Hacker News new | past | comments | ask | show | jobs | submit login

There are a lot of sites that are totally unusable on Firefox regardless how much you use ff.

I do all my mobile browsing on FF yet when I try to use some websites I always get this Recaptcha failed error(1) while it works flawlessly on chrome though I never use it often. Try it, maybe it will happen for you too.

Same happens on most sites which show you that "checking your browser" page via cloudflare too.

The web is very unusable unless you're using chrome because of such antics.

(1) https://cdn3.imggmi.com/uploads/2019/6/27/0dd96b25707ce6e236...




It's even worse when you're running a VPN (especially one of the major public ones). When I see reCAPTCHA I basically give up as sometimes I have to go through 6 or 7 full sets to be let into a site. It's the evil of the internet this.


reCAPTCHA on VPN is difficult, but on the Tor network, they are downright impossible. I've never been able to get past it, even after a few dozen painful attempts. That means Google services are entirely off-limits over Tor, even Search, which is a disgrace.


> That means Google services are entirely off-limits over Tor

If only it was Google services alone. CloudFlare loves serving up a ReCAPTCHA for Tor users before they can even passively read site contents. That hugely expands the damage done.


Install the PrivacyPass Firefox or Chrome extension. It was developed by Cloudflare, Firefox, and Tor in partnership. It has you answer a ReCAPTCHA and using some crypto magic, generate a bunch of CAPTCHA bypass tokens that can't be traced to your specific computer.

https://support.cloudflare.com/hc/en-us/articles/11500199265...

https://blog.cloudflare.com/cloudflare-supports-privacy-pass...

https://blog.cloudflare.com/privacy-pass-the-math/

https://github.com/privacypass/challenge-bypass-extension


Does not work with Tor.

The plugin requires "privacy passes". Those passes can be obtained by solving captchas, but when trying to do so, one is greeted with this message about being blocked: https://i.imgur.com/qXJfl6J.png


Slightly off-topic, but the users who use Tor regularly, how do you do that? For me, it has been terribly slow every time I tried to use it.


On Tor I get roughly 700 KB/s speeds, which isn't terrible for me


And what is that compared to any regular browser?


Try rebuilding your Tor circuit when this happens.

https://tb-manual.torproject.org/managing-identities/


This sort of breaks tor though, doesn't it? Tor works really well if you stay on the same circuit for a while since it reduces the chances you have a compromised circuit. If you start getting recaptcha to block every exit node except those you control, you essentially have amplified your effective strength on the tor network.


Tor is already broken for an adversary with that capability.


This sounds pretty good, but you still have to pass a captcha in order to get a pass, and sometimes that is impossible (or at least I just give up because I lost interest after 20 puzzles).

If it was developed in conjunction with Tor, how come it doesn't come bundled with the Tor browser or Tails?


they have a patent on giving out unbeatable challenges when the computer thinks it's dealing with a 'malicious agent'.

https://patents.google.com/patent/US9407661B2/en


So if you're running the wrong combination of addons/VPNs/browser you're denied access to half the web because Big G says so? And now they're aggressively pushing sysadmins to install silent data harvesting scripts on every page of their sites? WTF more will it take to get people interested in breaking up these monopolies?


Not denied access, they just keep serving up challenges to you until you give up, WAY worse than saying "You appear to be a bot, sorry".


I hear Google is a fun place to work and that they pay well.

Until software developers care -- nothing will happen.


Were Carnegie Steel or Bell fun places to work? Probably, they had cash spilling out their ears.

Monopolies need to be broken up because they threaten the free market and consequently our way of life - not because employees revolt.


From what I've seen (and most of it's anecdotal) things do appear to be changing. There are already people who won't go anywhere near Facebook now for personal ethical reasons, and even concerns that it might hurt future career prospects.


That's Juniper, not Google.

Juniper patented saying "No" to a client.


oh, sorry about that, it's conveniently grayed out in the corner :)


Tor users don't want to be running reCAPTCHA at all. There's a few privacy problems for people who run that or other ambitious cross-site snooping. Usual stuff (requests, cookies, JS fingerprinting, etc.), behavioral fingerprinting, and very detailed monitoring of what information you were accessing/reading and possibly even entering.


You can hardly blame anyone for blocking Tor traffic. You might not be using it for abuse but a large volume of abuse originates from it.


>You can hardly blame anyone for blocking Tor traffic.

Yes I can and do. It's bad enough that some websites won't let you do certain things over Tor, but preventing access to the website entirely is unacceptable. I made this account and comment entirely over Tor.

