
Ask HN: Do we need Google captcha? - fractalf
Many of us remember the early batches of captchas. Annoying and sometimes next to impossible to get right. Google's "one click" captcha was a fresh breeze when it came. I'm not so sure anymore though. Now instead we have to use brain power to press 2-4 images in an AI quiz or said differently "help Google improve their ML data-set for free" which I'm not at all comfortable with. Isn't there a better way to fight bots? Could not the community make a FOSS alternative? How hard is this really?
======
jmstfv
Two weeks ago my website [0] got hit by a botnet attack. These bots were
submitting 2 POST requests to /login, followed by 2 POST requests to /signup,
and since there were no checks in place, they were getting in quite easily.
All their requests originated from residential IP addresses (probably hacked
IoT devices) so IP blocking seemed impossible. I knew I needed to do
something, but didn't want to send my users' data to Google.

I settled on implementing a honeypot technique using invisible_captcha gem
[1]. It uses multiple techniques to detect bot activity, such as checking if
the form was submitted too fast, hidden form attribute only visible by bots
but not humans, etc...

Luckily for me, these bots weren't quite sophisticated so I managed to clamp
down on their activity. I still get a couple of bogus signup attempts every
day.

Disclosure: I am a contributor to the invisible_captcha gem

[0] [https://tryhexadecimal.com](https://tryhexadecimal.com)

[1] [https://github.com/markets/invisible_captcha](https://github.com/markets/invisible_captcha)

EDIT: grammar and wording

~~~
fractalf
Very interesting idea (the invisible captcha approach)! Since you are a
contributor, can you tell us how efficient this strategy is? I mean, do you
still experience advanced bots being able to still act as humans?

~~~
jmstfv
They still try to sign up, but none of them can actually bypass the captcha. I
implemented a custom callback that returns a HEAD response with 404 to fool
them (because I noticed that attacks intensified when I returned 2xx or 3xx
responses).

~~~
fractalf
THIS is what I'm talking about :) Great work! Seems to me this is very
centered on Rails apps. Would it be possible to do something like this for
"everyone"? I have nothing against Rails, but as a js/php/python developer
myself, I wouldn't know where to begin with this..

~~~
jmstfv
The easiest way to start would be introducing an invisible form field [0] and
on submission, checking if it is not empty. Give this form field a random name
so that it wouldn't be populated by password managers.

You can take it one step further and check how fast the form was submitted. If
it is below the predefined threshold, it is probably a bot.

[0] To hide the form field, you can use one of these snippets,
interchangeably:

    "display:none;"
    "position:absolute!important;top:-9999px;left:-9999px;"
    "position:absolute!important;height:1px;width:1px;overflow:hidden;"

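A server-side version of the honeypot-plus-timing check described above, as an added Python example that is not from the invisible_captcha gem or the commenter's code. The secret key, the `hp_` field prefix, the `form_token` field and the 4-second threshold are assumptions; the timestamp is signed so a client cannot backdate it.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret; in practice load it from config, not source.
SECRET_KEY = b"constructed-demo-secret"
MIN_FILL_SECONDS = 4  # assumed threshold; humans rarely submit a form faster


def new_form_fields(now=None):
    """Create the honeypot field name and a signed token carrying the issue time.

    The name is random so password managers and autofill leave it alone;
    the HMAC stops a client from forging an older timestamp.
    """
    issued = int(time.time() if now is None else now)
    name = "hp_" + secrets.token_hex(6)
    sig = hmac.new(SECRET_KEY, f"{name}:{issued}".encode(), hashlib.sha256).hexdigest()
    return name, f"{name}:{issued}:{sig}"


def render_fields(name, token):
    """HTML for the honeypot and token; display:none keeps the field out of screen readers."""
    return (
        f'<input type="text" name="{name}" value="" tabindex="-1" '
        f'autocomplete="off" style="display:none;">\n'
        f'<input type="hidden" name="form_token" value="{token}">'
    )


def check_submission(form, now=None, min_seconds=MIN_FILL_SECONDS):
    """Return None if the POST data looks human, otherwise the reason it was rejected."""
    now = int(time.time() if now is None else now)
    try:
        name, issued, sig = form.get("form_token", "").split(":")
        issued = int(issued)
    except ValueError:
        return "missing or malformed token"
    expected = hmac.new(SECRET_KEY, f"{name}:{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "bad token signature"
    if form.get(name, "") != "":
        return "honeypot filled"      # only a bot fills a field the user never sees
    if now - issued < min_seconds:
        return "submitted too fast"   # posted faster than a human could fill the form
    return None
```
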
~~~
Master_Odin
It should be stated that you should either use the first approach (display
none) or give a 0 height/width, so that screen readers don't pick up these
fake fields and ruin accessibility on your form.

~~~
throwaway_bad
Unfortunately anything screen readers can recognize as invisible, a more
sophisticated bot can too.

------
luizfzs
It's worse than that. It fingerprints the browser, the OS, and a ton of other
stuff.

I'd love to see a solution that's privacy-friendly.

~~~
Kaveren
not possible because anything based off computation only wards off denial of
service attacks, not bots which usually have too much profit.

the absolute best you could do is track on the site itself without google, but
you still need to track user's data.

anything else you can think of can be beaten pretty easily or is going to
really hurt your user experience to the point of severe loss of revenue

any CAPTCHA custom to a site will be broken very easily if your business takes
off.

~~~
NetToolKit
> any CAPTCHA custom to a site will be broken very easily if your business
> takes off.

For me, this is an interesting and open question. I've taken the view that as
long as it's easier to come up with new types of challenges than it is to
create an automated means to solve those challenges, CAPTCHAs offer some
protection. If you're ok with requiring JavaScript, mouse input, and images
(e.g. you don't require your site to be accessible by sight-impaired users who
cannot use a mouse), I think people can come up with varied enough challenges
to present a problem to bots. How long will that be the case? I don't know.

~~~
Kaveren
The problem is coming up with challenges that are not trivial to automate and
not annoyingly hard for users.

Botters aren't just making passive income, they can fix their bot every day as
long as it's making them money. Many sites try "random" questions which are
really easy to pattern match with a little regex.

The amount of effort that goes into botting generally scales linearly with
userbase size (not always). But once you're talking about a botter with a
profit motive when your site has hundreds of thousands or millions of MAU, I
think trying to come up with challenges to beat botters would be prohibitively
time consuming.

~~~
fractalf
What if you had a community helping out, somehow gamify making new challenges?
I dunno, just have the feeling if there was a proper project with enough
bright minds behind it, it should work

~~~
majewsky
This sounds like a recipe for disaster when 4chan and friends find out about
it.

------
spiderfarmer
My problem with Google Captcha is that I have to solve the "select all" window
every time I check the checkbox, even when I'm logged in to Google. Maybe it's
because I use Safari, but it's getting really annoying. What's the benefit of
Google Captcha if you have to solve the captcha every time?

~~~
eyegor
That's what they show if you're not on chrome, especially if you're blocking
scripts or on a VPN.

~~~
inetknght
In my experience it doesn't work _at all_ if you're blocking scripts.

~~~
johnisgood
It does not work under Chromium with cookies disabled either.

------
maxwellito
From a user point of view on Firefox, Google captcha is an absolute hell.

Every single time I have to pass a few batches of captchas. I'm not on a private
window and I'm logged in to Google. So I started to blacklist websites that
use Google captcha and forced myself to change reading habits.

~~~
fractalf
Exactly what I was thinking when writing this question. Seems to me there
really is a big demand for something proper, secure and open source. Kind of
like how letsencrypt helps secure the net.

~~~
godot
There were a few factors making letsencrypt successful: alternatives were not
free, and mainstream browsers were all making attempts to surface unsecured
http clearly on address bars.

A free open source alternative for captcha will have a harder time getting
traction, mainly since the popular option (Google) is already free; and
neither businesses nor customers (who are not privacy sensitive) care about the
end result, unlike the browser and http case.

------
zawerf
CAPTCHA isn't just a matter of protecting your site. One of the most evil
attacks nowadays is "Distributed Spam Distraction", where you spam your victim
with thousands of emails per second so an important email (e.g., fraudulent
purchases) gets lost in the noise.

How do you do this in a world with decent spam filters? By using the victim's
email to sign up for real services so they get hit with a welcome email.
Because these are real services, spam filters won't catch it. This can only be
done with services that have sign up forms that are easily automated.

The most evil thing here is your email is crippled even after the attack is
over because these real companies will keep sending you newsletters and it's
impossible to unsubscribe from them all.

~~~
jazoom
You've just reminded me I really need to use unique email addresses for each
service.

~~~
ryankrage77
If you use gmail, you can add a + followed by anything and it goes to the same
mailbox.

For example, if signing up to drop, I might use myemail+drop@gmail.com

Makes it very easy to see which services are selling the address you provide
to advertisers

~~~
jazoom
Yeah I know, and you're unfortunately correct that I use Gmail, but it's
something I'm planning to change soon.

Also, if someone was targeting you with spam that won't help. They'll just
remove the "+..." and you're back to the same problem.

------
SyneRyder
I didn't even find Google Captcha to be effective, I still got a ton of spam
coming through my web contact forms - often advertising software tools to
bypass Captcha.

In the end I wrote my own rule based spam filters and that has been
significantly more effective without tracking or annoying users.

------
castis
Over the past 2 years or so I've become incredibly skilled at identifying
crosswalks, fire hydrants, traffic lights, and bicycles.

I don't necessarily mind contributing to Google's car-driving AI, but the
services that I've put this captcha in front of have seen a dramatic increase
in spam.

I unfortunately don't know what the solution to this problem is but I would
gladly contribute to whatever someone smarter than me comes up with!

~~~
jrs235
> identifying crosswalks, fire hydrants, traffic lights, and bicycles. I don't
> necessarily mind contributing to googles car-driving AI

Wow. I just realized that's exactly what they must be doing with the data!

------
rapnie
I only know about Buster:

> The difficulty of captchas can be so out of balance, that sometimes they
> seem friendlier to bots than they are to humans. The goal of this project is
> to improve our experience with captchas, by giving us easy access to
> solutions already utilized by automated systems.

[https://github.com/dessant/buster/blob/master/README.md](https://github.com/dessant/buster/blob/master/README.md)

------
falcolas
Probably not.

A sophisticated attacker will simply use something like Mechanical Turk to get
past Google captcha, and Google captcha is incredibly aggravating to a number
of marginal users. But it's simple to implement, so that makes it popular.

I'd even say that most services don't need captcha in the first place. Captcha
only affects relatively unsophisticated attacks, and if it's just an entry in
your database, who cares? If it's sending you spam in an attempt to DDOS your
email or customer service platform, use correlation between purchases and
accounts to filter out the spam.

So, as with all security related matters, identify your threat model, and use
that to figure out what you _actually_ need, not what you think you need.

------
mbreedlove
Are bots now advanced enough that transcribing obscured text is no longer a
viable solution?

There are dozens of simplistic captcha libraries that serve obscured text. I
would rather transcribe a few letters than complete a Google Captcha, and it's
probably faster, too.

~~~
rocky1138
They were advanced enough to do that 10 plus years ago.

------
kop316
Here was an earlier discussion about it:

[https://news.ycombinator.com/item?id=20158386](https://news.ycombinator.com/item?id=20158386)

------
phyzome
My general answer is "no". But the question also isn't meaningful unless you
define what it is you're trying to protect.

(E.g. maybe it's reasonable to have a captcha of some sort for account
creation, with fallback to a human-involved process. But if you're trying to
prevent credential-stuffing on a login form, the correct approach is using the
Pwned Passwords dataset and/or cooloffs.)

------
NetToolKit
To the extent that you'd consider non-Google alternatives, there are multiple
different CAPTCHA services, and we at NetToolKit recently launched our own
version called Shibboleth:
[https://www.nettoolkit.com/shibboleth/about](https://www.nettoolkit.com/shibboleth/about)

You can try out demos at
[https://www.nettoolkit.com/shibboleth/demo](https://www.nettoolkit.com/shibboleth/demo)

While not open-source, the service is very affordable ($10 for 100,000
CAPTCHAs), and clients get to review user submissions to see if the CAPTCHAs
are reasonable or not.

Would love to get your feedback on the service.

~~~
pythonaut_16
Just tried it out.

Clicking on the buttons with a laptop trackpad was tedious and unintuitive.

It would be nice if I could use the arrow keys (or even WASD) on my keyboard.

Other than that it seems preferable to Google's new image captchas.

~~~
NetToolKit
Thanks for the feedback! One thing that is not clear from the demo (and
something we should fix) is that you can click on the path CAPTCHA to grant it
focus. After that, you can use the arrow keys (although WASD currently does
not work).

~~~
pythonaut_16
Ah! I tried clicking everything except the path itself!

------
ishanjain28
I started using Buster[1] a few months back with Google Speech to Text API. I
use Firefox on Linux and I haven't had to manually fill a captcha in all these
months. Highly recommended. :)

I get 60 free minutes/month from Google Speech to Text API. So it's pretty
much free to use.

[1]: [https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/](https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/)

------
mcv
I like captchas that ask a question relevant to the topic of the site. For
example, a forum about D&D might ask: "Who created D&D?" and accept all
answers that contain "gygax", "arneson", "TSR" or "WotC". Trivial for your
target demographic, but at least it requires a very different kind of bot.

Though I suppose if this becomes common, bots might just google that question
and try some of the zero-click results as answers.

------
globile
Honest question. What’s wrong with Google Recaptcha V3?

No need to select 25 traffic lights. Gives you a score from 0 to 1 so you can
decide whether you let them in easily or not.

~~~
jhasse
If Google doesn't like a client (e.g. Firefox users) they can just set their
score to 0 and break half the internet.

~~~
zeroxfe
You could say that for any captcha library though.

~~~
albertsondev
But the risk is doubly so for a closed-source codebase maintained by a company
with a history of doing this sort of stuff.

------
litoE
Add to the problem the complication that you need a replacement for the
captcha that is usable by users with disabilities.

------
alexnewman
Hcaptcha will soon be open source.

------
floatboth
> Isn't there a better way to fight bots?

Don't?

I mean, what _are_ you trying to protect? If it's account registrations,
shouldn't an email confirmation be enough?

~~~
folkhack
> If it's account registrations, shouldn't an email confirmation be enough?

This won't stop someone with enough sophistication.

~~~
floatboth
Not every service will be targeted by sophisticated bots. What kind of service
are we talking about? Is it even social? Is it even a service or just a public
website?

OP did not provide a threat model or any description of the service really.

Talking about this "in general" is awful and leads to stupid bullshit like
endless CloudFlare captchas on literally STATIC blogs.

