A separate concern I have is that Web sites running ReCaptcha often require leaking privacy-invasive information to Google, in the course of using the site.
Not only does Google presumably usually know exactly who you are when you visit that site, but even if you normally block other Google hidden Web trackers, you can't block the ReCaptcha tracker, so in some cases Google can have a very good idea of what you do on the site.
So, while this browser extension might relieve some of the visible annoyance, it doesn't relieve the more insidious problem.
Users are punished if Google is unaware of them. I built an iOS app for a major brand, but the web view would load with no cookies in a sandbox, and we realized after rollout that all users had to solve 10+ hard CAPTCHA challenges to get through, because Google was unfamiliar with them. You’ll get a similar experience loading over a VPN. We removed it.
It’s easy to see why device attestation is so alluring to these companies. Anonymity and bots look alike.
If only people built reasonable bots. The issue is mostly not with the bots existing, but with them flooding services with traffic without any backoff/throttling. And that's not even just the rando ones - Bing is often just as bad here.
i didnt even think of that but makes sense. valuable pov.
either way im sure most people are more annoyed with the gate code than they are with the tracking and would take the cookie every time. and i feel like this is similar to many things, especially with google.
but people just would rather just believe these companies are against them haha. kinda silly imo
Unfortunately it's not just getting the difficult captchas. If you try enough to maintain privacy and become invisible to the likes of Google/Meta, you have trouble creating accounts.
Like you might create an Instagram account and be automatically banned in an hour for no apparent reason.
Same company. It's a shopping app, with one of its tabs instead embedding the more sensitive pharmacy ecom side. This skipped $millions in build out, but we were perplexed when no one used it.
CAPTCHA was on for this large company because they see a lot of fraud and it removed the simplest cases of it. We turned it off inside the app, but it was a stop gap. Not sure what came after.
Recently I attempted to buy concert tickets from a well known ticket seller. It insisted I was a bot, even after disabling my uMatrix and uBlock Origin. There was no way to prove that I was not, not even a CAPTCHA. So I decided to simply not buy any tickets.
This is just one example. I get increasingly frustrated by how shit everything is and my way of dealing with it is to disengage. It is rather sad, but I was not put on this earth to wrangle apps, QR codes, verification codes, passwords, usernames, e-mails, TOTP codes, updates, activation codes, etc.
I recommend buying tickets directly at the venue instead of from ticket resellers. In most cases they will presell tickets at the door, and you can almost always buy some at the door on the night of the show - unless it's some superstar act, in which case ymmv.
I would have done that if the venue were closer to me, but it's just a little too far away for that. There might be tickets available just before the show, but I'm not willing to risk driving all the way there just to be disappointed and drive all the way back.
I am blessed that I have a number of excellent music venues in public transport distance and a very good ticketing agency about 30 min walking from my home.
So I often go there and buy them in person - still, I also use the online services when in a hurry, lazy, etc…
You can have a very hard captcha that bots cannot solve, but that discriminates against the disabled. This gives you privacy and abuse prevention, but not accessibility. You can have a very easy captcha (or possibly multiple alternative challenges), but bots can solve those easily. This gives you accessibility and privacy, but not abuse prevention. You can mostly have easy, accessible captchas, but rely on invasive tracking and fingerprinting; this gives you accessibility and abuse prevention, but not privacy. There's no way to have all three.
As AI gets better, traditional captchas get more and more useless, and you need more and more tracking. We'll probably reach a point where there's no task that computers can easily verify but AIs can't easily perform, except being "vouched for" by a company that the website owner trusts.
> The only real value in captchas isn't to stop bots, but to make it more expensive, or slower, for an adversary to abuse your service at scale.
Replace 'bots' with 'bad actors', and isn't that security in a nutshell? It doesn't even have to be computers - every day I suffer having to lock my doors and carry keys because locks are how we deter people from theft.
As an aside, this kind of thing is why I'm a misanthrope. What % of resources are spent on preventing bad actors doing the most basic, bad things? What a waste.
Most captchas don't even come off as actual abuse protection, but rather seem to exist because someone wanted to check some box for more cargo cult "security". I can understand captchas being on login pages, ideally only after a few failed logins. But most usage seems to involve gating simple pages, often on sites that should want to be publishing their data far and wide (like ecommerce). And if your site implementation is that bloated that serving what should be static pages creates significant load, you should work on fixing that rather than adding band-aids that make your site even less usable.
Have you ever run a website or online service? Whenever I've put something online, there's inevitably at least one person out there who's bored and unemployed with technical chops, who makes it their full time mission to abuse it for months until I figure out how to outsmart them. The Internet is full of these micro-tyrants and I never see anyone complaining about them. Most operators just throw their hands up in the air and depend on protection services like reCAPTCHA to make the pain go away, which always want something in return. Google is like what Paul Erdos called the "Supreme Fascist" (SF) for that reason. Every time you do something bad on the web, Google gains a little more power.
> The Internet is full of these micro-tyrants and I never see anyone complaining about them.
I'll complain about them. At best, they're poorly-informed people who don't understand the ramifications of what they're doing as it winds up as abuse; at worst, they're malicious actors who I hope are condemned to a life of a 300 baud modem over a rural telephone line in a lightning storm.
The hiccup is, these are two different problems. I'm not the service administrator; I'm the user who has to put up with the absolutely onerous "bot prevention service." Frankly, if you're a private entity, I'm mostly of the mind of do what you like. If I encounter a CAPTCHA, I will probably just bounce off the page. Except, of course, that Google penalizes me for doing that, too, because I Might Be A Bot That Got Stymied(tm).
Where my hackles are truly raised is when the government requires me to work through these moronic puzzles. I shouldn't have to do a CAPTCHA to log in to my transit pass or look up county records!
Finally, it's everyone who will handwave away "well, it's inaccessible but whachagondo" without the acknowledgement that we are all on varying levels of "abled" and that level changes throughout our lives, and not just as it relates to age.
I've worked on implementing captcha in a few situations. In every case it was with great reluctance, and we tried to limit it to places that were absolutely necessary.
But the alternative was to go down, or spend an order of magnitude more on abusive requests than legitimate ones, or allow spammers to use our commenting system to send emails.
I don't like the situation any more than you do, but that transit site might have captcha to protect it from getting DDoSed and becoming unavailable. That county records site might have captcha to protect personal information from getting scraped for usage in phishing attacks and other unsavory activities.
Sometimes there might be other ways to provide protection from bots, but those can have their own inconveniences for users. Or they could be prohibitively expensive.
I'm not saying we shouldn't try to find better solutions, or that captchas are always necessary. But in many cases, they are there for a reason.
The problem with the government is that the internet breaks assumptions that the government really doesn't want to break.
Let's take court cases as an example. Imagine your jurisdiction always let people look up cases that they had a case number for, but didn't let them search for all cases involving a specific person, to protect the innocent. This worked fine when looking up a case involved taking a trip to the court, scheduling an appointment, giving the case number to an employee, and waiting for the documents to be brought into the reading room.
Then, somebody got the bright idea to move all that to the internet, making life easier for both the people who needed access to cases and the employees who used to provide it. There's one problem, however: a computer system won't stop an unsavory company from the Maldives from querying all the case numbers and building an index of all the cases and their participants, letting people search for all cases involving a specific person - something the government specifically wanted to avoid. Captchas are the only real way to stop this.
> without the acknowledgement that we are all on varying levels of "abled"
I get this argument, and I even use it myself (it's great for getting through to people who find empathy hard), but shouldn't this be irrelevant? Even if 5% of people were born disabled, and the remaining 95% were abled for their entire lives, shouldn't disabled people still matter?
This gets an Internet Academy Award... or whatever they call it. So much of the Internet is controlled by these folks. See also: Wikipedia. Ever try to make an edit? It will be reverted 6 seconds later. Conflicts with another page? They don't care, because it is a different micro-tyrant.
A lot of captchas are out there because their business model requires wasting human time - they call it "engagement". Captchas are there to ensure human time is wasted and can't be worked around by automated means.
> often on sites that should want to be publishing their data far and wide (like ecommerce)
Mismatched incentives within the companies mean this may not actually be the case. A situation where customers come in and buy on their own (because they've heard from elsewhere how good/cheap the products are) sounds great for business (and is great), but that's absolute doom for the marketing department, for example, because not only is it clear they're not actually needed, but they get little of that "engagement" they so desperately need to justify their careers/promotions if people just come in, buy, and leave.
In such a situation, the marketing/product department would rather have someone who buys very little but "engages" a lot than the other way around, as said engagement can be (mis?)represented in various ways to benefit their own careers, whereas raw sales profit doesn't go into their pockets. Thus, captchas are one possible way to ensure this "engagement" is up, even if it overall leads to lower sales.
Can't we have some kind of a crypto scheme, which proves to the web site I am a good boy, without revealing my identity and without enabling the website to link my current visit to my previous visits or to visits on other websites?
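Schemes like this do exist - Privacy Pass is built on exactly this idea: the site's challenge provider signs blinded tokens, so redeeming a token later proves "a human solved a challenge once" without linking the redemption to the issuance. A minimal sketch of the underlying blind-signature trick, using a deliberately tiny toy RSA key (all numbers are illustrative only, nowhere near secure):

```python
import secrets
from math import gcd

# Toy RSA key -- illustrative only, far too small to be secure.
p, q = 61, 53
n = p * q                           # modulus
e = 17                              # public exponent
d = pow(e, -1, (p - 1) * (q - 1))   # private exponent

def blind(token, n, e):
    """Client blinds its token with a random factor r."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (token * pow(r, e, n)) % n, r

def sign(blinded, d, n):
    """Issuer signs without ever seeing the underlying token."""
    return pow(blinded, d, n)

def unblind(blind_sig, r, n):
    """Client strips the blinding factor, leaving a valid signature."""
    return (blind_sig * pow(r, -1, n)) % n

# Client's token (in practice, a hash of a random nonce).
token = 1234
blinded, r = blind(token, n, e)
sig = unblind(sign(blinded, d, n), r, n)

# Anyone holding the public key can verify the token, but the
# issuer cannot link (token, sig) back to the blinded value it saw.
assert pow(sig, e, n) == token
```

Real deployments use elliptic-curve VOPRFs rather than raw RSA, but the linkability-breaking step is the same: the issuer only ever sees the blinded value.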
I hate the webassembly ones which force you out of "Safer" mode to pass on TBB. I get the bad feeling they fingerprint hardware which is why they're in webassembly.
In my experience with ubo on desktop FF, with settings that block all that crap by default, it suffices to allow the domain EnCraptcha, loudblare, and the others come from only temporarily - just for the timeframe needed to get that captcha functioning. Not even reloading the site; after completing it, I uncheck that (single) domain entry, falling back to forbidden, again without reloading the site. This is usually enough for the site to work, be it in reader mode or 'native' without JS.
If not, I usually don't care, and go elsewhere on my list of distractions :)
It's not even complicated, just one click in ubo, after looking at the usual suspects, making the stupid machines feel happy, next click to deny that happiness, making ME happy, moving on.
Just out of the corner of my eyes, muscle memory, whatever...
If this is true, why hasn't there been a huge fine against Google for it? At this point, the net of GDPR is so wide as to be useless to me. If I see one more fucking cookie disclaimer, I will snap. Is this really making us "safer" or "more secure/private"? I doubt it, but lots of small software consultancies in the EU made a bundle charging everyone to upgrade their websites to make them GDPR-compliant!
As many have said here, this should be arranged at the browser level. But personally, I hate the disclaimer and having to wade through the options (although the reject all becomes more common, at least on serious sites), but I do like that now I see who is tracking and not allow it while still seeing a functioning site.
And although I am from the EU, my company is not, but I still have to comply with EU rules. Our product has no cookie or consent banners as I choose to make sure we comply and not have tracking products (or collect anything not needed for the functioning of the site) at all on our sites; this is sometimes a little bit more work but I believe the world is better for it. You don't need to track your users and you definitely don't need to pass that valuable data to Google (or CLOUD act; the US gov etc etc) for free so they can make money with your clients.
Pushing for things to be handled at the browser level is a fundamental misunderstanding of the GDPR.
Browser-based identifiers such as cookies are only a very small part of it. Furthermore, tracking goes way beyond just cookies, and is done with things like IP address/user-agent tracking and browser fingerprinting - neither requires the cooperation of your browser, it can't do anything about it.
If you're talking about codifying the various data processing categories and letting the browser communicate them via a header, that's already been tried with Do-Not-Track, which was either 1) ignored, or 2) used as one extra part of the browser fingerprint.
The root cause is that there's an entire industry of parasites that make their money on breaching the GDPR and have no incentive to implement it. GDPR enforcement itself being lax means that they can get away with such non-compliant implementations.
If the GDPR is ever enforced properly, the problem would quickly resolve. The consent flows would first become compliant, and a few months later would be removed entirely along with all the tracking because the opt-in rates are so low that it's pointless to have it. But this would also spell doom for a huge industry of scum, so expect hard pushback at every step.
The browser-level approach would work if enforced. So it's not very different from not enforcing the GDPR in its current form.
And I am not only talking about cookies; I am saying the browser should convey what I want, instead of me clicking buttons on every site I visit. But yes, if not enforced, the scum will win anyway.
Cookie disclaimers are not GDPR. They're also completely optional; you can have a fully functional modern website that stores state in cookies and not put in a cookie banner. Businesses make choices not to do that and we've become stuck at a local suboptimum.
It depends what you store and what you use it for if it touches the gdpr. You can run entire SaaS products profitably (as we do) without gdpr violations while having no cookie or consent banners. Just don't track users or store information you do not strictly need for your saas. Sure there are many more considerations, but this is a basic consideration.
> you can have a fully functional modern website that stores state in cookies and not put in a cookie banner.
Strictly speaking, notification before cookies are set is required by the 2002 ePrivacy Directive (article 5(3)), which brings cookies (and related technologies) under the banner of the 1995 Data Protection Directive (later superseded by the GDPR).
The intent of the ePrivacy law is clearly not "have a banner that yells about cookies". The intent is that you only set cookies when someone, say, clicks on the Dark Mode toggle, or does something else that sets a cookie, and that when they do that, they know the data privacy implications.
Traditional uses of cookies aren't affected: "Add to basket? (this uses cookies: learn more)" isn't that onerous, nor annoying. It's a pain for our dark mode toggle, but the law was written back in the day, when the expectation was that we could actually customise our user agents.
Can you elaborate on why these are violations of GDPR? I presume Google handles the data for EU customers in a manner compliant with GDPR (one would think).
The website has to inform its users that recaptcha does track and if they are ok with that. Many sites don't inform their users about this which is a violation. You have to inform and ask consent before you show the page with recaptcha on it.
Using reCaptcha to stop attacks might fall under legitimate concerns, as the site isn't using it to track visitors. If reCaptcha does track, that's Google breaking the law, not the website.
The website has to inform its users that recaptcha does track them and ask if they are ok with that. Many sites don't inform their users about this, which is not Google's fault. You have to inform and ask consent. Same for analytics, google cdn fonts, embedded youtube videos, etc. google sucks - they track everything - but they are not liable if you put this on your site; then it's on you.
Yes, but because recaptcha is often such a simple integration on 'some page somewhere' it is overlooked. Or people just think 'it is Google, they must have got it covered'.
> reCAPTCHA challenges remain a considerable burden on the web, delaying and often blocking our access to services and information depending on our physical and cognitive abilities, our social and cultural background, and the devices or networks we connect from.
I'm a visually impaired user, and watching captchas get more and more hostile to people like me has been... difficult.
I imagine it’s going to result in some ADA suits sooner or later, like when people went around suing business who didn’t have a ramp alternative to stairs.
I suppose it's because a bunch of the automated solvers use the audio as a workaround that the audio ones have become borderline (or even over the line) unlistenable.
The most recent few I've done have sounded like someone whispering "they threw their hair through the chair there" next to a propeller plane in a heavy thunderstorm.
I'm kinda surprised captcha still exists. It's pretty clear that the robots have beaten it, and when they haven't you can hire armies of humans for the price of a latte.
Not that I want trillions of bots hitting up every resource on the Internet. But I don't see how to stop it at this point except by excluding a fair number of regular people.
For big sites I agree, but for small to medium it's clear to me. The amount of shit thrown your way drops dramatically with a captcha in the way. It's enough to stop the barely interested scanners/attackers, which in my experience is a huge number of people.
Countering advanced bots is a game of economics. Sure, we know they can solve the captchas, but they usually can't do so for free. E.g., typical captcha-solver services charge around $1 per thousand solves. Depending on the unit economics of a particular bot, that might be cheap, or it might completely destroy the business model. I've definitely seen a lot of professionally operated bots where they invest a lot of effort into solving the fewest captchas possible to keep the cost down.
That captchas are completely useless is a popular myth.
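Back-of-the-envelope, using the ~$1-per-thousand-solves figure above: whether a captcha kills a bot depends entirely on revenue per successful action. The numbers below are hypothetical, just to show the spread:

```python
solve_cost = 1.00 / 1000  # ~$0.001 per solved captcha (solver-service rate)

# Hypothetical revenue per successful bot action:
scalper_ticket_margin = 50.00   # resale margin on one ticket
spam_signup_value = 0.0005      # value of one spam account created

# The scalper's margin dwarfs the solve cost; the spammer's doesn't.
print(scalper_ticket_margin / solve_cost)  # tens of thousands of times the cost
print(spam_signup_value / solve_cost)      # below 1x: unprofitable per action
```

Same captcha, same price - it's noise to the scalper and a hard stop for the bulk spammer, which is why the "completely useless" framing misses the point.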
That depends what problem you're trying to solve. I've seen web applications deal with someone throwing rockyou at hundreds of users on the logon form. This sort of large-scale brute forcing was completely arrested by captcha; the workarounds just aren't worth it at that scale.
There are proof-of-work schemes to slow the requests. People point out these would drain mobile batteries too fast, but don't mobile devices usually leak so much data that they don't need to solve captchas as often anyway?
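The classic form is hashcash-style: the server hands out a nonce, and the client must find a counter whose hash has enough leading zero bits before its request is accepted. Solving costs the client real CPU time (doubling per difficulty bit), while verifying costs the server one hash. A minimal sketch (function and parameter names are my own):

```python
import hashlib
import itertools

def solve_pow(challenge: bytes, difficulty_bits: int) -> int:
    """Brute-force a counter until sha256(challenge + counter) has
    `difficulty_bits` leading zero bits. Expected cost: 2**difficulty_bits hashes."""
    target = 1 << (256 - difficulty_bits)
    for counter in itertools.count():
        digest = hashlib.sha256(challenge + str(counter).encode()).digest()
        if int.from_bytes(digest, "big") < target:
            return counter

def verify_pow(challenge: bytes, counter: int, difficulty_bits: int) -> bool:
    """Verification is a single hash -- cheap for the server."""
    digest = hashlib.sha256(challenge + str(counter).encode()).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))

counter = solve_pow(b"server-nonce", 16)   # ~65k hashes on average
assert verify_pow(b"server-nonce", counter, 16)
```

The server tunes `difficulty_bits` to make mass requests expensive while keeping a single page load imperceptible - which is exactly where the mobile-battery objection comes in if the difficulty is set too high.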
This argument might have flown a decade ago, but our current economic environment is largely characterized by ignoring reality - creating vibes for upper management and shareholders is what really matters. And telling them we implemented a CAPTCHA solution creates that vibe.
I've tried throwing CAPTCHA challenges at gpt-4o, and it has so far solved all of them for me, except for OpenAI's challenge (the one where you align a hand with an object).
I'm assuming they fine-tuned the model to make it less capable of solving those.
An issue with the extension mentioned here is that it's not helping against the fingerprinting... it's actually leaving even more of a fingerprint.
It's even worse if you enable Firefox's fingerprinting resistance. For example Drupal.org is essentially unusable with Firefox anti-fingerprinting (even for basic things like patch information). Ditto Zillow.
I have to use a separate "fingerprint me" profile.
I use Firefox exclusively with default anti-tracking settings plus CookieAutoDelete. But I guess I see less than 1 captcha a week.
AWS on my private, hardly used account was the most annoying one in the past, because I had at least a 50% chance of getting it wrong. But that no longer comes up since I enabled 2FA.
Because part of the purpose of the captcha (or at least most of their uses on the modern web) is to ensure human time is wasted. It’s “proof of suffering” more than proof of work or proof of payment.
More and more botnets are being sold as a service. By that, I mean things like DDoS as a Service. So it's not quite correct to say there's no cost to the hacker.
How do captchas work on Tor websites? It has to do with CSS magic and presumably OpenResty (or without it). Anyone familiar with it? I think we should divert our attention to that.