I don't see how it's okay to block Tor. That generic claim is made, but how are your spam measures doing if you couldn't handle Tor spam?

>You might not be using it for abuse but a large volume of abuse originates from it.

There is infinitely more ''abuse'' coming from Google, and yet it seems most every page I visit contains Google malware.

On principle, I hold the idea that Tor should be a first-class citizen and not disadvantaged in any way. Notice that Google's ''HTTP/3'' is over UDP, which Tor doesn't work with; I don't find that a coincidence.


https://blog.cloudflare.com/the-trouble-with-tor/

> like all IP addresses that connect to our network, we check the requests that they make and assign a threat score to the IP. Unfortunately, since such a high percentage of requests that are coming from the Tor network are malicious, the IPs of the Tor exit nodes often have a very high threat score.


And that will never change if significant services keep blocking Tor users. Thus we have a feedback loop effectively fighting privacy...


Somehow I doubt most Tor users are really just in it for privacy for general browsing, especially since it's so slow and limited. You can get a VPN for that. Unless you're a total privacy purist, there's not much incentive to use Tor unless you're buying drugs/something else illegal or just curious to look around the dark web.


Tor is free with no signup / cc required. This makes a huge difference, especially for younger users. Did for me back then, at least.

Initially it was slow, yes. But totally fine the last few years for normal browsing and reasonable downloads. Speedtest.net, speedtest.googlefiber & fast.com just now gave me 5, 6 & 10Mbps for whatever server in Ghana i got. Only the high ping causes loading times to still be a bit annoying.

But right now the biggest reason not to use Tor for anything "legit" is the many services blocking you, since indeed most current Tor users are not what those services want and the race to the bottom of Tor will continue, if we haven't reached it already.


Tor is slow if you're used to browse with a 50 MB internet connection speed.

My own connection doesn't go over 1.6MB download speed, and only if the weather is clear and I have the wind in the back.

You can now achieve a 500KB or more speed in most Tor connection, which is enough to have a confortable browsing experience, imo.

The real downside is the google captcha, which happens sometimes to even denie you to solve a captcha in the first place for web pages where there is no user input.


>You might not be using it for abuse but a large volume of abuse originates from it.

Given that Tor is a tiny percentage of Internet traffic, most of the abusive volume out there has little to do with Tor.


Sometimes Google will flag you as robot and never allow you to pass no matter how many you get right. It's total horseshit


I'm assuming you are not logged into a Google account during this? What happens if you create a throwaway Google account while on Tor? Or is that also impossible?


I remember that these days google requires a phone number. Finding a throwaway number is hard, especially in some countries.


I find they don't want a phone number if you sign up to youtube and opt to create a new gmail address instead of providing an existing email addr. Whether this works consistently, though ...

edit: also didn't try it over tor


Thanks for verifying that for me. I thought it was just me being horrible at figuring out what they want.


No, the same thing happens to me. I often run ProtonVPN + Firefox with uBlock Origin and a couple other privacy-related addons.


I prefer to see the silver lining in this. If Google wants to break the web for Firefox, fine. I'll keep using (and evangelising) FF, and the sites that are broken won't get FF traffic. I believe that FF is doing the right thing far users, and Google, while in a powerful position is currently on the losing side of history with respect to privacy. Apple is taking that fight to them, and putting budget behind inte convincing average internet users that privacy is cool, and Google abuses your privacy.

The walled garden approach worked for a while for Microsoft, and it's working for now for Google, but eventually, it stops working. Once people leave, walled gardens keep them away.


Only the majority of the Internet isn't a walled garden is it? It's more like a minefield because you don't know whether a site is going to use recaptcha and block/hinder your access.

You can't just opt out of using half the Internet because you value privacy, and nor should you have to. This requires legislation to stop.


As long as government sites don’t use it, it’s fine. You don’t need legislation for every single offense, perceived or otherwise. If you don’t like ReCaptcha, block it with an ad blocker and if a site requires it, don’t use it and let them know why. Also let all your friends and random strangers on the internet know why.


I have the same experience, some pages don't work on FF but fine on Chrome. I like to apply Occam's Razor, but with so many users it seems to me as if that's either by design, or certainly there is little desire to fix the issue.


Worst part is my chrome installation is 100% fresh with no browsing history and FF has cookies and history older than an year ago.. still google trusts Chrome more than FF?


If they looked for identifying information in cookies or browsing history people would be even more upset and spammers would just simulate it with browser bots... which is why I believe it takes a black box approach to each detection regardless of external state. Besides obviously the cookies set within the iframe of the recatcha.

