Hacker News new | past | comments | ask | show | jobs | submit login
Google's Captcha in Firefox vs. in Chrome (grumpy.website)
1343 points by kojoru on June 10, 2019 | hide | past | favorite | 483 comments



I was going through the same ordeal as a Firefox user, so I've made Buster to solve challenges and reclaim some of that lost time: https://github.com/dessant/buster

If you're a developer, please consider replacing reCAPTCHA on your site with an alternative. reCAPTCHA discriminates against people with disabilities and those who seek privacy, and it gaslights you into thinking you did not solve the challenge correctly, which is plain cruel.

Here are some reCAPTCHA alternatives: https://www.w3.org/TR/turingtest/


The problem with recaptcha alternatives is that they either are insecure or require time and money to continue to be ahead of bots.

All of the "interactive stand-alone approaches" from that page can be beaten with run-of-the-mill OCR (other than perhaps the 3d challenge) and with almost any mobile phone speech recognition engine (and, if the attacker has the money, can send it off to Google's cloud speech-to-text).

All of the non-interactive approaches from the page require this constant tuning and upkeep to make sure bots aren't able to sign up/abuse systems. There's also not \that\ secure if your website is targeted and scripts are made specifically to avoid your anti-abuse methods.


> The problem with recaptcha alternatives is that they either are insecure or require time and money to continue to be ahead of bots.

Sure great, but when I see behavior like the above, I just hit back and add the site to my routers firewall black list. If its this much of a PITA to "solve" a captcha, CORRECTLY but I keep getting the middle finger I don't give a crap anymore. Your site isn't worth going to if I have to spend literally minutes "solving" captchas for googles stupid ai which is treating me like prove i'm a bot even when I prove i'm not.

Just realize by using recaptcha this is what you're forcing some users to deal with. And I deal with it by making sure I never come back to your site ever again when you've wasted minutes of my time just to try to get to your page. Even if its googles fault for being jerks, I don't care. You choose to implement it.

Ok rant mode off and stepping off my personal soap box.


Your site isn't worth going to if I have to spend literally minutes "solving" captchas for googles stupid ai which is treating me like prove i'm a bot even when I prove i'm not.

I've run into state and local tax agencies, utility companies, and large healthcare companies that require Google's reCAPTCHA. So, unless you don't want healthcare, to have water service at your home, or you're in the mood to just shut down your business, you have to suck it up.


UK Gov doesn’t allow CAPTCHAs on central gov services: https://www.gov.uk/service-manual/technology/using-captchas


They can still use them if they meet certain criteria, and show that they 'need' them. The overuse probably comes from the incentive - Google is incentivized to encourage the use of captcha because it is curating a data collection for ai training. I imagine some of the 'gaslighting' that people experience is when they are given images that don't yet have a confidence rating high enough. I wonder if answering incorrectly often enough would result in being asked fewer questions?


(I used to work at GDS)

‘Need’ here means exhausted all other opportunities, and have built alternative accessible ways of accessing the same service. I’d certainly have expected a service to have investigated a self-hosted solution, and I doubt a reliance on 3rd party JS from a Google service would fly, regardless of the service, as it breaks a whole bunch of separate resilience guidelines.


The few times I couldn't avoid Recaptcha, I spent 5 minutes randomly clicking on image tiles. Sometimes I got through by this strategy. If it didn't work, I tried a less random approach.


It will let you through eventually, even when intentionally selecting wrong fields, when you do it often enough.


So frustrated people give up, but tireless bots will get through? That sounds like the exact opposite it's supposed to accomplish.


I've even seen state and government sites using Google's reCAPTCHA. People shouldn't be required to hand over their browsing history and other information to Google for essential services, especially to use government websites.


Thankfully, Indian government websites still use their own captchas - which though not as 'secure', works for most of the cases, and don't take minutes to solve.


It this case they get to deal with me offline. Like I'm using a credit card right now without internet banking. They send me letters, on paper, with how much I owe them and then I pay. All because registering for their internet banking was a crazy shitty experience that I abandoned.


I default to paper mail with things like written checks for that sort of thing. Never had a problem.


Of course if it's an essential service like healthcare, formal education, paying bills etc. people will be forced to use it (if there's no option to change that service itself). But for that fancy startup showing some content for to consume when it's not necessary, I will just close that website.


i say the same thing to my friend in a wheelchair -- "suck it up handycapper and pull yourself up the stairs".

there was a time not long ago before wheelchair ramps or accessible doors were commonplace. these people were literally shut out of society.

its the same with captcha forcing privacy-conscious users off the internet.


Uh, using a wheelchair vs walking is a lot less of a personal choice than using Firefox vs Chrome.

Or: people who need a wheelchair are protected by anti-discriminatory laws, while people who prefer not to use Google products aren't.


uh, captchas don't just appear on Google products. Third parties use it -- government services, online shopping, all kinds of things you take for granted because clearly you aren't one of the people affected by it (ie you're fingerprinted). Many things we used to do in physical space now occurs virtually. There is a serious philosophical and moral case to be made for the relevance of privacy and anonymity that captcha is specifically and nefariously working to erode. And in that sense it's worse than bad building codes.


I suspect the Google product that the GP was referring to was Chrome, given that this is a co, ent thread about Firefox vs Chrome, and the behaviour of another Google product (recaptcha) betwee the aforementioned products.


Yeah, but then again, so many times that I run into Captcha issues, it's on a site that really doesn't need Captcha to begin with.

Why make me solve a Captcha to see static content?

Why make me solve a Captcha to log in when I've already completed one to register?

Why make me solve a Captcha to pay utility bills? Is there some underground group of deviants going around surreptitiously paying other people's utility bills? The monsters.


> Why make me solve a Captcha to see static content?

Fair point, I usually run into this when using Tor, or VPN when accessing content behind Cloudflare, and or similar services. This is some anti abuse stuff, but is often overly agressive with giving you captchas.

> Why make me solve a Captcha to log in when I've already completed one to register?

So attackers cannot password spray. This is typically after attackers has gotten access to the latest database breach, and are just blindly trying username/password combinations.

> Why make me solve a Captcha to pay utility bills? Is there some underground group of deviants going around surreptitiously paying other people's utility bills?

Sound like a strange place to have a captcha indeed. What information is needed in the form to submit it? Does it validate stuff that an attacker might want to scrape? I guess they added it for a reason.


> I guess they added it for a reason.

This is not necessarily a reasonable assumption. People often do things because they heard it was a good practice, or because it solves a problem they don't actually have, but think they might, or arbitrarily without giving it much thought.


So attackers cannot password spray. This is typically after attackers has gotten access to the latest database breach, and are just blindly trying username/password combinations.

A simple ratelimit takes care of that. Plus, it's not like attackers would be easily defeated by a CAPTCHA anyway --- there are services selling batches of valid tokens, likely generated by actual humans or very close emulations thereof, for ReCAPTCHA.


CAPTCHA is not a fool proof, it is just the first layer in of defence in the signup/login form. CAPTCHAS increases the cost of password spraying, attackers can't simply fire up Hydra. They'll need additional tools and services which costs money.

Captcha solving service also has other costs than just the money it costs. It adds time costs and additional resource usage on the machines it is running on. A quick look at a service[1] shows that the average response for a challenge was 40 seconds (this value changed a lot when refreshing the page). The attacker has now gone from the 200ms range per attempt to several seconds, slowing the down a lot. This gives defenders additional time to respond, it is also a useful metric for detecting malicious logins.

[1] https://anti-captcha.com/mainpage


Rate limit by what? IP? Botnet traffic will originate at random IPs.


By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

This should waste less time than reCAPTCHAs. I know it's not 1:1 in terms of pros/cons, but it gets a good subset of the advantages without the key disadvantages mentioned above.


First, that's a bit user-hostile (and suddenly a DoS-vector; I can prevent a site's users from logging in by continuously firing bad password attempts).

Secondly, botnets can, and presumably do, randomize which accounts they try, too.


So rate-limiting is "user-hostile", but permanently hell-banning someone because their network is considered "seedy" is user-friendly?

Incidentally, you still need rate-limiting if you use Google's CAPTCHA. If you don't rate-limit CAPTCHA endpoint, an attacker can DDoS you (especially if your server-side captcha component uses low-performance single-threaded HTTP client). Furthermore, an attacker within the same AS as their target can purposefully screw over their account by performing attacks on Google's services until the reputation of the network hits rock bottom.


reCAPTCHA is a rate-limiting measure. Google handles all the heavy-lifting and attacker protection for you, and the slow fade you see in the video is that rate-limiting in action. But if you get a clean CAPTCHA result back from them, then that client is very unlikely to be an automated attacker. It's super easy and scales really well.

Conveniently, normal users with typical browser configurations get nothing but the animated checkbox. For nearly everyone, the whole experience is simple and easy. The only people who get inconvenienced are the low-grade privacy enthusiasts who think that preventing tracking is the path to Internet safety. Ironically, "tracking" is literally the mechanism by which legitimate users can be distinguished from attackers, so down that road lies a sort of self-inflicted hell for which the only sensible solution is to stop hitting yourself.


so down that road lies a sort of self-inflicted hell for which the only sensible solution is to stop hitting yourself.

"Be a good little sheeple and do what Big Brother Google says." Fuck no.


So I can lock you out of your account with 3 attempts from any IP address?


For a minute usually. Prevents flooding. Not a bad approach unless the account is constantly hit. In those cases two factor auth makes sense.


This is obviously a bad idea. It costs nothing for an attacker to send 3 http requests, every minute, every hour, all day. They could lock your account basically forever. IP filtering and locking accounts are terrible ways of preventing password spraying.


> By the account. 3 failed login attempts in a row, and you disallow further logins for 30 seconds.

...congratulations, I just locked out all of your users. Have a nice day.


How did you get the email addresses of all my users, which are used as login name?


From that messed up email from support that leaked them. Or I assumed that you'll have a big cross-section with some other site that leaked.

This is not theory, this is hard-earned experience. Locking-out people is bad, the most that's acceptable is rate limiting to a once every few seconds.


> > Why make me solve a Captcha to pay utility bills? Is there some underground group of deviants going around surreptitiously paying other people's utility bills?

> Sound like a strange place to have a captcha indeed. What information is needed in the form to submit it? Does it validate stuff that an attacker might want to scrape? I guess they added it for a reason.

Ive seen captchas on payment forms to prevent credit card checking. You can take a dump of CC details and try them all out on a site and get back the valid ones. I'd assume they charge $1 to the CC to test it before allowing you to continue and then you could cancel your order before they charge the full amount. However, assuming you have to be logged in to pay your bill that seems less reasonable.


I've even seen people beat captcha in bulk to get to a payment form. My best guess is something along the lines of mechanical turk or a room full of low wage workers doing it manually. I think the payoff of verifying stolen cards is worth enough to justify some kind of workaround.

If you host a payment form that informs the user about whether payment was accepted, you're a target.


> Sound like a strange place to have a captcha indeed. What information is needed in the form to submit it? Does it validate stuff that an attacker might want to scrape? I guess they added it for a reason.

In the past, I used curl to get some billing info, add the money to a dedicated virtual prepaid card, then pay the bill, then send an email to a gmail (+paidinvoice) label. These day, at least for my bills, they have pre-approved withdraw directly from the bank. However I guess this is not widely deployed.

If other people did this, but ended up doing it from an insecure machine and lost the credentials / got hacked, I can see why at least some orgs might want to prevent people from doing this. This is a classic over reaction, but a plausible scenario.


> If other people did this, but ended up doing it from an insecure machine and lost the credentials / got hacked, I can see why at least some orgs might want to prevent people from doing this.

The measure is not really about protecting the user that is using the payment form, it is meant to "protect" the system that is validating the payment data. The payment form may be a target for attacker which has gotten a large batch of credit cards from somewhere else, and wants to validate the data. They then regularly exploit such forms, or other naive payment system to check if the credit card data is valid.

CandyJapan owner wrote some blog posts about the subject.

https://www.candyjapan.com/behind-the-scenes/how-i-got-credi...

https://www.candyjapan.com/behind-the-scenes/candy-japan-hit...

https://www.candyjapan.com/behind-the-scenes/fraudulent-tran...


My electric company requires one to login - but only after a the browser session expires and I have to login again anyway.


> So attackers cannot password spray.

My password's not crackable, so it's annoying to be lumped in to that. I'd happily use a service-generated password to avoid login hassles.


I imagine what you are proposing then is to record the entropy on the password when you first register and for accounts with sufficient password entropy to not ask for a captcha after few failed attempts.

With that, the site gives away whether the account has a low entropy password or not.


> I imagine what you are proposing then is to record the entropy on the password

Or just generate secure high-entropy passwords and force users to use them.

