly</i>, and partly because my close up vision is getting noticeably weaker (pushing 50, that&#x27;s why) and without hunting down my reading glasses it can be difficult to make out the smaller details necessary to solve the puzzle. Especially when I&#x27;m on my phone.<p>I really wish we could find something relatively foolproof that didn&#x27;t rely heavily on tracking or really good vision.

We&#x27;ve moved to hCaptcha from reCAPTCHA after Google surprised us with their pricing (blog[1], hn discussion[2]), and couldn&#x27;t be happier. We use it in invisible mode and it does a great job at finding bots while getting out of users&#x27; way.<p>Also top-notch customer support. The CEO was personally in the slack channel helping us. Highly recommended.<p>[1]: <a href="https:&#x2F;&#x2F;blog.repl.it&#x2F;anon" rel="nofollow">https:&#x2F;&#x2F;blog.repl.it&#x2F;anon</a><p>[2]: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=25004476" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=25004476</a>

My mom and dad&#x27;s shared IP (somewhere in Europe) repeatedly gets on CloudFlare&#x27;s IP ban list meaning my mom keeps having to solve these hCaptcha&#x27;s. hCaptcha&#x27;s is a lot more difficult to complete than Google&#x27;s reCaptcha and she has a lot of trouble with it.<p>Why they get on these IP lists is I think because it&#x27;s a general consumer ISP and probably a lot of people get bot nets on there.

As someone who scrapes, captcha&#x27;s are pretty silly. One of the sites we scrape implemented hCaptcha, and it was a breeze to get around. There are a few things that make my life more difficult, but captchas aren&#x27;t one of them, and nothing can stop scraping altogether.

That&#x27;s great to see! At Plausible Analytics, we had a wave of spam attacks two months ago or so and hCaptcha saved us. Great product and great service both for companies and for users. We&#x27;re very happy with how it works. And great to have a quality de-Googled alternative for this use case!

I don&#x27;t understand why anyone likes hCaptcha. With reCaptcha, I rarely got more than the checkbox. Now I get a series of puzzles every time I want to look at a web page. When that happens, I&#x27;m just closing out, and going to a better website.

I personally found hCaptcha harder to pass than reCaptcha, to the point where I will leave a site that demands one if that&#x27;s a realistic option (e.g. not really an option if it&#x27;s my bank, totally an option if it&#x27;s one of many stores selling an item).<p>It&#x27;s possible that I just got unlucky (one of my recent experiences was a site that didn&#x27;t let me in even after solving it, which really soured me), but I feel like the main reason it&#x27;s hated less is because people haven&#x27;t seen it as much yet.<p>Edit: TIL how offputting a single bad experience can be. From going through my HN history, I found out that this terrible experience was 6 months ago.

Honestly captcha seem pointles to me.<p>Literally every time I&#x27;m in a situation where I&#x27;m required to use a captcha to <i>access</i> a site it is impossible to successfully solve the captcha in any sane amount of time.<p>This happens both with google and cloudflare.<p>Tbh. if they don&#x27;t trust my connection can&#x27;t they just tell me so instead of pretending to provide a &quot;I&#x27;m not a robot&quot; test which is practically (close to) unsolvable???<p>(Note that this post only refers to captchars guarden the access of an site if they somehow don&#x27;t trust your connection, not &quot;I&#x27;m not a robot captures&quot; on forms or similar).

From the privacy policy<p>We collect the following categories of information:<p>Information that can be used to identify or contact an individual (&quot;Personal Information&quot;), such as name, email address, and country.... We may also verify the identity of our Integrators and Customers by comparing personal information against third party databases or official legal documents.<p>Information collected automatically as a result of an Integrator’s or Customer’s use of the our Sites or the Services (&quot;Analytics Information&quot;), such as IP addresses, browser type, Internet service provider, platform type, device type, operating system, date and time stamp of access, and other similar information. Some Analytics Information is collected on our behalf by third parties we engage for that purpose, and some Analytics Information is collected through a variety of tracking technologies, including cookies<p>In the preceding 12 months, we have shared the following categories of information with third parties for a business purpose:<p>Identifiers. A real name, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers. Shared with Service Providers<p>Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, credit card number, debit card number, or any other financial information. Shared with Service Providers<p>Commercial information. Records of products or services purchased, obtained, or considered. Shared with Service Providers<p>Internet or other electronic network activity. Browsing history, information on a consumer&#x27;s interaction with an internet website, application, or advertisement. Shared with Service Providers<p>Note: Fraud risk associated with an individual IP address may be shared with an Integrator upon request.<p><a href="https:&#x2F;&#x2F;www.hcaptcha.com&#x2F;privacy" rel="nofollow">https:&#x2F;&#x2F;www.hcaptcha.com&#x2F;privacy</a>

I used to think that reCAPTCHA was bad, but then I had to solve numerous CAPTCHAs from hCaptcha. Now I think that they&#x27;re all bad.

