And I never figure out how to solve the traffic light riddle.
But I can't figure out why they make a 'delay'? Why not just show the next dam image?
(And yes, I'm also driven to rage by slow-fade animations. A practice I can date back to Microsoft's Clippy, which, when you punched it in the fact to go away, had just one more gratuitous animation just to twist the knife that just more.)
To reiterate: the primary goal seems to be slowing down bots.
If you have one IP, there's a limit on captchas solved that you're going to blow through with or without the delay.
If you have a bunch of IPs, you can multithread the solving.
Not necessarily, contrast adds detail and mistakes are expensive, so bots too are incentivized to wait for the final picture (this assuming that network communications aren't monitored to get the incoming image out of the request).
Also clicking on that image too early is a good signal that it's a bot.
Unless Google is literally streaming in the image frame-by-frame, I'll admit I haven't looked into the details but this doesn't seem likely as it's pretty complicated compared to just using an image.
The fade in is actually a nice gesture to the human to show them that an image will be there soon, while still slowing them down to rate limit the bots.
... it really doesn't make it that much more expensive for bots, it's just a short delay. In fact, I doubt it makes a difference at all.
But it makes things really annoying for humans.
So I don't see any advantage in that trade-off.
For a fair comparison OP would need to use clean browser profiles on fresh IPs. Like this it is just fan-service for Google Captcha victims (like me).
It felt like staring into the soul of evil.
I've had to pay 100x bills on my monthly quota once too often, and as a hobby developer, I just can't afford trying to fight off people abusing my website every day.
Yes, resorting to fingerprinting is not ideal, but what's better, asking everyone to solve that hard captcha, or only some users?
In the end, a custom captcha is probably a better solution, even if it is easier than google's.
My favorite CAPTCHA is the one on the Arch Linux forms but I realize this cant be used many places.
> What is the output of "date -u +%V$(uname)|sha1sum|sed 's/\W//g'"?
Easy to do but hard to do with computers. My second favorite are the math problems one.
However if these become popular people will just write bots for them and were back to square 1.
> My favorite CAPTCHA is the one on the Arch Linux forms but I realize this cant be used many places. > What is the output of "date -u +%V$(uname)|sha1sum|sed 's/\W//g'"?
> Easy to do but hard to do with computers. My second favorite are the math problems one.
> However if these become popular people will just write bots for them and were back to square 1.
Interesting...I wonder if they show destructive commands below a certain threshold. It would be funny if a captcha caused a bot to delete itself.
But you don't know who had it before you, what Google thinks of it ("known Spammer", "legitimate User") etc, so that's not going to help in this case.
One of the things, if it ever gets there, would be for the anti-trust probe, if any, to look at how Google shares data between its browser, Chrome, and it's other services.
Disclaimer: We built a solution at SerpApi.com to solve those offline using ML. Timing of solving doesn't matter. It will be odd that they do that just to annoy user when it's not a technical limitation.
Do other non-American's get this as well?
The captchas are completely non-localised as far as I can tell; as others have pointed out the 'store-fronts' tend to be non-American.
I’ve noticed that in the last week, Google no longer provides a link to the non-amp version of pages. Previously, you could press two button taps to get to the non-amp page, but now that ability has been removed. This sucks because Amp doesn’t always support all the features of a normal site, like Reddit or blogs (commenting).
I worry how Google will abuse this in the future. Right now they control the first page you visit after leaving Google through AMP, but you can usually find a link to the home page of a site. In the future, they may restrict it further.
"Speed Up Google Captcha"
"Makes Google Captcha works faster by removing slow visual transitions and unnecessary delays."
You're moving too fast; your mouse and mouse clicks are "too good" to be human. Try solving the reCAPTCHA slower and you'll see wildly different results, or, purposely fail one reCAPTCHA to get easier ones.
Google should absolutely not be in a position where it can be inadvertently rate limiting your attempts to rotate passwords on different websites across the internet.
1) Try to login
2) Login doesn't show up--go to uMatrix and whitelist some crap.
3) Try to login again.
4) First phase of login completes, now blank when site tries to load Google captcha.
5) Whitelist Google captcha frames in uMatrix and reload again.
6) Login for the third time, Google captcha now displays properly.
7) Spend 10 minutes solving captchas. If I'm lucky, the first "Verify/Submit" will work. If not, I probably need to whitelist cookies for it within uMatrix and reload/try again.
8) Get notification from HumbleBundle that "You have not logged in from this browser before" and wait for a Verification email to hit my inbox.
9) Enter verification code. Site usually then logs me out for some reason, even though it was successful.
10) Login again. Solve Google Captchas again. Finally allowed to login.
11) Finally buy the goddamn thing I was there to buy.
12) Search Amazon for wig.
Funny you should mention that, I actually wrote an email to support asking them to have frickin mercy with the google captchas. The response was as you expect "we do this for safety and protection, yada yada" which to be fair, I obviously didn't expect them to change anything, although I hope it did help raise some awareness.
The interesting thing I got out of it was that they mentioned that google captcha for logging in is disabled so long as you have 2FA activated on your account, which certainly helped, at least a little bit. You do still have to use the captcha to buy anything from the bundle (at least if you're using something like paypal, anyway).
