Recaptcha v3: new way to stop bots

I’m quite proud of GOV.UK for banning CAPTCHAs from government services completely.[1] Have you ever tried to use the ‘accessible’ fallback for ReCAPTCHA? It’s literally impossible (my team had 0% passes trying it over and over again) so by implementing ReCAPTCHA you’re completely blocking an entire set of already disadvantaged users. At the same time, even a normal CAPTCHA is already harder for some users to solve than it is for some bots and you’re lining Google’s pockets by training their ML algorithms.<p>While this new version potentially helps things, it feels like the users with more automated interaction methods or those who want to reduce fingerprinting efforts will still fall foul of over-zealous site owners.<p>At the end of the day, all a CAPTCHA is is a method to externalise business costs onto your users.<p>[1] <a href="https:&#x2F;&#x2F;www.gov.uk&#x2F;service-manual&#x2F;technology&#x2F;using-captchas" rel="nofollow">https:&#x2F;&#x2F;www.gov.uk&#x2F;service-manual&#x2F;technology&#x2F;using-captchas</a>

Recaptcha v3 explicitly bans any browser that isn&#x27;t one of &quot;the two most recent major versions&quot;[1] of Chrome, Firefox, Safari, or Edge. I don&#x27;t mean it falls back to showing you an annoying select-the-picture quiz; if Google doesn&#x27;t like your browser, the recaptcha widget replaces itself with:<p>&gt; Please upgrade to a supported browser to get a reCAPTCHA challenge.<p>There are <i>many</i> reasons this is bad, but for now I&#x27;ll point out that creating barriers that prevent new competitors from entering an established market is the behavior of a monopolist abusing their power over a market.<p>[1] <a href="https:&#x2F;&#x2F;support.google.com&#x2F;recaptcha&#x2F;?hl=en#6223828" rel="nofollow">https:&#x2F;&#x2F;support.google.com&#x2F;recaptcha&#x2F;?hl=en#6223828</a>

I hate Recaptcha.<p>In my experience using Firefox and not being logged into a google account results in a very long if not impossible chain of captcha challenges.

As a site owner I know captchas are vital in the battle of not being overwhelmed with spam, but as a user I hate Recaptcha with a passion.<p>Every time I’m asked to identify the motorbikes or traffic lights I feel like google should be paying me a few cents each time for helping train their machine learning algorithms.<p>And on mobile the experience is even worse. Depending on the placement of the captcha box half to a third of the tiles might be off the edge of the screen, making it impossible to solve. Seriously, how can Google not have a mobile version in 2018?

The &quot;deep telemetry&quot; nature of this doesn&#x27;t sound like a good idea. It&#x27;s already been annoying with v2 thinking that I clicked a checkbox &quot;too fast&quot; to be human, to worry about every action taken in a site&#x2F;app being compared to some weird AI model for &quot;humanity&quot;.<p>That&#x27;s even before other panopticon questions of who all this added telemetry even benefits.

No, no, no, no.<p>I do not want Google to have any more fucking data about me than it already does! &quot;Put this blob of JavaScript on every page of your site so that we can see how users are clicking, scrolling, and browsing around. Think of the children^W spam and abuse!&quot;<p>I just cannot believe that Google somehow gets away with spinning this as some sort of &quot;guardian of the Internet&quot; thing when it is a transparent attempt to a) make adblocking more difficult and b) force people to accept being tracked by Google or get blacklisted from the web.<p>Getting banned from sites or treated as a subhuman because you don&#x27;t want Big Brother to follow your actions around should not be something that we&#x27;re okay with. It just shouldn&#x27;t be.

Hopefully having an ad blocker (uMatrix) doesn&#x27;t cause it to flag the user like reCAPTCHA v2 does on every single site I go to. I have had to click way too many cars and street signs at this point.

Sorry your citizen score is not high enough to access this website.

&gt; Since reCAPTCHA v3 doesn&#x27;t interrupt users, we recommend adding reCAPTCHA v3 to multiple pages.<p>Frictionless user interfaces arr great, but could this be a ploy to get websites to add Google-property tracking JS on more pages?

I use Firefox with maximum tracking protections and a VPN, so I&#x27;m first in line to claim frustration about being forced to solve reCAPTCHAs.<p>But on the other side, it needs to be understood just how important having a CAPTCHA is. The amount of destruction to user experience that bots can cause is sometimes far worse than the pain the CAPTCHA causes.<p>The long chains of reCAPTCHAs annoy me to no end, and I hope a middle ground can be reached, but bots are a very serious problem.<p>I do wonder if maybe computational challenges are a feasible alternative in some scenarios, or perhaps as an alternative choice you could give to the users.

While we hate Google for the privacy invasion in advertising, reCAPTCHA is one the areas that is a definite positive. Google has the data and the unique position to make the web safer. I wish they did more.<p>Need to give them credit for fighting: hurting malicious websites by not sending them traffic, keeping search results relevant against SEO abuses, cutting down email spam effectiveness, ... and reCaptcha.<p>All of this becomes very relevant when you run our own online business like I do. You can lament that google knows you&#x27;re shopping for a new car, but my users lose real dollars if a scammer gets on my website - and google provides the tools to combat this.<p>And, no you can&#x27;t implement your own captcha. No matter how smart you think you are, you don&#x27;t have the data that Google does.

Their recaptcha is broken and causes a lot of pain especially when you&#x27;re on an ISP that may have had some bad apples (pretty common in India where ISPs don&#x27;t care about spam or piracy). It&#x27;s like the whole neighborhood is paying the price of someone else&#x27;s crime and it feels like the digital version of being racially profiled.<p>Worst part is even after solving dozens of images (which keep refreshing by the way to no end) you still sometimes get we don&#x27;t believe you&#x27;re human comment and no way to go forward.<p>Cloudflare and this recaptcha can really break the internet for some people, esp in small Indian cities.

I got hit by &quot;Distributed Spam Distraction&quot; recently.<p>It works by having a bot signup on thousands of websites at once with your email. The purpose is to flood your email with hundreds of welcome message emails every minute so you will miss the real security message emails (such as someone resetting your password).<p>What makes this attack so evil is that these are real sites you have to individually unsubscribe after the attack is over. This includes many sites from countries without email unsubscribing laws. So to this day, I still get hundreds of emails everyday from these sites who think I have signed up for their newsletter&#x2F;product&#x2F;etc.<p>I would not be against enforcing a captcha on every site out there just to prevent these kinds of attacks.

In addition to the problems already mentioned (Google collecting more data, Google making ad blocking harder), let me share another issue I have with this: Google is becoming a de-facto gate keeper to your website, turning bots away.<p>Do you get it? A company whose business model is based on their bots ability to crawl the web will now have more power over <i>other</i> bots.<p>Brilliant.

The language used seems alarmist, particularly given the extent to which Google use bots themselves.<p>For example, &quot;the new way to stop bots&quot;, &quot;alert you of suspicious traffic&quot;, &quot;identify the pattern of attackers&quot;, &quot;pages are being targeted by bots&quot;, &quot;stay ahead of attackers and keep the Internet easy and safe to use (except for bots)&quot;<p>Many companies have built valuable services by automating HTTP requests. One might even think that Google would like them to stop.<p>Two things that particularly worry me about this are a) encouraging sites to apply captchas to pages that have nothing to do with authentication and form inputs, and b) the hint of requiring two-factor authentication and phone numbers to proceed. [edit] will Google be offering to handle this on behalf of sites?

Can someone explain to me why CAPTCHAs are used all over the place for sites that don&#x27;t have user interactions?<p>I understand it for account creation. I understand it a bit less for login (seems like a lazy way of preventing automated attempts).<p>But for simply accessing a site? What gives?<p>I&#x27;m increasingly starting to find that only tech blogs, the odd big site I&#x27;m logged in on like Amazon, and sites like HN are usable lately, because anything else seems to require a 1 minute + gateway of CAPTCHA + GDPR + whatever else before I can actually get to the site.<p>Is it some way of filtering out users the sites don&#x27;t want without expressly having a &quot;403 Forbidden&quot; or whatever?

Slightly creepy, they want to track users around your site to see if they go page to page like a human or like a bot. (Instead of just checking before form-submit or some other action.) But if you already have Google Analytics you&#x27;re probably not giving up any more information by adding this.

Recaptcha is a horrible experience if you block tracking. Sometimes I fill in literally 10 pages of CAPTCHAs and it still can&#x27;t work out if I am a bot or not. It&#x27;s not even clear to me why having tracking cookies is even a sign that a client is not a bot.

Fidor Bank uses recaptcha. WTF, I don&#x27;t want google to know when I access my bank!

The interesting thing about this type of heuristic is you probably don’t need Google to do it for you. Does anyone know of any open source software that is capable of doing something like this?

I block Google domains on my main browser profile, and JavaScript by default.<p>I noticed if I encounter a recaptcha on a website, I just tend to abandon and seek information elsewhere. Last time I was presented with a recaptcha when setting a search filter on a website. No, thanks. This is too much of a pain to unblock everything and answer a recaptcha. I&#x27;ll pass.<p>When I do answer a recaptcha in despair, this is a pain to do.

Let&#x27;s say that we&#x27;re a small startup and we need a reliable captcha service. What are the alternatives of using reCAPTCHA?

anyone remember the blog from the late 90s or maybe early 00s who just ripped apart every bespoke captcha that existed on major web sites? It was really entertaining&#x2F;interesting&#x2F;informative to me at the time. Can&#x27;t find it anymore...

Related: a guaranteed unbreakable captcha by Scott Aaronson. <a href="https:&#x2F;&#x2F;www.scottaaronson.com&#x2F;writings&#x2F;captcha.html" rel="nofollow">https:&#x2F;&#x2F;www.scottaaronson.com&#x2F;writings&#x2F;captcha.html</a>

Any time I see their stupid image captcha to find all buses or shop fronts I immediately close the tab. It&#x27;s <i></i>never<i></i> worth the effort of solving 5x image captcha to read see some stupid website.

Another thing which can be gleaned from the progression of ReCAPTCHA from v1 - enter street names and house numbers into this box please - through v2 - identify images with street signs, shop fronts, buses, cars - to v3 - only Chrome&#x2F;Firefox&#x2F;Edge&#x2F;Safari users welcome is that Google Maps (and related units) no longer needs ReCAPTCHA users to read those street names and house numbers as that task is now reliably performed by software, nor does it need help to separate shop fronts from normal facades or traffic signs from billboards. Now that these tasks can be handed over from mechanical Turks to the server farm ReCAPTCHA can be turned to other purposes like giving Chrome an extra boost.

I don&#x27;t like any version of recaptcha either. A server-side text-only CAPTCHA is better.

What are the most common use cases for captchas?<p>What do HN users use them for?

What do we think about hcaptcha.com ?

I really thought they would realise how fucking stupid this was and roll it back, but I guess they really don&#x27;t care at all. I feel sorry for anyone who has opted out of the Google ecosystem so far and is now going to be penalised by not being able to access many websites