Accessibility - I am surprised nobody mentioned it.<p>We looked at hCaptcha, and the feedback we got was that their approach to accessibility is simply unacceptable.<p>If you can&#x27;t solve the challenges, you have to sign up on their website, in advance, and provide them with your email address.<p><a href="https:&#x2F;&#x2F;www.hcaptcha.com&#x2F;accessibility" rel="nofollow">https:&#x2F;&#x2F;www.hcaptcha.com&#x2F;accessibility</a><p>We just couldn&#x27;t justify that sort of privacy imposition.<p>Personally, I think all Captcha needs to go.

I really hate all these captcha codes<p>Why can’t they do something like a reverse SSL where we have to authenticate ourselves as humans?<p>For example if I have an Apple account on my Apple devices, why can’t they figure out a way to authenticate me as a human from that information?<p>This doesn’t work for all scenarios (eg throwaway accounts), but it could work for the majority?

So we use 15% of the internet for captchas and I lose 15% of my life identifying crossroads, stoplights, and buses to computers. There&#x27;s got to be a better way

Not keen on hcaptcha because I&#x27;m almost always need to solve 2 sets of the puzzle vs 1 with recaptcha. Theres a thin line between privacy and convenience, most of the time I&#x27;ve felt hcaptcha to be on the least convenience side.

&quot;hCaptcha now ruins fifteen percent of the internet&quot;<p>I loathe captchas, especially Googles who seems to punish my use of privacy extensions (ie ublock origin, Ghostery Lite).<p>Captcha is a ok tool when you have valid reasons to assume the user is a bot (multiple failed logins, unusual traffic, password resets etc.). Used as a default it only antagonizes users.

I hate hCaptcha, those pictures are messy, they pop up everytime and theres 2 slides of them... Why not just use the honeypot method?

Reading their website:<p>&gt;Presented Challenges:<p>&gt;Comparison - Select all images that match query<p>&gt;Bounding Box - Define bounding area for objects<p>&gt;Categorization - Identify the corresponding labels<p>&gt;..and other simple tasks.<p>No, hCaptcha, no way am I going to train your neural networks for free, so please join Google on your journey to hell.

hCaptcha makes money by having humans label things to teach machines. This suggests that at some point, the machines will be nearly as good as the humans at labeling. At this point, until the humans are tasked with a different training exercise, a bot will be effectively indistinguishable from a human via hCaptcha.<p>If there&#x27;s value in it, it sounds like a spammer could train an hCaptcha-defeating bot via hCaptcha.

I see there&#x27;s several &quot;captcha solving services&quot; (Google the term, I don&#x27;t want to link any) that charge in the $1&#x27;s per 1000 solves. This makes me wonder how effective captchas <i>really</i> are. Do they just raise the bar high enough so only spammers actually making money attack the more lucrative sites?<p>Can anyone talk about their experience running a (large) service with a spam problem where adding a captcha helped? How about still battling bots&#x2F;spam&#x2F;abuse <i>despite</i> having a captcha?<p>Supposedly these services have humans solving these. I remember hearing about a bypass in use where the attacker would pass-through captchas and present them to users on their own pirate&#x2F;torrent&#x2F;porn&#x2F;etc sites, and then when the user solved it, they&#x27;d get at the content and the spammer would do whatever they were doing on the original site. I wonder if that technique is still in use, or if there are people specifically sitting there solving captchas all day being paid fractional pennies per solve?

Captcha is a terrible 90s technology, it should have been completely destroyed in year 2000.<p>it&#x27;s really annoying.

I see the product is offered in 2 plans, though the only paid plan is enterprise without publicly disclosed pricing. Anyone has info whether it&#x27;s affordable also for small and bootstrapped businesses or it&#x27;s primarily focusing on larger enterprises?

