Glad to see I’m not the only one who’s getting tired!
As a uMatrix (and former NoScript) user, I've long noticed that many sites make calls to ajax.googleapis.com for I have no idea what. Quite often the site will refuse to work without that.
That's actually not cool: recruiting your time under false pretenses to create value for themselves.
It's not as bad as you're making it out to be.
If that's what I'm helping you do then tell me that and let me opt-in. Maybe I want to contribute. But, don't instead throw up a road-block to the service I'm actually trying to consume, under the guise of providing that service, then double my required effort to help you provide some other service.
It's actually implemented as a dark pattern. If you want cheap labor then use Mechanical Turk or otherwise. But, don't steal thousands of hours of your customers' time under misleading pretenses.
You should complain to the site that decided to offload their captcha costs to you.
Your relationship is with the site, and so it should be their responsibility to inform you of the "bill" you'll have to pay to Google for using the site's captcha-protected services.
And, Google is definitely employing a dark pattern here. This is designed to be a stealth tax, to go largely unnoticed by anyone, including the site operator.
Even Google's selling of the product doesn't make clear that users will be doing additional work; instead suggesting that saving the world will be a by-product of a normal captcha process. 
Now, I use DDG and fall back to Google search with !g if I can't find what I'm looking for.
Enter your first captcha wrong and then half the time, on the second one, it won't say you did the first wrong (it's because the first was a learning set). Do the second one right and then you're good.
I deliberately mark the exact opposite of right boxes in the first captcha at times, takes me the same time but at least I can say I delayed skynet.
To me it seems that if you take your time and try to answer them properly they will try to get you to annotate as much data as possible, while if you just click through it fast it'll let you pass.
Was mildly infuriating because what constitutes a storefront seems pretty culture specific, and I got shown a bunch of buildings, where half of them I had to go 'well, that MIGHT be a storefront, it looks kind of commercial, but it doesn't appear to have much explicit signage...god dammit...'
This is wrong on so many levels.
There's no decision yet, and the process is still running.
I learned this the hard way on a forum I built and ended up painstakingly building a feature that lists all moderator actions and a "Reverse" button next to them. ...Among many other similar features.
It's funny to think back on the day I decided to build a forum: "How hard could it be?"
On my part it is a direct reaction to developers and their employers cutting corners and adding these challenges to login forms and anything else you can imagine. It's entirely reasonable to show a challenge after a couple of failed login attempts, but they should never be part of the default login flow. These decisions hurt users.
If you work on a product that shows a CAPTCHA while logging in, please discuss this issue with your team and consider not challenging your users during their first login attempt.
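A sketch of the policy this comment asks for, as an added example that is not part of the original comment: the first login attempt is never challenged, and a challenge is required only after recent failures. The class name, thresholds and window are assumptions; failures are counted per account and per IP separately, so that neither many addresses hitting one account nor one address trying many accounts escapes the counter.

```javascript
// Added illustration: decide when a login attempt must solve a challenge.
// All names and default thresholds are assumptions, not taken from any product.
class LoginChallengePolicy {
  constructor({ windowMs = 15 * 60 * 1000, accountLimit = 3, ipLimit = 10 } = {}) {
    this.windowMs = windowMs;         // how long a failure counts against a key
    this.accountLimit = accountLimit; // failures on one account before challenging
    this.ipLimit = ipLimit;           // failures from one address before challenging
    this.failures = new Map();        // key -> timestamps (ms) of recent failures
  }

  // Drop timestamps that fell out of the window and return how many remain.
  _recentCount(key, now) {
    const cutoff = now - this.windowMs;
    const kept = (this.failures.get(key) || []).filter((t) => t > cutoff);
    if (kept.length) this.failures.set(key, kept);
    else this.failures.delete(key);
    return kept.length;
  }

  _push(key, now) {
    this._recentCount(key, now);
    const list = this.failures.get(key) || [];
    list.push(now);
    this.failures.set(key, list);
  }

  // Account names are case-folded so "Alice" and "alice" share one counter.
  _keys(account, ip) {
    return [`acct:${String(account).toLowerCase()}`, `ip:${ip}`];
  }

  // True when this attempt has to pass a challenge before the password is checked.
  // With no recorded failures this is always false: the default flow has no CAPTCHA.
  needsChallenge(account, ip, now = Date.now()) {
    const [acctKey, ipKey] = this._keys(account, ip);
    return (
      this._recentCount(acctKey, now) >= this.accountLimit ||
      this._recentCount(ipKey, now) >= this.ipLimit
    );
  }

  recordFailure(account, ip, now = Date.now()) {
    for (const key of this._keys(account, ip)) this._push(key, now);
  }

  // A successful login clears the account counter only. The IP counter is kept,
  // so one valid login does not erase that address's failures on other accounts.
  recordSuccess(account, ip) {
    this.failures.delete(this._keys(account, ip)[0]);
  }

  // Periodic cleanup so keys that are never queried again do not accumulate.
  sweep(now = Date.now()) {
    for (const key of [...this.failures.keys()]) this._recentCount(key, now);
    return this.failures.size;
  }
}
```
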
And, if I don't use the captcha, we get flooded with spam. We are using Google's "nocaptcha", which is usually unintrusive, but is a pain for anyone not logged into some Google property.
Sucks for users with JS disabled though.
I also use the hidden field trick, but I label it phone number and fill it with zeros. Then I hide it with an external stylesheet. I don't actually want a phone field, it's a decoy. If it is changed from zeros, it is spam. Most spam bots don't seem to parse external stylesheets.
I've had zero contact form spam with this method. Mind you it is a very low volume site.
I was just having fun with it, making a php-style contact form backend but using node.js. I read lots of those old blog posts you mention.
Make some text asking a question "What is five plus 2?" And there's an empty text field next to it that on the backend looks for the trivial right answer.
That should reasonably stop spam, and still allow a field based html mail sender. And eliminates a dependency on Google.
EDIT: Have you considered putting the messages in a pending state instead? You could ask for their email in the contact form, and send a confirmation link that needs to be clicked for the message to be validated. Unvalidated messages could be deleted after a week, without any human interaction. I'd expect this to have comparable effectiveness against untargeted spam.
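Two of the suggestions above, combined into one contact-form backend for Node.js as an added example that is not code from any commenter: the decoy "phone" field pre-filled with zeros, and messages held in a pending state until a confirmation link is followed, with unconfirmed ones purged after a week. The field name, the zero string, the class and function names are assumptions; sending the e-mail is left to the caller.

```javascript
// Added illustration: decoy field plus pending-until-confirmed messages.
const { randomBytes, createHash } = require('node:crypto');

const DECOY_FIELD = 'phone';        // hidden by an external stylesheet (assumed name)
const DECOY_VALUE = '0000000000';   // value the form ships with (assumed)
const PENDING_TTL_MS = 7 * 24 * 60 * 60 * 1000; // unconfirmed messages live one week

// Only the hash of a token is stored, so a leaked store yields no usable links.
function hashToken(token) {
  return createHash('sha256').update(String(token)).digest('hex');
}

// Rejects whitespace (including CR/LF) so the address cannot smuggle mail headers.
function isPlausibleEmail(value) {
  return typeof value === 'string' && value.length <= 254 &&
    /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

class PendingMessages {
  constructor() {
    this.pending = new Map(); // tokenHash -> { email, message, expiresAt }
    this.delivered = [];      // confirmed messages, ready for the site owner
  }

  // Handle one form submission. Returns { status: 'rejected', reason } or
  // { status: 'pending', token }; the caller mails a link containing the token.
  // The confirmation mail should not echo the message text, otherwise the form
  // can be used to send arbitrary content to third-party addresses.
  submit(form, now = Date.now()) {
    // A browser submits the hidden field unchanged. A missing or edited value
    // means something filled in or rebuilt the form without applying the CSS.
    if (form[DECOY_FIELD] !== DECOY_VALUE) {
      return { status: 'rejected', reason: 'decoy-modified' };
    }
    if (!isPlausibleEmail(form.email)) {
      return { status: 'rejected', reason: 'bad-email' };
    }
    if (typeof form.message !== 'string' || form.message.trim() === '') {
      return { status: 'rejected', reason: 'empty-message' };
    }
    const token = randomBytes(32).toString('hex');
    this.pending.set(hashToken(token), {
      email: form.email,
      message: form.message,
      expiresAt: now + PENDING_TTL_MS,
    });
    return { status: 'pending', token };
  }

  // Called when the confirmation link is followed. Tokens are single use.
  confirm(token, now = Date.now()) {
    const key = hashToken(token);
    const entry = this.pending.get(key);
    if (!entry) return null;
    this.pending.delete(key);
    if (now >= entry.expiresAt) return null; // expired but not yet purged
    this.delivered.push({ email: entry.email, message: entry.message });
    return entry;
  }

  // Run from a timer or cron job; needs no human interaction.
  purgeExpired(now = Date.now()) {
    let removed = 0;
    for (const [key, entry] of this.pending) {
      if (entry.expiresAt <= now) {
        this.pending.delete(key);
        removed += 1;
      }
    }
    return removed;
  }
}
```
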
Nope, that only works if there weren't botnets that just multiplex millions of requests over thousands of websites.
Anyone who has tried IP-blocking bots has run into this where 50k+ IP addresses just need to send you one request per couple minutes.
Your posts in this thread show how easy it is to be against recaptcha without addressing why people use it, or you suggest it's a flawed security model when people use it. It's kind of hard to take your advice seriously when I think of real world websites fighting real world abuse.
In another post of yours, you recommend the web developer to just expend more and more effort to circumvent abuse without recaptcha. Like creating a whole pending message system for, say, a forum instead of just a contact form. In fact, you'll find that there's no shortage of work for you to do once you attract abuse. And that's an easy solution to prescribe when you have no skin in the game. God forbid the site doesn't even make any money.
What would your advice achieve?
I changed the "you" to "your advice", but I think that's a petty distraction since I'm making specific points against your advice, not you as a person. And this comment is an example of what seems to be a disconnect between your understood attack models and the attacks that people actually need to defend against.
How do you do this on account creation?
But yeah, it's free so you can't resist using it. Have you ever stopped to wonder why google gives this service out for free? When you integrate reCAPTCHA into your website, you're selling your users out.
Making CAPTCHA solves take 30 seconds or a minute instead of 5 seconds is the state of the art.
And if throttling attempts is in fact the state of the art as you claim, you can do that without pulling in google code at all. I trust you are that competent at least. However the fact that the noscript version doesn't make you wait at all leads me to conclude your excuse for google's behavior is bullshit.
It sucks that abuse exists, but it's a real problem and it's only getting easier to do and harder to avoid.
After all, what also bones users is having a platform that's trivial to attack because the developer thought abuse wasn't going to be a problem.
For example, for the one with traffic lights: Am I supposed to just mark the light bulbs or also the poles and beams?
I have a feeling that they've switched from a human source of truth (e.g. 3 other people got the same tile and consistently classified it as X), to a machine source of truth (e.g. their image classifier says it's X).
Now instead of thinking like a human to solve a captcha, you have to think like their sort-of-shitty "AI."
Also, the recaptcha puzzle I hate the most was the one where you had to classify street signs--but then it showed you foreign signs in foreign alphabets. Street sign conventions can vary so much around the world that the puzzle was manifestly unfair. I haven't seen this one in a while, so I do hope they retired it.
Of course, being logged in to your google account, preferably in chrome, and not blocking any of their scripts or cookies, would also go a long way for that. wink
Multiple challenges aren't there for more security, they are there to get more free labor out of the human. And the tile fade-in is to punish the human for not using the web in a Google Approved™ manner.
The proof of this assertion comes when you manage to enable the noscript version of reCAPTCHA (which is only available on sites that have opted to use the lowest security setting). Once you start using noscript reCAPTCHA, you discover that your correct answers are accepted the first time every time. The challenges have the same format; click the cars, click the traffic lights, etc. There are two differences: the tiles don't fade in slowly, and the correct answers are always accepted.
(By the way, the noscript version will accept either sort of answer. Only the bulbs, or the entire enclosure. Both answers are accepted.)
In reality, I think they are telling people they were wrong in order to extract just a little bit more free machine learning data from them. And really, they don't actually tell you that you are wrong, they just keep feeding you new questions. This is most likely because they don't know whether your answer is correct or not. They are giving this specific question to a bunch of people, then comparing the answers to get a correct response for later.
So you might get a few training questions first, then end with a question that they already know the correct answer to so they can decide if you are trying or not.
It's quite brilliant and is going to really catapult Google ahead of the rest of the world when it comes to self driving cars. The cars will be able to use all the captcha data to not only train their ML models to recognize things like signs and whatever, but the ML won't even be fully necessary since they have the re-captcha volume to basically directly identify every roadside visual on the planet one by one.
I doubt it because I've been seeing the same images for several months.
I think Google (or someone) sponsored the name "dark patterns" so they can be accused of it all day long and no one will really care.
Manipulation, lying, deceit, stealing, call it what it is. Not some watered-down marketing phrase to let these guys off the hook.
Accessibility guidelines used to mandate that content was accessible without JS, which may be the reason why the noscript version exists, but it seems the latest revision has unfortunately removed that requirement. No, I will not run arbitrary code on my computer just to access your site...
What people actually don't seem to realize ITT is that abuse is becoming so easy and such a problem that we are becoming increasingly reliant on centralized services like Cloudflare and Google.
You used to be able to just generate your own captcha on the server with simple libraries, but Xrumer (mass website-spamming software) could crack those 10 years ago.
I'd like to see more comments addressing the ever-lowering barrier of online spam/abuse instead of opting for the low hanging fruit of condemning people for trying to save their websites/platforms from it.
But now all this damn clicking of hydrants, crossing, traffic lights, store fronts, vehicles etc. etc. is becoming really irritating.
And no, I disagree that we have no option but to rely on "centralised" services like Cloudflare or Google.
Like I said, popular spamming software like Xrumer could crack those captchas ten years ago.
> And no, I disagree that we have no option but to rely on "centralised" services like Cloudflare or Google.
Can you pitch alternatives, though? For example, an attacker can still spoof IP addresses in 2019 and create volumetric attacks that you certainly cannot endure without someone's help upstream (i.e. centralization). No need to bother with spoofing though since you can rent a botnet for peanuts. Attackers have decentralized attacks but there is increasingly only centralized defense.
A DDoS on a static site cached on just about any CDN that runs logic exclusively on the client is much harder to pull off successfully because it's so much cheaper (practically free?) to mitigate, and doesn't affect any existing users who would already have the necessary resources cached locally.
AWS did let me report these DDoSes and they would reimburse me, but it felt wayyy too precarious and I ended up switching to Cloudflare (free).
And I think that should worry us all.
Also, only the most trivial sites can be 100% cached. And those are the sites who need Recaptcha the least (or need a server to get a challenge from). Abuse is not a simple issue to solve.
It pollutes the original intention with a different goal. Is the goal to easily distinguish between bots and humans, or is the goal to trick people into doing free classification work for Google? Different intentions lead to different incentives which may lead to different results.
Uber business case: driverless cars. Users who are already uber users can bypass it.
Facebook: can sell datasets. Can authenticate users. I wonder if fb is used on more sites than Google?
Toyota: Aside from driverless, they would have a weak case but case nonetheless for starting a captcha service.
The idea that this problem results from heightened security measures is wrong, but it’s not laughable; it’s just sad.
Their No CAPTCHA's are very rare for me when I'm browsing logged in to my personal google account under the same session, on a normal browser.
They can be confident I'm not some kind of a bot, yet they still require me to solve on average two different tests to train their "AI".
An aside from the corporate dystopia at hand: I do not know as much as I wish about how this works, but am intrigued at how the objects so often bleed into other “boxes” at just the right amount to demand multitudes more cognitive energy to negotiate with myself over what side of this false binary to place my bets on.
Back to corporate dystopia, my awareness of the procedure and intent is so blackboxed that I feel like a mule. Since I started approaching them with sloppy selection and minimal to no discern, I’m doubtful that the length of the challenge has any correlation with a measurement of suspicion at all. Rather, those liable to be this considerate will similarly recognize identify the wrath the cookie monster.
Consider this a canary that Tor is working as intended. If you get past Captcha on Tor, to me that is a sign something is terribly amiss.
It would be cool if they released the gained data as open source, but that might compromise the service, and I guess someone has to develop and host this thing, so keeping it to themselves is fair enough.
The only issue is the conflict of interest (they benefit from giving me more captchas), but they don't seem to be abusing it for that end. They sure abuse their position of power by hellbanning you when they suspect foul play, but I doubt that it's because they want you to do more work.
> The only issue is the conflict of interest (they benefit from giving me more captchas),
The current one helps in identifying and navigating streets, useful for maps and autonomous driving.
You'll notice that recaptcha always has a direct effect on current projects of Google/Alphabet: Google Books, Google Maps, Waymo.
I for one hope that AI gets to the point that it can effortlessly beat them, so we can stop dealing with them.
Well, they absolutely do work. They work so well that they've reduced bot actions by almost 100% on our sites.
We wouldn't use Recaptcha if there wasn't abuse on the internet. But, unfortunately, there is. There is a sobering amount of it.
I'm actually curious about all these posts suggesting that websites use Recaptcha for no real reason or for some trivial reason. To me, it suggests a massive misunderstanding that people have about the internet.
It's certainly something to worry about, but how about this angle: abuse is getting so cheap and hard to prevent that we're electing the aid of complicated systems engineered by large corporations like Google. That scares me, but not from a Google=bad standpoint. It indicates that the internet has fundamental problems that make abuse trivial, and that's a different discussion worth having, but it's a much harder one than Google=bad. Probably less cathartic, too.
Obviously it comes with downsides, but it's a trade-off. Nobody uses Recaptcha for fun.
As I reminded a sibling comment, even HN uses Recaptcha on its login/register page. There's no telling how many fewer spambots we have to deal with every day because of it, yet we're somehow here discussing whether Recaptcha serves a purpose while profiting from it. :)
Or we’ve just managed to notice that CAPTCHAs don’t seem to keep millions of bots, spammers, dummy accounts, shills, etc off the net. I’m glad you’re having such perceived success, but it’s not a universal phenomenon.
Do you run a service that needs to prevent abuse at scale? What exactly is your Recaptcha replacement?
It's very easy to complain about the inconvenience of Recaptcha, but I'd like to see less of that and more constructive conversation about what all these supposed alternatives are, because all I see is "you don't need it" which is merely a reminder that, understandably, most people aren't running sites at a scale that attract abuse.
Even HN uses Recaptcha. Check out the login/register page.
RECAPTCHA is no longer doing what it promised, and that's the general thrust of the article; the bots are just getting too good for it.
And I'm from a major Western European city, which is about the closest I can get to American culture without being not, I wonder if they present the same captchas if they think you're from rural China or Uganda.
> While a bot will interact with a page without moving a mouse, or by moving a mouse very precisely, human actions have “entropy” that is hard to spoof, Ghosemajumder says.
It's bad enough that systems working from this (highly dubious, IMO) premise will force us all to use the mouse even if we're used to the tab and arrow keys; much worse is that there's no workaround for people who _can't_ use the mouse and rely on switch control. It sounds like an accessibility nightmare.
I wouldn't be surprised if in the not too distant future they were hauled up before the courts on discrimination grounds, and not before time. There's something very wrong when a human consistently fails CAPTCHAs. For one thing I've tried selecting all boxes containing parts of a traffic light/fire hydrant, and only the ones that mostly contain parts of the object and have failed both times.
Ublock never seems to matter too much for me, but the IP address used can matter a lot. Whether you're logged into gmail/Google seems to affect it positively also.
I suspect the specific VPN you're using is the source of the lion's share of the RECAPTCHA problems you're having. They are probably utilizing a range that was or is used in a way that RECAPTCHA doesn't like.
Correct. Your reCAPTCHAv3 (which is the new completely challenge-less version that doesn't even make you click a checkbox) score is a good indication of how much reCAPTCHAv2 (the clickbox version) will fuck around with you.
In case anybody is wondering, v1 was the two-word OCR version and got shut down last year.
To me it feels similar to the duality of gas station "cash discounts," which have also been perceived as "credit card penalties." Or mobile providers' "free data for the music streaming service of our choice."
For captchas in general, I think we should stop pretending that we can prevent bot traffic from a dedicated attacker without annoying the users.
A simple captcha from the 2000's (the ones with lines over a word or number of letters and numbers), should be good enough to hold off basic script kiddies. Same for a basic TTS audio clip.
The problem is that while the kiddies may not be sophisticated, their scripts can be - the solutions will work their way into the scripts sooner rather than later.
Any dedicated attacker can nowadays circumvent your captcha solution, it's at best now to get the low level background noise to go away, similar to IP blocking SSH when an IP makes too many attempts.
If your site security relies entirely on the captcha not being broken, your site security needs an update.
eg: if you're not browsing the web signed into a Google account and allowing all their tracking. Fuck that.
My working theory was that companies like Google were using the captchas mostly to generate AI data, so only a few of the images on any given test were actually already labeled. Any of the other images (particularly the really grainy ones) would accept any answer because they were genuine classification questions.
Reading this article, I wonder if it's not even that -- that companies like Google are assuming, "you're not going to get everything right, so we'll give you some leeway."
Come on HN, let's all do this for a few days, you know we can do it ;-)
The solution is to make captchas that are bespoke to each site, since it means the same bot or script can't be used on every one and spammers have to go out of their way to crack each one. You can already see this right now; sites with their own systems generally get no spam at all.
But given that most people aren't programmers, well it means they're stuck with mainstream captcha systems which present a giant target to the internet's ne'er-do-wells.
Niche sites can avoid the issue with topic specific questions though.
1. It's not feasible for various websites to implement their own custom CAPTCHA formats. Building custom CAPTCHAs is a lot of work.
2. The custom CAPTCHA tasks wouldn't be that different from each other. As the article discusses, image/text/audio recognition are some of the only universal tasks that can work for CAPTCHA.
3. Nothing is stopping a malicious actor from implementing a "check which type of captcha" function and then selecting one of several CAPTCHA cracking functions. Fragmentation of CAPTCHA format just delays the cat and mouse game.
4. Some custom captchas, like the chess captcha, are actually not even that difficult for computers to solve. https://nakedsecurity.sophos.com/2013/03/12/chess-captcha/
3. You could ask them niche specific questions instead of requiring them to do general tasks. This is what I do with all topical internet forums and sites; have a wide array of custom written questions on the topic in place of stuff a bot can easily figure out. For instance, all questions on Wario Forums are about Wario Land and WarioWare games, not things meant to be 'culturally neutral'.
I rotated questions on the /register page for a large forum I run, but as my forum became more popular and more of a spam magnet, my attackers simply built a lookup table of my questions->answers. I regressed back to Recaptcha.
Another problem is that I was surprised how many legit users would be pruned out by a simple question like the equivalent of "what color is Wario's hat?" for, say, a forum that covers games in general. I did basic stat tracking on the pass-rate per question to know which were bad ones, and it seemed pretty random which ones users had trouble with. Or they'd accidentally be riddles like (made-up example) "How many triangles in a triforce?" 3? 4? 5?
And people would finally register and complain on the forum that a seemingly trivial question was too hard. Or they didn't know what "the website footer" was.
At a point, especially if you're not so extreme on the niche/theme spectrum, Recaptcha was the better trade-off.
I've said this in another comment, but I'd love to see an HN submission where we discuss anti-spam/anti-abuse strategies instead of just doing the easy thing of bashing Recaptcha.
And you've also got a point that a certain percentage of legitimate users would be pruned out by a simple, topical question. There are probably a few people who couldn't register on Wario Forums cause of this sort of thing, and there were probably a few who couldn't join my previous sites cause of it.
So your questions would have to be very much tied to the audience. General gaming site? Asking who this is with a picture of Mario, Link, Pikachu or Sonic the Hedgehog would work pretty well. Niche site? A bit more obscure, to go with the audience likely to be visiting there.
That said, I think a few things will need to be kept in mind:
1. Firstly, a lot of niche sites already have fairly strict requirements to get in, and have a more drawn out approval process than the norm. For example, quite a few I know of have you required to post an intro in an 'approval' forum in order to get access to the rest of the site or server. So I suspect users on these sites may be more used to having to think/research the process to join a forum than those on Facebook.
2. To some degree, it also filters for people who are genuinely interested in the topic to a more than average degree, which may overlap well with 'people likely to stick around for the long run'. For example, the people likely to remember King K Rool's guises in Donkey Kong Country 2 and 3 may be good users at DK Vine, someone who could identify Rawk Hawk or Flavio would be more likely to be a good Mario RPG forum member, etc.
It's a bit like the comments I've heard about Ling's Cars... the only people who shop there really, really need a car.
Actually, maybe a bit like Hacker News too. The people most likely to 'tolerate' the old school design here are well, web developers, old school hacker types, etc.
Either way, it definitely all depends on how niche the site is.
However, you should never need CAPTCHA to login (except possibly anonymously; Fossil requires a CAPTCHA to login anonymously), or to do stuff while logged in. You should not require CAPTCHA to read public information either, or to download (since you may wish to use external download management; for example, I prefer to use curl to download files rather than using the web browser, and it seems that I may not be the only one).
Of course manually entered spam will still get through even if you do use CAPTCHA.
When you look at it that way, the whole captcha approach, no matter how clever, seems doomed to fail.
Why not simply allow bots? If it is because bots exhibit behaviour you don't want (like spamming), why not filter them based on the behaviour you don't want? Learn to recognise spam rather than fabricating some test. And when bots are truly indistinguishable from people, is it really a problem that they're not real people?
newegg lost some of my business recently after thinking it was a good idea to make me fill in a captcha before taking my money.
Probably they are combatting fraud, especially the variant "check if the credit card is still valid". There's not much defense against a botnet operator trying out a 100k dataset of stolen CC numbers other than captchas :(
For the interested, this kind of fraud simply orders cheap (on the order of 1-2$) stuff online to check if the card/cvv is valid. Doesn't draw much attention unless one of the victims has transaction notification active or diligently checks their CC bill.
In my experience, buster also works better when you don't use the Google Speech API but any of the other ones so Google can't correlate.
I wonder how tracking-based captchas can be compatible with privacy regulations like the GDPR. Do you have to positively opt-in to a website seeing whether or not you're a robot?
We're basically moving towards a world where the venn diagram for the web and privacy no longer intersect.
I personally found tesseract to be incredibly good, and have even used it in non-traditional OCR applications for doing things like reading signs.
Tesseract is incredibly good... as long as your lines of words are straight.
Reposted in 2014, 190+ comments:
I hope the EU fines Google for leveraging their security library prevalence to coerce people to use Chrome and/or open Google accounts.
I also wonder if that’s GDPR compliant: unless you accept Google’s data collection terms on GMail and/or Chrome products, they will use their position as security authority to degrade your browsing experience on third party sites.
A few days ago, I signed up for some service on a new-ish laptop, and it made me pass the storefront captcha three separate times.
This is yet another example of the social credit score being implemented in the US; in this case punishing users for opting out of continuous tracking (which will in turn be used for price discrimination or worse).
The good news is that this is almost certainly going to lead to a massive backlash as it becomes more common.
And, I would add, you're in part trivializing the horrendous impact of the social credit system by making this comparison, because it gives others the impression that this is merely a difference of degree, rather than of substance. It allows people to make arguments like "Oh, the US credit score is just like China's social credit score, so the social credit system can't be that bad." Yeah, NO. You don't get denied freedom of movement between cities or states because you owe a few dollars, you don't have your passport revoked because you don't use Google cookies, you're not forced to sit in the back of the bus because of something vaguely political you posted on twitter, you don't get denied the ability to send your kids to certain schools because you rolled a stop sign.
The social credit system is not a _tracking system_, it is a _legal system_ (made possible by surveillance), and while the US may one day be there, to suggest they are anywhere even on the same planet yet is laughable. Your average person in the US still, even after decades of abuse, has innumerably more rights than your average Chinese citizen.
This is not entirely correct. I have seen recaptchas that simply deny access without giving any option to solve them when browsing with Tor. The message says something like: automated systems detected unusual activity, try again later
> People get very excited about China’s social credit system, a sort of generalization of the “permanent record” we use to intimidate schoolchildren. And ok, it does sound kind of dystopian. If your rating is too low, you aren’t allowed to fly on a plane. Think about that — a number assigned to every person, adjusted based on somebody’s judgement of your pro-social or anti-social behavior. If your number is too low, you can’t on a plane. If it’s really low, you can’t even get on a bus. Could you imagine a system like that in the US?
> Except, of course, that we have exactly this system already. The number is called a bank account. The difference is simply that we have so naturalized the system that “how much money you have” seems like simply a fact about you, rather than a judgement imposed by society.
Forcing users to prove they're not bots is totally the wrong approach. They should be forcing bots to prove they're human so that real humans don't see this nonsense. Easier said than done, but that's not my problem.
How do you tell who's the user? A bot can look like a user and a user can look like a bot.
They already are forcing "bots" to prove they're human, to the best of their abilities. At some point their measures dictate that traffic from VPN = bot, until that "bot" can prove otherwise. If you're blocking whatever mechanisms they use to identify "human" then it shouldn't be a surprise that they can't differentiate you. Their only interface is whatever traffic happens between you and them, not any intention or motivation behind your actions.
They have a negative interest in blocking people from accessing anything, since pageviews = ad views = dollars. The only time they have an incentive to block anyone is for click fraud, or for any similar reputational damage from a person / bot / IP.
As a case in point, the same issue crops up with lots of users going through the same corporate proxy.
And it's the same reason that you can run Netflix (for example) through a personal VPN with no issue but will run into problems if you use a popular, retail VPN service.
Also, there is also no reason, though it would be a PITA, that you can't add your own measures to a private VPN, whether that's rotating IPs or some other measure. Is it going to keep your illegal activities truly anonymous? No, but neither is a retail VPN. It is a matter of degree and what tradeoffs you're willing to make.
As far as uses for a private VPN, the most obvious is to ensure intermediate parties, particularly on the same subnets, can't snoop on your actual traffic _content_. This isn't going to keep you anonymous from the NSA, but it sure will help against corporations (ISPs and their numerous corporate parents/cousins/siblings). Another benefit is that by protecting against packet level inspection, you are protecting yourself from many current forms of traffic shaping and bandwidth metering/throttling, as well as from limits on services you are running or the content of files you are downloading, as well as from intermediaries (e.g. ISPs) from inserting ads or additional tracking or whatever else into your (mainly web) traffic. This also comes into play not just with your normal ISP but any you are using while traveling (coffee shops, airports, hotels, and other untrusted networks).
It's not perfect but leaks will end up being pretty minimal, even in accidental situations.
I used to run my own DNS server when I was on Comcast. Now that I have a real ISP run by people I trust who have the same opinions on privacy that I do, it's no longer worth the hassle.
Well, but it is. Spammers and abusers have directly made it so. "This is why we can't have nice things." It's not your fault that thieves exist, but you've decided it's your problem enough to put a lock on your door.
And if a website has deficient measures against spam/abuse, it becomes your problem again when you have to see it or deal with it. Turns out that Recaptcha works pretty well in a world where it's only becoming easier and easier to abuse web platforms. And that's become a problem for all of us who want to participate online.
It's easy to be dismissive here, especially because you can just put Google in your iron sights and fire away instead of acknowledging why people use Recaptcha. Or you can just say "I'm sure there's a better solution" and leave it as an exercise for the reader. But I think you're barking up the wrong tree.