
Moving from reCAPTCHA to hCaptcha - migueldemoura
https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/
======
zachware
One of the more insidious elements of ReCAPTCHA is its propensity to challenge
users who have robust cookie blocking in place. So as we encourage people to
be more privacy-aware, the web gets harder and harder to use.

We've seen ReCAPTCHA pop up all over ecommerce, all over benign websites with
little to no need to challenge users, almost completely because of the increase
in privacy-aware users.

ReCAPTCHA essentially flies in the face of the recent blocking features
rolling into Safari and Firefox and more privacy-aware users...growing by the
day.

In many ways it's a genius structure from Google. 1. Convince people to use
your privacy challenge. 2. Serve it when you don't see Google tracking
cookies. 3. Offer a way around that with the least privacy-aware browser
available (Chrome use is growing steadily month over month).

So good on Cloudflare.

~~~
noad
You're forgetting the main benefit for google, which is getting humans to
train all their vision models for free. At one point they were just forcing X%
of clicks to fill out a captcha regardless of origin or identity just to get
more data.

I for one am getting quite tired of trillion dollar corporations getting
things for free out of me. Hard pass.

~~~
weinzierl
> You're forgetting the main benefit for google, which is getting humans to
> train all their vision models for free.

Is this still true? I keep seeing the same type of images for years and there
might be 7 or 8 different categories but that's it. To me reCaptcha looks like
a service well in its maintenance phase. If it was actually in use for
training purposes you might expect images to match a wider range of tasks.

~~~
airstrike
I've lost track of how many times I've had to read house numbers from Google
Street View...

~~~
sli
I haven't gotten one of those in years. These days it's just picking out
buses, cars, traffic signals, and sometimes motorcycles. Maybe once in a while
it'll ask for storefronts.

~~~
eythian
Most of mine lately have been traffic features also. This is a little tricky
in some cases, e.g. with crossings, as it sometimes gives me things that I
don't think are crossings but it insists I select, perhaps they are in the US,
or the perspective is weird, or someone else has told it that a series of
white squares is a crossing and it requires me to agree.

------
blakesterz
> "Earlier this year, Google informed us that they were going to begin
> charging for reCAPTCHA. That is entirely within their right. Cloudflare,
> given our volume, no doubt imposed significant costs on the reCAPTCHA
> service, even for Google."

Even in the article they say... "Google provided reCAPTCHA for free in
exchange for data from the service being used to train its visual
identification systems." ... I thought this was one of those win/win things...
Google gets something, websites get something... what's changed? Is Google not
getting much out of reCAPTCHA now?

~~~
oefrha
Seeing that reCAPTCHA v3 doesn't use endless streams of images any more, I
would guess that Google no longer benefits much from having users tag
storefronts, traffic lights, buses or fire hydrants. Maybe their image
recognition algorithm is past that stage.

~~~
robin_reala
It does as a fallback. But you’re missing the main point of v3, which is that
it shifts the legal onus of blocking from Google to the integrating site. No
longer can Google be sued for accessibility violations, if it’s the site
that’s stopping the user from entering purely on a suggestion from Google.

~~~
dathinab
Just because you do some technical workarounds doesn't mean you get a legal
free pass.

I don't think this aspect did matter much because it was always the site's
decision to use reCAPTCHA and that didn't change.

I also don't think Google gets much profit out of the image tagging part
anymore, they already have a huge database of tagged images.

------
yjftsjthsd-h
_Well._ That's probably fantastic news; using ReCAPTCHA (and thereby making
users subject to Google's tender mercies) was honestly my main reason to
dislike cloudflare from a user's perspective. ReCAPTCHA is utterly foul; it
follows you _everywhere_ it can, exists to undermine privacy, punishes non-
Chrome users, and throws you in an infinite loop when it decides that you're
not a human.

~~~
curiousgal
I don't blame reCAPTCHA for existing, I blame Cloudflare for using it. It made
using Tor literally impossible. Hopefully this will be better.

~~~
lol768
Didn't Privacy Pass help here?

~~~
hedora
I have no idea what privacy pass is, but if it involves setting browser state
across more than one site, then it breaks the tor anonymity model.

Anyway, hopefully hCaptcha works with Tor.

~~~
eastdakota
Specifically designed to allow you to authenticate once and then use that as a
proof of work across multiple sites, without revealing your identity as being
connected across those sites. Here's the math:
[https://blog.cloudflare.com/privacy-pass-the-math/](https://blog.cloudflare.com/privacy-pass-the-math/)

~~~
IanCal
I'm not so hot on this stuff so this might be answered or clear on the site
and I didn't get it - can the other sites tell who authenticated you? Can the
authenticator add metadata?

I'm wondering about other use cases, using it to prove you've paid for
something, or donated perhaps. Or passed a daily quiz/challenge. I feel like
there's some fun ways of using this.

------
elric
It's a start. reCAPTCHA is a notorious pain in the arse for anyone whose
browser isn't Chrome and for anyone who doesn't keep cookies. I'm not sure if
hCaptcha will be better, but it's hard to imagine it being any worse.

~~~
tgv
By now, I almost immediately close a page with a reCAPTCHA, because the stream
of buses, traffic lights, and cycles never seems to end when you're using
Firefox. And then it says "too many requests from this computer" and refuses
to continue.

~~~
tcd
I'm amazed Mozilla hasn't sued Google for discriminating against their browser
- I also use Firefox and suffer endlessly using privacy tools. I can prove
there are no more busses and I'm 100% right, but I can predict 100% of the
time it'll say "please try again".

The pattern seems to be 2/3 'right' guesses. On sites like eBay, the captcha
is broken on Firefox. I complete it, and it says "you need to resubmit this
form again", and reloads the entire page.

That's the cost of privacy; broken pages and refused access because Google
says "NO!".

And businesses are okay with Google denying them money. I wonder if they did a
cost/ben analysis if they find it worthwhile.

Thanks to Google, I've actually saved quite a bit of money; they lost out on
hundreds recently when their automated systems decided to refuse my
transaction. Their loss and my gain.

~~~
fludlight
Google pays Mozilla to be the default search engine in Firefox. This is
Mozilla's main source of revenue, so I doubt they will sue.

~~~
jakear
I wonder why they don’t negotiate with Msft to use Bing or even DDG instead.
Seems... incredibly odd... to put oneself in a position where a third party is
directly antagonizing your users, reducing your user satisfaction and likely
dramatically increasing churn, but you can’t do anything about it because that
same party is your main source of funding.

(Disclaimer, I work at msft. Nowhere near this though).

~~~
jdashg
I'm not sure why you think they don't negotiate with other search providers.

~~~
jakear
The fact that they’re still on google even though google is screwing over
their userbase? I don’t use Firefox because of how difficult it makes captcha.
There are others like me.

If they are negotiating with other providers, they certainly aren’t doing a
very good job of it.

------
cinbun8
> Earlier this year, Google informed us that they were going to begin charging
> for reCAPTCHA

So it came down to cost.

> Over the years, the privacy and blocking concerns were enough to cause us to
> think about switching from reCAPTCHA. But, like most technology companies,
> it was difficult to prioritize removing something that was largely working
> instead of brand new features and functionality for our customers.

I like that they're upfront about this. In most companies / teams of this
size, these issues are always swept under the carpet until something ugly
forces you to clean up at a later point in time. It's just unavoidable.

------
alexnewman
Hey everyone. HCaptcha founder here. We are so happy to be on hackernews. I'm
curious if anyone is having any problems? We are trying hard to respond
carefully to customer requests but as you can guess we are very busy. Also we
are hiring :)

~~~
ronyfadel
Hey Alex, one suggestion: the HCaptcha challenge box is way too tall, sitting
at 725px, it's larger than the Chrome viewport on a 13" MBP, so I have to keep
on scrolling up and down to solve the captcha.

~~~
alexnewman
You would not believe how much we think about these things. We appreciate the
feedback and will continue to tune for every puzzle. Thank you so much for the
feedback.

~~~
splintercell
Can you get 4chan to start using hCaptcha? I can't tell you how much I hate
Google reCAPTCHA. Not to mention the brainiacs at 4chan have figured out how
to solve Google's reCAPTCHA easily.

------
aeonflux
This is what I recently got on CF's HCAPTCHA (look closely):
[https://imgur.com/a/QZNHmUC](https://imgur.com/a/QZNHmUC)

~~~
alberth
I see 2 clear images of dogs. 2 possible dog images. And zebras humping.

Nice.

------
chrismorgan
A few days ago I encountered this when Cloudflare decided my IP address (which
is behind an ISP-level NAT) was suspicious all of a sudden (which it hadn’t
been doing, a pleasant change from when I was at this location three years ago
when half the internet sprouted Cloudflare CAPTCHAs at me). It was _awful_ to
solve, worse than the substantial majority of reCAPTCHA checks I’ve
encountered. Certainly _nothing_ like the illustrations in the article.

~~~
IAmEveryone
I had the same experience. But this may just be an artefact of humanity now
having been trained exceptionally well to identify traffic lights and busses,
but being relative novices at identifying elephants.

And now I'm wondering if this may not be a spectacularly useful tool to raise
standards of education world-wide. Imagine, say, the French government buying
them and asking every person on the internet twice a day to match some
vocabulary to images: Identify "le baguette"! _Lingua Franca_ , le sequel.

Or a maps puzzle: "Please identify Equatorial Guinea, Papua New Guinea, and
Guinea-Bissau".

------
KCUOJJQJ
I just tried it on a website that uses Cloudflare and that always asks me to
solve a captcha. (I guess this website does this if the user has a foreign IP
address.) In the past I managed to get the non-script Recaptcha. But I don't
see a non-script Hcaptcha. I'm a little afraid of _possible_ browser
fingerprinting scripts. If there was an unwaivable, enforced right to privacy
I wouldn't be afraid.

Also, I don't want to solve any script captchas anymore because of a traumatic
experience with script Recaptcha. I had a portable Chromium with login cookies
for a few websites. I didn't use that Chromium for other websites than these
few. Suddenly, one service almost always demanded a new login after just 1
day. On each login I had to solve a script Recaptcha. I didn't find a way to
get non-script Recaptcha. According to the service evil spambots had attacked
it. Once, Recaptcha let me solve captchas for minutes, just to eventually tell
me I was a bot. I had an IP of a large internet provider. I deleted cookies,
got a VPN IP, tried it again, worked on the captchas in the exact same way as
before and managed to log in to my account. A website operator wrote in a
forum thread that Recaptcha was the only solution to the bot problem. One user
suggested "email login as an optional alternative". This was not implemented,
because apparently Recaptcha was really specifically the only solution. I then
switched to another service, which cost me a few hours of work. This traumatic
experience has made me completely unwilling to solve any script captcha.

------
worble
A little off-topic, but the article mentions they support Privacy Pass. I
remember seeing the announcement a little ways back when they first released
it but just kind of forgot about it. Is anyone using the browser extensions?
Has it reduced the amount of captchas you end up seeing, or made your browsing
experience better in any way?

------
devy
The enterprise grade hCaptcha[1] is not free either. Does anyone have pricing
information?

[1]: [https://www.hcaptcha.com/#plans](https://www.hcaptcha.com/#plans)

~~~
wongarsu
According to the article Cloudflare is paying, but is paying "a fraction of
what reCAPTCHA would have [cost]". Recaptcha is $1/1000 challenges, so
apparently hCaptcha is some small fraction of that.

Cloudflare might get a discount for running some of the infrastructure on
their own servers; on the other hand that might also be an integration hassle
that actually costs them money.

~~~
meowface
> Recaptcha is $1/1000 challenges

This seems unwise, because many captcha farms charge less than this. A quick
Google search shows one service offering $0.50/1000 challenges. If it's 2x
cheaper for an attacker to solve a captcha than it is for a provider to
display it, it sounds like the attackers win.

~~~
aaron695
This only works if you are Soviet Russia vs the USA and your plan is to ruin
the other by draining their money and you have equal pools of cash.

Spammers don't want to hurt the company they attack if they can help it, they
need them!

I don't understand why ReCAPTCHA cost so much though. A human solving them is
cheaper than a computer/human hybrid creating them?

~~~
meowface
True, the attacker is much less likely to have anywhere near the funds of the
target, and they don't want to hurt them.

Regardless of the actual price multiple, it costing anywhere near the price to
serve as the price to solve just seems to defeat the point. Really, it costing
any money per captcha served just punishes sites that happen to face a higher
volume of bots, even if they're a small site. It's just going to push the
company to switch to a different captcha service, which may be even cheaper
for attackers to solve.

------
cm2187
> _But, sometimes, when we're not 100% sure if something is malicious or good
> we issue it a "challenge"._

I think they meant “bot or human”, not “malicious or good”. Bot != malicious.
And these challenges will do no good to non malicious bots.

~~~
lucideer
I think you're confusing intent with implementation.

You're right that the implementation excludes non-malicious bots and fails to
solve for malicious humans, but that just makes it an imperfect implementation
of the intent: which is to differentiate malicious & good.

------
_nickwhite
From the article:

"We evaluated a number of CAPTCHA vendors as well as building a system
ourselves."

and

"We worked with hCAPTCHA in two ways. First, we are in the process of
leveraging our Workers platform to bear much of the technical load of the
CAPTCHAs and, in doing so, reduce their costs. And, second, we proposed that
rather than them paying us we pay them. This ensured they had the resources to
scale their service to meet our needs. While that has imposed some additional
costs, those costs were a fraction of what reCAPTCHA would have. And, in
exchange, we have a much more flexible CAPTCHA platform and a much more
responsive team."

So Cloudflare are basically cloud hosting hCAPTCHA's services. I wonder why
Cloudflare didn't just buy them, as it seems like it would be a win-win with
getting an excellent CAPTCHA service, and not have to build it themselves?

~~~
IAmEveryone
CF likes the CAPTCHA part of CAPTCHAS, but any vendor is probably far more
invested in the "generating ML training data" scheme.

CF probably has zero interest in that part of the product: It doesn't fit with
their existing products nor customers, and it's just too small relative to
their other business to devote much attention to it.

At the same time, the business opportunity is probably too large for
hCAPTCHA's founders to just forget about it, or for CF to compensate them on
the hot-new-technology assumption when they're only looking for peace-of-mind-
utility tech.

------
noncoml
IMHO CAPTCHA is a lazy way to protect your service, as you shift the burden to
your users.

Maybe if you are big and essential for some users, you can afford that. But if
not, be aware that users will turn their back on you if you add obstacles
between them and your service.

Edit: meant to say “be aware that _some_ users will turn their back to you”

~~~
cdubzzz
> IMHO CAPTCHA is a lazy way to protect your service, as you shift the burden
> to your users.

What is the non-lazy solution to having a basic website contact form that
_doesn't_ receive hundreds of spam submission per day?

~~~
noncoml
"receive hundreds of spam submission per day"

But this is exactly the point I am trying to make. That's the service
provider's problem and not the user's. CAPTCHA shifts the problem to the user.

CAPTCHA is a 00's idea, when we had the multiple page registrations (with
errors showing only after you submit the page), the insane password
requirements, etc. It doesn't belong in a modern stack in my opinion.

"What is the non-lazy solution?" That's how disruption is born.

~~~
hombre_fatal
The vast majority of users never see a recaptcha puzzle when you're using v2's
invisible recaptcha.

~~~
SquareWheel
And 0% of users see it if you're using reCaptcha v3.

~~~
xur17
It never presents challenges to users, but instead just buckets them into bot
or not bot?

~~~
SquareWheel
Almost. It gives a botness score to the server, and it's up to the website to
decide what to do with that score. They can pick a threshold to approve,
reject, or apply stricter verification to.
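
A concrete version of that server-side policy, as an added illustration (not Cloudflare's or Google's code): the backend reads the siteverify JSON (`success`, `score`, `action`, `hostname`) and buckets the request into approve, step-up or reject. The sample responses are constructed, and the thresholds are assumptions chosen for illustration.

```python
"""Server-side policy for a reCAPTCHA v3 score (added illustration, not
Cloudflare's or Google's code).

reCAPTCHA v3 never challenges the user; the site's backend posts the client
token to Google's siteverify endpoint and receives JSON containing at least
`success`, `score` (0.0 = very likely a bot, 1.0 = very likely human),
`action` and `hostname`.  The site then decides what to do with the score.
The responses below are constructed sample payloads in that shape, not real
API output; the thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict

APPROVE_AT = 0.7    # assumed: scores at/above this pass without extra friction
REJECT_BELOW = 0.3  # assumed: scores below this are refused outright


@dataclass(frozen=True)
class Decision:
    outcome: str   # "approve", "step_up" or "reject"
    reason: str


def decide(verify: Dict[str, Any], expected_action: str, expected_hostname: str,
           approve_at: float = APPROVE_AT, reject_below: float = REJECT_BELOW) -> Decision:
    """Map a siteverify response to approve / step_up / reject.

    Besides the score, the action and hostname must match what the page
    embedded; otherwise a token minted for a cheap action (or another site)
    could be replayed against a sensitive one.
    """
    if not verify.get("success"):
        return Decision("reject", "token invalid or expired: %s" % verify.get("error-codes"))
    if verify.get("action") != expected_action:
        return Decision("reject", "action mismatch")
    if verify.get("hostname") != expected_hostname:
        return Decision("reject", "hostname mismatch")
    score = float(verify.get("score", 0.0))
    if score >= approve_at:
        return Decision("approve", f"score {score:.2f} >= {approve_at}")
    if score < reject_below:
        return Decision("reject", f"score {score:.2f} < {reject_below}")
    # Grey zone: do not block, but apply stricter verification (an interactive
    # challenge, e-mail confirmation, ...) before honouring the request.
    return Decision("step_up", f"score {score:.2f} in grey zone")


# Constructed sample responses in the siteverify JSON shape.
SAMPLES = {
    "likely_human": {"success": True, "score": 0.9, "action": "login", "hostname": "shop.example"},
    "grey_zone":    {"success": True, "score": 0.5, "action": "login", "hostname": "shop.example"},
    "likely_bot":   {"success": True, "score": 0.1, "action": "login", "hostname": "shop.example"},
    "replayed":     {"success": True, "score": 0.9, "action": "newsletter", "hostname": "shop.example"},
    "bad_token":    {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def run_samples() -> Dict[str, str]:
    """Decide every sample as a 'login' request for shop.example."""
    return {name: decide(r, "login", "shop.example").outcome for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:13s} -> {outcome}")
```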

------
Legogris
Apart from the surveillance aspect, one thing that bothered the hell out of me
with Cloudflare using ReCAPTCHA was that it yielded a much larger part of the
web than necessary effectively blocked in China, since the CAPTCHAs would get
triggered, and not load, from Chinese IPs.

I had a customer where we had to migrate away from Cloudflare for this reason
- this was about 5 years ago and the issue has been there to this day. Glad to
hear they've finally done something about it. Even if it took Google starting
to charge money for ReCAPTCHA to trigger it.

------
notechback
This sticks out to me:

> We also had issues in some regions, such as China, where Google's services
> are intermittently blocked. China alone accounts for 25 percent of all
> Internet users. Given that some subset of those could not access
> Cloudflare's customers if they triggered a CAPTCHA was always concerning to
> us.

They are explicitly saying that China's blackmailing of Google is working so
well it even affects decisions on using Google products outside of China.

I'm not a Google fan and think this move is a great improvement for the web
and user privacy, but that this was explicitly motivated by China's
blackmailing tactics is terrifying.

And we can from this post even make another case that also doesn't paint a
nice picture: Cloudflare does not care enough about 25% of internet users to
move away from reCAPTCHA - until it affects their bottom line in a visible and
immediate way.

------
jasonhansel
Has anyone else seen reCAPTCHA getting way more difficult of late? It often
takes me a full minute to find all of the tiny traffic lights hidden away in a
set of low-quality images.

~~~
ship_it
Just use Buster[1]

[1] [https://chrome.google.com/webstore/detail/buster-captcha-sol...](https://chrome.google.com/webstore/detail/buster-captcha-solver-for/mpbjkejclgfgadiemmefgebjfooflfhl?hl=en)

~~~
drusepth
Worth noting that it's possible to get a hellban if you get too many wrong
guesses using extensions like Buster.

------
kevindong
There are plenty of services that will happily accept a screenshot from a
developer, send it out to live humans who solve it in real time, and then
return the answers to the developer.

I'm not going to link to them, but you can find them yourself by googling "buy
recaptcha solver". The prices for the top two results are $0.50 and $1.39 per
1000 solves (respectively, $0.0005 and $0.00139 per solve).

At that price point, it's feasible for the truly determined to just use those
solvers to bypass ReCAPTCHA (or similar services).

~~~
xur17
Are there chrome extensions that I can use these with? I'd be willing to pay
those rates to never have to solve a captcha again. I'm fine leaving the tab
open for a few minutes while it's solved even.

------
kennydude
hCAPTCHA looks interesting, although it seems they use Blockchain for no real
reason compared to just storing the payments as rows (i.e. what they gain from
being chained on top of another).

~~~
colejohnson66
The point of a blockchain is that to edit an earlier record, you would need to
edit every record that comes after (due to storing a hash of the previous
block in the current block). _However,_ it doesn’t make sense when one entity
controls the entire system because if a hacker (or even an insider) can change
_one_ record, they could change _all_ of them. Hence why a good blockchain
would be _distributed_. Then, if one node edits the history, the other nodes
will see the anomaly and ignore that node.

This is also why Git’s history is easy to edit when it’s only on your machine.
But once you push to GitHub and others clone your repo, it becomes a lot
harder to edit history. Yes, Git isn’t a blockchain, but it does use the idea
of hashing the previous “block” (commit) and storing it in the current
“block.”
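
The point in the comment above, worked through in code as an added illustration (not hCaptcha's code and not from the commenter): a hash chain held by a single party verifies fine after that party rewrites a record and re-hashes everything after it, while an independent replica spots exactly where the histories diverge. The ledger entries are constructed sample data.

```python
"""Why a hash chain held by one party does not prevent tampering, and why an
independent copy does (added illustration, not hCaptcha's code; the ledger
entries are constructed sample data).

Each block stores the SHA-256 of its predecessor, so changing one record
invalidates every later hash.  That only helps if someone else holds a copy
to compare against: the controller can simply re-hash the rest of the chain.
"""
import hashlib
import json
from typing import Dict, List, Optional

Block = Dict[str, object]


def _digest(index: int, payload: dict, prev_hash: str) -> str:
    # Canonical JSON keeps the hash stable regardless of dict key ordering.
    material = json.dumps({"i": index, "p": payload, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def build_chain(payloads: List[dict]) -> List[Block]:
    chain: List[Block] = []
    prev = "0" * 64  # genesis predecessor
    for i, payload in enumerate(payloads):
        h = _digest(i, payload, prev)
        chain.append({"index": i, "payload": payload, "prev_hash": prev, "hash": h})
        prev = h
    return chain


def first_broken_link(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose hash or linkage is wrong, else None."""
    prev = "0" * 64
    for i, b in enumerate(chain):
        if b["prev_hash"] != prev or b["hash"] != _digest(i, b["payload"], prev):
            return i
        prev = b["hash"]
    return None


def rewrite_history(chain: List[Block], index: int, new_payload: dict) -> List[Block]:
    """What a party controlling the whole chain can do: alter one record and
    recompute every later hash so the chain verifies again."""
    payloads = [dict(b["payload"]) for b in chain]
    payloads[index] = new_payload
    return build_chain(payloads)


def first_divergence(ours: List[Block], theirs: List[Block]) -> Optional[int]:
    """An independent node comparing block hashes sees where histories split."""
    for i, (a, b) in enumerate(zip(ours, theirs)):
        if a["hash"] != b["hash"]:
            return i
    return None if len(ours) == len(theirs) else min(len(ours), len(theirs))


# Constructed ledger: credits paid out to captcha solvers.
LEDGER = [{"solver": "alice", "credits": 5},
          {"solver": "bob", "credits": 3},
          {"solver": "alice", "credits": 2}]


def demo() -> dict:
    original = build_chain(LEDGER)
    # Naive in-place tampering: the stored hash no longer matches the record.
    clumsy = [dict(b) for b in original]
    clumsy[1] = dict(clumsy[1], payload={"solver": "bob", "credits": 300})
    # Controller tampering: rewrite and re-hash; the chain verifies on its own...
    rewritten = rewrite_history(original, 1, {"solver": "bob", "credits": 300})
    # ...but a replica held elsewhere still carries the original hashes.
    return {
        "original_ok": first_broken_link(original) is None,
        "clumsy_broken_at": first_broken_link(clumsy),
        "rewritten_ok": first_broken_link(rewritten) is None,
        "replica_diverges_at": first_divergence(original, rewritten),
    }


if __name__ == "__main__":
    print(demo())
```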

~~~
speedgoose
Yes, if you do not want to distribute your data with random people over the
internet, you need a Merkle tree. Not a stupid blockchain with all the
downsides a blockchain has.

~~~
wongarsu
If you strip out the proof-of-work algorithm you're basically left with a
chain of Merkle trees, and the payloads hashed by the Merkle trees. Calling it
a blockchain is just a way to make it sound more familiar to potential
investors.

------
datafix
Hey, I interviewed with them a year ago. Their captchas are actually harder
than reCaptcha's.

------
shp0ngle
> Earlier this year, Google informed us that they were going to begin charging
> for reCAPTCHA.

Wait. Is this news? I don't see any other article about this. What is the pricing?

------
synsynack
It's not worth a rich person's time to solve captchas, while it is for a poor
person. This has led to captcha solving services, extension plugins, etc.,
all of which have high latency delay, not over a fast documented API. It would be
100 times easier if Cloudflare/Google let you directly buy credits, at the
mid-point price between the current bid-ask spread, of say 50 cents per 1000
captchas, which would probably last you a few months to a year.

------
jccalhoun
I've ran into hCaptcha a couple times recently and found it vague and I had to
try to guess what they meant. Both times it asked me to identify the truck.
Well, what do you mean by "truck?" are you counting a semi as a truck? I ended
up having to do it twice because I don't consider a semi a "truck" but they
did.

~~~
Keverw
Interesting, I know some people consider a Truck a semi but your pick up truck
isn't really a truck according to others. So confusing with all the different
definitions.

------
aaron695
So no one can turn free human labour into enough money to pay hosting fees?

And given spammers a lot of the time are messing with Google, it's also in
Google's interest to do this for free!

What are they thinking? Is this one department making $100 internally while
killing $1000 in another internal department?

------
TechBro8615
This is fantastic news for privacy on the web. Thank you Cloudflare!

I’ve been seeing hcaptcha in more and more places recently. It’s a bit rough
around the edges still, but it works well and feels far less hostile than
recaptcha.

------
paulie_a
The funny thing is that Google doesn't even use recaptcha and instead use some
awkward hard to read piece of shit. After 4-5 guesses, and they are guesses
you might proceed.

------
rstupek
Did anyone notice that hCaptcha runs on top of Ethereum?

------
spsrich2
I hate hCaptcha. It keeps presenting the same challenge over and over again.
Every time I need to access a site it protects, it wastes so much time.

------
realtalk_sp
Are people here not aware of reCAPTCHA v3? It doesn't involve user
interaction. I just integrated it into a site. Works well.

------
foob4r
How good or bad is the new system on tor? ReCAPTCHA straight up was a 0/10
over tor for me.

------
outloudvi
1. I think challenges from hCAPTCHA are harder than reCAPTCHA's. It's far and
even further from human-friendly compared to reCAPTCHA.

2. hCAPTCHA seems to be using a similar revenue model to early stage
reCAPTCHA and it even pays its users. I doubt that its model is sustainable.

3. A huge company like Google may not be able to handle user data well, so a
small company will be able to?

------
garaetjjte
Can we get back text based captchas instead of annoying whack-a-mole photo
picking?

~~~
theandrewbailey
No. Photos of street things are much easier to pick out than warped or
miscolored text.

~~~
hombre_fatal
Especially the amount of warping you apparently need to do to text to make it
hard for a neural network these days.

------
maallooc
I hope this captcha is tor friendly.

------
blackdogie
One look at what cookie domain (google.com) recaptcha runs on will give you a
hint to its usefulness.

------
tcd
It's funny that we need to ensure humans are the ones performing certain
actions like making a purchase or accessing a service, but we let machines
make decisions over very important matters in our lives (credit/financial
decisions).

It's intriguing they said Google will charge for reCaptcha, any information on
that? I can't imagine all the small business owners will have to start paying,
but perhaps if they did they'd just remove it altogether (a net win!).

