
Using CAPTCHAs - Turukawa
https://www.gov.uk/service-manual/technology/using-captchas
======
judge2020
I understand why people don't like captchas - specifically recaptcha - but I
believe it's a 'necessary' evil. Many small startups and hobby sites don't
have the resources to roll their own bot prevention/detection or subscribe to
paid captcha solutions. Without recaptcha, these sites likely wouldn't exist
or would be few and far between.

> Your service could still be at risk, even with a CAPTCHA in place. Advances
> in computer imaging and the use of CAPTCHA farms means some bots will still
> be able to access your service.

I don't think anyone will tell you that captchas are a 100% effective method
at preventing automated/falsified actions. The main reason they are so widely
used and generally the 'one stop shop' for bot prevention is that it increases
the cost of attacking your service. Without them, an attacker could set up a
simple loop that gets a site's CSRF token and attempts a username/password
combination. With them, an attacker does have to have a bot with "advances in
computer imaging" or will have to rent a click farm. ReCaptcha is fairly good
at preventing these two anyway, since they will often blacklist a client[0]
while still collecting the known good captcha answers for their car NN.

> Alternatives to CAPTCHAs

Transaction monitoring can be effective, but costly. Honeypots are only
effective against non-targeted attacks, as an attacker can just submit one
form themselves, see the browser's network request, and know what to send to
look like a regular browser. Rate limits are also pretty easy to bypass: new
IPs are easy to obtain, since every VPS provider I know hands them out like
candy (the only cost to this is not getting kicked off the provider).

0: https://news.ycombinator.com/item?id=16164549

---

For the UK government, I do expect them to employ better mechanisms than
captchas to protect their services. But without them, there would be even
fewer small communities than there are now. They may be at the mercy of
Google, but nothing is done without the permission of the biggest companies.

~~~
zzzcpan
For those who have no resources, rate limiting still works better and is
easier than captchas. You shouldn't do rate limiting per IP though; do rate
limiting per /24 subnet, /16, /8, /0, per HTTP method, per URL, etc.
Typically it takes just a few lines of nginx configuration.
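
The layered scheme zzzcpan describes, written out as an added nginx example. This is not configuration from the thread, from gov.uk, or from any nginx project; the zone sizes, rates, burst values, server name and backend address are all assumptions chosen for illustration:

```nginx
http {
    # Added example, not from the thread. Map the client IP to its /24, /16
    # and /8 prefixes. IPv4 only: anything else (e.g. an IPv6 address) falls
    # through to the full address, so such clients still get their own bucket.
    map $remote_addr $net24 {
        default                                     $remote_addr;
        ~^(?<p24>[0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$   $p24;
    }
    map $remote_addr $net16 {
        default                                     $remote_addr;
        ~^(?<p16>[0-9]+\.[0-9]+)\.[0-9]+\.[0-9]+$   $p16;
    }
    map $remote_addr $net8 {
        default                                     $remote_addr;
        ~^(?<p8>[0-9]+)\.[0-9]+\.[0-9]+\.[0-9]+$    $p8;
    }

    # One zone per aggregation level, each keyed on prefix + method + path.
    # $uri (the normalised path) rather than $request_uri, so an attacker
    # cannot spread load across fresh keys by varying the query string.
    # Rates and zone sizes are assumptions; tune them to your traffic.
    limit_req_zone "$net24:$request_method:$uri"  zone=per24:10m rate=5r/s;
    limit_req_zone "$net16:$request_method:$uri"  zone=per16:10m rate=30r/s;
    limit_req_zone "$net8:$request_method:$uri"   zone=per8:10m  rate=100r/s;
    # /0: every client together, i.e. a global ceiling per method and path.
    limit_req_zone "$request_method:$uri"         zone=per0:10m  rate=500r/s;

    server {
        listen 80;
        server_name example.org;            # assumed

        # Apply all four limits to the form handler. A request is rejected as
        # soon as any one of the buckets is exhausted, so a /24 that rotates
        # through its addresses is caught by the /24 zone, and a wider botnet
        # by the /16, /8 or global zone.
        location = /login {
            limit_req zone=per24 burst=10   nodelay;
            limit_req zone=per16 burst=60   nodelay;
            limit_req zone=per8  burst=200  nodelay;
            limit_req zone=per0  burst=1000 nodelay;
            limit_req_status 429;
            proxy_pass http://127.0.0.1:8080;   # assumed backend
        }
    }
}
```

`limit_req` is a leaky bucket: `rate` is the steady-state allowance, `burst` is how much excess is tolerated before nginx starts answering with the `limit_req_status` code, and `nodelay` lets the burst through immediately instead of queueing it. String keys like these use more zone memory than the usual `$binary_remote_addr`, so size the zones accordingly (nginx logs and rejects requests once a zone is full). The /24 level is the one that defeats the "buy another IP from the same VPS provider" tactic; the coarser levels and the global ceiling are what remain when the addresses come from many providers.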

~~~
n_ary
^ Good and thoughtful idea.

