
Ask HN: A Good Alternative for ReCaptcha? - Ayesh
Are there any good alternatives for reCaptcha? It has come to a point that traditional text/sound captcha challenges are trivial to bypass today, and the more distorted we make them, the more challenging they are for humans.

Google went Sparta with their reCaptcha be, and nobody in their right mind should add a script that fingerprints users, specially from an adtech company.

What solutions do you use to thwart bad bots from submitting your forms and automating things where it should not have been?
======
tpetry
For bots which are not specifically targeted at your page I simply add an
invisible form element named url. Bots _LOVE_ to share their viagra urls. Any
request which submitted a url is discarded.

This trick is simple stupid and should not work but somehow the simple spam
bots have not improved.

This does not work for sophisticated bots (never met one) or the ones
programmed specifically for your site (happens very rarely).

~~~
ghusbands
Be very careful how you do this, unless you want to exclude blind users. I've
seen a blind user have an online form silently fail at them because they
filled in a field that wasn't visible. Using display:none applied indirectly
via CSS is probably reasonably effective against bots and won't interfere with
screen-readers.
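Putting tpetry's hidden `url` field together with the accessibility caveat above, as an added example that is neither commenter's code: the honeypot is hidden through a stylesheet class rather than an inline style, is taken out of the tab order and hidden from assistive technology, and the server treats any filled-in value as a bot. The field, class and handler names are constructed for this example.

```python
import html

# Names constructed for this example; pick your own in a real deployment.
HONEYPOT_FIELD = "url"
HONEYPOT_CLASS = "hp-wrap"

# The honeypot is hidden indirectly via a class in the stylesheet, not an
# inline style attribute: a simple bot that ignores CSS still sees an ordinary
# text input called "url" and happily fills it in.
STYLESHEET = f".{HONEYPOT_CLASS} {{ display: none; }}"


def render_form(action: str = "/comment") -> str:
    """Render the comment form with an accessible honeypot field."""
    return (
        f'<form method="post" action="{html.escape(action)}">\n'
        '  <label for="name">Name</label>\n'
        '  <input id="name" name="name" type="text">\n'
        '  <label for="comment">Comment</label>\n'
        '  <textarea id="comment" name="comment"></textarea>\n'
        # aria-hidden keeps screen readers away from it, tabindex="-1" keeps
        # keyboard users from landing on it, autocomplete="off" keeps browsers
        # from filling it; the label text is a last resort if all of that fails.
        f'  <div class="{HONEYPOT_CLASS}" aria-hidden="true">\n'
        f'    <label for="{HONEYPOT_FIELD}">Leave this field empty</label>\n'
        f'    <input id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" type="text" '
        'tabindex="-1" autocomplete="off">\n'
        '  </div>\n'
        '  <button type="submit">Post</button>\n'
        '</form>'
    )


def is_honeypot_triggered(form: dict) -> bool:
    """True when the hidden field came back with any non-blank value."""
    return bool(str(form.get(HONEYPOT_FIELD, "")).strip())


def handle_submission(form: dict) -> tuple[str, str]:
    """Return (verdict, reason). The HTTP layer should answer a rejected
    honeypot submission exactly like a success (tpetry discards silently),
    so the bot learns nothing from the response."""
    if is_honeypot_triggered(form):
        return ("rejected", "honeypot filled")
    if not str(form.get("comment", "")).strip():
        return ("rejected", "empty comment")
    return ("accepted", "")
```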

~~~
mrighele
Are there tools or guides to help test how websites "appear" to people with
disabilities ? It is difficult to design something if you don't have an idea
of what will be the outcome, but I wouldn't know which software is used by
(e.g.) a blind user, let alone how I would use it.

~~~
jacekm
Simply try to browse the page without using mouse, just the tab key. The next
step would be to use screen reader, NVDA[1] (Windows) or Apple VoiceOver
(MacOS). There are automated testing tools, but they don't cover the whole
spectrum of problems. Nevertheless you can try

* WAVE (Chrome or FF plugin, [https://wave.webaim.org/extension/](https://wave.webaim.org/extension/))

* AXE ([https://www.deque.com/axe/](https://www.deque.com/axe/))

* AChecker ([https://achecker.us/checker/index.php](https://achecker.us/checker/index.php))

* Funkify (Chrome plugin, tries to emulate various disabilities)

* Lighthouse in Chrome Dev Tools also checks some accessibility rules

The full list of things that you need to take care of:
[https://www.w3.org/TR/WCAG21/](https://www.w3.org/TR/WCAG21/) (it's huge I
know, it takes 5-7 days to test everything from this list)

~~~
mises
Please do the tab test. Some of us do this even if we don't need accessibility
tools, as it can be faster (those who create forms which cannot be tabbed
through are evil).

------
dessant
W3C has published an extensive list of reCAPTCHA alternatives:
[https://www.w3.org/TR/turingtest/](https://www.w3.org/TR/turingtest/)

W3C is requesting feedback for the document, if you'd like to make
suggestions, please open an issue:
[https://github.com/w3c/apa/issues](https://github.com/w3c/apa/issues)

~~~
dmos62
That's a very informative document. Privacy Pass caught my eye:
[https://privacypass.github.io/](https://privacypass.github.io/) It's an
extension that is currently only supported by Cloudflare's CAPTCHA, that
pretty much stores tokens after you complete a CAPTCHA, and the next time
instead of requiring you to complete a CAPTCHA again, it will use those
tokens. The point is that it does it in an anonymity preserving way. You can
fork their server for a custom implementation.

~~~
chatmasta
So now the spammers only need to solve one captcha?

~~~
bo1024
And more broadly -- it's kind of funny, but the more we all just roll our own
solutions to this, the less standardized the solutions, and the harder it is
for spammers to scale.

------
mpol
Akismet is a third party service that works really well. You send data there
with a HTTP POST and it will reply with a yes or no, it is spam or not spam.
It is not that hard to implement. You do have to be aware that you are sending
user data to that service, which you have to mention in your privacy policy.

Stop Forum Spam is a similar third party service. You send it an ip address
and an email address. It will reply on both items if it is spam, together with
a confidence level. Quite interesting way to reply :) It is originally
intended to fight registration spam, but you can use it for comment spam or
contact forms as well.

JavaScript spamfilters can be very useful. Most spambots do a HTTP GET for a
page with a form. They fill in all the fields and submit it with a HTTP POST.
They don't run any JavaScript on that page. You can have honeypot and timeout
fields on a form that get manipulated by JavaScript, and spambots will not
validate. Works really well, and all transparent to the user. The only "risk"
is that in the future spammers might start using more sophisticated spambots,
like using Electron or Chromium. I implemented spamfilters like this in a
WordPress plugin and it works really well for me:
[https://wordpress.org/plugins/la-sentinelle-antispam/](https://wordpress.org/plugins/la-sentinelle-antispam/)

~~~
avian
> The only "risk" is that in the future spammers might start using more
> sophisticated spambots

You’re also making your website unusable for people with Javascript blocked or
disabled in their browsers.

~~~
mpol
In the context of the question, that is not relevant. reCAPTCHA requires
JavaScript as well. The question is about an alternative to reCAPTCHA. Both
methods use JavaScript.

I do understand where you are coming from though. And I also think this
alternative is better in this regard. reCAPTCHA loads JavaScript from a
third-party domain. With JavaScript spamfilters you are loading them from the
first-party domain.

~~~
ChrisSD
reCaptcha has a noscript alternative with iframes and checkboxes. Once
completed you have to manually copy an authorisation string to a field and
submit it.

~~~
killahpriest
I don't think the noscript alternative works anymore. I get this message
"Please enable JavaScript to get a reCAPTCHA challenge."

[https://www.google.com/recaptcha/api2/demo](https://www.google.com/recaptcha/api2/demo)

~~~
ChrisSD
Huh, last time I hit a cloudflare website on Tor it directed me to
[https://www.google.com/recaptcha/api/fallback?k=..](https://www.google.com/recaptcha/api/fallback?k=..).

Perhaps that's just a cloudflare thing.

------
LogIN-
As per google "reCAPTCHA is a free service that protects your website from
spam and abuse" but instead one can argue that reCAPTCHA is a service that
transfers the spam issue from the provider to its users, so at the end one
provider will be free of spam (I guess) but all of his users will be spammed,
tricked, fingerprinted and abused to actually constantly work for free for this
3rd party anti-spam service.

~~~
dmos62
I suppose you expand the usage of spam to also mean the recaptcha mini-games
where you tick all the boxes with traffic lights in them. I agree with the
sentiment. I'll add that if you don't use anti-fingerprinting or anti-tracking
measures, then recaptcha catches on really quickly that you're a person, and
it's not much of a bother in that case. The problem with it is that it's made
for the ad-peddling web, not for the private web, or whatever the alternative
should be called.

------
no_gravity
I think it is best to design your own captcha around your use case. All you
need to do is make the amount of work for spammers too high for targeting your
site.

Just recently, I added the idea of a captcha that might actually be enjoyable
for users to my list of "things that should exist":

[http://www.gibney.de/things_that_should_exist](http://www.gibney.de/things_that_should_exist)

The idea is to show the user a random image and ask what is on it. If the
image is beautiful, that might even be fun. And there are many sites that
offer beautiful public domain images. And have tags for everything in them.

There probably are many other funny and enjoyable captcha ideas one could
implement.

~~~
zbaylin
PassThePopcorn has a similar CAPTCHA-like implementation to the Pexels one you
mentioned in your article. It has a repository of movie posters (which I think
are user submitted to the movies themselves), one of which is chosen and the
user is asked what movie the poster is for. I've always thought of that as an
"enjoyable" CAPTCHA.

~~~
viceroyalbean
GazelleGames does that with game covers. Lichess has one where you need to
find a checkmate in one move. It's usually pretty easy, but could in theory be
frustrating for someone just starting with chess.

------
anonymous5133
I had a serious problem with bots spamming my forum. I implemented all the
usual captchas but none of it worked. What I found interesting was that I was
able to defeat the bots simply by "tricking" them. I kept the old forum up but
basically set this forum to auto delete the content on it. I then setup a
brand new forum and for whatever reason bots don't spam it, at all. It is
almost like the bot goes to the original forum, spams it, and then moves on
thinking it has completed its mission. I even flat out disabled the captcha to
see if anything changed and nothing did. The new forum never got spammed. I
have no idea why that happened but it strangely did work. When I do get spam,
I don't think that spam is from bots. It is from humans posting instead but
that is at least manageable to clean up.

It kinda leads me to conclude that each developer has to create "out of the
box" solutions instead of some plug and play solution. If a plug and play
solution is developed then all the spam bot creators start figuring out ways
to crack or simply create a service for human based cracking. If
unconventional methods are used on each site then it gets more complicated for
the spammers.

------
temp99990
I’m a fan of the Chinese-style captchas where you just move a puzzle piece
with a slider. I have no idea how defeatable it is vs reCaptcha but it’s far
far less painful.

~~~
lucb1e
I don't know these, do you have an example?

~~~
ivarojha
Geetest is one of them, I've seen it on crypto projects generally, binance for
example.

------
jermaustin1
The best solution I've ever come to that didn't negatively impact my clients
was generating a UUID on the server via an ajax call 100ms after page load.
That UUID was stored in a cookie, and returned via AJAX and stuck it in a
hidden field on the form.

Server checks cookie != null and cookie == hidden field, and returned a 200 OK
regardless of if it failed (used the response text for success or failure
indication), and deleted the cookie.

Implemented it across a network of sites ~10 years ago, and only a handful of
spam had gotten through when I quit that job 4 years ago. They had been
getting 10-20 spam comments per day per site.
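The cookie-plus-hidden-field check described in this comment, written out as an added example (not jermaustin1's code): the AJAX endpoint issues a random token as both a cookie and a JSON value, and the POST handler accepts only when the two match, always answers 200 OK with the verdict in the body, and clears the cookie either way. The cookie name, the use of a random token in place of a UUID, and the two simulated clients are assumptions of this example.

```python
import hmac
import json
import secrets

COOKIE_NAME = "formtok"  # constructed for this example
COOKIE_ATTRS = "Path=/; HttpOnly; SameSite=Strict; Secure"


def issue_token() -> tuple[dict, str]:
    """Server side of the AJAX call the page fires ~100 ms after load.

    Returns the response headers (setting the cookie) and the JSON body; the
    page script copies the token from the body into the hidden form field.
    A random URL-safe token stands in for the UUID in the comment."""
    token = secrets.token_urlsafe(32)
    headers = {"Set-Cookie": f"{COOKIE_NAME}={token}; {COOKIE_ATTRS}"}
    return headers, json.dumps({"token": token})


def parse_cookie_header(header: str) -> dict:
    """Minimal 'Cookie:' header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def check_submission(cookie_header: str, form: dict) -> tuple[int, str, dict]:
    """Server side of the form POST.

    Accepts only when a non-empty cookie equals the hidden field (an empty
    cookie must not match an empty field), always answers 200 OK with the
    verdict in the body, and clears the cookie in both cases so a captured
    token cannot be replayed."""
    cookie_token = parse_cookie_header(cookie_header).get(COOKIE_NAME, "")
    field_token = str(form.get(COOKIE_NAME, ""))
    accepted = bool(cookie_token) and hmac.compare_digest(
        cookie_token.encode(), field_token.encode()
    )
    clear = {"Set-Cookie": f"{COOKIE_NAME}=; Max-Age=0; {COOKIE_ATTRS}"}
    return 200, ("accepted" if accepted else "rejected"), clear


def simulate_browser(comment: str) -> str:
    """A real browser: loads the page, fires the AJAX call, then submits with
    both the cookie and the hidden field populated."""
    headers, body = issue_token()
    token = json.loads(body)["token"]
    cookie_header = headers["Set-Cookie"].split(";", 1)[0]
    _, verdict, _ = check_submission(cookie_header, {"comment": comment, COOKIE_NAME: token})
    return verdict


def simulate_drive_by_bot(comment: str) -> str:
    """A bot that GETs the page and POSTs straight back without running any
    JavaScript: no cookie and no hidden-field value."""
    _, verdict, _ = check_submission("", {"comment": comment, COOKIE_NAME: ""})
    return verdict
```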

~~~
jm4
That will work for low end drive by stuff. Anyone motivated will have a better
bot. I was running one 10-12 years ago that was essentially a headless
browser. It had a JavaScript runtime and a custom DOM. It could run jquery,
prototype, ajax and just about everything else that was popular at the time. I
even had a custom flash runtime in there for the jackass sites with the nav in
flash.

These days you could just throw together a selenium script and call it a day.

This kind of stuff is fine for stopping comment spam because there are so many
other opportunities out there that the spammers move on to an easier target.
If you need to protect against a targeted attack then it’s a lot more
difficult.

~~~
snowwrestler
Does any kind of captcha stop a targeted attack? I don't think that's what
captchas are for.

~~~
jm4
Maybe. Maybe not. They are pretty darn difficult. I’ve seen a few that are
fairly straightforward to break. For the good ones, you’d need some quality CV
tech and if what you have is that good then you’re probably better off using
it for something other than breaking captchas in order to post comment spam
for penis pills or whatever they are peddling these days.

~~~
snowwrestler
You can pay teenagers in the Philippines a few dollars a day to solve any kind
of captchas for you. Maybe I have a different concept of a targeted attack,
but that seems certainly in the realm of what a criminal enterprise or nation
state would expend on a high value target.

------
Nextgrid
> It has come to a point that traditional text/sound captcha challenges are
> trivial to bypass today

I have yet to see a general-purpose tool to which you can throw any text
captcha and it’ll solve it.

Just because there are academic papers that demonstrated it once doesn’t mean
there’s still a huge barrier to entry in implementing this solution (which
spammers won’t do as long as it’s easier to move onto another target).

There are paid captcha-solving services out there and even those are still
powered by humans even though it’s in their commercial interests to automate
the process. Them not doing so further suggests that AI is not there yet.

~~~
dewey
[https://github.com/dessant/buster](https://github.com/dessant/buster) What
about this one?

~~~
Nextgrid
Does it actually work? Speech recognition is often terrible enough in normal
conditions, so I don't expect it working well on audio captchas which are
often designed to counteract speech recognition.

~~~
westondeboer
Buster works great! I use it all the time.

------
brylie
It might be worth considering a honeypot approach. E.g. having a field in the
form that isn't visible for users that, when filled in, indicates that it is
likely a SPAM submission.

[https://www.projecthoneypot.org/](https://www.projecthoneypot.org/)

~~~
gjs278
I do this but I also put a javascript field that is already checked and js
unchecks it. not great for no script users but pretty good for any random bot
that is using curl or some other scripting language and doesn’t check your
trap box.

~~~
turshija
You can make that checkbox visible by default and put label "I'm not a bot"
and uncheck + hide it using JS, that way noscript users will still see the
checkbox and uncheck it manually.

~~~
tylerhou
Bots might be smart enough to uncheck that from the label; maybe text near the
top of the form that says “please uncheck the checkbox near the submit
button”?

~~~
wongarsu
You could use CSS to place label and checkbox visually close but completely
unrelated in the DOM. Not great for accessibility, but better than the current
situation.

------
KirinDave
Unfortunately, there aren't many good captcha systems that don't do the
equivalent of what ReCaptcha does, because we're at a point where
fingerprinting users is a strong signal to help identify contractors doing
captchas on behalf of bots.

Even some silicon valley products use captcha-breaker services. These services
present themselves as sophisticated APIs but in reality they're just
dispatching work to humans who accept pennies an hour at internet cafes; a
competition with Amazon's mechanical turk for digital sweatshops. They're
common and cheap and the tech industry feeds them. Undercutting the workforce
doing the captcha busting is the only viable way to stop that.

Your real alternative is to do the fingerprinting yourself.

------
jedberg
There was a good podcast about this [0] just a couple weeks ago. They
interviewed the guy who invented CAPTCHA as well as the head engineer on
ReCaptcha v3.

The gist of it was that in a few years, all Captchas will be useless because
machine learning is too easy and cheap. The only way to defeat spam will be to
use reCaptcha v3 or something like it, because those services will use what
they know about you to determine if you're a bot or not, plus their own
machine learning of what "normal" behavior is for your website. It sounds like
ReCaptcha v3 is basically an app level IDS.

[0]
[https://www.npr.org/sections/money/2019/04/24/716854013/episode-908-i-am-not-a-robot](https://www.npr.org/sections/money/2019/04/24/716854013/episode-908-i-am-not-a-robot)

~~~
sjamaan
> those services will use what they know about you

This is inherently user-hostile, as it presupposes tracking and
identification. I _don't_ want them to know anything about me!

~~~
ufmace
Which is kind of the trick - there may be a point not to far in the future
where it is nearly impossible to tell the difference between hostile bots and
users who are just really into privacy and not being tracked.

------
Risse
In my personal blog I am using "Riddler" Drupal module, and have had good
experience:
[https://www.drupal.org/project/riddler](https://www.drupal.org/project/riddler)

You can create your own Captcha questions / answers. I feel like this is the
preferred way of handling spam posts, creating your own custom Captcha
implementation.

~~~
Dolores12
Eventually your questions will be answered by humans and added to a database.

~~~
mattigames
Might be a good idea to extend the plug-in so adding questions is as easy as
sending an SMS, then you can spend less than a minute daily to add a
question/answer combo:

    Color of the sky at night? Black

~~~
julianlam
#000000

------
bjoli
I have a mail server with a new address generated per post (or per comment for
thread functionality) on a blog i run. People then get to mail their comments.
For all reputable mail sites I let things directly through, for everything
else I use a spam filter turned to 11 together with a mail-back link for post
verification.

I have had zero spam the last 8 years.

The code is ancient and runs on an even older version of lispworks with Auth
details hard coded all over the place, so the time it would take for me to
share it would be longer than to rewrite it in some hip language.

Had I been lazy and not as privacy conscious I would have let Gmail do the
spam filtering for me.

~~~
pdimitar
Have you considered open-sourcing that and posting it on HN? I'd use it.

~~~
bjoli
I have been asked to many times, but it is part of a largish website written
in Common Lisp. The codebase is written by me over 3 years with no
consideration for modularity. It would be a considerable effort to break it
out.

There is nothing technically novel about it. Heck, python even includes an
SMTP server in the stdlib. You could probably write a PoC in a couple of
hours.

------
huhtenberg
Depends on why you need it.

Captchas work well for telling humans from bots for the purpose of denying
automated/scripted access. But here a simple IP-based blacklist works well,
because of how many bots now live on Amazon's properties and some such.

You don't need a captcha to filter out bot _spam_. That's a massive overkill.

stopforumspam.com works well. You can combine it with a simple keyword based
filter, have it tag hits with a cookie, temporarily blacklist the IP and then
filter them out based on that as well. Auto-submit it to stopforumspam too.
Obviously, also have whitelisting in place, e.g. to let through existing
customers, previously cleared posters, etc.

For bonus points, first-time posts that look OK may be put into a "shadow
ban"-ish mode, whereby they are visible to the posters and mods, but not
anyone else. Until they are cleared. This works equally well.

The bottom line is there's no spam that doesn't try to promote something and
they aren't likely to target just _you_, so there's always a keyword/URL you
can latch onto, and it also makes sense to participate in a distributed
monitoring framework to piggy-back on each other's first hits.

~~~
dredmorbius
"there's no spam that doesn't try to promote something" is, unfortunately, not
true. Or at least, some spam plays the long con. On sites where karma or
social graph confers advantage, bots will harvest one or both through
low-effort, high-payoff posts. Various disinformation and distraction campaigns
may sell only confusion, discord, or volume of content. And if it's the graph
itself or specific connections which matter, possibly for phishing, recruitment,
or other compromise, you'll see other behaviours.

Not all media manipulation is commercial. Not by a long shot.

You're fighting the last war, if not older.

------
nopcode
As a user I found geetest [1] to be really friendly and much easier to use
than recaptcha. I have never integrated it myself.

[1] [https://www.geetest.com/](https://www.geetest.com/)

------
rcdwealth
Simplest way is to use filtering.

```lisp
;; Word and phrase list used as a simple spam filter (HN's italic markup
;; had turned *spam-words* into _spam-words_ in the original rendering).
(defparameter *spam-words*
  '("viagra" "cialis" "v1agra" "c1alis" "tamadol" "hydrocodome" "doxycyline"
    "prozac" "prozca" "prizac" "doxycyclins" "anx8ety" "amytriptylone" "poker"
    "laxative" "anatrim" "breast" "penis" "fiorinal" "sexy" "kaspersky" "hoodia"
    "thyroid" "coupon.com" "vuitton" "coupon" "fetish" "famotidine" "footwear"
    "sweetwater" "sunglasses" "ninja" "www" "http" "cheap3ddigitalcameras.com"
    "aquadivingaccessories.com" "tastyarabicacoffee.com" "yourmail@gmail.com"
    "bit.ly" "cottonsleepingbags.com" "italiancarairbags.com"
    "newpopularwatches.com" "glasslightbulbs.com" "browndecorationlights.com"
    "fx-brokers.review" "ceramicsouvenirs.com" "xevil" "senuke" "captcha"
    "xrumer" "vkontakte" "апрап" "erectile" "spellingscan" "lialda" "lamborghini"
    "doubles your bitcoin" "pro-expert.online" "specified wallet"
    "selected wallet" "online casino" "multimillionaire" "win-win lottery"
    "lottery" "Перезвоните пожалуйста" "yuguhun88@hotmail.com"
    "meeting-club.online" "from2325214cv" "did you receive my offer"
    "Domain zone .de" "all your photos" "Pay 1 BTC" "to our bitcoin wallet"
    "you will be sued" "police will be interested" "hacked"))
```

~~~
Ayesh
If HN had this filter, you wouldn't be able to submit this comment.

------
realcr
I had a strange idea about solving this problem: How about a micro-payment,
something like $0.01, instead of solving a puzzle? In that case maybe you
won't care if many bots login to your website.

I think that I by this time I have the technology to make something like this
work, I was wondering if this is a good solution though. What do you think?

~~~
bo1024
You could use JavaScript cryptocurrency mining instead. User clicks a button
to activate miner script, it runs in their browser for 10-30 seconds or
whatever, then reports back to your server that they are good to go.

~~~
quickthrower2
You’ll lose people who are blocking this kind of shit. Also you might end up
on a Firefox blacklist.

~~~
bo1024
Don't know how the blacklist works. As someone who blocks javascript by
default, if I were asked to enable this to submit a login, I would probably be
okay doing so if I could be confident a script was only mining and not
fingerprinting me. (Big if)

------
weeb
Whatever you use, please remember not everyone has good vision / hearing /
dextrous mouse control. Captchas can be a nightmare for accessibility. Most of
the 'clever' solutions to this will completely block some subset of keyboard
users / blind users / eye gaze users along with the bots.

~~~
cheschire
It's really frustrating talking to client side developers these days about 508
compliance. It feels like only one in 10 understand the concept of
accessibility.

------
yeppie
For automation I would recommend ratelimiting endpoints. I personally tend to
use 5 requests per IP/second along with 100 requests/minute as default and
then override specific endpoints to e.g. 1 request per IP/hour.

For user input I recommend keeping the first comment submitted by a new
account/IP hidden until you/moderators have approved it, after which new
comments from that user no longer need to be approved before they become
visible to other users.
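The rate limits suggested in this comment, as an added example that is not yeppie's code: a sliding-window limiter keyed by client IP and endpoint, with 5 requests/second and 100 requests/minute as defaults and a per-endpoint override of 1 request/hour. Keying on (IP, endpoint), the `/signup` path, and the injectable clock are assumptions of this example.

```python
import time
from collections import defaultdict, deque

# (max_requests, window_seconds): the defaults from the comment above.
DEFAULT_RULES = [(5, 1), (100, 60)]
# Overrides replace the defaults for that endpoint; the path is constructed.
ENDPOINT_RULES = {"/signup": [(1, 3600)]}


class RateLimiter:
    """Sliding-window limiter keyed by (client IP, endpoint).

    Keying on both is an assumption; key on the IP alone if the per-IP
    defaults should be shared across every endpoint."""

    def __init__(self, rules=DEFAULT_RULES, overrides=ENDPOINT_RULES, clock=time.monotonic):
        self.rules = list(rules)
        self.overrides = dict(overrides)
        self.clock = clock  # injectable so tests need not sleep
        self.history = defaultdict(deque)  # (ip, endpoint) -> timestamps, oldest first

    def rules_for(self, endpoint: str) -> list:
        return self.overrides.get(endpoint, self.rules)

    def allow(self, ip: str, endpoint: str) -> bool:
        """Record the request and return True, or return False without
        recording it (rejected requests do not extend the penalty)."""
        now = self.clock()
        rules = self.rules_for(endpoint)
        stamps = self.history[(ip, endpoint)]
        # Drop timestamps older than the longest window; no rule can use them.
        longest = max(window for _, window in rules)
        while stamps and now - stamps[0] >= longest:
            stamps.popleft()
        for limit, window in rules:
            recent = sum(1 for t in stamps if now - t < window)
            if recent >= limit:
                return False
        stamps.append(now)
        return True

    def retry_after(self, ip: str, endpoint: str) -> float:
        """Seconds until this client would be accepted again (for a
        Retry-After header); 0.0 if a request would be accepted right now."""
        now = self.clock()
        stamps = self.history[(ip, endpoint)]
        wait = 0.0
        for limit, window in self.rules_for(endpoint):
            recent = [t for t in stamps if now - t < window]
            if len(recent) >= limit:
                # The limit-th most recent stamp must leave the window first.
                wait = max(wait, recent[-limit] + window - now)
        return wait
```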

------
simongr3dal
If it's a problem with spammy blog comments I would recommend to just remove
any kind of input on the site and ask people to send you an email with their
questions and concerns.

Be sure to use a separate email and give it to readers on your about page via
some language like "questions (dash) and (dash) comments (at) (this domain)".

If it's for account signups just send an email confirmation link and possibly
include a code in the email that has to be submitted manually as well.

------
NetToolKit
For those who are interested in an alternative CAPTCHA service, we at
NetToolKit are putting the finishing touches on a service that we hope to
launch at the end of next month (June). The CAPTCHAs are interactive and meant
to be fun for the user -- no machine learning training involved. We'd be
thrilled to get some early feedback before launch, so if anyone is interested,
please reach out via email or via our website (both in profile).

------
NourEddineX
What about PoW
([https://en.wikipedia.org/wiki/Proof-of-work_system](https://en.wikipedia.org/wiki/Proof-of-work_system))?

It requires minimal user interaction, and you will eliminate most spammer
bots, since it will lose its cost-effectiveness. You can implement something
like coin-hive's proof-of-work, without having to mine monero anyway.
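A hashcash-style proof-of-work captcha of the kind this comment proposes, as an added example (not coin-hive's code or anyone's from the thread): the server issues an HMAC-tagged challenge, the client burns CPU finding a counter whose SHA-256 has enough leading zero bits, and the server verifies the tag, the binding to the form, freshness, single use, and the work. The challenge format, difficulty, TTL and replay set are assumptions of this example; in a browser the `solve` step would run in JavaScript.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed here; persist it in real use
DIFFICULTY_BITS = 20                  # ~1M SHA-256 evaluations per solve on average
CHALLENGE_TTL = 300                   # seconds a challenge stays redeemable


def issue_challenge(form_id: str, now=None) -> str:
    """Server: 'form_id:issued:salt:tag'. The HMAC tag stops a client from
    minting its own challenges (or reusing a salt it has already solved)."""
    issued = int(time.time()) if now is None else int(now)
    salt = secrets.token_hex(16)
    payload = f"{form_id}:{issued}:{salt}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def work_hash(challenge: str, counter: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()


def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client: brute-force the smallest counter whose hash has `bits`
    leading zero bits. Cost grows as 2**bits; verification is one hash."""
    counter = 0
    while leading_zero_bits(work_hash(challenge, counter)) < bits:
        counter += 1
    return counter


def verify(challenge: str, counter, form_id: str, bits: int = DIFFICULTY_BITS,
           now=None, seen=None) -> bool:
    """Server: check tag, form binding, freshness, work, then single use.
    `seen` holds redeemed challenges; entries older than CHALLENGE_TTL can be
    dropped since they would fail the freshness check anyway."""
    now = int(time.time()) if now is None else int(now)
    parts = challenge.split(":")
    if len(parts) != 4:
        return False
    fid, issued, salt, tag = parts
    payload = ":".join((fid, issued, salt))
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # not issued by us, or tampered with
    if fid != form_id or not issued.isdigit():
        return False  # solved for a different form
    if not 0 <= now - int(issued) <= CHALLENGE_TTL:
        return False  # expired (or dated in the future)
    try:
        if leading_zero_bits(work_hash(challenge, int(counter))) < bits:
            return False  # insufficient work
    except (TypeError, ValueError):
        return False
    if seen is not None:
        if challenge in seen:
            return False  # replay of an already-redeemed challenge
        seen.add(challenge)
    return True
```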

------
josefresco
Looking at these comments (141 at the time of this post) the answer looks to
be: No.

I have small business clients; Google's reCAPTCHA is our best option. They
aren't willing to pay for some obscure, and expensive one-off solution that
might work. They just want the spam to stop. I fill out reCAPTCHAs every god
damned day because I work on the web. Asking "normal" users to fill out a
handful each year isn't asking that much.

Maybe for your startup "rolling your own" makes sense, but not for small biz.

~~~
NetToolKit
There are definitely alternatives. For example,
[https://hcaptcha.com/](https://hcaptcha.com/) (I have not used or evaluated
them).

If any of your small business clients might be interested in our new CAPTCHA
service that should launch late next month, please let me know (see profile
for contact information). Our pricing is projected to be $10 for 100,000
requests.

------
zzo38computer
I think reCaptcha is very terrible. For HTML forms, a simple question could be
used (change them sufficiently often when spam is received), or you may
require the user to edit the URL manually in order to access something, based
on the client IP address perhaps (which would be displayed). I also invented a
protocol-independent CAPTCHA, which is also text-based, and uses SASL. You
should allow the user to implement the code themself if they want to do rather
than requiring that they use your code.

------
mkbkn
I also recommend mailing the website owners who use ReCaptcha about why it's
a nuisance and stating that you and many others won't be using the site
anytime soon.

~~~
n_ary
Doesn’t work, they don’t care. I mailed+tweeted to many among which were
Dropbox/HumbleBundle/Packt etc.. most just ignore me or came back with canned
responses like “we value security blah blah improves security blah blah your
data...” :(

------
Too
Unless your website is under targeted attack just putting "2+3" on an image
will block 99.9% of all bots. You hardly even have to distort the image or
randomize the math but doing so could help against script kiddies. Only
drawback vs reCAPTCHA is you have to show the captcha all the time instead of
automatically suspecting bots.

If you are under targeted attack by someone more dedicated, captcha is not
going to be the only defense in your book.

~~~
massimo-nazaria
> Unless your website is under targeted attack just putting "2+3" on an image
> will block 99.9% of all bots.

Absolutely.

I did exactly that with a PHP script which generated images with the GD
library.

It definitively worked for me.

------
aendruk
For the use case of blocking general web form spam, we've had good results
with relying solely on IP reputation crowdsourced via AbuseIPDB:

[https://www.abuseipdb.com/about](https://www.abuseipdb.com/about)

Occasionally we're an early target of a fresh IP, but we report it back to the
database to help later victims. The more people contribute to such a system,
the better it gets.

~~~
packet_nerd
Many IPs are shared by more than one endpoint, and hundreds or thousands of
endpoints sometimes share a single IP. Say a home router is compromised on an
ISP using CGNAT and you block by IP, you could potentially be blocking an
entire neighborhood of innocent users.

Having parts of the Internet blocked for huge numbers of their customers puts
pressure on ISPs to monitor and censor users' traffic, which is not the
direction I want to see the Internet go.

IPs do not have a one-to-one relationship with users, and I feel strongly that
they shouldn't be treated as if they do.

~~~
aendruk
Thank you, that's well-put. I also share that value.

Another value that I hold is that the cost of bad actors shouldn't be
externalized to innocent people, i.e. that it's unfair for me to pay the cost
of completing a captcha just because somebody somewhere else is misbehaving.

I'm not sure how to reconcile those.

------
dangerface
> nobody in their right mind should add a script that fingerprints users

Fingerprinting users is no more a problem than using cookies, there are far
more legitimate reasons to use these things than illegitimate. The problem is
Google and Facebook using these techniques to spy on people at massive scale.

Once again the problem is Google and Facebook not the internet.

~~~
cyphar
The problem with fingerprinting is that it's used to track users across sites.
Cloudflare's "super cookies" and ordinary ad-network cookies are both examples
of fingerprinting which use cookies and could definitely be argued to be bad for
user privacy.

A text-based challenge-response captcha doesn't fingerprint you in any way.
Google's reCaptcha does -- not to mention that it uses you for free labour
that I would argue should be a violation of minimum wage laws in most
countries (Google hires people to do data entry for ML, so why am I being
forced to do the same work for free in order to post a comment on a forum or
log into a website).

------
gradschool
A commenter on HN some years ago claimed a 100% success rate at blocking spam
by requiring all web form submissions to be cryptographically signed. This
solution struck me as stunningly elegant both by raising the standard for
constructive feedback and promoting public awareness of secure communication.

~~~
pdimitar
Cryptographically signed where and how? Do you mean to say that you get a full
string like "a=1&b=something&c=[1,2,3]" and hash/encrypt that? Or do you
encrypt each individual field? Or something else?

------
ptman
[https://hcaptcha.com/](https://hcaptcha.com/) ?

------
unnouinceput
I like those math questions captcha. Fun and I doubt a bot or even a real
persona spammer will waste time on this. Make the question appear on an image
instead of text and the bot will also have to do OCR on top of being
wolframalpha to defeat your captcha.

~~~
hakfoo
TBH, I had decent results with the most trivial "3+4=" style CAPTCHAs. I know
some sites where there's even only a single, hard-coded question/answer.

In the world where it's not about scaling to infinity, you're not getting
targeted attacks, you're getting stupid bots that pummel every site thinking
it's a WordPress install from 2007 and anything different is enough to scuttle
it.

By the time your service is popular enough to justify building a focused bot
or tossing low-wage workers at it, hopefully you have the revenue in to
finance something more sophisticated.

------
awinder
> nobody in their right mind should add a script that fingerprints users

I helped vendor-select and lead implementation on a fraud solution that was an
integration with SiftScience (yc-funded,
[https://sift.com/](https://sift.com/)), which relies on fingerprinting. This
was years ago but I still think about the project and how it plays with user
privacy etc. I will say that -- fingerprinting as a component in fraud
management is/can be highly effective.

The problem is, once you get into payments fraud through bots, I think the
conversation becomes way more nuanced. If you're looking for a solution to
bots spamming or throwing bad data into your app, maybe that's a little
extreme. But if the choice is between privacy and becoming a front for credit
card fraud and chargebacks, you're in a choice between who the victims of your
service are going to be, and how much ill is done.

------
spydum
Have seen these guys, met the founders a while back at AppSecUSA:
[https://funcaptcha.com/](https://funcaptcha.com/) It’s those puzzles/games as
captchas.

------
htrp
> Google went Sparta with their reCaptcha be, and nobody in their right mind
> should add a script that fingerprints users, specially from an adtech
> company

Elaborate?

------
tmlee
Recaptcha is also blocked in China. Users there won't be able to bypass it at
all to accomplish a protected task.

Anyone knows of a good alternative that works there?

~~~
Zimahl
Yup, this is a huge problem on my company's website. We really like reCaptcha
but, alas, have to fall back to our home-rolled version because reCaptcha
completely fails for our Chinese users.

------
tantalor
"went Sparta"???

------
55555
recaptcha v3 is invisible.

------
techsin101
Just ask a math question?

------
ak-47
A bit late, but honorable mention:
[https://xkcd.com/233/](https://xkcd.com/233/)

------
StreamBright
Just out of curiosity, isn't that feasible today to implement some machine
learning to stop spammers? Is there any project trying to come from this
angle?

~~~
lucb1e
That's like saying "why don't you use algorithms and code". Like, sure, but
what is it you're proposing? What features would you learn from and match
against?

(For those unfamiliar with algorithms and code as solution, it's a reference to
this:
[https://www.reddit.com/r/ProgrammerHumor/comments/5ylndv/so_...](https://www.reddit.com/r/ProgrammerHumor/comments/5ylndv/so_thats_how_they_did_it_its_brilliant/)
)

~~~
StreamBright
Actually we have implemented something like that for HTTP requests. Features
would be: IP (first 3 octets are probably enough), posting time, length, time
to solve captcha, time between clicks, country where the IP is located, post
contains certain words (can be learnt from spam posts), does the post contain
a link(y/n)

I think I would start with these, probably looking into what other people are
doing.

~~~
Ayesh
An ideal machine learning implementation would also need the context, such as
the original post itself, parent comment(s), other comments in the thread,
etc.

It can be more difficult than one might think. For example, now that we are
talking about spam, the word "Viagra" shouldn't block my comment, even though
my parent post doesn't mention the word or in a situation where nobody else
mentioned it.

------
rajacombinator
How about put your users first and don’t farm them out to Google ML training
because someone told you to. Recaptcha is a cancer on the web.

~~~
icebraining
Isn't that what they're doing, hence this question?