This of course doesn’t help explain why Firefox is so heavily targeted by what’s supposed to be a neutral utility like Google Analytics...


I've heard that being signed into your Google account can make the challenges simpler, presumably reducing things like the noise and the slow-fade load animations.


That too could be isolated to a single reCAPTCHA session, keeping within the scope of a single iframe or page load.

The idea of tracking your history across multiple reCAPTCHA loads across multiple domains to build a user profile is what sounds like a giant privacy red flag, even though it's entirely possible given the current implementation.

Additionally asking hosts to include JS directly onto their domain which sets 3rd party cookies/data across every page in addition to tracking referring domains is equally a bad idea. reCAPTCHA 2/3 does require loading 3rd party JS directly on page, which I'd imagine is necessary to create callbacks in the frontend upon verification (as iframe content messaging is very awkward):

https://developers.google.com/recaptcha/docs/v3

Ideally the JS simply loads an iframe of the captcha HTML and handles the callbacks from events in the iframe. That's it. It shouldn't be touching anything else on your website. I'd be curious to see a reverse engineering to see how much the JS really does...


To be fair, its not super-hard to follow the incentives there...


reCaptcha isn't able to read your non-Google cookies or history, so most of that isn't being considered.


https://codelabs.developers.google.com/codelabs/reCAPTCHA/in...

Yeah, no. It certainly can read non-google cookies on the page (not httpOnly cookies, though).


I'm not sure what the link is meant to show, but "cookies on the page" is very different than the years worth of user history and cookies that GP mentioned.


I was under the impression sites using Google Analytics were included as a reCaptcha signal.


The signals aren't documented (for obvious reasons), but I'd be surprised if Google Analytics were a signal. These things are usually kept separate, and Analytics is a lot less user-specific under GDPR as the anonymizeIP flag is now very common.

That said, I've no evidence one way or the other!

My understanding is that it comes down to information they can read about your browser (does this look like a bot environment?), and heuristically how the user has behaved since the JS has been loaded (mouse movements, time between actions, etc).


I know if I was running a mechanical turk or bot farm, I'd be using a Chrome user agent via puppeteer. I'm not sure WTF they are doing other than being malicious against non-chrome.


Also Google punishes Firefox users by forcing them to click on pictures 2-3 times more than Chrome.


Same with Brave: I'm logged in into a gmail account and a custom domain hosted on gmail, yet every time there's a reCAPTCHA widget on the site, I have to do it 2 or 3 times before I'm let in.

One trick that seems to help fool that awful piece of tech: click slowly on the images, as if you were thinking a second or two before each click. Maybe click a wrong image and deselect it again. In other words, behave like a slow human, and it seems to work better than if I solve it as quickly as possible.


I also have the feeling that making mistakes — selecting an image that looks like a traffic light but isn’t — sometimes results in faster admittance than being surgically accurate.

Again, being slower and more error prone seems to be rewarded.


I don't even know what the right answer is in a lot of cases. There's a bit of the traffic light casing at the edge of a square, does that count as a traffic light, or only the lamp itself?


The right answer isn't what it is looking for. Its more looking for the way you try and work out the answer.


Which I intentionally and repeatedly fail anyway, because I'm not training Google's AI so they can sell it for use in drone strikes.

If this reduces the world Google allows me to access, it doesn't diminish mine because of it.


Other than the occasional reCAPTCHA gaslighting (which does occasionally block some service if it gates logins behind it) that we're all familiar with, I have completely excised Chrome from my life and am able to go to most any website without issue. That's with uBO and Privacy Badger running


That's odd. I never had issues with it on Firefox. Most of the time I just check the box and it's happy, sometimes I have to do an image puzzle. And that's with ublock origin. Maybe it depends on country or isp? My work place has its own /16.


Kickstarter's login has not worked for me with firefox for over a year. People just don't test with anything but chrome and it shows.


Funny enough I had to wait on the 5 second Cloudflare check to access that image. However I am using Chrome. That check I have found to be rather annoying. I assumed it would do it once, but it seems I have to go through it daily on sites I use regardless of which browser or device I use.


That image link is protected by cloudflare too! Irony intended?


The sad and depressing state of the Web in 2019: proprietary third-party JavaScript and cookies are required to view a simple, innocent JPG.


And it'll only get worse. From the article:

> "If you have a Google account it’s more likely you are human"

So, in the future if we don't keep signed into our google account(and let google know every article we read and every website we browse), we'll be cut off from the half of the internet or even more. The amount of control a handful of companies have over the internet is suffocating to know!


I have better luck if I log into Gmail :(




Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: