
Recaptcha v3: new way to stop bots - kevinday
https://webmasters.googleblog.com/2018/10/introducing-recaptcha-v3-new-way-to.html
======
robin_reala
I’m quite proud of GOV.UK for banning CAPTCHAs from government services
completely.[1] Have you ever tried to use the ‘accessible’ fallback for
ReCAPTCHA? It’s literally impossible (my team had 0% passes trying it over and
over again) so by implementing ReCAPTCHA you’re completely blocking an entire
set of already disadvantaged users. At the same time, even a normal CAPTCHA is
already harder for some users to solve than it is for some bots and you’re
lining Google’s pockets by training their ML algorithms.

While this new version potentially helps things, it feels like the users with
more automated interaction methods or those who want to reduce fingerprinting
efforts will still fall foul of over-zealous site owners.

At the end of the day, all a CAPTCHA is is a method to externalise business
costs onto your users.

[1] [https://www.gov.uk/service-manual/technology/using-captchas](https://www.gov.uk/service-manual/technology/using-captchas)

~~~
avip
I'd suggest CAPTCHA nay-sayers to come up with alternatives. The implied
alternative is, by default, constant abuse, phishery, scraping, automated
login attempts, and DDoS. Which sometimes may be fine, and many times is just
not acceptable.

~~~
chickenfries
If a CAPTCHA is the only thing keeping your site secure from abuse then I
think you have larger problems.

~~~
spookthesunset
> If a CAPTCHA is the only thing keeping your site secure from abuse then I
> think you have larger problems.

This is one of those pithy remarks that add zero value to a discussion.

I'm curious how you would approach blocking automated access to various parts
of your site?

~~~
chickenfries
Well, ReCAPTCHA is usually used on sign in pages. You can rate limit
login attempts, exponentially increasing rate limit (or just locking out) IPs
that exceed allowed login attempts and analyze your logs to ban abusive IPs.

Yeah, that's harder than ReCAPTCHA, but I think a lot of these big companies
can afford to do these pretty basic steps.

If you just want to throw some comments on your free blog and not have to
moderate the comments (and honestly, how many comments does your blog get that
you can't read them?) then sure, throw ReCAPTCHA on there. But there are
plenty of big companies that use ReCAPTCHA.
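
The login-throttling approach this comment describes, as an added Python example that is not part of the thread or of any reCAPTCHA code: a per-IP limiter whose lockout doubles on each repeated burst of failures, plus a scan over constructed log lines that lists addresses exceeding a failure threshold. The log format, thresholds, class and function names and the addresses are assumptions made for the demo; the limiter key is whatever the caller passes, so it can be an IP (as here) or any other identifier.

```python
import re
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Per-key failed-login limiter with exponential lockout (demo code).

    After `max_failures` failures inside `window` seconds the key is locked
    out; each successive lockout lasts twice as long as the previous one,
    capped at `max_lockout`.  Keys here are client IPs, as in the comment.
    """

    def __init__(self, max_failures=5, window=60.0,
                 base_lockout=30.0, max_lockout=3600.0):
        self.max_failures = max_failures
        self.window = window
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._failures = defaultdict(deque)   # key -> recent failure timestamps
        self._locked_until = {}               # key -> epoch seconds
        self._strikes = defaultdict(int)      # key -> number of lockouts so far

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, key, now=None):
        """Return (allowed, seconds_remaining_in_lockout)."""
        now = time.time() if now is None else now
        until = self._locked_until.get(key, 0.0)
        if now < until:
            return False, until - now
        return True, 0.0

    def record_failure(self, key, now=None):
        """Record a failed attempt; return the lockout length applied (0 if none)."""
        now = time.time() if now is None else now
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) < self.max_failures:
            return 0.0
        # Threshold reached: lock out for base * 2**(strikes-1), capped.
        self._strikes[key] += 1
        lockout = min(self.base_lockout * 2 ** (self._strikes[key] - 1),
                      self.max_lockout)
        self._locked_until[key] = now + lockout
        self._failures[key].clear()
        return lockout

    def record_success(self, key):
        """A successful login clears the failure window but keeps strike history."""
        self._failures.pop(key, None)


# Assumed log line shape for the offline scan; not any real product's format.
LOG_RE = re.compile(r"login (?P<result>failed|ok) user=(?P<user>\S+) ip=(?P<ip>\S+)")


def abusive_ips(log_text, threshold=10):
    """Return IPs with at least `threshold` failed logins in the given log text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("result") == "failed":
            counts[m.group("ip")] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def constructed_log():
    """Constructed sample auth log (documentation addresses, made-up users)."""
    lines = [f"2018-10-29T10:00:{i:02d}Z login failed user=u{i} ip=203.0.113.7"
             for i in range(12)]
    lines += ["2018-10-29T10:01:00Z login failed user=alice ip=198.51.100.4",
              "2018-10-29T10:01:05Z login ok user=alice ip=198.51.100.4"]
    return "\n".join(lines)


if __name__ == "__main__":
    rl = LoginRateLimiter(max_failures=3, base_lockout=10.0)
    for t in (1.0, 2.0, 3.0):
        print("lockout applied:", rl.record_failure("203.0.113.7", now=t))
    print("allowed at t=5:", rl.check("203.0.113.7", now=5.0))
    print("abusive IPs in sample log:", abusive_ips(constructed_log()))
```

The timestamps are passed in explicitly so the behaviour is testable without sleeping; in a real deployment the state would live in a shared store rather than process memory, and the key might combine the address with the target account, since (as a later reply in this thread notes) addresses alone are cheap for an attacker to rotate.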

~~~
spookthesunset
> You can rate limit login attempts, exponentially increasing rate limit (or
> just locking out) IPs that exceed allowed login attempts and analyze your
> logs to ban abusive IPs.

Rate limiting and bot blocking are two totally different things. Rate limiting
only increases the cost of a bot attack. Either they need more IPs (which are
dirt cheap in the black market) or they need more time--either way it is
increased cost. But it won't stop a bot. Just slow it.

Banning IPs might have worked back in 2000, but these days it is useless.
Bypassing an IP block is trivially easy for even a low-sophistication
attacker.

~~~
tinus_hn
> Bypassing an IP block is trivially easy for even a low-sophistication
> attacker.

Not easy for an average user though.

~~~
sieabah
You're not trying to block the average user, you're trying to block the people
trying to abuse the system.

------
pdkl95
Recaptcha v3 explicitly bans any browser that isn't one of "the two most
recent major versions"[1] of Chrome, Firefox, Safari, or Edge. I don't mean it
falls back to showing you an annoying select-the-picture quiz; if Google
doesn't like your browser, the recaptcha widget replaces itself with:

> Please upgrade to a supported browser to get a reCAPTCHA challenge.

There are _many_ reasons this is bad, but for now I'll point out that creating
barriers that prevent new competitors from entering an established market is
the behavior of a monopolist abusing their power over a market.

[1]
[https://support.google.com/recaptcha/?hl=en#6223828](https://support.google.com/recaptcha/?hl=en#6223828)

~~~
beojan
It's even worse on Android. The only supported browsers are Chrome and the
native Android browser.

I wouldn't be surprised if they get another fine from the EU over this.

~~~
h2onock
Are you sure? I was quite certain that you could install Firefox onto an
android device until I read your comment.

~~~
detaro
What does being able to install the browser have to do with it being supported
for recaptcha? The link above clearly states a list of supported mobile
browsers, which does not contain Firefox. (I wouldn't be surprised if it still
worked, but the claim is clear and based on official Google material)

------
hnaccy
I hate Recaptcha.

In my experience using Firefox and not being logged into a google account
results in a very long if not impossible chain of captcha challenges.

~~~
wild_preference
On the flip side, abuse exists, and wishing that anti-abuse measures went away
does not acknowledge reality. Just like how I'm annoyed when I have to pay for
a cup of coffee, but my annoyance doesn't really inform how things _should_
be.

Besides, if a relatively simple puzzle is too much to ask, then maybe you
didn't care all that much to begin with. I can think of various platforms
where this would be a good filter even if there was no such thing as abuse. ;)

~~~
robin_reala
The puzzles aren’t simple if you’re blind or hard of vision. Or don’t have a
US cultural background (I personally know a sidewalk is US English for a
pavement, but I definitely don’t recognise all US street signs or shop
hoardings, and have been caught out by that before).

~~~
Izkata
> The puzzles aren’t simple if you’re blind or hard of vision. Or don’t have a
> US cultural background

I've lived my whole life in the US and have about 20/20 vision (used to be
slightly better than 20/15), and I'd estimate my reCaptcha pass rate around
20%.

The puzzles are just badly done, it's not even a vision or knowledge thing.

~~~
ardy42
> The puzzles are just badly done, it's not even a vision or knowledge thing.

Yeah. The puzzles are terrible now, and I have a strong suspicion that they're
no longer testing to see if you behave like another human, but instead testing
you to see if you act like their own machine vision bot.

------
mattkevan
As a site owner I know captchas are vital in the battle of not being
overwhelmed with spam, but as a user I hate Recaptcha with a passion.

Every time I’m asked to identify the motorbikes or traffic lights I feel like
google should be paying me a few cents each time for helping train their
machine learning algorithms.

And on mobile the experience is even worse. Depending on the placement of the
captcha box half to a third of the tiles might be off the edge of the screen,
making it impossible to solve. Seriously, how can Google not have a mobile
version in 2018?

~~~
vosper
> Every time I’m asked to identify the motorbikes or traffic lights I feel
> like google should be paying me a few cents each time for helping train
> their machine learning algorithms.

Over and over again, too. It's completely overdone. I have had screen after
screen of images to click on before the Recaptcha is finally happy that I'm
human / I've provided enough training data for whatever object they're
currently trying to get their cars not to run into.

I wouldn't really object to "of these three pictures, which is a motorbike",
but when I'm on my 4th or 5th screen of 9 images each I'm getting pretty
annoyed... And they're so slow to fade in, too!

------
WorldMaker
The "deep telemetry" nature of this doesn't sound like a good idea. It's
already been annoying with v2 thinking that I clicked a checkbox "too fast" to
be human, to worry about every action taken in a site/app being compared to
some weird AI model for "humanity".

That's even before other panopticon questions of who all this added telemetry
even benefits.

~~~
bqe
Websites that want to prevent automated bots from attacking them benefit
immensely.

~~~
WorldMaker
That goes without saying, and isn't an interesting answer in this case.

When I mentioned panopticon benefits, I was more directly implying the complex
"cui bono?" question of whether or not this data continues to entrench
Google's behavioral analysis arms that use such data to sell our every
behavior to advertisers for the purpose of buying our attention. It's not the
websites using reCAPTCHA that benefit from all that extra advertising
information stored on Google's servers, and it's not necessarily the
individuals like you or me using those websites that's benefitting from all
that extra information on Google's servers.

Especially given that in v2 it seems very clear that Google has been using
reCAPTCHA as their own personal Mechanical Turk to also entrench their
positions in map data and possibly automated driving image recognition, this
is not an idle question.

------
gergles
No, no, no, no.

I do not want Google to have any more fucking data about me than it already
does! "Put this blob of JavaScript on every page of your site so that we can
see how users are clicking, scrolling, and browsing around. Think of the
children^W spam and abuse!"

I just cannot believe that Google somehow gets away with spinning this as some
sort of "guardian of the Internet" thing when it is a transparent attempt to
a) make adblocking more difficult and b) force people to accept being tracked
by Google or get blacklisted from the web.

Getting banned from sites or treated as a subhuman because you don't want Big
Brother to follow your actions around should not be something that we're okay
with. It just shouldn't be.

~~~
avip
You seem to subtly express the notion that we are somehow "entitled" to access
a website, just because it has a public IP address and we happen to have an
http client.

Well - we're not.

~~~
pwnna
To put it bluntly.. I think this "just don't use it" meme needs to die. At
this point in time, accessing certain websites is effectively a requirement of
modern life: want to see your bills without paying for paper bills? want to
apply for jobs? want to sign up for courses? submit your taxes? or even vote
under some jurisdictions? Then you have to access a website. Sure, for a lot
of these, there are alternatives. However, the costs will likely be much
higher and you'll simply be left behind by everyone else in society.

This effort by Google, at its worst possible implementation, could break a
huge number of "required" websites for users. As others have pointed out in
this thread, the users who will be impeded are likely already at a
disadvantage[1]. This just reinforces that, especially if everyone starts
adopting this given how it is "free" for businesses/organizations.

A convenient side effect? Google gets more information about us and encourages
us to view more ads.

[1] Someone mentioned smaller villages in India. The GOV.UK reference talks
about users with disability. One could also imagine shared locations like
public library, whose users may not have direct access to the internet.

~~~
avip
I tend to agree that public services (in the sense of .gov) should avoid using
this. But they do need protective measures. Would logging in with a futuristic
Aadhaar equivalent be considered less intrusive?

~~~
pwnna
If the only websites that we _essentially have to_ utilize as competent
citizens are public ones then it would be easy. We regulate the public ones
and we let the private ones do whatever they want. At that point I think a
bunch of people on this site will probably be content quitting the internet
heh :).

The problem is that it's not that simple. As I said, for things like banks/job
search, these are private entities and not public ones. Going down that line,
we can find some private services that a majority of the population around you
uses that you also have to use in order to keep up with everyone else because
there are little alternatives (google maps comes to mind). Granted, the latter
is a weaker example, but it's meant to explore how practical it is to
completely ditch services that are anti-user.

Also don't get me wrong.. I'll probably be one to turn off my blocker to
access some service that will provide me value even if I'm already paying for
it. However, it's just a terrible state to be in.

------
_asummers
Hopefully having an ad blocker (uMatrix) doesn't cause it to flag the user
like reCAPTCHA v2 does on every single site I go to. I have had to click way
too many cars and street signs at this point.

~~~
jetpks
It's in Google's interest to make using an ad blocker as painful as possible.

~~~
candiodari
And yet comparing using one on Youtube with not using one will quickly drive
the point home that Google is committed to letting you do that, and doesn't
mind losing a few bucks in the process.

------
ju-st
Sorry your citizen score is not high enough to access this website.

~~~
candiodari
That would be a government doing that (I wish we could say just one, but when
it comes to restrictions based on "citizen status", it's really not just
China), not Google, a private company.

But the big point is Google is not the Chinese state. In fact, one might say,
quite accurately, that they're not very friendly.

~~~
WorldMaker
Private companies have had citizens before [1], it's not unreasonable to
suggest they might have citizens again. (It's a common Cyberpunk trope to have
corporate-controlled principalities replace nation-states. It's a common
sci-fi trope in general to have places like space colonies run under corporate
rule of the company that built them.)

[1]
[https://en.wikipedia.org/wiki/Company_town](https://en.wikipedia.org/wiki/Company_town)

------
keehun
> Since reCAPTCHA v3 doesn't interrupt users, we recommend adding reCAPTCHA v3
> to multiple pages.

Frictionless user interfaces are great, but could this be a ploy to get
websites to add Google-property tracking JS on more pages?

~~~
candiodari
... in trade for a valuable service.

I mean, you must hate cloud software if you've got problems with this.
Surprise! Almost all software, from steam to windows, to fusion360, to
fastmail, to github, office, ... is cloud software. Just naming some random
examples. All have the same problem, most without providing any service (hat
off to fastmail and github though, who provide service, like Google, in trade
for cloud. And poeh! to MS, for having office be cloud software for no good
reason whatsoever)

~~~
majewsky
It's still deceptive.

German contract law has the notion of "unexpected clauses", especially for
terms of services. Certain ToS clauses have been invalidated by courts even if
the customer agrees to the contract that includes those ToS, because the
clauses have been deemed "too unexpected". The basic idea is that people
should not be expected to read the entire ToS before agreeing to them.

To me, this is sort of the same: When I visit github.com, my mental model says
that GitHub will know about this and be able to run scripts in my browser.
However, it would be "unexpected" in this sense, and therefore IMO deceptive,
that visiting github.com causes my browser to run code from google.com.

~~~
candiodari
If this is how it works, enforcing this ... would end the web. How much
thought was put into that?

------
Kaveren
I use Firefox with maximum tracking protections and a VPN, so I'm first in
line to claim frustration about being forced to solve reCAPTCHAs.

But on the other side, it needs to be understood just how important having a
CAPTCHA is. The amount of destruction to user experience that bots can cause
is sometimes far worse than the pain the CAPTCHA causes.

The long chains of reCAPTCHAs annoy me to no end, and I hope a middle ground
can be reached, but bots are a very serious problem.

I do wonder if maybe computational challenges are a feasible alternative in
some scenarios, or perhaps as an alternative choice you could give to the
users.

~~~
sgillen
What exactly do you mean by computational challenges? That seems like the
exact kind of thing a bot would be much better at compared to a human.

~~~
Kaveren
The idea is that you'd need to make the computational challenge more expensive
to solve than any profit that success would have. This is what some DDoS
protection services do (e.g. the "checking your browser" messages you might
see).

In _some_ scenarios such as spam, the profit per bot action isn't high at all,
so this might be feasible. If it's a ticket bot, that wouldn't work at all.

Of course, you're hurting users without good devices, which just sucks.

I haven't really thought too deep into the economics of this, I don't know if
it'd work at all. Just a thought.

_Edit: Meant to include mobile in there, I don't know if this would or
wouldn't work with this scheme for mid-end+ Android devices or iPhones._
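
The hash-puzzle scheme sketched in this comment, as an added Python example that is not part of the thread and not any DDoS-protection vendor's code: the server issues an HMAC-signed, expiring, single-use challenge; the client must find a nonce whose SHA-256 hash has a given number of leading zero bits (expected cost about 2**difficulty hashes); the server verifies with one hash and rejects forged, expired and replayed submissions. The challenge format, class and function names and the difficulty values are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    n = 0
    for byte in digest:
        if byte:
            return n + 8 - byte.bit_length()
        n += 8
    return n


def puzzle_hash(challenge: str, nonce: int) -> bytes:
    """The puzzle function: SHA-256 over challenge and candidate nonce."""
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def solve(challenge: str, difficulty_bits: int, max_iters: int = 1 << 30) -> int:
    """Client side: brute-force a nonce.  Expected cost ~2**difficulty_bits hashes."""
    for nonce in range(max_iters):
        if leading_zero_bits(puzzle_hash(challenge, nonce)) >= difficulty_bits:
            return nonce
    raise RuntimeError("no solution found within max_iters")


class PowGate:
    """Server side of the challenge (demo; assumed design, not a real product).

    Challenge = "<expiry>|<random>|<hmac tag>".  The tag lets the server verify
    it issued the challenge without storing each one; the `_used` set blocks
    replaying one solved challenge for many requests.
    """

    def __init__(self, difficulty_bits=16, ttl=120.0, secret=None):
        self.difficulty_bits = difficulty_bits
        self.ttl = ttl
        self._secret = secret or secrets.token_bytes(32)
        self._used = set()

    def _tag(self, body: str) -> str:
        return hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, now=None) -> str:
        now = time.time() if now is None else now
        body = f"{int(now + self.ttl)}|{secrets.token_hex(8)}"
        return f"{body}|{self._tag(body)}"

    def verify(self, challenge: str, nonce: int, now=None) -> bool:
        """Cheap check: one HMAC, one SHA-256, a set lookup."""
        now = time.time() if now is None else now
        try:
            exp, rand, tag = challenge.split("|")
        except ValueError:
            return False                      # malformed
        body = f"{exp}|{rand}"
        if not hmac.compare_digest(tag, self._tag(body)):
            return False                      # forged or tampered challenge
        if now > int(exp):
            return False                      # expired
        if body in self._used:
            return False                      # replayed solution
        if leading_zero_bits(puzzle_hash(challenge, nonce)) < self.difficulty_bits:
            return False                      # insufficient work
        self._used.add(body)
        return True


if __name__ == "__main__":
    gate = PowGate(difficulty_bits=16)
    challenge = gate.issue()
    start = time.time()
    nonce = solve(challenge, gate.difficulty_bits)
    print(f"solved in {time.time() - start:.2f}s, nonce={nonce}")
    print("verify:", gate.verify(challenge, nonce))
    print("replay:", gate.verify(challenge, nonce))
```

Raising `difficulty_bits` by one doubles the client's expected work while the server's cost stays constant; that asymmetry is the whole point, and choosing the value is exactly the trade-off the comment raises, since the same cost lands on slow phones and old laptops as on the bot.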

~~~
wild_preference
HashCash had the same idea and failed for the same reason: bad actors aren't
using their own machines. They have access to the cheapest compute in the
world: botnets and the compute of honest actors.

Add in the mobile-device issue and you quite literally have a solution that's
lose/lose.

------
canadapups
While we hate Google for the privacy invasion in advertising, reCAPTCHA is one
of the areas that is a definite positive. Google has the data and the unique
position to make the web safer. I wish they did more.

Need to give them credit for fighting: hurting malicious websites by not
sending them traffic, keeping search results relevant against SEO abuses,
cutting down email spam effectiveness, ... and reCaptcha.

All of this becomes very relevant when you run your own online business like I
do. You can lament that google knows you're shopping for a new car, but my
users lose real dollars if a scammer gets on my website - and google provides
the tools to combat this.

And, no you can't implement your own captcha. No matter how smart you think
you are, you don't have the data that Google does.

~~~
bassman9000
Poe's law?

[https://siftery.com/recaptcha/alternatives](https://siftery.com/recaptcha/alternatives)

------
superasn
Their recaptcha is broken and causes a lot of pain especially when you're on
an ISP that may have had some bad apples (pretty common in India where ISPs
don't care about spam or piracy). It's like the whole neighborhood is paying
the price of someone else's crime and it feels like the digital version of
being racially profiled.

Worst part is even after solving dozens of images (which keep refreshing by
the way to no end) you still sometimes get a "we don't believe you're human"
comment and no way to go forward.

Cloudflare and this recaptcha can really break the internet for some people,
esp in small Indian cities.

~~~
avip
I'd be surprised if recaptcha uses IP reputation. That being said, a
classifier is not "broken" for introducing false-positives. If you read the
post, you see that's one of the issues v3 tries to address.

~~~
superasn
It certainly does use IP because switching from broadband to 4G (hotspot)
fixed the issue even when I didn't clear the cache/cookies.

The captcha is broken because at least in my case even after solving dozens of
images (which keep refreshing now btw) it still can't be convinced I'm human.

------
zawerf
I got hit by "Distributed Spam Distraction" recently.

It works by having a bot signup on thousands of websites at once with your
email. The purpose is to flood your email with hundreds of welcome message
emails every minute so you will miss the real security message emails (such as
someone resetting your password).

What makes this attack so evil is that these are real sites you have to
individually unsubscribe after the attack is over. This includes many sites
from countries without email unsubscribing laws. So to this day, I still get
hundreds of emails everyday from these sites who think I have signed up for
their newsletter/product/etc.

I would not be against enforcing a captcha on every site out there just to
prevent these kinds of attacks.

~~~
tinus_hn
How would that be enforced if you can’t even enforce confirmed opt-in?

------
vtail
In addition to the problems already mentioned (Google collecting more data,
Google making ad blocking harder), let me share another issue I have with
this: Google is becoming a de-facto gate keeper to your website, turning bots
away.

Do you get it? A company whose business model is based on their bots ability
to crawl the web will now have more power over _other_ bots.

Brilliant.

------
ksangeelee
The language used seems alarmist, particularly given the extent to which
Google use bots themselves.

For example, "the new way to stop bots", "alert you of suspicious traffic",
"identify the pattern of attackers", "pages are being targeted by bots", "stay
ahead of attackers and keep the Internet easy and safe to use (except for
bots)"

Many companies have built valuable services by automating HTTP requests. One
might even think that Google would like them to stop.

Two things that particularly worry me about this are a) encouraging sites to
apply captchas to pages that have nothing to do with authentication and form
inputs, and b) the hint of requiring two-factor authentication and phone
numbers to proceed. [edit] will Google be offering to handle this on behalf of
sites?

~~~
candiodari
But you can't seriously expect site owners to just deal with the amount of
spam bots can generate because it'd be 1% more equitable to users (that would
be driven out by those very bots reCaptcha protects you from btw)

And who pays for those costs? Who eliminates the tons of spam posted?

~~~
ksangeelee
You seem to think that I'm against spam protection mechanisms, which I'm not.
I am concerned that this will be used to 'protect' GET requests rather than
POST requests, so to speak.

------
esotericn
Can someone explain to me why CAPTCHAs are used all over the place for sites
that don't have user interactions?

I understand it for account creation. I understand it a bit less for login
(seems like a lazy way of preventing automated attempts).

But for simply accessing a site? What gives?

I'm increasingly starting to find that only tech blogs, the odd big site I'm
logged in on like Amazon, and sites like HN are usable lately, because
anything else seems to require a 1 minute + gateway of CAPTCHA + GDPR +
whatever else before I can actually get to the site.

Is it some way of filtering out users the sites don't want without expressly
having a "403 Forbidden" or whatever?

~~~
KenanSulayman
It's people afraid of others crawling their content.

------
brianolson
Slightly creepy, they want to track users around your site to see if they go
page to page like a human or like a bot. (Instead of just checking before
form-submit or some other action.) But if you already have Google Analytics
you're probably not giving up any more information by adding this.

~~~
fotbr
Great. That means that if you're after a specific piece of information, and
you don't waste time clicking on "ooh shiney" stuff on your way to find that
piece of information, you get flagged as a bot and treated as hostile.

Why do we want this version of the web again?

~~~
wild_preference
Abuse exists, so there is then demand to prevent it.

Your anger would be better directed at the bad actors who ruin things for you,
like how you need to buy a lock for your door. How much time in your life has
been wasted by slotting a key into a hole? Ugh, doesn't anyone know this isn't
the world I asked for?

~~~
rcMgD2BwE72F
Gotta feed the machine right?

Just so you know, the more you protect your privacy, the more websites,
everywhere, will have Recaptcha require that you work for Waymo even though
you do not want to work for them (you know, describing road signs, identifying
potholes, finding traffic lights, etc).

Want some privacy? OK, waste 2-3 minutes every 10 articles and work for
Google. Don't want to work for Google? OK, disable all privacy protection and
you're good to go.

Paying a subscription to the website will, often, not even prevent Recaptcha
from popping up.

That's dystopia, both feet in, but somehow it's OK because some "guys" are
abusing the system o_0

~~~
wild_preference
I can enumerate why anything in the world is suboptimal. It's not a very
strong point on its own.

But notice that you haven't suggested an alternative. You're just lamenting
one of the few, generalizable, cheap resources a website operator has to avoid
abuse in a world where it's only getting easier and easier for bad actors.

Your analysis is just as thorough as "but somehow it's OK to put locks on
every door because some guys are abusing the system o_0?!" Food for thought:
Is everyone encumbering their life with keychains for the fun of it? How do
the trade-offs look? Do locks play any role beyond feeding the locksmith
industry? What other options do people have and how do they compare with
buying a $17 lock for their front door and installing it with a few screws?

~~~
rcMgD2BwE72F
The alternative is simple: decentralize the Internet, regulate Google for
abuse of dominant position. Its size and power makes it completely unavoidable
now and force users to work for them. One cannot have basic access to Internet
websites and services without providing Google with personal data or work for
them. If Google wasn't so big and did not collect/treat such a huge amount of
personal data, we would have a choice between multiple providers.

To read some articles, I am required to help Google improve its self driving
company (Waymo, "identify cars in the pictures"), its OCR algo (Google Books,
"write the two words"), its Maps service ("find house numbers" on Street
View), etc. This free work makes Google increasingly competitive vs the
alternatives, so Google can continue offering "free" services (like Recaptcha)
and further compel users to work for them. You simply don't have a choice.

------
sleavey
Recaptcha is a horrible experience if you block tracking. Sometimes I fill in
literally 10 pages of CAPTCHAs and it still can't work out if I am a bot or
not. It's not even clear to me why having tracking cookies is even a sign that
a client is not a bot.

------
singularity2001
Fidor Bank uses recaptcha. WTF, I don't want google to know when I access my
bank!

------
lwansbrough
The interesting thing about this type of heuristic is you probably don’t need
Google to do it for you. Does anyone know of any open source software that is
capable of doing something like this?

------
jraph
I block Google domains on my main browser profile, and JavaScript by default.

I noticed if I encounter a recaptcha on a website, I just tend to abandon and
seek information elsewhere. Last time I was presented with a recaptcha when
setting a search filter on a website. No, thanks. This is too much of a pain
to unblock everything and answer a recaptcha. I'll pass.

When I do answer a recaptcha in despair, this is a pain to do.

------
buremba
Let's say that we're a small startup and we need a reliable captcha service.
What are the alternatives of using reCAPTCHA?

~~~
bassman9000
[https://siftery.com/recaptcha/alternatives](https://siftery.com/recaptcha/alternatives)

Not affiliated with the site or any of the alternatives.

------
shampster
anyone remember the blog from the late 90s or maybe early 00s who just ripped
apart every bespoke captcha that existed on major web sites? It was really
entertaining/interesting/informative to me at the time. Can't find it
anymore...

------
jeromebaek
Related: a guaranteed unbreakable captcha by Scott Aaronson.
[https://www.scottaaronson.com/writings/captcha.html](https://www.scottaaronson.com/writings/captcha.html)

------
akerro
Any time I see their stupid image captcha to find all buses or shop fronts I
immediately close the tab. It's _never_ worth the effort of solving 5x image
captcha to read some stupid website.

~~~
ryanmccullagh
Is that the case for you, the captcha shows up when you’re browsing a website?
For me, it shows up for my more essential services like logging into an
e-commerce site, or my Stripe account. If you had no choice, what would you
do?

------
Yetanfou
Another thing which can be gleaned from the progression of ReCAPTCHA from v1 -
enter street names and house numbers into this box please - through v2 -
identify images with street signs, shop fronts, buses, cars - to v3 - only
Chrome/Firefox/Edge/Safari users welcome is that Google Maps (and related
units) no longer needs ReCAPTCHA users to read those street names and house
numbers as that task is now reliably performed by software, nor does it need
help to separate shop fronts from normal facades or traffic signs from
billboards. Now that these tasks can be handed over from mechanical Turks to
the server farm ReCAPTCHA can be turned to other purposes like giving Chrome
an extra boost.

------
zzo38computer
I don't like any version of recaptcha either. A server-side text-only CAPTCHA
is better.

------
TekMol
What are the most common use cases for captchas?

What do HN users use them for?

------
alexnewman
What do we think about hcaptcha.com ?

~~~
roylez
Just checked the website and it looks like a mimic with payout. I hate them
all the same no matter whether I am asked to click on all the buses or cats.

------
3stax
I really thought they would realise how fucking stupid this was and roll it
back, but I guess they really don't care at all. I feel sorry for anyone who
has opted out of the Google ecosystem so far and is now going to be penalised
by not being able to access many websites

~~~
candiodari
The problem with this reasoning is the alternative. If there was no reCaptcha
but a low-quality broken captcha (like almost all of them), you would not be
visiting those sites. They'd all be the sort of abomination that ebay is these
days.

BUY ! BUY ! BUY ! Penis enlargement pills ... sorry to put it bluntly, but
it's either that or reCaptcha.