Making users look up SMS codes before each login is acceptable. Making them solve obnoxious, long, privacy-hostile riddles is acceptable. But forcing them to use pre-generated secure passwords?! That can't possibly work. They will revolt!


> With that, the site gives away whether the account has a low entropy password or not.

Sure, why not? Way more than half of passwords are low-entropy, so that doesn't meaningfully help them focus attacks.

And they still have to keep solving captchas to make those attempts.


The weirdest one I have ever seen is on frikking walmart.com - here is my cynical paraphrasing of their 'thought process': "We don't want your money! Go back to Amazon! No captchas there cause they are not stupid!" I persist because I don't want to go back to being a 2nd-class non-Prime Amazon citizen but the darned unnecessary captchas really ruin my walmart.com shopping experience to no end.

If anyone from Walmart.com is reading, please please get rid of these useless captchas - it is an incredibly stupid thing that you do and unfortunately you do it too well as well.


The problem with CAPTCHA and the like are they seek to stop programmatic-browsing of websites, that both Firefox and Chrome support out of the box. If companies are concerned about non-human access they should make an official API instead of their website being a de-facto unofficial API. If they are concerned about fraud they will be woefully defended by CAPTCHA, it makes no judgement on the validity of transactions at all and doesn't prevent frauds signing in manually.

Ironically, Google has committed at least $75 million and likely hundreds more of fraud, via stolen refunds and stolen banned-account balances!

https://www.businessinsider.com/google-emails-adtrader-lawsu...

https://www.searchenginejournal.com/adsense-lawsuit/248135/


> If companies are concerned about non-human access they should make an official API instead of their website being a de-facto unofficial API

This is often impractical for several important use cases, like image rendering and PDF generation. Just hand waving away the cost of developing dedicated, pure APIs won't make companies more likely to do so.

> If they are concerned about fraud they will be woefully defended by CAPTCHA, it makes no judgement on the validity of transactions at all and doesn't prevent frauds signing in manually.

There are many different vectors of attack and fraud and CAPTCHA tackles one of them. It's silly to say it's unnecessary just because it doesn't cover all fraudulent activity


I implemented simple question / answer antibot filters on registration forms for a few sites. Nobosy ever made the effort to customize their bot to answer to those very few questions. I guess it doesn't make sense economically. However if a big site would go that way, it would be filled with bots in a day.


I once implemented a "poor man's captcha" that presented a simple randomized question that anyone would be able to answer (ranging from "what year is it" to "what's 2 + 2"). I guessed that nobody would make the effort to write a custom script for this, because the website in question was so niche and the stakes so low -- a very quiet corner of the Internet; I don't even remember what is was, possibly some feedback form that went to a support email. I actually felt some irrational measure of pride when, probably a year later, I was looking at some logs and discovered that some script kid had cracked the questionnaire and was currently using the form to post nonsense text with Viagra links. Someone had actually sat down and written code to crack my terrible solution, and probably spent more time on it than I had (which is to say, more than five minutes). Made my day.


For small scale sites you don't even need to do much that requires human intervention. Most bots (or at least most bot-actions) seem to invest very little in sophisticated techniques and rely instead on finding vulnerable servers by casting a very wide net. As long as that is true, you can filter out 99+% of the noise by applying very simple but slightly bespoke techniques.

As long as there continue to be enough cookie-cutter blog/forum/ecommerce sites out there for the bots to exploit, very simple techniques (JS-populated form fields or request parameters, very basic validation of the HTTP headers, taking into account the rate or frequency at which requests are made, etc.) will quickly and cheaply identify almost all of the bot activity.

Of course sophisticated or dedicated bots will still pose a problem, but assuming you're not just standing up a popular off-the-shelf platform without any hardening or customization, you'll need get pretty big (or otherwise valuable) before attracting that kind of attention.

A reasonable analogy here is the observation that simply running sensitive services on non-standard ports (e.g., not running SSH on port 22) will eliminate a ridiculous volume of malware probes against your system. To be clear, that's no substitute for actual robust security practices -- you almost certainly shouldn't have something like SSH world-visible to begin with -- but given how trivially easy it is do something like to change the default port for services you're not expecting the public at large to reach it's absurd that servers are compromised by dumb scripts blinding probing the Internet to exploit well-known and long-ago-patched exploits every day.


I did that for on an old forum that has been dead for year, I thought spammers would not care enough.

But one of them did! Whenever I changed the questions, bots would stop for a few days, and then start again. Someone cared enough to manually enter the correct responses (no, blind dictionary attacks were not possible)!


This is probably good enough for 90% of websites that accept user content. Then in the small chance it isn't because of growth or some random spammer decided to spend some time on your site, then you can switch to something like recaptcha.


Hobby sites may be in a more difficult position, but businesses may decide between developer convenience and low cost, or excluding some of their users and tormenting them.

There are also ways to reduce the damage reCAPTCHA causes, such as keeping it out of the default UX path. Discord for example will show a reCAPTCHA challenge on the login page only if you are signing in from a new location.

reCAPTCHA cannot effectively defend sites against targeted attacks either.


OK, Discord specifically is terrible. I login in incognito mode from the same location/browser every time, and have to deal with Captcha most of the time.


I use Discord from an incognito Chrome window. I avoid it most of the time, by doing: 1. Email is manually typed, password is copy pasted 2. I move the mouse around in the window in a fairly non-mechanical manner. I don't know if you use Chrome proper for it, so that could still be a point of difference.


I mean do you want Discord to fingerprint your browser so you don't have to deal with captchas? Kind of defeats the purpose of incognito doesn't it?


> Kind of defeats the purpose of incognito doesn't it?

They're going to track my IP whether I want them to or not. So they should go ahead and use it to reduce hassle.


> …only if you are signing in from a new location.

Or you clean your cookies out, thank you "Cookie Autodelete".


I don't understand this. You're logging in from a fresh browser. Do you want sites to fingerprint you in other ways so you can clear your cookies and not have to deal with captchas?


If there haven't been any failed logins on the account since last success, there's no need to throw up a captcha.


Sending my data to Google as a condition of using someone else’s site also isn’t secure. Training Google AI also isn’t something I signed up for.


Not saying I like the precedent of Google being inescapable, you're not "signing up" for anything. A web server is 100% in its rights to refuse to send you a page, on their terms.


That is true. However, if I sign up for a service, for example TransferWise, then later, signing into the account, I get a Google Captcha, now I am engaged in a relationship/data share with Google and if I don’t agree, I lose access to my account. When I signed up, I didn’t have “you must help train Google AI” as a condition of use.


Not sure why you're downvoted, it's a valid point. It feels icky to use a service that you pay for, and incidentally provide free labor to Google's AI which they resell in Google Cloud as a walled garden. The result of reCaptcha isn't public as far as I can tell, and humanity probably doesn't get a net benefit from Google's monopoly on AI anymore.


People talk about "free labor" and forget all the times they were able to do Google searches or use Google Maps for free. It seems rather ungrateful? This isn't a one-sided relationship, both sides benefit.


The difference lies in whether you willingly subjected yourself to this transaction (give eyeballs, get Maps service) or whether it was imposed on you without anyone bothering to mention or question it beforehand.

Also the gratefulness part is strange. The corporation has no gratefulness for me, why should we show it any kind of loyalty. It's not a living entity with a consistent mind or consciousness. It will change its will based on Wall Street's demands. It will ban you silently with no recourse.


Perhaps "ungrateful" is the wrong word. But in a purely transactional society where we charge each other for every little thing we do on the Internet to avoid any "free labor", I suspect that we would be considerably worse off.


Logical error here.

Some people avoid Google Search, Chrome etc. They are still subject to this.


This is simple corporate sycophancy.


You seem to be a bot. Write a poem describing the outage and email it at larry@google.com . We will look at it and unblock you if we believe you are a human.


I believe we agree with you there. OP was just referencing the methodologies people user, often choosing tools like Google Analytics and ReCaptcha that are "free" by virtue of offloading compromises onto the site's users rather than the site itself.

I endorse a site's right to forbid me its content if I can't prove I'm human. I won't endorse a site that accomplishes it by asking me to pay the cost.


Unless you dont want to access to whatever is behind a sites captcha, you are signing up to solving their ai cv problems.


Not entirely accurate. The GDPR restricts the terms they can use, for example. And anti-discrimination law probably also applies. These don't really apply to captcha, of course, under current interpretations.


It's very easy to argue that CAPTCHA is an essential service and therefore not under GDPR.

> anti-discrimination law

Google-avoiders are not a protected class.


> It's very easy to argue that CAPTCHA is an essential service and therefore not under GDPR

No it isn't. In fact, out-of-the-box reCaptcha is not GDPR compliant, and using it on your site will open you up to possible liability. See https://complianz.io/google-recaptcha-and-the-gdpr-a-possibl...

My reCaptcha strategy is to fire off an email to the site owners every time I am subjected to a reCaptcha, asking for all my data under GDPR. Most websites only need a few such requests to quickly start looking for an alternative. Fuck Google and their constant attacks on my rights.


The blind are. And the audio captcha is roughly useless.


That's why I always answer the captcha's wrong. the machine!


It's the only way to stop Skynet!


> The problem with recaptcha alternatives is that they either are insecure or require time and money to continue to be ahead of bots.

You're posting this in response to an automated recaptcha solver. Clearly recaptcha also has trouble staying ahead of bots.

It seems to me that any simple automated test at the entrance is inevitably going to be easy to solve by bots, especially when it's a one-size-fits-all test like recaptcha, so bots have only a single target to aim at. A small-scale unique test will be more successful simply for that reason.

But it seems to me that the better way than to ban bots together with humans who fail to pass your Turing test, is to check for the behaviour you want. If you don't want spam, have a system to recognise spamming behaviour, rather than traffic lights.


wrong. captcha blocks bots and humans alike. so why bother with the fake puzzle at all? just replace whatever triggers your captcha with a straight up block. or else please consider a responsible alternative.


ReCaptcha blocks (or deters) an extraordinarily larger percentage of bots than it does to humans by far.


of course it does. so does an automatic ban. that's precisely not the issue.

i think you probably meant to say recaptcha allows an extraordinarily large number of humans compared to false positives? because that would be the relevant metric. you sure about that one?


> and with almost any mobile phone speech recognition engine

My only problem with recaptcha is when audio doesn't work (google decides I'm spamming their network… sure…). Because their audio validation seems to use only one rule that says "letters where typed". So I'm not sure how being able to beat it with voice recognition makes it worse.


How hard would it be to create an alternative using GPT-2 or the like?

Create a dozen models based on different things. Street signs, cats, houses, cars, etc. Then show the user a random selection of images generated from different models and say "select all the cats" and they get it right if they choose the images generated from the cat model.


To understand the depth and complexity of Captcha2 I highly recommend this:

https://www.quora.com/Why-cant-bots-check-“I-am-not-a-robot”...

Was posted on HN a while ago.


So the short version is that they try to fingerprint the user and then distinguish fingerprints that seem like humans from fingerprints that don't.

The interesting question then becomes how this is going to interact with future browser anti-fingerprinting measures whose purpose is to prevent just that.


I don't doubt that it's far easier to abuse traditional captcha systems, but I wonder how wide spread that is. A while ago I did a test with securimage and tensorflow/python/opencv/keras after I read a Medium post. While it could solve captchas with a little distortion when I added squiggles, dots, and more distortion it was unable to solve the captchas. I'm sure you could spend more time and create a system that can solve these captchas, I wonder how much effort some random spammer will put in to attack your blog. Yandex uses traditional captchas, and they don't seem to have any issues.


Honest question: can we start a class action lawsuit for psychological damages due to this? I've experienced this firsthand when trying to use a service through a VPN. I spent legitimately 5 minutes trying to get through only to get "Please try again" every time even though I selected them meticulously. It is infuriating. I thought I was going crazy


In fact, Google has a patent on blocking users by means of CAPTCHAs that always return failure[1].

[1] https://patents.google.com/patent/US9407661


> In fact, Google has a patent on blocking users by means of CAPTCHAs that always return failure[1].

Erm, unless I'm mistaken, that patent says it's owned by Juniper, not Google. Google is just hosting the patent document.


You cannot make an appointment on the california dmv website without using google services, in particular recaptcha. Also, just browsing the website, it tries to log you in.

https://dmv.ca.gov

additionally, lots of schools now require their students to use google services.

I hope there is a privacy lawsuit in the future to stop this sort of nonsense.


I just click randomly on Chrome and get trough .-.


I've recently had issues with buster where Google detects it, giving me this error:

"Your computer or network may be sending automated queries. To protect our users, we can't process your request right now".

Is there a solution for this?


It may not be buster causing that. I see that sometimes on a VPN, but also when not on a VPN but using Firefox with ghostery/ublock origin, etc.


It may not, but Ive seen the same. Only with Buster. And only since recently.


It may help if you go to the extension's settings and enable user input simulation and install the client app.