I was a bit surprised to not find a reference to the singularly most irritating thing about Google&#x27;s recaptcha - that it treats <i></i>me<i></i> - the one trying to authenticate - as a free source of data labels for its ML systems. I guess I&#x27;m unlikely to be the only one irked by another &quot;identify all the bicycles&quot; challenge.<p>Do the labels I provide belong to me or to Google? .. when I signed no job contract with them to provide that information.<p>edit: aha! <a href="https:&#x2F;&#x2F;www.hcaptcha.com&#x2F;labeling" rel="nofollow">https:&#x2F;&#x2F;www.hcaptcha.com&#x2F;labeling</a> - that&#x27;s why it wasn&#x27;t mentioned. One more labelling service that I won&#x27;t like.

&quot;hCaptcha has grown into the largest independent cybersecurity service in the world&quot;<p>I feel like Cloudflare might have something to say about that, given that Cloudflare is an independent cybersecurity service and <i>uses</i> hCaptcha.

I appreciate at least having a good option that doesn&#x27;t involve putting a Google product on my website. We tried to use our own captcha back in the day, and then used some third party, and they just weren&#x27;t good enough. I&#x27;m glad to see them getting this market share because it means that they will get the opportunity to improve based on a large set of users similar to how Google is able to make their products so good.

Just tried the demo and found it somewhat confusing<p>&quot;enter your name and your favourite vegetable&quot; is to lure bots into responding?<p>When &quot;I am human&quot;, I am asked to select boats and fail because I didn&#x27;t tick the images with ships.<p>I would not like to add a Captcha that appears to be smart Alec, has a tendency to trigger the same in the respondents or, worse, makes customers feel stupid. reCaptcha somehow seems better at avoiding this.

Never heard of them before but went to their main site and got served the Romanian version which is so bad I think it could be used as commedy. Also loved how their front page image shows a barrier with their logo stopping some robots but the robots are facing the backside of their logo&#x2F;stop sign!<p>Like, hire me for more!<p>I&#x27;m curious how can they train ML models while preserving privacy. Where does the corpus come from?

Is that meant to be a proud boast?<p>Because, to me, it equates to someone bragging that 15% of the people they&#x27;ve slept with now have syphilis.

Is this mainly thanks to getting Cloudflare as a customer?<p>Congrats, albeit I have to say I had less problems with recaptcha captchas. I experienced a couple of cases of hcaptcha just not working correctly and being unable to access something despite the captcha success, which never happened with recaptcha (in my experience).

Is hCaptcha less of a pain for users who block tracking (with Brave, Privacy Badger, uBlock Origin, etc) than reCaptcha is? I&#x27;m not sure I&#x27;ve ever solved an hCaptcha, but I find reCaptchas to routinely be incredibly time-consuming, and I suspect it&#x27;s because I block their trackers.

While privacy is definitely my main concern here, it&#x27;s not just privacy that&#x27;s the issue here--I believe people should be compensated for the work that they offer society and if Google is using a captcha to create driverless cars then it&#x27;s obviously antithetical to this premise.<p>I always try to miss some of the obvious items or make mistakes and I (almost) always get through. There&#x27;s only one service that uses a Google captcha that I continue to use, so it&#x27;s not really a huge issue for me anyways, and I have decided to stop using it!<p>It&#x27;s not too difficult to host your own captcha, I don&#x27;t see why this can&#x27;t be an open-source effort.[1]<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;dchest&#x2F;captcha" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dchest&#x2F;captcha</a>

It’s good to hear that alternatives to any Google tech are gaining market share.<p>For me, all captchas are a stain on the web - in most cases, shifting (and multiplying) the wasted human hours from the company collecting data (eg the owner of the contact form) to the user (the person completing the contact form).<p>The company is saved from filtering through contact form responses from bots (spam and injection attempts) but simply shifts the work to the user who they hope to pay for their service, losing countless enquiries from frustrated users.<p>In my opinion, the only acceptable use for captchas is when you’re making a useful, free, no-login-required service available to the public and even then should only be brought in after bursting reasonable rate limits.

Their demo even doesn&#x27;t work for me. It displays an error message in my native language similar to &#x27;Rate limited or network error. Please try again.&#x27;. Reloading doesn&#x27;t change the situation (maybe related to my ad blocker).<p>Doesn&#x27;t make the best impression...