I wonder if it's just incompetence at the developer stage or a management decision to annoy users that have ad block etc. Neither really makes sense, I'm a paying customers, they shouldn't take it personally that I don't care for ads, and they are multi-million (or even multi-billion) companies, surely somebody there knows that ad blockers exist.
Just what the world needs, another tracking script...
Also, they're doing away with the questionnaire. It works by using a scoring system or something similar since it loads on the pages leading up to form fills.
Edit: Source for you disbelievers - https://developers.google.com/recaptcha/docs/v3
>reCAPTCHA v3 returns a score for each request without user friction. The score is based on interactions with your site and enables you to take an appropriate action for your site.
right. until it doesn't, like it wouldn't for someone who actively avoids feeding their personal information to the goog. and it is sounding an awful lot like the fail case is full denial of service, without any option for the user to prove themselves.
Recaptcha doesn't care. But totally unrelated, it just accidentally worked out to be awfully convenient for Google's other surveillance products embedded on the same sites, which do care quite a bit about how long and how often they can follow me with a single unique identifier.
Edit: This is a joke, I am joking.
So most of them will have already been classified and those are used to test your integrity (and verify you) but an occasional new one will be presented that won't count towards your verification and if enough people agree on it it'll be classified.
The voters seem to have formed a consensus that it was not a joke, unfortunately, so your humor has failed the test.
(This was a meta-joke, and I too am joking.)
Aside from the the obviously concerning censorship that happens if you try to access reCAPTCHA-locked sites over Tor, it is literally forcing internet users to do free labour for Google so that can train their AI for whatever project they're doing.
So not only is it a tax on using the internet (paid in seconds to minutes of human existence each time -- I bet reCAPTCHA has collectively cost humanity thousands of lifetimes of wasted effort solving stupid puzzles) and it creates censorship, it also is an act of charity on our part that we provide Google free work with no benefit for ourselves. Given that they literally pay people to do (something similar to) what we are doing for free, I wonder it there are labour law arguments to be made (we aren't paid anything for this work which Google clearly is willing to employ people to do).
reCAPTCHA used to be far more reasonable and ethical when it was being used to digitise books. And when you got reCAPTCHA'd constantly as a Tor user, it wasn't so bad. These days I have to spend several minutes of my life giving training data to Google on every site which uses reCAPTCHA, with nothing in return except for the privilege to be able to access the internet.
I solved the problem by using an extension that toggle that flag: https://addons.mozilla.org/en-US/firefox/addon/toggle-resist...
- is generally easier to solve (download the sound clip using curl or wget, type in the nonsense it says, done)
- does not turn me into a mechanical Turk training Google's AI
- works in 'any browser' by circumventing the browser (by using wget/curl), thereby not allowing Google to punish me for not using their dragnet/browser.
I’ve been wondering about that. Are you sure you’re not training their speech recognition AI?
Somewhat akin to labelling your pet dog a support animal or using a disabled bathroom.
I was thinking maybe something that has 10 difference Google sessions, and shards them depending on the website, deciding which to send to the Captcha. You'd build reputation at 1/10th the speed, but you'd still potentially build it. Or, one that allows you to create a random Gmail account and then use that as your identity across the different sites. Perfect privacy would be hard, but improved privacy should be doable.
Alternatively, getting something like blinded identity tokens widely used would be good.
2016-2019: working for google - analyzing street footage for implementing AI for self driving cars.
Maybe I should also invoice google for the effort.
I was thinking something more along the lines of sponsoring them to take Google to court ;)
It makes me sad that they are so pervasive or I would categorically refuse to engage with any site that uses reCaptcha.
This whole captcha joke and firefox made me hate Google more than anything else.
If it's your bank's site, move a bank. You say "oh, it's a lot of work just for some captcha"; yes it is, but this is the only way this clowns will learn. When 1000 people leave a bank for a competing one and say "I left because your site employs captcha", it will magically disappear. I've seen it happen.
For reference I post regularly on 4chan (not compulsively but maybe a dozen comments a day on average) and if you don't have a pass you have to fill the captcha every time. I only use Firefox. I definitely experienced what this video shows on Firefox in the past (the super-slow loading images) but it felt more like a bug than anything else and it doesn't represent the typical experience. Maybe I tripped one of Google's bot filters somehow and I ended up with a reinforced captcha, or there was a bug somewhere.
The Chrome section of the video is a lot closer to what I see usually, but they make me go through two challenges in a row typically (although that might be 4chan's settings at play).
I'm all for the Chrome hate if it means that people switch to Firefox but I think we need harder data than a short video to call shenanigans on that one.
Off topic rant: the fact that a post with such lack of substance manages to reach 700 votes in 3 hours is frankly depressing, it has no place on this website IMO.
The starting level, I suspect, is heavily influenced by browser settings and many other factors. With that in mind, and assuming that
1) trust inversely correlates with anonymity,
2) people using Firefox tend to be more tech-savvy and careful about their privacy, and
3) tech-savvy people using Chrome probably won’t bother locking it down, since it “talks to Google anyway”,
I’d be disinclined to believe Google actually discriminates against browsers—no matter how compelling a narrative this may seem—until I have a complete picture of OP’s setup (from browser settings to OS and connection).
 Last year there was a period I was getting many captchas (either my location or AWS VPN caused me to be considered “untrusted”); I actively tried to figure out how to get past it without giving the algorithm what it wants, so I could go through a dozen of these captcha screens in one browser window. I use Safari, Firefox and Chrome routinely.
On a different note, this also makes it difficult to use such websites if you block google domains in your adblocker for non-Google sites.
I honestly think this was the reason why Captcha's bot was so passive-aggressive :D
When logging into an account I needed to log into, maybe a couple years ago, they'd jerk me around in the manner of this grumpy.website example, but more. One time, it went on for several topics, for what seemed around 10 minutes. I pay money for that account.
This obnoxious annoyance is in addition to the offense of some company letting third-party code from a mass-surveillance company not only into their pages (which almost every company with a Web site does, sadly) but also into their authentication page. Much more important services on the Web do not need captchas for login to accounts that were paid for. Now, every time I get a hassle to log in to my account I pay for, plus directly leak that info to a surveillance company. It makes me regret paying money for the account, like the company are oblivious or don't care, and I won't have much loyalty when the right competitor appears.
It’s because Google can’t read as much about you in more privacy based browsers, so you have to prove yourself.
Not saying it’s right, but that’s the reason. It needs to be changed.
We've seen this before. We'll probably see it again.
Here's an extension to use those services in the browser so you never have to solve one again: https://addons.mozilla.org/en-US/firefox/addon/recaptcha-sol...
That's assuming you can't get Buster to work.
But in fairness to Google, the promise of their new Captcha system is that it uses all of your previous browsing history across the web to determine how likely you are to be a bot. You can't do a fair apples to apples comparison unless the browsing history and behavior is the same across both browsers.
I keep seeing reCAPTCHA installed on very low security sites that don't seem like targets for automated bots. I'm wondering if they have some external incentive to install it.
And btw I hate reCaptcha. Is it really only option to fight with spam? When I see it on sites, like dhl parcel tracking, I get mad. I always ask why? Can they just block suspicious traffic, or at least not display captcha on first attempt.
I get the first few selections right, so the algorithm knows I'm trustworthy. Then I purposefully get the last ones wrong. This way, I'm still validated by the captcha and I get to show the middle finger to Google.
Now I smile every time I'm faced with reCaptcha :)
Highly recommend. It does take some time to figure out the patterns (when to get it right and when to get it wrong), but once you do, it just works.
This is why Google should be broken up -- it should be forced to spin off Chrome into a separate company with a business model similar to what Firefox has.
I am working on a micro-payments system (based on mutual credit) that should allow to pay something like $0.001 instead of solving a captcha. If this would introduce zero extra friction, would you consider using this kind of solution over the traditional captcha?
Funny thing is I haven't used chrome in months so it should be the other way round!
If you’re primarily trying to stop bots and similar take a look at https://www.kasada.io/
Site owners can choose not to use google's recaptcha2 but it has become the de facto standard now so no one cares.
I'm not sure whether I'm glad to find out it's (also? only?) because they hate Firefox.
Also, good to see that it's a more widespread issue with these captchas too, I somehow thought that I am just bad at solving them :)
Of course, you need to have cookies enabled.
If you do any browser in ignonito mode and/or use VPN or Tor you are going to get persona no grata treatment because it is likely your source network and IP address have caused a lot of problems before. The only way to go around is to have some permacookie on your browser saying you are a good citizen.
Has anyone posted a technical analysis of the changes? I’d love to read more about it.
maybe it's because i don't use umatrix (i only use ublock origin)? maybe because i'm always logged-in in at least one google account?
That's likely a primary reason.
Does this mean that Google knows enough about me (ie, privacy leak) that it's choosing to not having infuriating UI?
I feel like every captcha is about a street scene of some sort... house numbers, cars, motorcycles, hydrants, stop lights etc.
I filed a bug report, only one version of it is fixed, later versions were just displaying same old pages.
That said, it still forces you do to work for its self-driving car effort.
After reading comments in this thread, now I realize this is intentional thing against Firefox.
Damn Google. what happened to your "Don't be evil" beginnings ?
It's thanks to reCaptcha that I know what a 'crosswalk' is.
It's not Firefox that's the problem; reCAPTCHA works just fine on Firefox. It's all those anti-tracking measures you installed and enabled -- they work by making your browser indistinguishable from a low-quality bot, kicking the website into self-defense mode. The slow fade is a rate-limiting measure. It's annoying to you, but it's more annoying to people trying to automate login attempts.
The site is attempting to protect your account by preventing automated attacks against it. Meanwhile your browser is doing it's best to look like a shell script, refusing to send any sort of behavioral feedback or distinguishing characteristics that might give away the fact that you're a human.
So the question is: is it really worth alienating those quirky, paranoid users who take extraordinary anti-tracking measures, just to protect your normal users from automated attacks?
Of course it is.