26 votes

You (probably) don't need ReCAPTCHA

34 comments

  1. [10]
    Wes
    Back when reCaptcha v1 was standard, I used to install it for clients on contact forms and such. It annoyed customers that they had to type in squiggly words, but it became increasingly necessary as spam got worse.

    I tried alternative approaches like honeypots or simple math problems but found them worthless. Akismet's antispam works well but is paid, and I can't convince small business owners to pony up monthly to block spam.

    Eventually reCaptcha v2 (the checkbox version) dropped, and the complaints about squiggly letters dried up completely. It worked great. I see people on HN complaining about endless stop signs, but of the 30+ client sites I've now implemented v2 on I never hear complaint anymore.

    As far as I'm concerned, reCaptcha has made contact and signup forms possible again on the web. I'm sorry to those who block everything and get tagged as suspicious, but spammers have ruined it for everyone.

    I have not yet played with v3, but I understand it works similarly to v2 but offers a scoring instead of a binary result. That might improve the situation for those users some.

    9 votes
    1. [8]
      Comment deleted by author
      1. [7]
        Pilgrim

        Eventually reCaptcha v2 (the checkbox version) dropped, and the complaints about squiggly letters dried up completely. It worked great.

        Now you just check a box. Unless you're using a VPN or something you rarely have to "perform free labor for Google."

        5 votes
        1. blitz
          I don't ever use a VPN and I have never been able to just "check a box". I've been using Firefox with its tracking protection on and that seems to trigger the more in-depth tests. Now that Firefox is shipping with privacy protection on by default I think a lot more people are going to start seeing how annoying recaptcha is.

          23 votes
        2. [4]
          unknown user
          That depends on whether you use chrome or not. If you use chrome and are logged into google, you will probably never need to do more than check a box.

          If you are like me and use Firefox, you find yourself doing a lot of free work for google.

          10 votes
          1. [3]
            Diff
            Be sure to check out the Buster Captcha Solver extension for Firefox. It uses voice recognition software to solve the alternative audio captcha, so you only need 2 clicks (checkbox then BusterButton™) to solve captchas.

            3 votes
            1. [2]
              unknown user
              I do use it.

              Doesn't solve the having to give google JavaScript permissions and agreeing to be spied on bit though.

              2 votes
              1. Diff
                You are right, it does not.

                Something I've been curious about, if you check out the Clover app for android, 4chan requires a ReCAPTCHA for every post. Used to be just the text recognition stuff that didn't require any javascript, but now the full image selection deal is required.

                But on Clover, instead of an interactive javascript deal it seems to be a static form. Little native browser checkboxes appear in the corner of each image. No fading images, no "keep clicking until there are no more images" challenges. There's still an audio button, but clicking it says "Please enable JavaScript to get an audio challenge" so it seems like if you can block Google's scripts from running, ReCAPTCHA will still tolerate it?

                2 votes
        3. WiseassWolfOfYoitsu
          As a Firefox user, I find I'm about 50/50 on checking a box vs identifying road features. I do stay signed in to Google for GMail, so that probably helps.

          3 votes
    2. [2]
      nic
      (edited)
      Math problems worked for me until it did not. You should try javascript and hidden form elements.

      2 votes
      1. cos
        (edited)
        Out of curiosity, why did they stop working?

        Edit: Never mind, just read your other comment.

        1 vote
  2. [14]
    MimicSquid
    It’s worth noting how much easier it is to successfully solve ReCAPTCHAs when the user is logged into their Google account, thus allowing Google to associate their actions with their real identity. A similar effect is often reported for users of non-Google browsers, who notice ReCAPTCHAs take more time to complete in Firefox over Chrome. This is in-line with many other anti-competitive techniques that Google has used over the years to help grow their market share.

    You mean when Google already has a pretty good idea you're a real person, it takes less stringent measures to confirm that you're still human? I am shocked! Shocked I tell you. There are plenty of things to bust Google's balls about, but this one seems sensible. The more thoroughly you allow Google to track you, the more they're sure you're not a bot. Is that wrong?

    8 votes
    1. [13]
      onyxleopard
      It’s not wrong from a technical point of view. It’s wrong from an ethical point of view. If the notion of personhood ends up conflated with whether you have a personal Google account (and are logged into it), I think that is wrong (in the moral sense).

      23 votes
      1. [12]
        MimicSquid
        Is Google doing that? I don't think anyone is actually conflating the concept of personhood with whether you have a personal Google account. What is being associated is whether that Google account has a pattern of behavior independent of the kinds of things that bots do. You could make a bot that had a Google account, only made regular posts and solved the more complex captchas for a while and then was trusted, but it would be trusted not because it was a person but because it behaved the ways we associate with non-harmful individuals. Is that immoral?

        6 votes
        1. [11]
          onyxleopard
          No, the immoral aspects of Google’s service are:

          1. Lack of recourse for false positives (i.e., being falsely classified as a bot when you’re human)
          2. Increased pressure to create a Google account to reduce the likelihood of being falsely identified as a bot

          I’m not saying I have a better solution—reCaptchas seem like a necessary evil, and the more bits Google has as input to their classifier, the more accurate they can be. But, the idea that Google is possibly using their position to pressure people into creating Google accounts in order to prove they are humans is problematic.

          6 votes
          1. [6]
            mat
            (edited)
            Is (1) a significant problem? I've run recaptcha on my site for a long time and nobody has ever come to me saying they are consistently failing to log in (users can still contact me without logging in, via multiple methods).

            When I'm logged into Google I only ever get the checkbox. When I'm not I get the checkbox sometimes and the image search things a bit more often. But not enough to make me think "I'll log into/get a google account just to make this go away", it's not like I'm hitting captchas multiple times every day. But I don't think it's immoral for a company to want to get users per se. You might, and I assume you do, disagree with some of their business practices but just wanting more customers by making customers' lives easier than non-customers' isn't immoral in and of itself.

            Funnily enough the captchas I have most trouble with are the non-recaptcha ones. I still can't log in to Debian forums because whatever text-read-y thing they use is completely illegible.

            2 votes
            1. [5]
              onyxleopard
              The fact that Google’s free services are so convenient is part of why I don’t like them. Google is able to offer a good service for free because they are exploiting users of their customers. If it’s not free manual annotation of text or images to fuel their machine learning models, it’s getting you to stay logged into your Google account so they can track your use of the web and gather data on you. This is normalization of exploitation.

              7 votes
              1. [4]
                mat
                I have friends who work at Google. The attitude internally is they have two customers. Users, and advertisers. Advertisers pay money for access to user eyeballs - and not, as many people assume, data about those eyeballs; that data is highly confidential because its exclusivity is Google's main revenue stream (same at Facebook). Users pay by seeing ads in return for generally pretty high quality services at no financial cost. The text thing, btw, has meant countless previously undigitised books being available for public view. That's a pretty fair exchange for reading a few words if you ask me. Many hands make light work and all that.

                Nobody is really being exploited. It's not a secret how Google make their money. Everybody knows that really, "free" things aren't free. People choose to make that transaction, the same way they choose to watch commercial TV. This isn't a new arrangement by any means.

                I used to run my own email server. It was a pain in the ass and it cost me money and time. Gmail provides an excellent quality service with insane uptime and loads of storage, speed and reliability in return for me seeing a few ads which may be slightly relevant to the contents of my email. That's a fair deal as far as I'm concerned. Most Google services are a pretty good deal, I think. Nobody is making you do anything you don't want to do, you don't have to have Google in your life. If people are being "exploited" it's largely by choice and is that really exploitation?

                I am Old so I remember the fuss kicked up when it was announced (announced, not hidden away) that Gmail would "read" your email to show you relevant ads. I remember similar fuss being made for years before that and years after about similar "exploitations", and to be honest I used to agree with all the people complaining but you know what? Nothing bad has come of this arrangement. Google knows a lot about one particular subset of who I am, but what's actually bad about that? They show me ever so slightly more relevant adverts than they otherwise might seems to have been the only thing which has happened in 15+ years of them gathering my "data". Maybe I'm just too busy and too tired to care. Maybe years of experience has shown that whatever downside there might be, it's really not a problem for me. I don't know. I'm not trying to say your attitude is wrong, but more to explain why I no longer share it.

                7 votes
                1. [3]
                  unknown user
                  But in a way people are forced to use google and consent to tracking with recaptcha.

                  Correspondingly, webmasters that use Google’s ReCAPTCHA on their websites must link to both Google’s Privacy and Terms pages (included in the form by default in a small 8px style that makes them appear unclickable). Although Google used to have its own privacy and terms pages for ReCAPTCHA, these links are no longer specific to ReCAPTCHA, but rather are the privacy and terms pages for all users of Google services in general, regardless of which service is being used, or if the user has (or even wants) a Google account to begin with. Therefore accepting these terms (implicitly, by attempting to prove you are Not A Robot) grants Google permission to do everything that they do to their regular users of their services to you, and little information is available as to what specifically is done (GDPR is likely to be unhelpful here, given ReCAPTCHA’s spam-stopping purpose). Not only are the unhelpful links in the ReCAPTCHA box never opened by users, but there is also no Google logo or visual reference to indicate that ReCAPTCHA is a Google service, so many users have zero indication that they have just consented to all of Google’s tracking just because they tried to leave feedback or create a ticket on your website. If you thought you could use the Internet without using Google’s services, try using the Internet without filling out a single ReCAPTCHA, which for some users is required to pay their bills, file their taxes, and sometimes even use Government websites (if you somehow manage this, next try never sending email to Gmail/Gsuite addresses or using Google APIs for a more exciting challenge). Good luck.

                  I disable JavaScript wherever possible. If a website uses recaptcha I not only have to give google JavaScript permissions, I then have to do free labour for them. And I have to consent to their tracking. I say have to because recaptcha is so overused that many websites I have to use implement it. Such as where I pay bills. I can try my best to avoid non-essential sites that use it, but I can't not pay my bills.

                  Also the point he makes about there being no obvious google branding is a good one. I don't think many people know that by filling in a captcha, they consent to all of Google's tracking.

                  2 votes
                  1. [2]
                    mat
                    The only bill I recall paying via a website is probably my car tax, once a year. Bill payments are 99% invisible to me - do you not have Direct Debits where you live?

                    The thing is, if you care about such things, it's hardly that arduous to install a separate browser which you only use for those forms. I still don't get why tracking is bad though. People keep saying it is but they never say why. It doesn't affect me. So google know a load of things I look at on the internet - I'm completely unbothered by that. They don't care what I look at, all they want to do with that information is try to show me relevant adverts and if I'm going to have to see adverts (which I am, because I refuse to use an ad-blocker because people's jobs rely on me seeing some ads - content creation and hosting isn't free) I'd rather see ones which are at least somewhat related to things I like.

                    How - and why - you manage using the modern internet with no Javascript is beyond me. But you do you, of course! Not judging your choice, it's just not one I'd make.

                    2 votes
                    1. unknown user
                      Again me and my weird choices. Paying bills manually makes me better see how much I'm spending and therefore it makes me try to use less for lower bills. Though I will consider your direct debit suggestion.

                      And as for tracking. I suppose it really comes down to personal preference. I like my privacy, and I don't want to give details about myself away. And I shouldn't have to as an almost requirement to use the internet. I should be able to remove google from my life.

                      3 votes
          2. [5]
            Comment deleted by author
            1. [4]
              onyxleopard
              I’m sorry if I’m not catching what you’re throwing, but are you saying a block chain will solve this problem? How?

              2 votes
              1. [4]
                Comment deleted by author
                1. mat
                  Hi I'm a spammer and I have a huge network of zombie computers which I can run your workproofs on at no cost to me other than a little time. Thanks for not using effective spam protection!

                  More significantly, I have no idea how many times reCaptcha triggers in a day but I'd bet it's easily in the hundreds of millions. If you require 5 compute-seconds for every use, that adds up to a significant amount of power used every day, which (in most places) will mean CO2 emitted. That's not cool. Literally not cool.

                  7 votes
                2. unknown user
                  ...except then you exclude people with old computers, or on mobile devices, whilst not actually solving the problem. If we say that waiting for 2 seconds for your comment to be posted is acceptable, then spammers can still post a comment every 2 seconds, which is clearly no good. A wait of 60 seconds, then - but then every visitor's computer has to work flat-out for 60 seconds to post a single comment. Nobody's going to do that except spammers.

                  How is PoW better than a server-enforced time between comments?

                  4 votes
                3. onyxleopard
                  Putting a gate on sequential posts from one source is fine. I don’t see how this effectively prevents a bot net, though, which is exactly what any serious spam operation is going to use.

                  4 votes
  3. [7]
    nic
    I actually got hit by what the article describes as customized spam one time.

    Someone programmed a bot with the answer to my simple math question.

    I changed my simple math question to something that requires a little thought: A Barber Shop owner has been cutting hair for 50 years. He has raised his prices a dollar every five years. This averages out to an increase of $1 every how many years?

    That seemed to work.

    Also Javascript in combination with hidden form elements also worked wonders.

    6 votes
    1. [4]
      Diff
      For me, renaming my actual username and password fields on registration to nonsense and having some hidden honeypot fields named "username" and "password" did wonders. That mixed with that kind of generated word question would probably successfully kick out most bots.

      1. nic
        Yup, for a simple comment form I have one field that has to be set, and another that can not be set. I also use javascript to obfuscate the destination email and only allow email to be sent to that one email address.

      2. [2]
        Wes
        Unfortunately it will also kick out autofill tools.

        1. Diff
          Can't say I've run into an autofill tool that fills out username and passwords in registration forms before. Names and addresses, but not usernames, and not passwords. Well, yeah, not in registration forms, anyway.

    2. [2]
      teaearlgraycold
      Unless I'm stupid and missing something, that's more of a question of trivial reading comprehension than math. Granted, that's a much better approach than gating something with arithmetic.

      1. nic
        I had a simple math problem that did not work (what is 5*4?) so I changed it to something that is a completely trivial question, but requires some comprehension and a little thought (A Barber Shop owner has been cutting hair for 50 years. He has raised his prices a dollar every five years. This averages out to an increase of $1 every how many years?)

        My site did well but wasn't worth a lot of money in terms of advertising keywords, so it was more than sufficient.
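
One way to implement the field-renaming honeypot that Diff and nic describe above (the real inputs served under nonsense names, decoy fields under the obvious names, and a hidden field that only a client running the page's JavaScript populates), written as an added example rather than either poster's code; the field names, the server secret and the timing thresholds are constructed assumptions:

```python
"""Server-side acceptance check for a registration form that uses renamed real
fields, honeypot fields with the obvious names, and a JavaScript-populated token.
Added example; names, secret and thresholds below are constructed, not from any site."""
import hashlib
import hmac
import time

SECRET = b"constructed-server-secret-change-me"   # constructed; keep out of source in practice
# Real inputs are served under nonsense names; the obvious names are decoys hidden
# with CSS, so a browser user never fills them but a name-matching bot will.
REAL_FIELDS = {"username": "f_7k2q", "password": "f_p9x1"}
HONEYPOT_FIELDS = ("username", "password")
MIN_SECONDS = 3      # faster than a person could plausibly fill the form
MAX_SECONDS = 3600   # token lifetime, so a captured token cannot be replayed forever


def issue_token(issued_at: int) -> str:
    """Token embedded in the served page; a small client script copies it into the
    hidden 'js_token' field at submit time, so a client that never ran it lacks one."""
    mac = hmac.new(SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def check_submission(form: dict, now: int) -> tuple[bool, str]:
    """Return (accepted, reason). Honeypots must be empty, the renamed real fields
    set, and the token intact and neither too fresh nor too old."""
    for name in HONEYPOT_FIELDS:
        if form.get(name, "").strip():
            return False, f"honeypot field '{name}' was filled"
    for logical, actual in REAL_FIELDS.items():
        if not form.get(actual, "").strip():
            return False, f"missing {logical}"
    issued, _, mac = form.get("js_token", "").partition(".")
    if not issued.isdigit():
        return False, "js_token missing or malformed"
    expected = hmac.new(SECRET, issued.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "js_token signature invalid"
    age = now - int(issued)
    if age < MIN_SECONDS:
        return False, f"submitted {age}s after render, too fast"
    if age > MAX_SECONDS:
        return False, "js_token expired"
    return True, "ok"


# --- constructed sample submissions ---------------------------------------
def human_form(issued_at: int) -> dict:
    return {"f_7k2q": "alice", "f_p9x1": "correct horse", "js_token": issue_token(issued_at)}


def scraper_bot_form(issued_at: int) -> dict:
    # Fills every input it finds by name, including the hidden decoys.
    form = human_form(issued_at)
    form.update({"username": "alice", "password": "hunter2"})
    return form


def no_js_bot_form() -> dict:
    # Posts the renamed fields directly without ever running the page script.
    return {"f_7k2q": "bob", "f_p9x1": "pass"}


def forged_token_form(issued_at: int) -> dict:
    form = human_form(issued_at)
    form["js_token"] = f"{issued_at}." + "0" * 64
    return form


if __name__ == "__main__":
    t = int(time.time())
    for label, form, now in [
        ("human", human_form(t - 20), t),
        ("scraper bot", scraper_bot_form(t - 20), t),
        ("no-JS bot", no_js_bot_form(), t),
        ("forged token", forged_token_form(t - 20), t),
        ("instant submit", human_form(t), t),
    ]:
        print(f"{label:15} -> {check_submission(form, now)}")
```

As Wes notes in the thread, the decoy names can also catch autofill tools, so the rejection reason should be logged rather than silently dropped so such false positives are visible.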

  4. [3]
    nic
    The author has no "contact me" on his site :)

    6 votes
    1. [2]
      unknown user
      He has a twitter if you want to contact him. https://twitter.com/Nearcyan

      1. nic
        Sadly, I don't tweet, because the irony is overwhelming.

        4 votes