Though Google may block your access to the audio challenge regardless of the browser or extensions you use, see more details here: https://github.com/w3c/apa/issues/25


I also get this sometimes, not even using buster. Once I was not able to access package tracking information, because Google blocked me completely via recaptcha from that.

I actually do a lot of automated queries from my computer.

I like to scrape and save content that may disappear. Just recently one psychology website I liked years ago where I put a lot of effort to comment on, silently deleted all 60k user comments, including 100s I wrote, and started putting old articles behind a paywall. My activity is perfectly legal, as I'm doing all this for my own personal use.

Thankfully I have all the content locally in the database.

Does it mean I should be prevented from accessing third party services that use recaptcha?


reCAPTCHA also just doesn't work in the most populous country in the world. translate.google.cn does, but Google's reCAPTCHA does not. This is a big pain point. Thanks for the link to turingtest, I will certainly test it.


To be fair, lots of things on the internet don’t work in the most populous country in the world.


> the most populous country in the world

The United Nations estimates the current population of China around 50,000 more than the population of India. Given the uncertainty of these numbers, I can't exclude that India already has the most numerous population.


Could be, I don't know. 50,000 is a village in these contexts! I'd really like to explore India, it is, also, vast.


You're correct, quite a lot of things are not accessible in the most populous country in the world.

However, federated things are accessible. The big names Facebook/Twitter/Youtube/Google are blocked, and the services below them. However it is a blacklist of blocked not a whitelist of accessible. Putting google analytics traction in a header of a federated blog, meaning it's actually not federated, is indeed a stupid pain. China internet is restricted, but it is only restricted 'enough' for the current power.

Edit: And that seems good enough for now. Wechat 'moments' and use of Tiktok, from my observation of friends or even taking the train, are on a steep decline. Wechat's future seems mainly as a commercial P2Passist or very simple blog platform. Both dropped the ball and mobile payments will not disappear but the tide has turned (NFC, anyone? this was an already solved problem. The only real challenger bank China has is China Merchants Bank but they're after merchants, the clue in the name. For customer service and being one to perhaps pull a rabbit out of the hat, China Construction Bank. I have no idea how BEA didn't grab mobile payments.


Could it have something to do with the most populous country in the world blocking the rest of the world? For fear someone might massacre square...


Hmmm.. ok.. I could and should write something on this a lot longer.

The government facilitate corruption. The government is a hegemony.

Aside from that broad shot, 10 years ago you enter the aforementioned square freely, not only after going through a 'police' security check, bags x-rayed, IDs checked.


I thought recaptcha provided alternate domains/hosts not linked to Google so that you can use it in China. Is that not the case anymore?


reCAPTCHA does not work in China mainland (it does in HK, but that's different for now). But translate.google.cn (note the .cn) works fine. Similar visual recaptchs used on Chinese services tend to focus on Chinese characters on a low resolution picture background. Training for street names? I don't know

Resolving to google.com does not resolve (gmail does, a bit, IMAP but only every few hours or days, depending on connection sans VPN).


if this is true, I'd love to hear the alternate! I use recaptcha and hate that my chinese customers need to do wacky stuff to circumvent it.


See: https://developers.google.com/recaptcha/docs/faq

Look under the section "use recaptcha globally" -- this is what I was referring to. However it's not clear to me if this approach enables use in China or not.


Thanks for that. Changing to www.recaptcha.net right now!

Could be a while before I get enquiries from China but there is only one way to find out.

Google did say 'globally'...


Just out of curiosity, why do you use reCaptcha?


Not sure if this is "officially" supported but I believe you can proxy the `api.js` file yourself without issue.


The photos or voice still needs to come from from somewhere. The somewhere is google.com. The .com is blocked.


Please see my other reply in this thread: "recaptcha.net" can also be used. Is that blocked in China too? I can't find a clear answer.


I pinged recapture.net and got a 50ms response time. Baidu would give a 20ms response time. That's on WiFi. That leads me to think the server responding to these pings is in certainly in mainland China, I think in Alibaba's IP range, but probably not a CDN. Interesting, thanks.


I find it ironic that out of all things google, it was translate.google.cn to be given an exemption. There is a meme going around that this was country's chief censor's personal decision.


reCaptcha works just fine in India. It does have some troubles in the world's second most populous country.


Source for India being most populous?

All sources I can find say that population of China is bigger than India.


reCaptcha may be racist against black people. I hear a lot of AI is, google dropped the ball here.


> reCAPTCHA discriminates against people with disabilities

It discriminates against people who value their time. Who in the right mind thinks that spending several minutes on captcha is ok?


Without taking any moral stance, it should be noted that accessibility was (and is) the most successful attack surface of anti-bots measures.


Recapcha is absolutely heinous on an iPhone SE. The pictures are way too small and blurry to figure out what they are looking for half the time and it’s really not built well for zooming.


If you want a good look at the state of the art in this field, look at Ticketmaster.

Ticketmaster uses both recaptcha and a pre-filtering solution they supply based on their own heuristics, as well as a complex user activity tracking system to determine whether you're a bot or not based on the activity you present and traffic you pass, so even if you pass all CAPTCHAs, they still might tell you to pound sand if you try to reserve something.

In the last few weeks, for select sales, they've even required unique phone numbers which they will SMS a number to or call and relay a code to which you need to enter just to get a single place in line for a sale.

I'm not sure of any company more actively on the forefront of prevented automated access than Ticketmaster (which makes it kind of funny when everyone chimes in about how Ticketmaster doesn't do anything to prevent brokers from getting all the tickets).

The problem is that what Ticketmaster is up against is people running specialized software that's able to emulate a browser, which ties into services that are specifically designed to beat CAPTCHAs in an automated manner using mechanical turk type solutions, but at a very low cost.[1] I have reliable testimony that some people spin up the largest AWS instance for an hour or so as needed, run this software, use a proxying service, and make 8k connections to queue up for tickets on a sale. Each AWS machine is another 8k positions in the queue. Every new layer Ticketmaster throws into the verification process knocks these people out for a couple weeks, until the company providing the software (which I believe charges a small percentage for every ticket purchased, so they fix problems fast) works around it. The arms race metaphor is very apt.

That's just one of the companies trying to circumvent Ticketmaster's road blacks for brokers. There are others that try to automate their purchasing to varying degrees. I myself work for a broker that takes a very different approach, where we use (relatively) very minimal automation, and have a person in front of a browser for every purchase (and we don't have many people at all), and instead try to make select purchases based of complex analysis and lots of data. Even that's gotten much harder in the last few years as venues and promoters have learned to play with the allocations of tickets, and hold large chunks of the inventory back to be released later at higher cost. I don't really see anything wrong with that, it's a market response to supply and demand, but it is unfortunately hidden in a purposeful manner, which affects not only brokers but the the end consumer, as market information is purposefully obfuscated (which makes the markets less efficient).

I've written on this multiple times before, so if anyone finds this interesting, just do an HN search for my username and Ticketmaster together.

1: https://anti-captcha.com/ (Scroll down and read their animated infographic for what is possibly the most amazing graphical metaphor of this I can imagine at step 4. It's so disturbing it's funny).


> it gaslights you into thinking you did not solve the challenge correctly, which is plain cruel

That's interesting. Unless you are talking about having to click on more than one "page" of tiles (as illustrated in the video in the OP) guess I don't run into reCAPTCHA often enough to have noticed this phenomenon. Can you elaborate on what you mean by that?


reCaptcha v3 works well for me. There are no challenges anymore and it just gives you a score based on whether it thinks the user is a bot/spammer, then you can do whatever with that. Personally if the score is low enough I just place the user in a restricted user group that needs approval on certain site actions.


Was just looking into using v3 today. Can you share what you consider to be low enough? I haven't seen any guidance on thresholds


Yeah I have the threshold set at 0.6. Anything below that gets put in the restricted usergroup.


Google recommends 0.5 as a default threshold, and you can then tweak it based on your analysis of the scores in the dashboard.


Audio is not offered if you have non-default privacy settings, so this doesn't work when you're getting the most time-consuming captchas. So your extension is good for the captchas which take 15-20secs but not the 1minute+ ones, unfortunately.


Thanks for this. Extensions like this one make Firefox for Android worth it despite all the quirks.


I just wanted to say thanks for posting this. I installed your addon when I first read the HN comments yesterday, and looking forward to testing out your work. It looked great!


just adding another thank you. it has made the internet accesible to me and other humans again. cheers!


None of your complaints are applicable with reCAPTCHA V3.


>If you're a developer, please consider replacing reCAPTCHA on your site with an alternative

I second this (for the same reasons that you cite), and it's fresh in my mind as I just recently began reimplementing authentication for my personal CMS. reCAPTCHA is not a nice thing to do to your users. And I also don't want to feed The Beast.


> and it gaslights you into thinking you did not solve the challenge correctly, which is plain cruel.

It's good to see some confirmation that you're not insane. Google's ReCAPTCHA is plain EVIL.


I've never understood what happened to reCAPTCHA, it was originally so great and is now just so, so toxic.

Originally it was an awesome solution based on OCR'ing books that usually worked quickly on the first try, and almost never took more than two.

Then it turned into a single checkbox (analyzing mouse movement) so it was even faster... and I remember some simple image-based like "select the images of cats" that were also easy to get right. So even better.

But THEN... in the past couple of years, the image-matching started asking exclusively for analysis of street images, that has two huge problems:

1) The images are so blurry and ambiguous it's really hard to get right, it feels like a test designed to make you fail

2) You never know how far you have to go -- you keep clicking items, they keep replacing them with new ones, and there's zero indication of if you're almost done or if you're getting better or worse.

Once I did one for three minutes straight, neither passing nor failing, until I just gave up and left the page... if it's a bug, that should never happen. If that's supposed to be able to happen, that's the apex of asshole design. Either way, it's a failure in every way.


There's a third problem: quite a bit of the stuff they present is (almost) uniquely American and presents a recognition challenge in other cultural contexts. That yellow vehicle? Looks nothing like a bus in most other parts of the world. And so the rest of the world gets to learn what an American Bus looks like... Not, I think, what was intended.


Or it tells you to pick out pictures of cars and shows you a pickup truck. Now you have to figure out if people would call that a car or not. How about a delivery truck? A motorcycle?

Or it will ask for pictures of crosswalks, and you have to decide if 3 pixels of a crosswalk in the corner of one of the pictures counts.


If it makes you feel any better, I'm fairly sure the answer to those questions don't count. I know I've gotten some reCAPTCHAs "wrong" and gotten marked as a human. It's picking up on a lot of signals, not just whether or not you're "right". So, the good news is you can relax, and safely rewrite all the questions to "Do I think this is a store front?" or "Do I think this square counts as a crosswalk?" or whatever without loss.


My "favorite" is the one where you have to select the boxes with traffic lights. Does that mean just the actual lights, or the entire structure? More importantly, what does Google's AI think the answer is?


crosswalks are also an american term for pedestrian crossings.


I often get asked to identify store fronts. They are the worst.

The pictures are blurry and positioned at weird angles. There are lots of signs with east-asian letters (I'm not informed enough to guess what kind of alphabet they belong to) and I have no idea wether they are store fronts or not.

Is a sign to a dentist's office a store front? Generally it seems like anything with a sign above some sort of door or window qualifies as a store front.


Came here to say the same thing. It's literally impossible to distinguish a store from any other kind of business in many of those pictures. If Google wants to do behavioral fingerprinting they should just say so instead of pretending to do image recognition. But I guess some people just lie so much that they forget how to tell the truth.


What makes you think any store is not a store front? I realize that’s part of the problem, I’m just wondering why you wouldn’t assume the very literal “it is the front of a store” interpretation.


A commercial building with a sign on it might not be a store. They didn't ask for officefronts or warehousefronts. What about a bank or brokerage? A dental office or urgent-care center? Those can look a lot like storefronts, but whether they're considered such is pretty arbitrary.


I understand where you’re coming from and I’m having difficulty explaining the difference... it mostly comes down to what you consider a store (or a shop or whatever you call it). I know they could localize it more, but I feel like it should be pretty obvious what they’re talking about - a place of business selling good to the general public. Whatever you call that, banks and dentists and warehouses and medical facilities don’t really apply.

So yes, it’s arbitrary, but it’s supposed to be. It’s about your gut feeling as a human because that’s the whole reason they’re showing you any of these images.

If it “looks a lot like” a storefront then you’ve really got the same problem as everyone else in the comments: they’re small, blurry, images and it’s hard to tell what it is. That’s also the whole point: their algorithms can’t tell, so they want a general consensus from users. There are images they know and use as a control, but some percentage of the ones you see they’re legitimately not sure about.


E.g “Spot the fire hydrant” - oh, it’s those things that cops drive over in Hollywood movies. I don’t know if other counties have them too but it seems distinctly American and this capatcha is oddly common


Are you in america or using a vpn that shows as in america?


NZer here. The captures are usually American places with American themes.

I have definitely seen the "fire-hydrant" one, and we don't have fire hydrants (they are underground below well marked covers that are illegal to park on or placed where you can't park).

And coming from a first-world Western country, I have definitely been flummoxed by at least one that was too American for me to decipher. I feel sorry for anyone that doesn't watch American media.


Huh, there's fire hydrant here in Brazil. Although not as common as it was a time ago!


I see that stuff too. Not American.


I am from India, not using VPN. Except for storefronts, everything I get looks like from US-traffic lights, cars, buses (including yellow school buses), cross walks etc.


That hasn't been my experience. Most of the "storefronts" are (from what I can tell) based on Asia. I almost never see English signs. I'm still able to complete these challenges with only a little bit of difficulty.


Because it’s still created in an entirely American context. For example, the word storefront is an Americanism. The more commonly used word in the UK is shopfront, and in other English speaking countries they may just call them shops or stores, without the addition of the word front.


Fourth problem: How vague the instructions are. When I'm asked to click the boxes that contain signs, do I include the poles?


Yeah, this one puzzles me too. Generally, it seems like signs and traffic lights don't include supports, poles, etc.


Totally this, I'm British and am probably more exposed to american culture than other nationalities on average, and yet recaptcha still sometimes leaves me clueless on some americanism, that is when it's not driving me crazy with it's infinite loop. For other nationalities it must be straight up discrimination.

I sometimes wonder if these projects are actually internal astroturfing, someone trying to make people hate Google from the inside, it's so bad it must be intentional right?


Originaly it didn't belong to google, it was an aquisition. I remember seeing a ted talk about it.

To me it constantly feels like I'm working for google for free for their AI projects which is very annoying comparing to help a smaller company OCR books.


Trying to convince a robot that you aren’t a robot by teaching a robot how to look at pictures is a pretty absurd state of the world.

When they reboot the Matrix, instead of being used as batteries, the machines will keep humans around for machine learning test sets.


I think that was the original story for the matrix https://scifi.stackexchange.com/questions/19817/was-executiv...


Well, it might have been too close to the storyline of Hyperion Cantos (which probably got it from somewhere else).


You aren't working for free. You get access to a website and the publisher gets bot protection. It's a 3 way win-win-win transaction.


I think two things happened:

1) Computer vision got a lot better over the past few years. It's also become way easier for the average Joe bot operator to run cutting-edge stuff. OCR tasks don't cut it for distinguishing people from machines any more. Every time I see a blog post about a new computer vision architecture or how some random developer trained a neural network to get an X% result on benchmark Y, I think to myself CAPTCHAs are going to get more annoying.

2) The frequency at which most people have to solve a CAPTCHA has gone way down. In the beginning, I remember having to solve a CAPTCHA every single time I did anything on some sites. Now, I can't even remember the last time I had to do more than just check the checkbox. So, the amount of annoyance is amortized over a larger number of sessions, and Google probably feels like they can ask the user to complete more tasks as a result.


I've noticed the opposite on #2, especially in the last year or so. I've been solving a lot more captchas than I used to. I run Firefox with a lot of privacy focused add ons and I don't stay logged in to Google, I wonder if those have something to do with it.


Yes, they most likely do have something to do with it. If Google is unable to ID you in some way (e.g. browser fingerprint, cookies, IP, etc) and determine you're a good Internet citizen, they'll assume that you could be a bot and offer challenging Captchas. It's annoying, but on the bright side it proves that your privacy add-ons are working!


Same here. When this highly advertized service was launched ('just a click!') it worked perfectly. Slowly, over the past couple of years, they deliberately replaced that wonderful service with another one where we act as Google's unpaid workers.


Captcha Data has been used to traon ML models for a very long time. What's changed recently is that simple stuff like OCR has already been solved and democratized so the simple puzzles no longer work.


I'm not talking about the simple puzzles or 'words' that reCaptcha initially used to show. I'm talking about their 'improved' way of testing whether you are a bot by just making you click a checkbox. That doesn't work anymore (most of the times).


The frequency goes down as Google identifies you with stronger confidence. Try browsing from a VPN and you will spend half your time solving CAPTCHAs.


I am also getting way more captchas at least since the last 6 months. Exclusively using Firefox with clear everything on exit, multiple profiles, fingerprint flag on, some addons etc. No VPN. I get captcha almost all the time, even for Google searches from Firefox address bar (one out of 10 searches I think). But never gets a captcha for Google websites (gmail, youtube etc).


2) isn't true at all for me. I've always loved captcha and it has become a huuuuuge annoyance as soon as I'm using a vpn, tor, a weird wifi, a non-typical device, etc.

It is so freaking slow. I sometimes lose 60s to complete a captcha.


An insightful remark about ReCaptcha on HN recently (I don't have a link) was that it went from being "are you human" to "which human are you".


Ha, ha, very accurate observation.

And if Google keeps the pressure and nothing hits them back, soon the answer will be "Number 17 of 312 still using Firefox".

I still can't believe how Google has changed their tune - from "dont be evil" to being worse than MS ever was, which is quite an achievement in itself.


Google is in some ways much more adverse in impact than MS, but I suspect that hiring a bunch of people under the "don't be evil" mantra (and baking that "we're the good guys" into culture) has helped hold them back from some bad behavior.

At the same time an implicit belief in "we're the good guys" (combined with indoctrination including interview hazing rituals) can enable bad behavior, because then: "of course whatever we do is good, by definition, because we're the good guys" and then not questioned. MS did some really underhanded and insidious things with its power, and it's easier to see some of Google's behavior as due more to hubris/brainwashing.

I've started to use the CS101 whiteboard hazing as a litmus test for whether there's any point in trying to do good at Google, for my own career. So long as they insist on subjecting everyone to that (starting with people having just spent 4 years and a quarter of a million dollars on a Stanford CS education, and then people with verifiable experience on top of that), and also considering having been caught on abusive hiring/mobility conspiracy at they executive level, I think the CS101 whiteboard ridiculousness is not a good sign for corporate ego and intentions. It's also not great when CS students focus on drilling for that, to the exclusion of other things. For myself, if I applied anyway, I'd be fooling myself that I wasn't mainly after the compensation package, rather than wanting to have positive impact.


> I still can't believe how Google has changed their tune - from "dont be evil" to being worse than MS ever was, which is quite an achievement in itself.

It's called "selling out".


It sounds funny but I don't get it. ReCaptcha doesn't identify you does it?


To the website? No. To Google? Almost certainly given how it works.


I can imagine that, if Google already knows enough about you, just clicking "I'm not a bot" would be enough. Though I wouldn't know.

It seems like another way to punish people for caring about privacy.


There’s also this to consider: Google knowing enough about you to know you’re a human, and then wanting to use you to train. That’s why in some cases you can get away with just spamming whatever the hell you want in the picture grid. Because it trusts you enough to train it.


> 1) The images are so blurry and ambiguous it's really hard to get right, it feels like a test designed to make you fail

On top of that, I think some of the training sets are wrong. Multiple times I've been asked to find traffic signs, but it would only let me pass when including street signs.


There's also the issue that it will lie to you if the alogrithm decides it simply doesn't like you. Which means you'll end up doing at least a couple of rounds before it decides to let you through.


Rather, if it does like you (because you frequently get it right), it'll ask you to give it extra data.


Fascinating. Conspiracy theories around software. Might make for a fun sci-fi creative writing exercise.


I always envisioned their devious model to be something like:

- You want to train on an unlabeled dataset, label it along the way.

- You have a set of untrusted validators, some with no history, some with known credibility and accuracy scores. And you have a lot of them.

- You do kind of a zero-knowledge proof by showing the unlabeled dataset to validators that you know you can trust because of their historical high success rate, which you've already established through asking them to label a dataset that you already have high confidence on.

Kind of like how a blue-green colorblind person could find out which pen is blue, which pen is green if he is surrounded by people he can't fully trust. Ask people around you and maybe even show the same person the same pen (or a really dead-easy captcha) twice in a row. If they lie to you both times, they are not to be trusted.


If you use Chrome or Brave you can get multiple boxes wrong and still get through i've found, even on a cheap VPN IP.


Here's a hint: VPNs do almost nothing to safeguard you from modern fingerprinting techniques. If you're using any browser [1] but Firefox or Safari, Google probably knows exactly who you are and is just doing the boxes for shits & giggles.

[1] except those that reCaptcha doesn't support.


You have to answer the way most people would answer, not what is the most technically correct.

I guess if your adversary is a dogmatic AI then that might be by design.


I keep expecting it to eventually ask me to "click on the pictures of terrorists" and them using it to train automatic drone targeting software.


They also changed it so that if you've seemed human in the past, they're able to determine if you're probabilistically a human now.

This data is a few years old but I imagine it's the same based on my experience.

They're using your cookie + IP + your account data to determine if you're probably a human.

A LOT of reCAPTCHA sites never prompt you. You only know if it's there because you're on Tor or something.


> A LOT of reCAPTCHA sites never prompt you.

That has only happened to me in Chrome, not Firefox or Safari. Which is the subject of this article.


Yea it was much better when it was run by Carnegie Mellon. I guess selling it to Google seemed like a good idea at the time.

Today I feel like Google uses it mostly for their self-driving-car computer vision projects.


I believe even worse than showing you new sets of images is when the reCAPTCHA system gives you a "low trust score" and intentionally fades out the selected images, but very slowly, and replaces them with new images of the same type. Just downright feels abusive to the end user. Good luck if if you have tweaked any browser settings to be more amenable to privacy!

I wish more sites would implement a Jigsaw-puzzle-style similar to the Binance login captcha, but I can't speak to the efficiency of that in defeating bots.


Sometimes it is straight up wrong too. I once got a picture of a sign with a traffic light on it asking me to identify the traffic light. If you selected nothing it wouldn't let you go ahead. So I clicked the squares with the sign and it let me proceed. I don't even think it should be that difficult to see that it wasn't a traffic light since all colors were bright. A typical in use light will only show one color at a time.


>Originally it was an awesome solution based on OCR'ing books that usually worked quickly on the first try, and almost never took more than two.

People kept trolling it by typing the test word correctly, and random garbage instead of the OCR word. It was easy to spot which one was which. Source: I was one of these people.


It is made by google to train their neural networks. Neural networks are evolving and need harder examples for training.


Because it is an adversarial system, the busters are getting better, so reCaptcha needs to catchup.


What happened? The spambot algorithms have gotten better and can now defeat the simple tasks. It's a perpetual arms race of you vs. the spambot developers.


they’re using the service to train self-driving cars to recognize traffic lights, bicyclists, etc


Big rant, there are few things I hate more than filling out their endless useless CAPTCHA's when browsing websites that have nothing to do with Google.

Google is a hypocritical pile of burning . They use bots right? They scrape websites, they infest everything from my banking website to console emulators with their tracking, and yet we little people are not allowed to scrape or interface with the web programmatically.

I want them to burn so badly, I hope the EU breaks them up. Screw captcha, screw AWP, screw them.


It's the web developer that doesn't want you to interact with their site programmatically.


Google and Facebook tend to do it as a matter of policy, and while they say it's to protect privacy and prevent abuse, it also furthers the "walled garden" effect.


> It's the web developer that doesn't want you to interact with their site programmatically.

Yeah because too many people abuse any hint of such functionality to peddle fake Viagra, pennystock scams, MLMs, ICOs or the good old SEO link spam.


> Big rant, there are few things I hate more than filling out their endless useless CAPTCHA's when browsing websites that have nothing to do with Google

In some cases, the blame should be put on the site runners. I get a ReCAPTCHA when logging into my Patreon account. I've been paying then $10+/month for years now, they should know by now I'm not a spammer


They're not hypocritical but cynical. There is an appreciable difference.


I thought you could disallow Googlebot in your robots.txt file?


Google respects robots.txt


I thought this was just me and their stupid caption being impossible for even humans to solve; turns out I was just being gaslighted this entire time and they're just discriminating against Firefox users? How does the EU or someone not shut down this sort of anti-competative monopolostic nosense? I didn't think I could get more furious about having to struggle with these captions all day, but somehow I am. Please everyone stop using recaptcha on your sites, it's not worth the pain it costs your users.


  they're just discriminating
  against Firefox users?
At least part of the behaviour shown in the video depends on factors like cookies, IP address, and whether you have features like anti-fingerprinting protection turned on. [1]

Recaptcha is frustrating and I dislike it, especially the slow fade-ins and multiple challenges, but if you repeat the test shown in the video you won't find it 100% repeatable just because you're using Firefox.

[1] https://github.com/google/recaptcha/issues/268#issuecomment-...


I just wasted ~15 minutes on doing the disqus login captcha under different conditions .. turns out that as soon as uMatrix is enabled (and blocks 18 cookies from google.com and 5 more from www.google.com), it starts to act up and get annoying..at least for me.

It then takes between 1 minute and 1 minute 30 to get past the recaptcha when blocking those cookies - and I was certain to be 100% correct in most cases and it kept asking me to solve more and more ..

most of the time spent solving the captchas is from the countless '4s fade ins' via inline style when cookies are blocked (as opposed to 1s fade ins via css, when cookies are set).

I'm curious why they would add 3s to the fade in if their cookies are blocked .. does that help to fight off bots, or does google just want to punish me for blocking their cookies?


That's what I don't understand. If you're building a bot to get past reCAPTCHA then you're almost certainly in some selenium/chrome headless environment, with full chrome support of cookies, Javascript, you name it. There's certain methods of detecting such environments based on their environmental variables there were again more work around to patch those.

Also the fade is irrelevant because the bot already has access to the image without the fade (although it still has to await the fades completion to continue).


The fade thing is to rate limit attackers.

By blocking specific cookies you're making yourself look like a certain kind of botnet, so obviously you're going to have a difficult time convincing the site that you're a legitimate user.

Most users don't block normal cookies, so if you go tweaking the machinery that manages the relationship between your browser and the site, then be prepared to deal with a buggy experience. This is what it means when they say that what you're doing is "unsupported." Nobody is going to spend any time optimizing for your weird setup.


Once again, Google obstructs the web for people who take even basic privacy measures.


As far as I can tell it's 100% repeatable, every now and then one works the first time on Firefox, but it almost never does. If I use it in Chrome on the same sites, it works. Then I go back to Firefox, and sure enough it doesn't work again. Maybe there's something else making it work for you? I don't know what other factor there could be; some privacy settings in Firefox maybe?


After a a couple of minutes they sure should have an idea that I am a human, right?

Especially when I'm logged in with my 12+ year old paid account?

Won't say anything bad about googlers but in between this and the deeply irrelevant ads I get despite all yheir metrics the company seems deeply dysfunctional these days.


If it can be statistically proven that this is occurring more on Firefox than Chrome then Google has a really, really big problem. The burden to make sure it isn’t is on them, most especially in the EU. Google is facing a very real future where they will have no web browser and possibly no operating system.


It absolutely is happening more on Firefox. I open Chrome almost exclusively to bypass CAPTCHAS, and I doubt they will get in trouble because Chrome gives more detailed data due to its invasive lack of privacy. You can't really blame Google for using its own tech to provide "better" results, but it is high time we started blaming them for the massive privacy violations they use to make their convenience work.


> You can't really blame Google for using its own tech to provide "better" results ...

Sounds like antitrust to me.


Safari too. If it also happens in the new Edge, I will be sad but not surprised.


The website author seems to be Russian which might be an indicator. But not a good enough excuse for such terrible UX.

Using Firefox shouldn't be an indicator of anything malicious.


EU may end up dealing with it, they need complaints first. You’d be amazed how few people fill out complaints with the government. I just filed a complaint about this with the US department of justice antitrust division, feel free to do so as well so they realize how abusive this is!


> EU may end up dealing with it, they need complaints first. You’d be amazed how few people fill out complaints with the government. I just filed a complaint about this with the US department of justice antitrust division, feel free to do so as well so they realize how abusive this is!

How do you go about filing this complaint? I'm sure many others (myself included) are interested


Here’s the page with the instructions: https://www.justice.gov/atr/report-violations In this case, I let them know that Google was using their position as the market-dominant browser company to make it more difficult for consumers to use alternative browsers by making captchas much harder to use on alternative browsers. I explained what a captcha was and how it affected me as a consumer using Firefox.


Care to share your complaint?


In Chrome Incognito mode, I saw it a few years back, but less frequently recently, it also happened to me with other browsers like Edge, Chrome in iOS, etc.


Google Captcha is a complete mess at this point and I often leave websites that use it if it's not essential to what I am doing


I don't log in to Google Captcha sites anymore, unless I absolutely have to.

Their discrimination against FF users has been fairly evident over the past year or so.

It's amazing how my identification abilities improve exponentially by using Chrome instead of Firefox.


Reading these types of comments on HN, you'd think HN doesn't use Recaptcha for login/register. ;)

Easy to hate on Recaptcha while reaping the rewards of participating in a community that deals with less automated spam because of it. :)


> HN doesn't use Recaptcha for login/register

I just created a new account to check; not even so much as a Recaptcha url in the page source.


Hi there!


Really? I use a VPN most of the time and have not once had a captcha for logging into Hacker News.


I signed up years ago, and never have to login really, and have never see a captcha on HN. Not saying it doesn't exist, but I've had myriad captcha issues on other sites, but never once here.


Even more annoying are those sites that insist on using it, even though they know I'm human -- for reasons like I've paid them some money or jumped through their KYC hoops. At that point it's just being rude and exploitive, and, personally, I've reached the point where I'll simply take my business elsewhere if a site chooses to treat me with so little basic respect.


There's a case for preventing bot action even if the bot is willing to pay. Though putting a captcha right after a payment step is borderline fraud.

What's KYC?



Oh you mean like Mongodb Atlas? (Although looks like they've gotten rid of it or toned it down). There were days where I couldn't log in because recaptcha just refused to let me.


I will cancel services that use it too. I am not wasting 5 literal minutes to solve impossible captchas because I don't use Chrome.


My power company (the sole government-run provider in my area) now has reCAPTCHA on their payment form.


Which was my point from my earlier downvoted comment. The idea that training Google AI is a condition of use is ridiculous. You have to provide free labor to Google as a condition of paying your electric bill. You also have to share your data with Google — even if you decide not to complete the Captcha.


The newest version is going to be invisible - i.e. it just "works" without a questionnaire. It's based on a scoring system that doesn't prompt users unless the website owner wants to prompt them below a specific score. You've likely already used it but don't remember it because it was invisible.


That was supposed to be what this version was (reCaptcha v3). As a matter of fact, however, quite a few of us get extremely long or unsolvable captchas every time.


No, the OP is showing v2. v3 doesn't have any UI for end-users: https://developers.google.com/recaptcha/docs/v3 It is simply a scoring system, applying an ML model to typical actions for your website.

It's up to the site owner to determine how to handle those that don't meet v3's score, which can be a traditional CAPTCHA or hopefully something more effective and forgiving to humans: https://www.w3.org/TR/turingtest/


I was assuming that most people were using v3, my browser was flunking the scoring test, and v2 with the UI was being shown as a backup. Did everyone decide not to use v3 for some reason?


v3 is the newest version that came out only recently, and requires changes to the front end implementation. You have probably used it but because it didn't prompt you, you don't remember it (i.e. survivor bias).


I see - I assumed your top level comment was talking about something after v3, since that's already out. It would be interesting to see which sites have already implemented it. Maybe there's a userscript or something that can detect it in the page?

Personally I'm skeptical it will ever work correctly for me without tinkering, because I block third party requests (especially to Google) by default.


Same... so frustrating. If it's Google's goal to create frustration for non-Chrome users that would be evil :'(


Turbo Tax uses Google Captcha when trying to import information from financial institutions.

While filing taxes, on several occasions I had to just give up and try again after several hours because the Captcha won't let me pass through and after several attempts Turbo Tax will throw an error - to come back later.

It was literally a Nightmare


TurboTax itself is a dumpster fire, too. I recommend doing taxes on paper just to avoid touching Intuit or Google in any way.


I don't think that's an option for anything other than 1040-EZ. I get lost filing with turbo tax, I can't even imagine how it'll be on paper.


It's not that hard if your taxes are simple (standard deduction, maybe some capital gains). Keep in mind the filing companies have an incentive to make the process complicated.


I don't think the filing companies are actively making the forms harder to fill out by hand, but the problem is that the IRS has no incentive to minimize the time it takes to file taxes.


Actually, big accounting firms and tax automation companies spend a lot of money lobbying congress to keep the tax code complicated. It would save everyone a lot of time and money if the IRS would just tell us what we owe - they already know the answer, it's not like they just blindly accept whatever we say.


It's a bit more expensive, but for this type of thing and other reasons, I now use a CPA.


... who then use an Intuit product to file your taxes


If it's a CPA that's not on their own, there's a good chance they're using something vertical market instead - Wolters Kluwer, Thomson Reuters, not sure what others.


Interesting, I wonder if this is something TurboTax itself is doing or if it's something the banks are going and TurboTax is making you bypass it in order to scrape it.


Not really sure, it was shown after the credentials for the financial institution were entered.

However, it was shown for each financial institution. So it is possible that the financial institutions (or the API provider) were doing it, though it is equally likely that turbo tax just has a bad implementation. Because TT can make an assumption that I'm a human, I wonder if there is a regulatory requirement or the API provider is doing that.


The slow animation is the worst. You really want to punch someone responsible in the face.

And I never figure out how to solve the traffic light riddle.


The worst part about the slow animation is that when an image you've clicked is fading out, you might think you've completed everything and then click the "Verify" button at the bottom. But then that causes you to have to restart if that wasn't the last image. This is the part that convinces me that ReCAPTCHA was made to fuck with people.


I've never understood why they don't just say what you're supposed to select - it it just the lights, or the poles too? What if part only enters a box by a few pixels? Just tell me what you want, dammit!


You're not supposed to figure out the traffic light riddle, you're not a human if you do.


Yes, it's the most obvious internet rage trigger.

But I can't figure out why they make a 'delay'? Why not just show the next dam image?


To make it more expensive for bots to try this at scale, obviously. Unfortunately it's making it more expensive for humans too.


you may be right about the fade-out and delay but the time spent fading in only hampers humans not bots. As soon as it starts fading in the image is present in non-faded form and the bots can start processing it.


You realise you've just described why this would distinguish between bots and humans.

(And yes, I'm also driven to rage by slow-fade animations. A practice I can date back to Microsoft's Clippy, which, when you punched it in the fact to go away, had just one more gratuitous animation just to twist the knife that just more.)


No, it doesn't help distinguish the two, because this check can be easily circumvented by adding a small, random delay.

To reiterate: the primary goal seems to be slowing down bots.


But does it slow the bot down in a meaningful way?

If you have one IP, there's a limit on captchas solved that you're going to blow through with or without the delay.

If you have a bunch of IPs, you can multithread the solving.


> the time spent fading in only hampers humans not bots

Not necessarily, contrast adds detail and mistakes are expensive, so bots too are incentivized to wait for the final picture (this assuming that network communications aren't monitored to get the incoming image out of the request).

Also clicking on that image too early is a good signal that it's a bot.


The bot presumably is running in something like chrome headless or selenium (if you're processing JS), so it would have access to the image the moment the response is received.

Unless Google is literally streaming in the image frame-by-frame, I'll admit I haven't looked into the details but this doesn't seem likely as it's pretty complicated compared to just using an image.


The bot would just read the unfaded image from the DOM.


> Clicking the image too early is a good signal that it’s a bot.

The fade in is actually a nice gesture to the human to show them that an image will be there soon, while still slowing them down to rate limit the bots.


I don't agree that's it.

... it really doesn't make it that much more expensive for bots, it's just a short delay. In fact, I doubt it makes a difference at all.

But it makes things really annoying for humans.

So I don't see any advantage in that trade-off.


Include the traffic light poles.


I've never included the traffic light poles.


If I don't include them, I get asked more. (Or occasionally 'select ALL the...'.) If I include them, it usually goes away.


I don't include the poles, how about wires? What about pedestrian lights, are they "traffic lights"?


While relatable, this is just a low effort post more suited for Twitter or Reddit.

For a fair comparison OP would need to use clean browser profiles on fresh IPs. Like this it is just fan-service for Google Captcha victims (like me).


FWIW I encountered the same problem this weekend. On a fresh Firefox profile (no prior browsing activity), reCAPTCHA just wouldn't let me log in to a website! Out of curiosity, I wanted to see how long they deny me -- well over ten minutes before I gave up in shock and horror.

It felt like staring into the soul of evil.


This is a common problem with FF if you have any privacy settings enabled. ReCAPTCHA does deep fingerprinting. If you block that fingerprinting it punishes you.


If you come up with another way that is as effective in an ever growing world of bots trying to break anything in their way, I would love to use it.

I've had to pay 100x bills on my monthly quota once too often, and as a hobby developer, I just can't afford trying to fight off people abusing my website every day.

Yes, resorting to fingerprinting is not ideal, but what's better, asking everyone to solve that hard captcha, or only some users?


Considering how easy it is to use real chrome with puppeteer, I'm inclined to not give the benefit of doubt on this one to google.

In the end, a custom captcha is probably a better solution, even if it is easier than google's.


Use self-hosted CAPTCHA with simpler solutions. They still keep out the stupid bots that can't get past ReCAPTCHA.


> Use self-hosted CAPTCHA with simpler solutions

My favorite CAPTCHA is the one on the Arch Linux forms but I realize this cant be used many places. > What is the output of "date -u +%V$(uname)|sha1sum|sed 's/\W//g'"?

Easy to do but hard to do with computers. My second favorite are the math problems one.

However if these become popular people will just write bots for them and were back to square 1.


> > Use self-hosted CAPTCHA with simpler solutions

> My favorite CAPTCHA is the one on the Arch Linux forms but I realize this cant be used many places. > What is the output of "date -u +%V$(uname)|sha1sum|sed 's/\W//g'"?

> Easy to do but hard to do with computers. My second favorite are the math problems one.

> However if these become popular people will just write bots for them and were back to square 1.

Interesting...I wonder if they show destructive commands below a certain threshold. It would be funny if a captcha caused a bot to delete itself.


It would not be funny if even just one person ended up with that so I hope not. A bot would not end up in that situation anyways, either the earlier commands were already evaluated or your proposed remote kill would also not work.


Surely the same is true if you block these things in Chrome?


I kept looking for the article. Surprised to see such a low-effort post submitted to HN.


Users have the option to flag submissions


Okay, I will flag it. This submission still received almost 400 comments. That's pretty disappointing.


How can you have a fresh IP which isn't in your control?


Many of us have control of our IP Address within a certain range. In fact I have to specially request a static IP and pay money for it. A dynamic IP that changes when I refresh DHCP on the edge router is free.


> A dynamic IP that changes when I refresh DHCP on the edge router is free.

But you don't know who had it before you, what Google thinks of it ("known Spammer", "legitimate User") etc, so that's not going to help in this case.


Maybe try buying up some unclaimed IPv6 space and test from there?


The slow reloading of images is just intentional harassment. There's no other explanation I can think of.


I disagree about the more appropriate for Twitter/Reddit than HN. But that's because my immediate interpretation, while not spelled out in the "article", was within the context of anti-competitive behavior by Google in making non-Chrome browser perform more poorly with google-created content.


The topic itself is definitely super interesting and relevant. But the submitted post is pretty much a meme.


That's a good idea for a research paper. Not something I'd OP though :-)


being logged into gmail and the status of that account affects captcha as well


Not only that, you need to run multiple trials and average them. The post obviously picks the slowest most painful instance of a reloading captcha, where they got really unlucky. I've had those slow captcha's on Chrome too, they are not inherent to the browser.


FYI. Title is misleading. This experience has nothing to do Firefox vs Chrome. Result is because of 3rd party cookie and tracker blocking. I had same and even worse (I was not able to get through captcha) experience on chrome itself because I have 3rd party cookies disabled and couple privacy oriented extensions running.


No, I believe it is because the Chrome as a browser works in conjunction with Gmail and other google properties' logins to kinda figure out that you're a human.

One of the things, if it ever gets there, would be for the anti-trust probe, if any, to look at how Google shares data between its browser, Chrome, and it's other services.


How would the website code communicate with the browser, unless it was some open API you can refer to. As for "in conjunction with Gmail", yes that's called cookies.


Goole websites (and frames in other websites) share information with Chrome browser. That's what the Chrome Login brouhaha was all about.


From my understanding, that's just expanded cookies. The Chrome frame can see the cookie from your Gmail, and also log you in the browser, and vice versa. Nothing magical going on, just cookies.


This! I have a Chrome development profile which I primarily use for testing. When I encounter a captcha it's the same painful experience as the OP's FF video. I don't have restrictions around cookies or tracking either. My best guess is that I just don't have as much "usage history" on that profile for Google to just declare me clearly human. Alternatively, on my main profile that I use for normal browsing captcha (which it still sucks) is never as painful.


But I never touch cookies in FF and never install any privacy features. I have been facing the same for years.


This cannot be entirely correct as I use Chrome and Firefox with as close as possible configuration, with uBlock Origin with exact same settings, and the behaviour I've encountered is very similar to the one shown here. I'm logged in to my google account in both browsers as well.


Probably you are right. I use tracker and 3rd party cookies blocking in FF and I often spend 30-60 seconds solving captchas. Often Google says that I solved it wrong (although I try to be careful) so I have to solve it 3-4 times, sometimes with those slowly appearing images. Upgraded my skills of recognising bridges, buses and fire hydrants but still struggle with searching storefronts.


Your comment is correct, Firefox now blocks trackers and it's probably, and hopefully, blocking whatever recaptcha uses to determine you're not a robot. So using firefox you get the harder recaptcha because it's blocking Google from spying on you.


reCAPTCHA needs to be re-engineered to work even in the face of privacy measures in browsers. Otherwise it will be better at distinguishing expert humans from ordinary humans than at distinguishing bots from humans.


I'm sure there's room for improvement but at some point this is paradoxical. Users who want data privacy want their presence and behavior obfuscated, which is fundamentally opposed to anti-fraud systems which are designed to analyze the presence and behavior of users to determine if they are fraudulent.


The way recaptcha happens to work now, and its purported goal - to differentiate humans from bots - are two different things. Privacy is not fundamentally opposed to anti-fraud in the slightest.


I said that privacy is fundamentally opposed to anti-fraud systems, not the general concept of anti-fraud. To an automated anti-fraud system, there is no difference between a user who obfuscates their identity because they want privacy and a bot who obfuscates its identity because it doesn't want to be revealed as a bot.


The user is complaining about the slow CSS animations. It's definitely a bug though not something they did on purpose. I remember having the same issue on Chrome as well.


IIRC, it is something they do on purpose, to make it clear to the user something is happening while rate-limiting challenges given to the user.


Oh no Google ReCaptcha doesn't work that way. In case of rate limiting, they will just throw an error. It's probably some clever JS or CSS that got a bug in it. Here's the official thread on GH: https://github.com/google/recaptcha/issues/268

Disclaimer: We built a solution at SerpApi.com to solve those offline using ML. Timing of solving doesn't matter. It will be odd that they do that just to annoy user when it's not a technical limitation.


They’re slow because it’s live-challenging two or more recaptcha users at once with an unknown image, right?


It's not a bug. Its part of a patent Google holds designed at frustrating access for bots.


I'm from the UK and often get very American questions. Such as "select all the images with cross-walks". This isn't really a phrase we have over here, so when I first got this I had no idea what I was meant to be looking for in the array of random pictures and actually had to look it up to get past it. If you're going to force me to do a captcha, at least localise the damn questions.

Do other non-American's get this as well?


American storefronts are always an interesting guesswork for me. "Is this a rundown shack or an actual store?"


Or fire hydrants, which don’t exist in the NL. I only recognize those from US movies. Or taxi’s which can be any brand, model or color here. Sigh.


American here: I when given the challenge of "select all the images with storefronts", typically they are not US based. I almost never speak/understand the language, but if there's a big sign on the building, I select it because it's most likely a storefront.


They're zebra crossings, but I suppose you know that by now.

The captchas are completely non-localised as far as I can tell; as others have pointed out the 'store-fronts' tend to be non-American.


Generally it's not too hard to find something in a picture that is from another country, but the actual request text should really be localised. I usually go for the audio ones now though rather than the visual ones.


Another Brit here, and yes this does annoy me a bit.


I believe this is part of a greater Google strategy of using their monopoly power.

I’ve noticed that in the last week, Google no longer provides a link to the non-amp version of pages. Previously, you could press two button taps to get to the non-amp page, but now that ability has been removed. This sucks because Amp doesn’t always support all the features of a normal site, like Reddit or blogs (commenting).

I worry how Google will abuse this in the future. Right now they control the first page you visit after leaving Google through AMP, but you can usually find a link to the home page of a site. In the future, they may restrict it further.


For Google Recaptcha, I use GreaseMonkey with an user script:

"Speed Up Google Captcha"

"Makes Google Captcha works faster by removing slow visual transitions and unnecessary delays."

https://greasyfork.org/en/scripts/382039-speed-up-google-cap...


I'm really surprised that works, as I assumed the delay was random and it was looking for bots who were completing the image processing before the image has actually faded in. Huh.


Ha! Been there, done that. I registered with Patreon (using Firefox), then tried to login (using Firefox) after verifying my email address. Nineteen (19) Captcha screens later and I gave up. Seriously. Bastards (and apologies to the Creatives I was trying to contribute to).


As a developer who has worked with reCAPTCHA in the past and as a diehard Firefox user, what likely happened here is a form of shadow banning.

You're moving too fast; your mouse and mouse clicks are "too good" to be human. Try solving the reCAPTCHA slower and you'll see wildly different results, or, purposely fail one reCAPTCHA to get easier ones.

reCAPTCHA tech is crazy; reCAPTCHAs are not simple web forms and Javascript, they're a sandboxed and monitored 'window' to a Google server. If you solve too many reCAPTCHAs too quickly (ie. when you are testing a web page, or are rotating your passwords on many websites) then Google's servers will try to rate limit you with slow animations and harder reCAPTCHAs.


> reCAPTCHA tech is crazy; reCAPTCHAs are not simple web forms and Javascript, they're a sandboxed and monitored 'window' to a Google server. If you solve too many reCAPTCHAs too quickly (ie. when you are testing a web page, or are rotating your passwords on many websites) then Google's servers will try to rate limit you with slow animations and harder reCAPTCHAs.

Google should absolutely not be in a position where it can be inadvertently rate limiting your attempts to rotate passwords on different websites across the internet.


The fire hydrant example... I deal with this every day. It takes soooo looooong to load, it's really ridiculous.


There have literally been times where I debated whether or not I wanted to purchase something because of the knowledge that I would have to solve Google's captcha. Humble Bundle, in particular--the login process for me (due to uBlock+uMatrix installed) is like this:

1) Try to login

2) Login doesn't show up--go to uMatrix and whitelist some crap.

3) Try to login again.

4) First phase of login completes, now blank when site tries to load Google captcha.

5) Whitelist Google captcha frames in uMatrix and reload again.

6) Login for the third time, Google captcha now displays properly.

7) Spend 10 minutes solving captchas. If I'm lucky, the first "Verify/Submit" will work. If not, I probably need to whitelist cookies for it within uMatrix and reload/try again.

8) Get notification from HumbleBundle that "You have not logged in from this browser before" and wait for a Verification email to hit my inbox.

9) Enter verification code. Site usually then logs me out for some reason, even though it was successful.

10) Login again. Solve Google Captchas again. Finally allowed to login.

11) Finally buy the goddamn thing I was there to buy.

12) Search Amazon for wig.


>Humble Bundle, in particular

Funny you should mention that, I actually wrote an email to support asking them to have frickin mercy with the google captchas. The response was as you expect "we do this for safety and protection, yada yada" which to be fair, I obviously didn't expect them to change anything, although I hope it did help raise some awareness.

The interesting thing I got out of it was that they mentioned that google captcha for logging in is disabled so long as you have 2FA activated on your account, which certainly helped, at least a little bit. You do still have to use the captcha to buy anything from the bundle (at least if you're using something like paypal, anyway).


I've emailed them about it as well. Totally sick of having to grind through Google to sign in to HB, I've not bought stuff because of the effort too. I also really don't think it's appropriate to include Google as a third-party in login processes anymore.


I wrote to them asking to close my account for exactly the same reason. Recaptcha was making me less inclined every visit to buy something.


It always amazes me that companies, especially those that know their audience is tech savvy, don't test their sites/shops/systems with common things like ad blockers or privacy plugins. I often run into hidden problems on sites that go away after I allow some third party domain.

I wonder if it's just incompetence at the developer stage or a management decision to annoy users that have ad block etc. Neither really makes sense, I'm a paying customers, they shouldn't take it personally that I don't care for ads, and they are multi-million (or even multi-billion) companies, surely somebody there knows that ad blockers exist.


I _have_ multiple times walked away from a purchase due to reCAPTCHA at the login form (Sony - PSN). It makes me think "You know what, this isn't worth it", and I don't want to help Google out anyway.


I tried sending an email on their support page to complain about it as they are likely losing customers like me but it was behind a captchas and I gave up.


I'd be cool with it if it didn't fade out the selection and load new images. Fine, you want to do that, Google? I think some of these other images are hydrants, too!


The point of the challenge isn't really to get the "correct" answer. It's for the captcha to be sufficiently confident that you're a human.


I face that example everyday too. I'm really curious this does not appear in Chrome.


It does. I've run into it plenty of times with chrome.


The Google captcha enrages me. Why should I train their stupid AI?


there are updates coming that will make it much more tied to your google account. i fear that it will mean anybody not currently logged in is assumed to be a robot. (even more so than now, i mean.)


ReCAPTCHAv3. It will differ from ReCAPTCHAv2 in one important respect: it will no longer ask you any questions, meaning it will no longer give you the opportunity to appeal it's snap judgement of you.

https://developers.google.com/recaptcha/docs/v3


> "reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion. reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics."

