
“No-CAPTCHA” reCAPTCHA - abstractcoder
https://www.google.com/recaptcha/intro/comingsoon/index.html
======
Benferhat
I found a demo[0] via this old forum thread from August[1].

Obviously there are privacy concerns. That being said, this looks like a boon
for anyone interested in bot detection, as you can periodically challenge your
users' humanity without getting too much in their way. Nice one, Google.

From the thread:

 _Implemented it successfully for a website. I have to say, it works great!

it also checks if html pages are changed at runtime and how many times you
"reload" the page where the captcha is. When it thinks you are a bot a captcha
popups, when entered, it got checked on googles servers if it's right and
fills in a hidden input. When the user submits the form, the filled in captcha
coded, again, will be verifed._ [sic]

[0]
[http://www.google.com/recaptcha/api2/demo](http://www.google.com/recaptcha/api2/demo)

[1] Edit: don't go to this url without adblock (see comment below).
[http://forum.ragezone](http://forum.ragezone) com/f144/googles-captcha-
recaptcha-1023607/

~~~
markbao
The key post from that page:

 _" Since it goes through Google's servers, they can verify a lot of things.
Whether you are logged in currently to google, have you been logged in the
past, verify your activity on your IP address, etc. Even if you signed in from
the same ip or ip range like a year ago, they can still tell it's you based on
your previous actions."_

~~~
korzun
So if you are in a remote location or do not fit a specific demographic you
are basically a robot.

~~~
jonny_eh
In that case you get a normal captcha, which is no worse than the current
situation.

~~~
makomk
The normal captchas have been getting increasingly user-hostile over time. The
only limit on them is what users are willing to put up with, and now that
Google's most profitable users don't get them that's less of an issue. In
fact, having nearly unsolvable captchas is actually an advantage because it
encourages users to let Google track them.

------
letstryagain
This page has zero information. What am I looking at?

~~~
albertoleal
Looks like a button to click that you're not a robot:
[http://www.google.com/recaptcha/api2/demo](http://www.google.com/recaptcha/api2/demo)

~~~
therealdrag0
What makes that work against robots versus other things?

~~~
GeneralMayhem
In 99% of cases, whether or not you're a bot can be determined before you
interact with the box. It's mostly just a vector to download the script that
does the actual detection based on mouse and keyboard patterns while you're
using the rest of the page.

~~~
therealdrag0
Interesting! But while I find captchas annoying, I like helping out with the
text-decoding that re-captcha does.

~~~
rspeer
By now the helping-out-with-OCR part of ReCaptcha is entirely unrelated to the
actual captcha. In some cases now you're just identifying street numbers for
Google Maps.

If captchas got simpler, you could still do Mechanical Turk jobs if you wanted
to.

~~~
ademarre
The easy house number tests are for users with established sessions because
the system already has a high degree of confidence you are a human. Delete
your cookies or use an incognito window and I expect you'd see the traditional
captcha with two words.

------
mfjordvald
We've been running the beta of this captcha on
[https://account.oneplus.net/sign-up](https://account.oneplus.net/sign-up) and
while it's certainly a much better experience we also still do get some spam
sign ups.

I'm not sure if these are manually solved from people hired to just solve
captchas or if perhaps it's a bit too lenient. Ultimately I think the improved
usability is more important than spending a bit more effort deleting spam.

~~~
JohnTHaller
It's likely manual signups by people paid to do captchas. It's a thing. A kind
of large thing. When you run a website with a public forum with a couple
million unique visitors a month, you get familiar with it.

------
zvanness
This stuff kind of seems like an overkill to me.

I think asking really simple questions that only a human could understand
seems to get the job done most of the time.

Perhaps something like: "What is the opposite of bad?" or "How many planet
Earths are there?"

I've used things like this for a handful of projects and have never had any
problems:
[https://github.com/kiskolabs/humanizer](https://github.com/kiskolabs/humanizer)

~~~
fear91
There's an annual contest for the spam community. It's organized by Botmaster,
the producer of the Xrumer software.

Basically, whoever answers most of these questions correctly, earns $15,000.
People submit MILLIONS of answers.

This list is then incorporated into the Xrumer itself.

I can tell you that these things are easily broken: a) Answering questions and
building global list of answers, as in this case. b) Reading image captcha -
spammers send it to Pakistani manual solvers for dirt cheap. c) More complex
puzzle captchas can also be broken in software if a lot of websites implement
them.

What works the best is using non standard html form field names. Also, try to
not use text labels for the fields ( no "password", "captcha" etc. ) - because
the software will try to match the best field by text surrounding it. It is
better to use image for labels.

This solution will stop spambots because they simply match form field names.
Unless someone specifically targets your website, in which case there's not
much you can do.

From the most common of captchas, Mollom seemed to be the biggest pain in the
ass for spammers. Mainly because it banned suspicious IPs ( you could solve
the picture correctly and it wouldn't authorize it. )

~~~
minikites
> What works the best is using non standard html form field names. Also, try
> to not use text labels for the fields ( no "password", "captcha" etc. ) -
> because the software will try to match the best field by text surrounding
> it. It is better to use image for labels.

Except browser autofill breaks and anyone who needs a screen reader will go
elsewhere if the screen reader can't parse the images.

------
Animats
OK, so what Google is pushing is something where they track lots of stuff
about your web site in exchange for a CAPTCHA that looks like every other
CAPTCHA. That's so Google. Everything comes with a privacy intrusion.

Amusingly, the examples they give are actually readable. Most of the time,
when I see a CAPTCHA displayed, it's not a word, or anything close to a word.
I've seen ink smudges, math symbols, and Cyrillic.

Besides, machine learning is good enough now it can beat most people at
CAPTCHA solving. Look on Black Hat World for the software.

------
a3_nm
This is a bit worrying. If CAPTCHAs start becoming easier for "real" users
(those who are logged in a Google account, run the Analytics JS, etc.) and
harder for "suspicious" users (who block ads, who use Tor, etc.), it may
eventually become very hard and unpleasant to be a suspicious user, and non-
suspicious users will not notice it.

------
Artemis2
I've already seen it implemented on humblebundle.com, using it is a delight
compared to filling a captcha every time.

I hope Cloudflare soon adopts it for their anti-bots protection – my home
connection is often flagged as malicious on a few websites.

~~~
dublinben
Cloudflare also flags every Tor exit, which makes quite a bit of the web
rather difficult to visit. I shouldn't need to fill in a captcha to load a
gfycat animation.

~~~
eli
I could totally believe that is based purely on observed activity coming from
those IPs (as opposed to some intentional act against Tor)

~~~
mintplant
That matches up with what they claim on their site:

 _CloudFlare does not actively block visitors who use the Tor network._

 _Due to the behavior of some individuals using the Tor network (spammers,
distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes
generally earn a bad reputation. Our basic protection level issues captcha-
based challenges to visitors whose IP address has a high threat score._

[https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-](https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor-)

~~~
duskwuff
From personal experience: most activity you're likely to see from Tor exit
nodes is fraudulent. Absolute bottom-of-the-barrel cesspool traffic trying to
probe for vulnerabilities, commit fraud, scrape content, avoid IP blocks, and
generally abuse your site in ways that the attacker wouldn't be comfortable
doing with their own IP address. It's really tragic - given the potential of
the network as a privacy tool - that it's mostly used for evil, not good.

~~~
cbg0
Good people don't care about hiding their IP that much.

~~~
Artemis2
"I have nothing to hide" is just plain wrong. The less Google and others know
about me, the better.

------
rnhmjoj
[http://random.irb.hr/signup.php](http://random.irb.hr/signup.php)

This one is better.

~~~
fletchowns
Not really, botters just haven't had a reason to automate it yet. If they did
have a good reason to automate it, it seems like it would be pretty easy to do
so.

~~~
jawns
I don't think you appreciate the joke.

~~~
fletchowns
Hah! I guess I didn't look at it very close =)

------
Sarkie
I had an idea for a better Captcha many years ago for my Uni final project,
but went with a different idea in the end.

Mine was a list of boxes with similar pictures in them, and ask the users a
question.

* Choose the only dog

* Choose the cars

* Choose everything but the men in these pictures

Microsoft then created something similar a few years later but then killed it,
I still think this was a better way than OCR type stuff.
[http://research.microsoft.com/en-us/projects/asirra/](http://research.microsoft.com/en-us/projects/asirra/)

~~~
makomk
The trouble is that a well-trained AI can currently slightly beat humans on
this kind of classification test, and it also requires a lot of pictures if
you don't want it to be trivially broken just by enumerating them all.

~~~
hrjet
The image classification yes, but if the questions are worded intricately,
then it might still be a challenge for bots.

~~~
Houshalter
You would spend more effort wording the questions than a spammer would paying
people to solve them on mechanical turk, then storing the answer if it ever
comes up again.

------
wmf
Previously, reCAPTCHA evolved to show easier (street address) CAPTCHAs to
users who have already passed a few hard ones. I guess the next step is to
skip it completely.

~~~
bigbugbag
You're mistaken, the reason street addresses first showed up in recaptcha is
that google needed to have address numbers filled in for their street map
service.

~~~
mintplant
It's a combination of both, really.

------
hippich
Shameless plug - I am trying it from a different angle :)
[https://hashcash.io/](https://hashcash.io/)

~~~
pacmon
Your site needs more detail about how your system functions and compares to
existing captcha systems. All I could find on your site is that basically
existing systems don't work and that yours does.

------
msoad
It's not always home street number I think. Once you proved you are not a
robot, it will not ask you to fill a captcha next time on other websites.

Here is a demo
[http://www.google.com/recaptcha/api2/demo](http://www.google.com/recaptcha/api2/demo)

~~~
13
I have noticed this. You get words for a while, once you get a good enough
score you go to house numbers, if you fail a house number you go back to the
words. Playing with the demo of it if you fail the checkbox (letting it time
out is one way) they throw you back to the house number again[1]. As other
people have pointed out, what they're promoting here has been used on the
Humble Bundle website for a while now, I guess it's the next logical step to
show "good" enough users no captcha at all. Not sure about the privacy
implications of that though.

[1]: [https://i.imgur.com/EnydTJs.png](https://i.imgur.com/EnydTJs.png)

------
impish19
I'm not sure why this link is trending. Hasn't reCAPTCHA been around for a
while?

~~~
Kiro
Read again.

~~~
Houshalter
Read what? All I get is a picture of a cat and a link to reCAPTCHA.

------
TimJRobinson
I was implementing this yesterday and discovered there is absolutely no way to
customise the style / layout of the captcha. You either use the light theme or
the dark theme and that's it, and it's inside an iframe so you can't manually
hack the css.

The old version used to be customisable so I really hope Google adds the
ability to customise this soon.

Another trivial but important oversight: the captcha has a background color of
f9f9f9 but the fallback captcha has a background color of ffffff. So even if
you try and style around it unless you manually detect what kind of captcha is
showing and change the background color on the fly one of them is going to
look off.

~~~
homakov
There's a very simple API and all you need is to insert something like img
src=recaptcha?challenge=C. Isn't it?

~~~
TimJRobinson
You only insert a div and the script places an iframe inside it. I don't think
there is any way to only load the image.

~~~
homakov
there's a way of course - what can be done with JS can also be done on server
side. But it's not a legit way to use, yes.

------
pbreit
Certainly an improvement. But captchas remain user-hostile and generally
unnecessary.

~~~
mintplant
Have you ever had to deal with spam on, eg, a forum or wiki? CAPTCHAs are
absolutely necessary in many cases.

~~~
pbreit
Yes. At PayPal we had one of the very first. And then at Eventbrite as well.
They are most definitely overused.

~~~
mintplant
Interesting. If I may ask, what alternate routes did you take to counter spam
without resorting to CAPTCHAs?

~~~
pbreit
Honeypots and timestamps would work in many cases. There are folks who want to
captcha anything because they couldn't care less about users. But then when
you take a step back and question if it's really necessary, it's frequently
not.

------
missing_cipher
I've seen the "I'm not a Robot" checkbox in Humblebundle.com.

------
misterdata
Why not use some kind of Bitcoin-like proof-of-work system for this?
[http://pixelspark.nl/public/pow.html](http://pixelspark.nl/public/pow.html)
has a working demo

~~~
pixl97
Because bots will commonly run on stolen computer time. The bot doesn't care
how much of your computer processor it uses.
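
Added example (not from the thread, and not the code behind either linked demo): a generic hashcash-style proof of work of the kind hippich and misterdata suggest, showing the client's search beside the server's single-hash check. The challenge format and the difficulty values are assumptions.

```python
import hashlib
import secrets


def new_challenge(bits=16):
    """Server side: a fresh random challenge plus the required difficulty."""
    return secrets.token_hex(16), bits


def leading_zero_bits(digest):
    """Count the zero bits at the start of a hash digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def verify(challenge, counter, bits):
    """Server side: one SHA-256, however long the client searched."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= bits


def solve(challenge, bits):
    """Client side: brute-force the smallest counter that verifies."""
    counter = 0
    while not verify(challenge, counter, bits):
        counter += 1
    return counter


if __name__ == "__main__":
    challenge, bits = new_challenge(bits=16)
    counter = solve(challenge, bits)
    # The client spent counter + 1 hashes; the server spends exactly one.
    print(f"solved after {counter + 1} hashes, "
          f"valid={verify(challenge, counter, bits)}")
```

The server also has to remember which challenges it issued and reject reuse, otherwise one solution can be submitted repeatedly. The check only measures CPU time spent, which is pixl97's objection: it does not tell a person's machine from a compromised one.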

------
arjn
Here is a key difference from prior CAPTCHA services :

"reCAPTCHA offers more than just spam protection. Every time our CAPTCHAs are
solved, that human effort helps digitize text, annotate images, and build
machine learning datasets. This in turn helps preserve books, improve maps,
and solve hard AI problems. "

They're using captchas to solve text analysis and digitizing problems.

~~~
mintplant
reCAPTCHA has been around in that form for a long time already. This post is
about a new system they're planning on rolling out to replace that one. This
one won't require any text input for (most) users.

------
tux3
I've seen this new captcha plenty of times already, I'm surprised it's not yet
"official".

It is much more convenient and painless from a user's PoV but I'm a bit
surprised it actually stops bots.

~~~
hobarrera
I don't see how it's different at all. Could you elaborate?

------
hobarrera
I honestly don't get it. How is this different from the same old reCAPTCHA?
Click the checkbox, get a captcha, fill it in. What's the difference?

------
pdknsk
Personally, I'm no longer solving reCAPTCHAs after I noticed that Google uses
it for free labor. (Google sometimes knows very well that I'm no robot, yet it
still shows a reCAPTCHA). So far it affects the Chromium issue tracker, which
presents a reCAPTCHA to post more than one comment per day.

------
Houshalter
I just get a picture of a cat.

------
chuckcode
So they're turning captchas into a mechanical turk for free?

~~~
eps
That's what reCaptcha was from the very beginning. That's also the reason why
a lot of people intentionally misspell the non-challenge word in it.

------
elwell
So they buy reCAPTCHA, then they self-deprecate it.

------
marcosscriven
I couldn't help but notice the 2006 MacBook Pro with front-loading CD-ROM
drive.