I like that this isn’t Google and isn’t tracking people. I tried this on its own homepage. I didn’t find it a whole lot easier (I was asked to choose photos with boats in them), but it was a little more easier than the blurry photos on reCAPTCHA.<p>What I didn’t like: when I looked for pricing information, I saw that there’s a free tier and there’s a “Contact Sales” tier (for enterprise). There is no intermediate level if you want finer control and just want to know how much that could cost. If anyone from hCaptcha is reading this, I’d strongly recommend adding one or two more tiers or expanding the feature set of the current free tier, at least for some level of granular control.

I vastly prefer hCaptcha to recaptcha because it doesn&#x27;t treat me any differently just because I&#x27;m using Tor. Recently (last year or so), Google has started to explicitly refuse service to me when I use Tor (only after forcing me to solve a CAPTCHA for 3 minutes).<p>Question for dang -- why does HN continue to use recaptcha? It&#x27;s impossible to signup via Tor, and Google is a user hostile company.<p>One thing I will note, is that hcaptcha seems to be more loose in what answers it accepts. Sometimes I click random images and it still lets me pass.

Aren&#x27;t Apple and Google almost obviating the need for this, since they control their duopoly platforms?<p><a href="https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;sign_in_with_apple&#x2F;sign_in_with_apple_rest_api&#x2F;authenticating_users_with_sign_in_with_apple" rel="nofollow">https:&#x2F;&#x2F;developer.apple.com&#x2F;documentation&#x2F;sign_in_with_apple...</a><p>PS: Anyone have the corresponding Google link?

Is there any place where you can just solve captchas from hCaptcha? I was curious what kind of questions&#x2F;labels it displays.

How is hCaptcha for page performance? Google Recaptcha ruins your page speed rankings as it ideally has to load chunk of JavaScript on all pages on page load to continually monitor user behaviour. You could e.g. only load it when someone starts filling out a form but this kind of integration isn&#x27;t standard.

I cannot stand captchas. I cannot even solve them myself sometimes and I think I am human. Or when they show &quot;1&#x2F;5&quot;, then at the 4th they add + 2 because why not... Stop wasting my time. This is actually done by hCaptcha.

I haven&#x27;t tried Firefox + AdBlocker in a while but I always had the idea that in a very Mechanical Turk way I had to earn my few cents worth income for the machine before I was allowed to have no ads and live outside of the Google Empire.

I&#x27;d really love these captcha services to allow me to download an extension that allows me to bypass their captchas. This extension could verify my identity and&#x2F;or device, or just keep an eye on my behavior to validate that I&#x27;m human.

The sub-header of this blog post is &quot;You can beat Google by putting privacy first&quot;, and at this point it&#x27;s interesting to think of how many businesses have done <i>exactly this</i> for an entire range of Google products with success.

I can’t be the only one offended by the unpaid labor involved in CAPTCHAs (training self-driving AIs or whatever).<p>I wish Apple would offer a way for sites and services to verify that a client is indeed human via Touch ID&#x2F;Face ID.

Please die a screaming death. All of you captcha services. I hate you.

reCaptcha is horrible. If you are a business, please stop using it. It feels like working for Google. why the hell should I have to do work for Google when I want to do business with you?

Almost all of the users that Cloudflare shows captchas to are Tor users. Is there any reason why this couldn’t be done without Javascript?

tbh it no ammount of captcha will help a popular platform. If you go black hat for around $150 in private proxies + poster bot + spinner + (insert capcha service here because I dont&#x27; want to advertise them) you can pretty much spam anything for a while.<p>That being said it does make it harder to spam if you don&#x27;t have a budget to start with.

Curious what people think about hCaptcha?

Yesterday I noticed CloudFlare uses it so maybe that is the reason for 15 percent of the internet.

Honestly, I thought hCatpcha was being run by OpenAI in order to provide the benefits of millions of people training AI, but they seem to be completely unaffiliated.<p>What happened to OpenAI? Do they belong to Microsoft now or something?

Anyone have an example of hCaptcha usage?

15% of the web, surely?

hydrant car airplane crosswalk traffic light nightmare

15% of the web. And probably only of the commercial web.

ugh, the craigslist ones are annoying

ublock should include captcha

thanks for making something that has capacity to break google recaptcha v3.

Anyone know why their seems to be military imagery on hCapcha? I don’t want to train anything for the military...

This sounds kinda nitpicky but I think it&#x27;s an important distinction. We&#x27;re talking about the web, not the internet, right? Or is hcaptcha also used for iOS apps, Android apps, etc.?