Just what the world needs, another tracking script...


According to the recent Planet Money podcast on Captcha, the upcoming changes will only use the signal of whether or not you have an account, and not any account-based data, since it will be domain based on the website or something.

Also, they're doing away with the questionnaire. It works by using a scoring system or something similar since it loads on the pages leading up to form fills.

Edit: Source for you disbelievers - https://developers.google.com/recaptcha/docs/v3

>reCAPTCHA v3 returns a score for each request without user friction. The score is based on interactions with your site and enables you to take an appropriate action for your site.


> It just "works" by default.

right. until it doesn't, like it wouldn't for someone who actively avoids feeding their personal information to the goog. and it is sounding an awful lot like the fail case is full denial of service, without any option for the user to prove themselves.


>the upcoming changes will only use the signal of whether or not you have an account, and not any account-based data

Recaptcha doesn't care. But totally unrelated, it just accidentally worked out to be awfully convenient for Google's other surveillance products embedded on the same sites, which do care quite a bit about how long and how often they can follow me with a single unique identifier.


You still believe PR fairytales?


And the alternative is believing something else with no evidence. Is that better?


I use https://github.com/dessant/buster to avoid captchas and swear by it. It uses google's speech to text to transcribe the captcha audio element, and posts it back as an answer so you don't have to do the annoying images.


Because you're not providing advertising revenue as a non-chrome user ;)


To provide compensation for the websites use of their free, and effective, service designed to combat bots?


What's funny is that the AI needs to be trained...yet it already knows which choices are correct and incorrect. So, is it really necessary?

Edit: This is a joke, I am joking.


I don't know how the image captchas work but the old-fashioned type-the-words captchas asked you one it knew the answer to and one it didn't. By giving unknown words to multiple users and finding a consensus they could move words from the unknown to known set.


If they do it the way that the OCR recaptcha works, it allows some new ones to go through and uses consensus to classify them.

So most of them will have already been classified and those are used to test your integrity (and verify you) but an occasional new one will be presented that won't count towards your verification and if enough people agree on it it'll be classified.


I suspect it knows the correct choices for some of the little pictures it shows you, but for others you are training it.


This is the natural question to ask. I finally decided that they probably compare your answers to several other humans to validate training data.


> Edit: This is a joke, I am joking.

The voters seem to have formed a consensus that it was not a joke, unfortunately, so your humor has failed the test.

(This was a meta-joke, and I too am joking.)


I find it incredible that modern reCAPTCHA exists and is legal.

Aside from the the obviously concerning censorship that happens if you try to access reCAPTCHA-locked sites over Tor, it is literally forcing internet users to do free labour for Google so that can train their AI for whatever project they're doing.

So not only is it a tax on using the internet (paid in seconds to minutes of human existence each time -- I bet reCAPTCHA has collectively cost humanity thousands of lifetimes of wasted effort solving stupid puzzles) and it creates censorship, it also is an act of charity on our part that we provide Google free work with no benefit for ourselves. Given that they literally pay people to do (something similar to) what we are doing for free, I wonder it there are labour law arguments to be made (we aren't paid anything for this work which Google clearly is willing to employ people to do).


You're barking up the wrong tree here. reCAPTCHA is a free service that developers implement. If you don't like that, complain to them. Companies aren't compelled to use Google services - they have no choice because the bot issue is untenable without it.


Yes it's a free service which developers choose to use (though many sites use it without knowing through CloudFlare), but that doesn't change the fact that Google has decided to use it as a method of getting free labour out of internet users.

reCAPTCHA used to be far more reasonable and ethical when it was being used to digitise books. And when you got reCAPTCHA'd constantly as a Tor user, it wasn't so bad. These days I have to spend several minutes of my life giving training data to Google on every site which uses reCAPTCHA, with nothing in return except for the privilege to be able to access the internet.


This is the experience with the `privacy.resistFingerprinting` flag set to true. A while back I made a few try to see how the behavior change with different settings and extensions, you can see the result here: https://github.com/google/recaptcha/issues/268#issuecomment-...

I solved the problem by using an extension that toggle that flag: https://addons.mozilla.org/en-US/firefox/addon/toggle-resist...


Would it be possible to build a Firefox plugin that creates and isolates the requisite cookies to allow reputation to be built, but at least partially maintains privacy?

I was thinking maybe something that has 10 difference Google sessions, and shards them depending on the website, deciding which to send to the Captcha. You'd build reputation at 1/10th the speed, but you'd still potentially build it. Or, one that allows you to create a random Gmail account and then use that as your identity across the different sites. Perfect privacy would be hard, but improved privacy should be doable.

Alternatively, getting something like blinded identity tokens widely used would be good.


I doubt it's easy, so I prepared such a setup myself, i.e. I keep a separate browser with a Google account and use it only when I really need to. Helps in cases like this one, but of course you give up some privacy - hopefully just the minimal bit.



I'd love Apple to throw their weight behind this. Maybe this + bundle it seamlessly into iOS Safari.


I'm fairly sure (but admittedly not certain) that captcha uses non-cookie and non-account based methods for identifying users, so I don't those methods would work.


I suspect it falls back to the other methods, but if there are Google cookies, I'd have thought it starts with them cookies.


Sounds like Firefox containers should support this kind of usage.


I consider putting the following on my cv:

2016-2019: working for google - analyzing street footage for implementing AI for self driving cars.

Maybe I should also invoice google for the effort.


Would a class action lawsuit for unpaid wages be plausible?


I there any anti reCaptcha or anti Google, that I can donate to? I want to donate a small amount every time Google forces me to solve their problems.


Pay the website owner to remove reCaptcha from the sites you use?


Get a disabled person to take them to court for discrimination.


> Get a disabled person to take them to court for discrimination.

I was thinking something more along the lines of sponsoring them to take Google to court ;)


Are you using Canvas Blocker or similar extensions ? As a FF user I also have to go thru 3-4 captcha everywhere and I'm pretty sure it's because the system is having trouble giving me a stable fingerprint.


The latest captchas are so hard that when I encounter one, it really feels like I am engaged in an unpaid labor relationship with Google.

It makes me sad that they are so pervasive or I would categorically refuse to engage with any site that uses reCaptcha.


This is especially prevalent in the Google mobile site tester in Firefox. In FF you have to do the Captcha almost every damn time. Switch to Chrome and it stopped immediately for me.


Sometimes it's stairs, and they ask you to click all the stairs, but there's an inch of stairs overlapping one window, so you aren't sure if you should click that window because of the pixel or not.

This whole captcha joke and firefox made me hate Google more than anything else.


It's simple; any shitty website that uses this garbage—don't use it. If there is a "contact us" page or email, tell them why you will no longer use it.

If it's your bank's site, move a bank. You say "oh, it's a lot of work just for some captcha"; yes it is, but this is the only way this clowns will learn. When 1000 people leave a bank for a competing one and say "I left because your site employs captcha", it will magically disappear. I've seen it happen.


Are you against all captcha then? How do you suggest websites deal with automated spam or other attacks?


I'm a Firefox user and I did encounter some issues with reCaptchas in the past but this video doesn't convince me at all.

For reference I post regularly on 4chan (not compulsively but maybe a dozen comments a day on average) and if you don't have a pass you have to fill the captcha every time. I only use Firefox. I definitely experienced what this video shows on Firefox in the past (the super-slow loading images) but it felt more like a bug than anything else and it doesn't represent the typical experience. Maybe I tripped one of Google's bot filters somehow and I ended up with a reinforced captcha, or there was a bug somewhere.

The Chrome section of the video is a lot closer to what I see usually, but they make me go through two challenges in a row typically (although that might be 4chan's settings at play).

I'm all for the Chrome hate if it means that people switch to Firefox but I think we need harder data than a short video to call shenanigans on that one.

Off topic rant: the fact that a post with such lack of substance manages to reach 700 votes in 3 hours is frankly depressing, it has no place on this website IMO.


In my experience[0], the captchas are rotated regardless of the browser. The captcha shown each time seems to be chosen based on some sort of hidden “trust level”, which fluctuates across attempts based on your choices.

The starting level, I suspect, is heavily influenced by browser settings and many other factors. With that in mind, and assuming that

1) trust inversely correlates with anonymity,

2) people using Firefox tend to be more tech-savvy and careful about their privacy, and

3) tech-savvy people using Chrome probably won’t bother locking it down, since it “talks to Google anyway”,

I’d be disinclined to believe Google actually discriminates against browsers—no matter how compelling a narrative this may seem—until I have a complete picture of OP’s setup (from browser settings to OS and connection).

[0] Last year there was a period I was getting many captchas (either my location or AWS VPN caused me to be considered “untrusted”); I actively tried to figure out how to get past it without giving the algorithm what it wants, so I could go through a dozen of these captcha screens in one browser window. I use Safari, Firefox and Chrome routinely.


Those storefront photos were remarkably clear/unambiguous, compared to some I've gotten.

When logging into an account I needed to log into, maybe a couple years ago, they'd jerk me around in the manner of this grumpy.website example, but more. One time, it went on for several topics, for what seemed around 10 minutes. I pay money for that account.

This obnoxious annoyance is in addition to the offense of some company letting third-party code from a mass-surveillance company not only into their pages (which almost every company with a Web site does, sadly) but also into their authentication page. Much more important services on the Web do not need captchas for login to accounts that were paid for. Now, every time I get a hassle to log in to my account I pay for, plus directly leak that info to a surveillance company. It makes me regret paying money for the account, like the company are oblivious or don't care, and I won't have much loyalty when the right competitor appears.


This is why once I switched to FF I also switched to DuckDuckGo


The captcha has nothing to do with Google the search engine. Google's catpcha is used on a lot of websites which are not connected with Google.

On a different note, this also makes it difficult to use such websites if you block google domains in your adblocker for non-Google sites.


You would think that they wouldn't block search. But Google kept throwing me at captcha when I was in FF and not signed in. The biggest pain so far has been the lack of map integration.


They actually block you from search if you're connecting from a VPN and have uMatrix enabled.


It looks like the user missed one fire hydrant in the middle left square. If you look closely there is a tiny fire hydrant in that picture.


I laughed when mouse hovered over it like the user was deliberately looking for fire hydrant on this one and then just moved on with rage, waiting for other images to load :D.

I honestly think this was the reason why Captcha's bot was so passive-aggressive :D


This is bullshit. I regularly experience the "Firefox" example in Chrome, but only in incognito mode. Either way, it's not something Google does deliberately to disincentivize other browsers.


I get this all the time with Safari.

It’s because Google can’t read as much about you in more privacy based browsers, so you have to prove yourself.

Not saying it’s right, but that’s the reason. It needs to be changed.


Every website that uses this fingerprinting abomination, should be ashamed.


1. Big company browser attains majority market share. 2. Big company browser's quality starts to slip, but they are not so powerful, they don't have to care. 3. Big company browser starts to work against the common good.

We've seen this before. We'll probably see it again.


Based on some CAPTCHA solving sites it costs about $3 per 1000 ReCAPTCHAs solved. That shows you how worthless adding ReCAPTCHA to your site is. All it'll do is slow bots down a bit and cost $0.003.

Here's an extension to use those services in the browser so you never have to solve one again: https://addons.mozilla.org/en-US/firefox/addon/recaptcha-sol...

That's assuming you can't get Buster to work.


Or even pay, I wouldn't mind paying 0.003$ at each Captcha as long as I have an anonymous payment system.



I see a website with google captcha I just close it. Not going to waste time and also train this huge monopoly's AI further for free.


I have experienced the same behavior when trying to complete Captchas in Tor Browser. However the vast majority of the time it just says "Your computer or network may be sending automated queries. To protect our users, we can't process your request right now." so I cannot even attempt to complete the Captcha.


I barely use Edge in Windows 10, but whenever I do and I go to any google site I get constantly badgered about 'downloading chrome' even though, a) I've already downloaded Chrome and have it installed, b) I've click such notices away 1000 times. More than mildly annoying and aggressive.


I think what most people don't realize is that you don't need a good captcha to stop most abuse. Even the crappiest of captchas will stop 95% of the bots out there. Unless your site is a high value target, you don't really need a great captcha.


Happens to me in chrome every single day. I think it's a bug in how they're detecting potential bots. Of course no one at Google will listen when you submit reports. Especially the one about selecting street lights/stop lights/crosswalks.


the concern here is about super-slow loading and more tiles to verify when you use Firefox than when you use Google Chrome browser


All of which I see in Chrome as well. Literally the same experience in the linked post.


I absolutely hate CAPTCHAs and have done my best to persuade developers to never use them (1).

But in fairness to Google, the promise of their new Captcha system is that it uses all of your previous browsing history across the web to determine how likely you are to be a bot. You can't do a fair apples to apples comparison unless the browsing history and behavior is the same across both browsers.

1) https://www.onlineaspect.com/2010/07/02/why-you-should-never...


From my experience, it's the "Access-Control-Allow-Origin: *" response header that causes the problem. So, it's in the way Chrome uses/enforces cross-origin HTTP request/response headers.


Do websites get paid to run reCAPTCHA?

I keep seeing reCAPTCHA installed on very low security sites that don't seem like targets for automated bots. I'm wondering if they have some external incentive to install it.


I'm not sure what the comparison is on Chrome vs. Firefox. I've had the pain of these slow animations, with a follow-up captcha, and it's infuriating - On Chrome. Is it better on Firefox?


The mainstream internet of today exists to serve the advertising industry (including but not limited to Google) and things that don't so serve will be marginalized like an organism rejecting a foreign body or disease. It's funny, because really the thing that makes users "more significant" than bots for the average website operator is that showing ads to real people has a monetary value attached to it. That is the only reason you prove your humanity to a machine: to validate your suitability as a target for ad spend.


This doesn't make sense to me. Making reCaptcha work worse in FF without telling user that if he/she used Chrome it would be better. Only few tech savvy people (hn readers), will eventually realize that. And it doesn't make them to switch to Chrome (or does it?). They'll just be angry.

And btw I hate reCaptcha. Is it really only option to fight with spam? When I see it on sites, like dhl parcel tracking, I get mad. I always ask why? Can they just block suspicious traffic, or at least not display captcha on first attempt.


If you increase user friction enough, subtly, eventually the affected user is going to look for something else, and now there's only one real something else - especially for non-techie users.


That's exactly what happens to me on an almost daily basis. But then I decided to change my feeling from rage to revenge. Here's how:

I get the first few selections right, so the algorithm knows I'm trustworthy. Then I purposefully get the last ones wrong. This way, I'm still validated by the captcha and I get to show the middle finger to Google.

Now I smile every time I'm faced with reCaptcha :)

Highly recommend. It does take some time to figure out the patterns (when to get it right and when to get it wrong), but once you do, it just works.


This could either be some of Firefox's privacy features genuinely making it look more bot-like to Google, Google accidentally or deliberately sabotaging Firefox, or some combination of the two. It's not really possible to tell from the outside, but it's clear that Google's incentives are for Google's products to work better with each other.

This is why Google should be broken up -- it should be forced to spin off Chrome into a separate company with a business model similar to what Firefox has.


The thing that happens to him in firefox, it also happens to me in chrome.

misleading


I experienced a similar problem. I'm using Firefox. Two websites I have great difficulties logging into are twitch.tv and italki.com, both require solving a google captcha that can sometimes take more than a minute to solve.

I am working on a micro-payments system (based on mutual credit) that should allow to pay something like $0.001 instead of solving a captcha. If this would introduce zero extra friction, would you consider using this kind of solution over the traditional captcha?


I decided to test this for a good hour once. I was suprised how little it actually matters whether you're on a cheap VPN (although i do think they limit TOR) or are actually getting the answers correct. Load up chrome or brave, and it almost instantly solved, whereas Firefox on default privacy settings is a total pain. The worst thing is how they purposely try to just waste your time with the fading images, like in OP.


The Recaptcha 3 is even worse. For example go to truecaller.com and enter a phone number to lookup in Firefox (android). You won't be able to, it will say Recaptcha had failed. Now do the same in chrome on Android and it works. It's because on ff it gives a low score (i. e user is a bot) while on chrome it passes without a hitch.

Funny thing is I haven't used chrome in months so it should be the other way round!


If you’re looking for a good commercial alternative that isn’t turning you into a mechanical Turk to train/classify ML: https://funcaptcha.co/

If you’re primarily trying to stop bots and similar take a look at https://www.kasada.io/


This reminds me of ticketmaster.

Site owners can choose not to use google's recaptcha2 but it has become the de facto standard now so no one cares.


This is exactly what you would encounter if you access Google services using TOR. It's actually even more frustrating than this.


There have been many discussions on HN about this before. Google is making us its free slaves, when they can clearly know in the first click that we are not a robot (it used to work perfectly! How can it unintentionally become that worse?) Is there no Google employee here that sees how absurd this is and get this message sent across?


Antitrust investigators should look into captcha stats for at least browser, ISP, mobile device, IP address, and referer header. It would be better if they could just get Google's algorithm, which I assume is based on more data. I'd be very surprised if Google popped captchas less for non-Google IPs, devices, and browsers.


This happens even on Chrome. If you're logged into a Google account, it seems to know that you're not a bot since your Google Account is tightly integrated within Chrome. If you try the same captcha on an Incognito page on Chrome, you will have the same experience as on Firefox. Atleast, that's the case for me.


Omg I knew I wasn't imagining things...I reached the point when I don't bother anymore...captcha means no !


Oh wow, I assumed it was just my combination of ublock origin + privacy badger + accelereyes + privacy-first settings in FF (block all 3rd party cookies, containers, resist fingerprinting, etc.) that caused many hits.

I'm not sure whether I'm glad to find out it's (also? only?) because they hate Firefox.


I have noticed that Google often signs me off from my multiple Google accounts on FF too :/ While Chrome (which I use only for Hangouts) remains logged in. A bit annoying! :D

Also, good to see that it's a more widespread issue with these captchas too, I somehow thought that I am just bad at solving them :)


Human seems able to see face on anything. WOuldn't be a good idea to use this as a way to make a captcha ?


The worst part is that fading effect is completely useless because a bot can wait too if it doesn't detect a proper image. When I tried to exploit Google recaptcha for fun it was an easy task for me to implement a timer that will wait for the image to appears correctly.


I never use Firefox, but I'm pretty sure I've seen this same format before in Chrome. No?


reCaptcha v3 fixes this behavior. Instead of having one gateway test to determine if you are a human or a bot, it collects data on a background on your browsing behavior. Thus, it has a longer browsing behavior sample for heurestics.

https://developers.google.com/recaptcha/docs/v3

Of course, you need to have cookies enabled.

If you do any browser in ignonito mode and/or use VPN or Tor you are going to get persona no grata treatment because it is likely your source network and IP address have caused a lot of problems before. The only way to go around is to have some permacookie on your browser saying you are a good citizen.


HN previously, when Google released RCv3: https://news.ycombinator.com/item?id=18331159

Has anyone posted a technical analysis of the changes? I’d love to read more about it.


I can't tell for sure, but it looks like middle row, first image might have a fire hydrant


Is this ISO52600 image thick with grain at 200% crop a car?


now that's weird. firefox is my main browser (developer edition on linux, windows and macos) and i never get captchas.

maybe it's because i don't use umatrix (i only use ublock origin)? maybe because i'm always logged-in in at least one google account?


> maybe because i'm always logged-in in at least one google account?

That's likely a primary reason.


I use a plain FF and I'm always logged in the Google account but I face this annoying captcha everyday.


I use ublock but stock Firefox otherwise. I am also logged into a Google account most of the time, but still get impossible captchas unless I switch to Chrome.


It's easy to configure umatrix to let Recaptcha through.


My company proxy kept triggering endless Google captcha games. I switched to DuckDuckGo.


I've noticed this effect as well. The white boxes, waiting and waiting, four or five different consecutive tests. All in all a terrible user experience. I thought it was because I used VPN, but this is another explanation.


I use a site frequently and am on the latest FF and I don't see this behavior - the refresh is quite quick.

Does this mean that Google knows enough about me (ie, privacy leak) that it's choosing to not having infuriating UI?


As a Brave browser user, I go through this partial behaviour every single time.


My default approach is to leave site that require reCaptcha (meaning, when ticking the box triggers the challenge) but when I do need to take the challenge I make sure I sprinkle my results with subtle errors.


Does Google use this data to help train its self driving cars and maps for identifying information?

I feel like every captcha is about a street scene of some sort... house numbers, cars, motorcycles, hydrants, stop lights etc.


I'm frankly surprised there has not been an ADA-based lawsuit against Google. I can't tell you the number of times the audio captcha has been unavailable for "reasons".


Oh, I thought it was me... seems like it was my choice of browser. In any case, perhaps Google has a harder time telling me apart from a computer. I guess that is a plus for FF then.


I've had this a lot, thought this was a bug in firefox's rendering or something. Glad to know it isn't, but now I'm somewhat more annoyed to know the real issue.


This also happens in Chrome when 3rd party cookies are turned off.


So basically Google is abusing it's monopoly as a captcha provider to inconvenience users into enabling enhanced tracking in their browsers under the guise of "security"?


If you can, skip the visual CAPTCHA and just go for the audio version. You’ll help train Google’s speech recognition bots, but you’ll get through the CAPTCHA faster.


Can someone from recaptcha team respond to this? Because this happens to me all the time and it's ridiculous


This fits the pattern of Google consistently going "oops we broke Firefox" (or otherwise made it worse than Chrome) to the extent it raises suspicion of a deliberate strategy, as described by this former Mozillian: https://twitter.com/johnath/status/1116871246510264320


I got same thing in Chrome too, so I guess its related trackers, not just for firefox lol.


I've never run into these image captcha things before. Where do they get used at?


It's the same widget as the checkbox but it throws the images at you if it has doubts.


I guess maybe because I don't have all the privacy extensions installed that some people use?


I've seen that behavior using chrome on linux when using public wifi networks.


I can replicate this same thing in a chrome incognito window...


A class action for drudgery needs to be started.


reCAPTCHA is malware. If a site uses it, I (usually reluctantly) stop using the site. It's not even a privacy issue anymore - I'm logging into the site, usually so I can give them some money (bandcamp, humble bundle) - I just don't want Google all up in my business. Is that too much to ask these days? In order to not have some creepy giant corporation overseeing everything I do, I guess I just have to not use the Internet.


This looks suspiciously like slowbanning.


i shifted from Chrome to Firefox a few months ago. been facing this super-slow Captchas. I simply assumed this is due to some network slow / server slow / browser slow. I didn't even bother to go back to Chrome to compare this.

After reading comments in this thread, now I realize this is intentional thing against Firefox.

Damn Google. what happened to your "Don't be evil" beginnings ?


Google chrome can already identify who you are and it knows you're not a robot.

That said, it still forces you do to work for its self-driving car effort.


I saw both variants in both browsers.


I don't have this issue.


nah i just need to use tor with chrome to get the same effect as firefox.


Someone explain to him that you have to click the Verify button on both browser.


reCaptcha's not all bad guys, it's actually educational.

It's thanks to reCaptcha that I know what a 'crosswalk' is.


Also how storefronts around the world look like.


this is just unacceptable


When confronted with reCAPTCHA I always switch to the audio-version as that:

- is generally easier to solve (download the sound clip using curl or wget, type in the nonsense it says, done)

- does not turn me into a mechanical Turk training Google's AI

- works in 'any browser' by circumventing the browser (by using wget/curl), thereby not allowing Google to punish me for not using their dragnet/browser.


> does not turn me into a mechanical Turk training Google's AI

I’ve been wondering about that. Are you sure you’re not training their speech recognition AI?


No, I'm not sure. It deem it unlikely though as those sound snippets are rather short and uncomplicated, something which I'd think any reasonable STT-system should be able to handle - which makes it vulnerable to those systems as well.


I'm using the audio too. The image captcha is simply broken, it often doesn't let me pass even though I've provided the only valid answer.


While you find this convenient, others may find it imperative.

Somewhat akin to labelling your pet dog a support animal or using a disabled bathroom.


More like walking up the handicapped ramp because the stairs are covered in oil and slippery.


Why are we labeling images for free for google?


Not for free. It's a service the owners of the website give to Google in exchange for letting you post. You are the product here.


Google search results page in Firefox mobile browser looks like it is from 2010.

I filed a bug report, only one version of it is fixed, later versions were just displaying same old pages.


Dear developers, if you want to avoid most of the bots use only HTTP/2 and only TLS v1.3. Don't support lower protocols than these ones and your bot problem will decrease greatly. Even GoogleBot won't be able to crawl your web site.


Congratulations, you played yourself.

It's not Firefox that's the problem; reCAPTCHA works just fine on Firefox. It's all those anti-tracking measures you installed and enabled -- they work by making your browser indistinguishable from a low-quality bot, kicking the website into self-defense mode. The slow fade is a rate-limiting measure. It's annoying to you, but it's more annoying to people trying to automate login attempts.

The site is attempting to protect your account by preventing automated attacks against it. Meanwhile your browser is doing it's best to look like a shell script, refusing to send any sort of behavioral feedback or distinguishing characteristics that might give away the fact that you're a human.

So the question is: is it really worth alienating those quirky, paranoid users who take extraordinary anti-tracking measures, just to protect your normal users from automated attacks?

Yes.

Of course it is.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: