
Cloudflare Stops Using ReCAPTCHA - mmm_grayons
https://twitter.com/muellermartin/status/1246108409486852103
======
mmm_grayons
More specifically, it now uses a service called hCaptcha:
[https://www.hcaptcha.com/](https://www.hcaptcha.com/)

It appears it pays people to use the captchas by providing data labeling. This
is similar to Google's business case for running ReCAPTCHA, just labeling
others' data instead.

~~~
eastdakota
FYI: hCAPTCHA don’t pay us. We pay them.

ReCAPTCHA decided to start charging for their service (which they have every
right to do, but it was a surprise). Just to use ReCAPTCHA on our Free
customers would have cost us $10M+/year, which was untenable. We’d been
concerned about the privacy issues around using a Google service for some
time, and this was the kick in the butt we needed to move off of them.

hCAPTCHA has been incredibly responsive so far to improving their service,
something even at our scale we had a tough time getting from the ReCAPTCHA
team.

Ultimately, we’re working toward entirely eliminating visual/audio CAPTCHAs.
But, until then, we are enjoying working with the hCAPTCHA team.

~~~
lsb
I recently switched my phone to route all internet traffic through Tor and the
DDG browser on Android, but the hCaptcha challenges are even more exasperating
than the ReCaptchas, and I've found my bounce rate close to 100%.

Is the abundance of hCaptcha challenges for those of us browsing CF-fronted
properties in such a manner going to change any time soon?

~~~
14
Off topic here but since you seem knowledgeable can you point me in the
direction of some good resources I can read to become informed on how to use
tor? I worry I will have issues as you described. My kids' school just moved
online. The teacher was considering using google classroom then I voiced my
concern which she thanked me and she ended up going with a Canadian company (I
am Canadian) called myblueprint.ca and their privacy policy can be found here
[1]. Reading their privacy policy it is quickly apparent they are a giant data
collection machine and I want to throw up. I plan on sharing some of the key
points but if I have to go forward want to try use like a tails live CD or
whatever is recommended in 2020 to avoid their tracking. Thanks for any
insight.

[1] [https://myblueprint.ca/privacy](https://myblueprint.ca/privacy)

~~~
justusthane
I’m curious, what about their privacy policy has you convinced that they’re a
“giant data collection machine”? I just read it and it seems pretty reasonable
to me.

They clearly outline all the purposes they need to use your data for, most of
which are just to operate their site.

I would encourage you to think twice before implementing measures that are
going to add more friction to your kids’ schooling. (Live CD? Tor? Really?)

~~~
silverreads
I worry a lot about my kid writing or saying something that would be innocent
child's play when in person but might be construed as domestic terrorism if
seen in the wrong data dump by the wrong enforcement agency.

How can you teach right and wrong in an environment like this?

------
motge
If no content blocker like µBlock is used, Google will probably find out about
the website visit through Google Analytics. But the important difference is
that Analytics is not essential for visiting a website while the CAPTCHA from
the CloudFlare page in front of the website is.

But the change is especially good for Tor users as they are often blocked from
using Google reCAPTCHA (due to "suspicious" activity from the network) at all.

Finally I hope more companies follow the lead of CloudFlare and change some
parts of their services to not solely use Google so that the web becomes more
diverse again.

------
mikkelam
With my pretty aggressively tuned privacy settings in Firefox I'm getting
captchaed CONSTANTLY, and everybody is apparently using cloudflare. Here's
hoping hCaptcha is less aggressive..

~~~
zenexer
That’s almost certainly unrelated to your Firefox settings. The rate at which
you get captcha’d is mostly based on the level of suspicious activity from
your IP address and nearby IP addresses—though if you mess with headers too
much, that can also do it. I’m decked out for privacy in Firefox, and I never
get captcha’d. You may have a malicious extension or other malware on your
network that’s doing something nefarious.

~~~
mikkelam
That's entirely false. It is primarily related to how easy it is for google to
determine whether you're a real human. If they have to keep reidentifying you
as human (due to for example fingerprint resisting or tracker blocking)..
surprise you get captcha'ed

------
lostmsu
Oh boy, time to update uMatrix rules.

~~~
Ayesh
How would this help? You have to pass captcha to access pages that CF is
proxying. You cannot block hcaptcha and continue to access the sites.

~~~
RunningDroid
lostmsu probably uses the "block third party requests by default" policy so
they'll need to unblock hcaptcha to gain access to the sites.

------
rectang
Hopefully this is better for people who don't browse the web while logged into
their Google accounts.

~~~
zzzcpan
Some people have workarounds for recaptcha or at least understand how it
behaves to not bother solving impossibly hard puzzles, but not for hcaptcha. I
got hit by hcaptcha today on a digitalocean website I think which is served
via cloudflare and struggled to solve it. After clicking "I'm not a robot" it
started asking me to find dogs in pictures a couple of times, pretty awful
experience. I don't know what to say, it's been many years and Cloudflare is
still pretty incompetent in that area ruining the web for a lot of people.

------
Ayesh
hCaptcha is annoying! Even when I'm not logged into Google, I rarely get a
captcha when I click "I'm not a robot". With the new captcha, I get prompted
100% of the time.

I'm glad Google is out of the picture (although their DNS, Google Analytics/
Tag Manager, Chrome, Maps, etc. would know my history anyways). But hCaptcha
needs to be less greedy when it wants free labeling labour.

~~~
Keverw
Yep, I noticed the new captcha a few days ago on a game wiki site just to view
it but I think the site owner has the most strict option however where every
visitor gets a captcha.

But anyways, felt the captcha lasted longer than it should. Was kinda starting
to wonder if it’d ever end, was very close to just exiting that tab.

I wish there was a more open way to stop spammers and abuse. For my project I
want to do, you’d need to be logged in for most things anyways so probably
just need it for signup, password reset and contact form - but plan is to only
do that based on some private risk algo maybe, so not every user gets it.

