💾 Archived View for dioskouroi.xyz › thread › 25004476 captured on 2020-11-07 at 00:54:21. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

ReCAPTCHA and the Anonymous Experience

Author: simonpure

Score: 87

Comments: 103

Date: 2020-11-06 03:04:59

________________________________________________________________________________

typenil wrote at 2020-11-06 17:56:12:

I'm happy to hear Google is charging for ReCAPTCHA. I hope they make it completely unaffordable and get rid of any free tier.

Any disincentive for sites to force users to train AI for Google is a good thing.

Every time I run into it, it makes me hate the site I'm on. Google punishes my crimes of Firefox use and not being logged into Google by giving challenge after challenge - along with those infuriating "slow fade in" images to take bigger bites out of my day.

The world would be better off without ReCAPTCHA.

mtmail wrote at 2020-11-06 21:14:56:

And it also opens the chance for innovative (or not) competition. Hard to compete with a free Google service.

akalsz wrote at 2020-11-06 08:28:42:

reCAPTCHA
anonymous

Pick one. reCAPTCHA is based on tracking users in countless unknown ways, which is why it's basically unusable with any kind of known proxy (i.e. Google usually classifies Tor users or users from 3rd world countries as bots by default). It may be stopping "dark web hackers", exactly because it's unsolvable by anyone Google decides to be a potential threat, and that also includes bots.

Honestly, I feel like everyone would be better off if instead of reCAPTCHA, websites just used some service that automatically blocks proxies. That way you aren't getting Google to track legit users, and still forbidding potential users from joining who would otherwise be blocked by reCAPTCHA. And maybe if Google isn't watching me on your website, perhaps I'll be more inclined to visit you from my actual IP.

Or just use something that is actually solvable by humans, like hCaptcha. Cloudflare did that and it's wonderful (well, compared to reCAPTCHA), I can solve it in a few seconds, unlike reCAPTCHA which I can keep clicking on for countless minutes only to get told that "my network is sending too many requests" or something.

qertoip wrote at 2020-11-06 09:51:10:

Tor/VPN/proxy users _are_ legit users, for fucks sake.

akalsz wrote at 2020-11-06 11:09:40:

They can't be distinguished from bots with tracking, and tracking is pretty much all v3 does. Google doesn't seem to care about collateral damage, I suppose it's the "why use VPNs/proxies if you have nothing to hide" mindset.

lrvick wrote at 2020-11-06 11:57:24:

Maybe because not all countries function like yours.

Maybe they are studying security in a country where that is considered illegal hacking.

Maybe not everyone wants their data sold to parties that sell the ability to manipulate them to the highest bidder.

Honestly people that even think about blocking Tor reek of privilege and an assumption that they are above being manipulated by well trained AI fed a lot of their data.

Personally I use Tor on most devices and refuse to use sites that block it.

GoblinSlayer wrote at 2020-11-06 16:38:08:

>why use VPNs/proxies if you have nothing to hide

https://www.bbc.com/news/technology-50150981

Forbo wrote at 2020-11-06 16:42:27:

Here's a pretty decent list that I usually use when demonstrating to people that the "deep web" isn't as nefarious as it is made out to be.

https://github.com/alecmuffett/real-world-onion-sites

mindslight wrote at 2020-11-06 19:02:51:

> _no sites with an "onion-only" presence_

> _no sites for tech with less than (arbitrary) 10,000 users_

> _no nudity, exploitation, drugs, copyright infringement or sketchy-content sites_

Keep trying however you think best to convince people, but I don't see why this list would be very persuasive. With these rules, it's impossible to find anything that would make someone go "oh, that's something I want to use TOR for" if you're only considering sites that can be easily reached without TOR. In fact, I'd argue that sites on such a list are not really part of the "dark web" at all.

GoblinSlayer wrote at 2020-11-06 19:48:05:

If you can't access them, then they are dark web, but if you access them, who knows what you access, maybe you're sending bombs somewhere.

mindslight wrote at 2020-11-06 14:44:46:

ReCAPTCHA demonstrates exactly what we all have to hide - being pervasively tracked by surveillance companies such as Google.

My only browsing activity that exits from my direct ISP's IP is my online banking VM, and that's only because one site got insistent about hard blocking everything else. These companies don't understand that they're screwing over real customers with this crap.

It's especially galling when my long lived static IP VPS exit [0] gets hassled. It's clear there isn't abusive usage from this IP, since I control it. I've had it for years, so it doesn't have a bad reputation. Yet these sites still want to fuck with me for their snake oil.

[0] Which doesn't win any awards for nym rotation, but at least hides my location and disassociates activity from my direct ISP IP.

whatsmyusername wrote at 2020-11-06 16:30:29:

Yes but we're a business. They're not profitable users.

edit: Downvote and be mad if you want, but payments made through known tor/vpn services are not getting through fraud review.

y7 wrote at 2020-11-06 09:51:13:

> Honestly, I feel like everyone would be better off if instead of reCAPTCHA, websites just used some service that automatically blocks proxies.

That's even worse than reCAPTCHA. At least as a human using Tor you have _some_ shot at solving a captcha, even though you usually have to try 5 times or move to a different end node.

0xdeadb00f wrote at 2020-11-06 10:59:22:

I've been caught in captcha loops before. It will flat out refuse to let me in and I will solve captcha after captcha after captcha. This has happened to me when using Tor, being prompted by that annoying Cloudflare "Attention Required!" page both when they were using reCaptcha AND when they more recently switched to hCaptcha.

It would have saved me quite a lot of time if those sites had just flat out said "403 Forbidden".

arbol wrote at 2020-11-06 08:51:28:

I also can't get through Google recaptcha. Proxy services rotate their IP blocks so you can't simply block them all.

Captchas are in their infancy. We need to move beyond something that involves simply clicking to identify images - we're providing free training for AI, not to mention the fact that it's incredibly inconvenient for blind people.

I think a measure of uniqueness is required based on answers to questions that don't necessarily have correct answers. The distance between the question and answer would be the measure. Identifying questions that provide consistent distances for individuals would be the hard thing.

throwaway3699 wrote at 2020-11-06 09:58:50:

Captchas have audio versions for the blind, no?

akalsz wrote at 2020-11-06 11:00:13:

Yes, and it's absolutely solvable by bots (there's even a browser plugin for it[1]) so it isn't available if Google decides you are one. But it does work if you aren't that suspicious, so most of the time it should let blind users through. Well it's a bit more complicated because there are scores and such, but from an end-user perspective that's how it usually works.

Though if you aren't considered suspicious, image captchas are way less ridiculous, too. The scoring system goes all the way from .1 to .9, but usually you're either in one or the other category based on who knows what (probably mostly ip addresses, but Google doesn't tell us so who knows?).

So in the end the service is mostly just something that arbitrarily classifies users as one or the other, bots can absolutely solve them when classified as "probably human" and they're impossible for humans when classified as "probably bot".

If you want to actually present users a challenge to verify they're human, you're even better off giving them something like captchouli[2], or just a good old scrambled letters on a picture thing (which is what Google uses for their login as well, BTW). hCaptcha is also a great alternative (anything is, really) since it's still mostly about classifying users by making suspicious ones solve challenges. reCAPTCHA is absolutely not, it judges you before the challenge.

And that's fine, some websites want that. It's their choice, I'm not mad if they ban me for not wanting to be tracked, it's probably for the better. What does make me angry is that reCAPTCHA is advertised falsely, that the challenge is a joke and a crime against humanity at once, and that despite that, people seem to believe that it's the challenge that is magically blocking the bots without realizing they're also blocking legitimate users.

[1]:

https://github.com/dessant/buster

[2]:

https://github.com/bakape/captchouli

lrvick wrote at 2020-11-06 12:00:38:

So if you are blind and privacy conscious enough to use Tor... No internet for you.

miki123211 wrote at 2020-11-06 22:14:34:

Yes, and that's a serious problem. For a while, I had to use networks that I knew were monitored, so I automatically reached for TOR for some stuff, but no luck. Cloudflare beat me.

akalsz wrote at 2020-11-06 12:39:23:

It's not so much different from the sighted reCAPTCHA+Tor experience, it just wastes less of your time by straight up telling you you're a bot. Also, for some reason, if you press the audio challenge button through Tor, it immediately bans you from the image selection one as well.

arbol wrote at 2020-11-06 11:33:26:

I like the idea of captchouli as it plays on the weaknesses of ML in differentiating between similar images. However, I still think advances in AI will force us to go further and use philosophical/psychological based captchas instead of pattern matching.

Fnoord wrote at 2020-11-06 12:06:08:

I wouldn't be able to solve the example captcha. I've liked a few anime. GITS, Death Note, I believe that's about it. I would need to search for the solution. Now, you may argue that is no problem for visitors of an anime board, but I believe it's going to scare new visitors away. Due to this, websites would be less inclusive.

My guess about the future path is as follows: your government ID allows you to authenticate to generate a keypair you can use online for services such as Google and Facebook. It would include things such as a nickname, and an e-mail address as a derived public/private keypair you are able to use, including a scope (domain). Then, only such authenticated logins get full access (they are not going to phase this in like a wrecking ball, it would be slowly). It's perhaps a tad dystopian, but it has its pros and cons, and websites like GAB will continue to exist on darknet.

arbol wrote at 2020-11-06 14:06:38:

I had assumed in the anime captcha you were given an example of the character and told to identify all pictures of said character. Otherwise I couldn't do it.

A centralised ID system is one solution for authentication online but it's far from ideal.

AnthonyMouse wrote at 2020-11-06 18:04:50:

> A centralised ID system is one solution for authentication online but it's far from ideal.

A much better system is a _decentralized_ pseudonymous ID system where getting an ID is in some way expensive but still anonymous, e.g. proof of work equivalent to $5 in cloud CPU time. Then legit users can create an ID once and use it indefinitely, but also create as many as they like and replace them as often as they like for a relatively low price.

Meanwhile spammers pay $5 for an ID that only lasts ten seconds before it gets banned and has all its messages retroactively deleted, so they go out of business.

arbol wrote at 2020-11-06 18:27:08:

Attaching monetary value is one method but you always disenfranchise some people with systems like this. Cory Doctorow explores reputation based identity in his book "Down and Out in the Magic Kingdom" but it seems this also has downsides (tribalism, manipulation of rep).

It's a tough nut to crack. It goes under the term proof of individuality in terms of Blockchain.

AnthonyMouse wrote at 2020-11-06 21:09:15:

> Attaching monetary value is one method but you always disenfranchise some people with systems like this.

This is always the claim but I don't really see it. Obviously if you put something on the internet then you disenfranchise anybody without a computer and an internet connection. But who is it that can afford a $50 device and a $10/month internet connection but not a one-time cost of $5 worth of CPU time?

arbol wrote at 2020-11-06 22:47:10:

I guess CPU time is different to actually asking for money. But it would probably just skew so that CPU was incredibly cheap as spammers/bots mobilised to have as much CPU time on separate IPs as possible... Or something like that.

There's always a way around incentive based methods.

AnthonyMouse wrote at 2020-11-07 04:07:22:

> But it would probably just skew so that CPU was incredibly cheap as spammers/bots mobilised to have as much CPU time on separate IPs as possible... Or something like that.

If they had that amount of CPU time they would have the opportunity cost of using it to mine cryptocurrency instead, so it's still costing them $5 per ID.

GoblinSlayer wrote at 2020-11-06 17:37:28:

No, it's a well known character.

arbol wrote at 2020-11-06 18:27:59:

That's probably a generous use of the term well known

GoblinSlayer wrote at 2020-11-06 19:45:40:

"Broadly known in narrow circles" to be precise.

miki123211 wrote at 2020-11-06 22:12:03:

For the English-speaking and not hard-of-hearing part of the blind population, yes. And the English-speaking part is a pretty small one.

y7 wrote at 2020-11-06 10:13:28:

They're usually inaccessible if the system already suspects you of being a bot.

BlueTemplar wrote at 2020-11-06 17:08:27:

> Cloudflare

I'm starting to think that Cloudflare is even worse than the GAFAMs, due to its impact on so many of the other websites :

https://www.gigablast.com/blog.html

(If it can even be separated from them, considering that Cloudflare has received up to $110M from Microsoft, Google and Baidu !!

https://techcrunch.com/2015/09/22/cloudflare-locks-down-110m...

ClawsOnPaws wrote at 2020-11-06 16:11:18:

Their accessibility mode is "Give us your email and we'll _probably_ think you're a human for a while... until we don't and make you use privacy pass... until we take away your tokens because yeah you're absolutely a bot.". yeah... no. Absolutely not. Also that thing doesn't work with incognito, nor vpn's/tor/whatever. I've stopped trying to bother with numerous sites, all running behind Cloudflare, for exactly this reason.

CGamesPlay wrote at 2020-11-06 09:06:29:

Charging for reCAPTCHA, and even removing the free tier, seems like a good win for consumers. By having a non-zero price tag, companies are forced to actually attach a monetary value to the service, which will discourage them from using it so frivolously. As it stands today, reCAPTCHA costs consumers both privacy and time, and costs the companies nothing.

judge2020 wrote at 2020-11-06 16:58:08:

That's only for huge clients - it's free if you'll have less than a million assessments per month[0].

0:

https://www.google.com/recaptcha/about/#combined-table__tabl...

swebs wrote at 2020-11-06 11:01:29:

>As it stands today, reCAPTCHA costs consumers both privacy and time

Also it forces users to perform unpaid labor for Google.

dheera wrote at 2020-11-06 16:04:50:

Why not simply just not differentiate between humans and bots, and enforce a usage policy that works for your business?

You don't want them scraping 1000 articles an hour? Just put a limit on viewing 20 articles an hour, no need to differentiate between human and robot.

The boundary between humans and robots will blur over the next few centuries. At some point it will just be a spectrum from all-inorganic to mixed to all-organic beings that roam the planet. We might as well prepare for that future by abolishing chemistryism (discrimination against organic vs. inorganic chemistry of a being) today.

(Yes this sounds stupid, but 200 years ago, abolishing racism sounded stupid too.)

marcinzm wrote at 2020-11-06 16:09:27:

Limit by what? IP? Bots are distributed across IPs while certain users share IPs (NAT, universities, etc.). Cookie? Bots won't store cookies. Overall? Then human users will be blocked outright if there's enough bots.

dheera wrote at 2020-11-06 16:18:18:

Humans can also create a network that is distributed across IPs.

I'm mostly human and I don't store cookies.

octoberfranklin wrote at 2020-11-06 09:28:49:

Yeah the amount of website laziness that reCAPTCHA has prompted is ridiculous.

Guess what, folks, every visit to your website involves some mix of humans and software. Nobody uses the web without a browser, and every browser was written by a human. You aren't entitled to make hair-splitting distinctions and dump the enforcement burden on the public.

protoduction wrote at 2020-11-06 15:43:17:

I built FriendlyCaptcha [1], it's a proof of work based alternative to reCaptcha that is accessible.

While it's not the perfect captcha either (which I think is impossible), it makes a better tradeoff in terms of UX, price and privacy.

[1]:

https://friendlycaptcha.com

gruez wrote at 2020-11-06 16:28:11:

>The problem with other CAPTCHAs

> It's broken

>Tasks that are easy for all humans but difficult for computers may no longer exist.

>Using machine learning or even browser plugins one can solve ReCAPTCHA in under a second. There are even CAPTCHA solving companies that offer thousands of solves for $1.

This is probably a bad argument when your proof of work captcha can be solved for much cheaper. Your site says "Solving it will take a few seconds on a desktop computer", which I'll interpret as 5 seconds. The spot price for a c5a.2xlarge instance (8 thread zen2 CPU) is 21.6 cents/hr. That works out to 0.03 cents per solve, an order of magnitude less than the 0.1 cents per solve for commercial recaptcha solving services. It probably gets even cheaper if you get your compute through non-cloud providers, or through GPUs.

saddlerustle wrote at 2020-11-06 18:16:35:

It gets worse for a determined attacker. The "difficulty" on that page seems to be 136, corresponding to ~131000 hashes of blake2b if I'm understanding the documentation right [1]

There are ASICs for crunching blake2b designed for mining siacoin. One ~$2000 card [2] can do ~4 _trillion_ hashes, or 30 million captcha solves, _per second_

[1]

https://github.com/FriendlyCaptcha/friendly-pow

[2]

https://www.miningstack.com/products/dragonmint-b52

protoduction wrote at 2020-11-06 18:33:56:

We can change the hashing algorithm at will which is different from cryptocurrencies (potentially even on a timer). By changing here I don't even mean swapping out entirely, but even randomly changing the operations inside the hashing function - which will make it a moving target for any ASIC or even GPU implementations.

Right now we use standard blake2b as nobody has repurposed a miner to solve hashes for spamming yet.

The thing is, a determined spammer will be able to attack any CAPTCHA - even in labeling tasks there is always the fallback to human-in-the-loop which is cheap at scale (or even free if these are MITM'd users..).

Any (new) CAPTCHA system will have flaws and break in some way at scale, we're open to ideas and of course will try to address any (future) concerns. We are trying to provide a viable alternative to ReCAPTCHA that respects the user - and we will iterate on these problems as we go. Without some new thinking and openness to new approaches we'll be stuck with ReCAPTCHA.

Small nit: the difficulty is set to require around 2.5 million hashes, not 115 thousand. Your point still stands though.

protoduction wrote at 2020-11-06 17:53:35:

You're right that it won't stop determined attackers, there was some prior discussion here [1]. The idea is that it's good enough - while not punishing your users as much.

The difficulty can be scaled in a predictable way - it's similar to rate limiting but less all or nothing. We're about to release automatic difficulty scaling per IP, so if many CAPTCHAs are requested/submitted from a single IP the difficulty increases exponentially. Also being able to set the initial difficulty for your usecase and audience is something that should help.

Aside from that there's some more measures on the roadmap: using lists of known-to-be-datacenter IPs, and reputation lists such as [2], as hints to increase the difficulty.

But you're right - it will still be affordable to attack any CAPTCHA, FriendlyCaptcha is no exception. Proof of work approaches have downsides too.

The main ideas behind FriendlyCaptcha vs ReCAPTCHA:

* The user experience is superior. It can happen in the background while the user is doing something else. There is no labeling task.

* We don't have any incentive to collect user data or track users (GDPR compliant, no tracking cookies etc)

* It's as easy to add as ReCAPTCHA to your website. The API is a near copy of ReCAPTCHA's API. You can host the JS code yourself, or even bundle it. With recaptcha it must be third party.

* It works in any browser less than 8 years old (IE>=11), although of course it's much slower in old browsers that don't support WebAssembly.

* It doesn't have inherent accessibility problems (poor eyesight/hearing doesn't matter).

* Open source at its core [3], the SaaS wrapper is not open source.

[1]:

https://news.ycombinator.com/item?id=24921288

[2]:

https://www.stopforumspam.com/

[3]:

https://github.com/friendlycaptcha/
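An added illustration of the per-IP difficulty scaling described in the post above; it is not FriendlyCaptcha's code and was not written by anyone in this thread. It assumes a hypothetical stateless puzzle format (random nonce, difficulty byte, expiry, HMAC tag), measures difficulty in leading zero bits of a BLAKE2b digest, and uses toy constants so it runs in well under a second.

```python
import hashlib
import hmac
import os
import struct
import time

BASE_BITS = 8        # toy base difficulty: about 2**8 hashes expected per solve
MAX_BITS = 20        # cap, so users behind a shared NAT are slowed, not locked out
WINDOW_S = 600       # look-back window for counting puzzles requested per IP
PUZZLE_TTL_S = 120   # puzzles expire so solutions cannot be stockpiled
BODY_LEN = 16 + 1 + 4  # nonce + difficulty byte + expiry (hypothetical layout)


def pow_hash(puzzle, counter):
    """BLAKE2b over the full signed puzzle plus the client's counter."""
    return hashlib.blake2b(puzzle + struct.pack(">Q", counter), digest_size=32).digest()


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(puzzle):
    """Client side: brute-force a counter that meets the puzzle's difficulty."""
    bits = puzzle[16]
    counter = 0
    while leading_zero_bits(pow_hash(puzzle, counter)) < bits:
        counter += 1
    return counter


class PowCaptcha:
    """Server side: issues signed puzzles and verifies solutions."""

    def __init__(self, key=None):
        self._key = key or os.urandom(32)  # per-deployment secret
        self._requests = {}                # ip -> timestamps of issued puzzles
        self._spent = set()                # redeemed tags; prune by expiry in real use

    def difficulty_for(self, ip, now):
        recent = [t for t in self._requests.get(ip, []) if now - t < WINDOW_S]
        self._requests[ip] = recent
        # One extra bit per 4 recent requests: expected work doubles each step,
        # which is the "exponential" scaling, without a hard block.
        return min(BASE_BITS + len(recent) // 4, MAX_BITS)

    def issue(self, ip, now=None):
        now = time.time() if now is None else now
        bits = self.difficulty_for(ip, now)
        self._requests[ip].append(now)
        body = os.urandom(16) + struct.pack(">BI", bits, int(now) + PUZZLE_TTL_S)
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return body + tag

    def verify(self, puzzle, counter, now=None):
        now = time.time() if now is None else now
        if len(puzzle) != BODY_LEN + 32:
            return False
        body, tag = puzzle[:BODY_LEN], puzzle[BODY_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                   # client altered difficulty or expiry
        bits, expiry = struct.unpack(">BI", body[16:])
        if now > expiry or tag in self._spent:
            return False                   # stale puzzle or replayed solution
        if leading_zero_bits(pow_hash(puzzle, counter)) < bits:
            return False
        self._spent.add(tag)
        return True


if __name__ == "__main__":
    server = PowCaptcha()
    ip = "203.0.113.7"                     # constructed sample address
    for i in range(9):
        puzzle = server.issue(ip)
        ok = server.verify(puzzle, solve(puzzle))
        print(f"request {i + 1}: difficulty {puzzle[16]} bits, accepted={ok}")
```

The HMAC tag is what stops a client from lowering the difficulty byte, and the spent-tag set is what stops one solution from being submitted many times; neither addresses the objections raised in the replies about cheap compute or purchased residential IPs.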

saddlerustle wrote at 2020-11-06 18:03:54:

IP reputation doesn't work for anti-abuse at scale. Traffic on NAT'd broadband and mobile networks can be purchased for cents per gigabyte.

All those upsides are not compelling if it doesn't effectively stop abuse.

snazz wrote at 2020-11-06 16:42:17:

The FriendlyCaptcha demo takes less than a second on my machine (i5-7400, RX 560). A c5a.2xlarge is far more powerful.

bo1024 wrote at 2020-11-06 16:24:15:

I think this is a great solution! I have been thinking over the problems with captchas and also came to the conclusion that a proof-of-work puzzle is a fair, private, and hopefully-effective solution.

You can look around for "useful" work, similar to how recaptcha was originally about transcription. If you can find some problems of the right difficulty that people want solved (e.g. I dunno, protein folding or something), then the electricity isn't wasted and you might even be able to sell the solutions.

gruez wrote at 2020-11-06 16:29:35:

AFAIK there used to be a service that did exactly that - it used cpu cycles to mine cryptocurrencies.

Forbo wrote at 2020-11-06 16:38:21:

There's a few like that, Golem and Gridcoin are the two that immediately come to mind for me. Gridcoin uses the Berkeley Open Infrastructure for Network Computing (BOINC).

tyingq wrote at 2020-11-06 17:31:51:

Curious how spam bots react to Friendly Captcha. If it's just gobbling a bit of cpu time, I assume they mostly don't notice.

0df8dkdf wrote at 2020-11-06 17:29:29:

But yeah, reCaptcha is horrible. And you know Google is making money off you when you use it, and sometimes it takes 10 - 15 minutes to finish one thing. I hope the site owners are getting paid for my work, not just Google.

dmix wrote at 2020-11-06 19:06:46:

The idea that 1) Google is using it to train modelling stuff (I still think is true?:) for free AND 2) on top of that is also charging small startups money for it AND 3) it's annoying as hell as a customer just makes me angrier.

A trifecta of doing evil from Google (well at least two out of three, 1 should cover for 2). And I say that as a relatively pro-capitalist with no problem charging money for services but I'm also pro-privacy and don't like training their AI models for free with them charging the hosts on top of it.

0df8dkdf wrote at 2020-11-06 17:28:08:

what about hCaptcha

https://www.hcaptcha.com

?

0df8dkdf wrote at 2020-11-06 17:32:03:

interesting project. However, couldn't what they are doing be simply solved by applying bcrypt or scrypt in JS?

tleb_ wrote at 2020-11-06 08:43:30:

It troubles me how a company can say in the same post that it respects user privacy and used Google reCAPTCHA. It's not only about what you collect, it's also about what third-party services collect. Otherwise the magic solution to respecting user privacy would be using a back-end as a service (e.g. Firebase).

I might try navigating the web while blocking reCAPTCHA. How limited would my reach be? And what about blocking CloudFlare's solution?

pdkl95 wrote at 2020-11-06 12:09:28:

reCAPTCHA won't even try to work if your UserAgent isn't on Google's short list[1] of supported browsers. If they don't like your browser, the reCAPTCHA widget simply gives up with a fatal error[2]. Any new browser, browser variant, or browser-like tool cannot access any website that requires reCAPTCHA. Same for anyone obscuring their UserAgent or using an older browser for any reason. reCAPTCHA is _de facto_ restriction against any new competition in the browser market.

[1]

https://support.google.com/recaptcha/answer/6223828?hl=en

[2]

https://user-images.githubusercontent.com/20207154/29577170-...

GoblinSlayer wrote at 2020-11-06 17:51:28:

UserAgent variability is a bug anyway. Apple was right when it tried to freeze it. It shouldn't affect browser market, because browser is a user-facing tool, UserAgent isn't.

whywhywhywhy wrote at 2020-11-06 16:07:25:

For a system designed to weed out bots, whoever led the redesign of reCAPTCHA to the crossing and traffic light identification unpaid labour system had nothing but utter contempt for humans and their time.

I actually can't think of another user interaction I've had with a computer that had less respect for me as a person.

fab1an wrote at 2020-11-06 09:27:45:

Consider hCaptcha - it's basically a superset of reCAPTCHA's functionality, but much more privacy-friendly and more affordable at scale. Also, it lets anyone label their data on it, not just Google. Full disclosure, I work with their excellent team.

lrvick wrote at 2020-11-06 12:06:11:

Cloudflare/hcaptcha are the bane of my existence.

Privacypass itself is a privacy violation and not available on most browsers and I don't want to spend a half hour a day doing free labor training someone else's AI to just use the internet anonymously.

gruez wrote at 2020-11-06 16:15:14:

> Privacypass itself is a privacy violation and not available on most browsers

what?

https://support.cloudflare.com/hc/en-us/articles/11500199265...

It has addons for firefox and chrome, which makes up 90+% (by market share) of the browsers out there.

hundchenkatze wrote at 2020-11-06 19:23:13:

It's still a privacy violation.

This add-on needs to:

    Access browser tabs
    Access browser activity during navigation
    Access your data for all websites

whatsmyusername wrote at 2020-11-06 16:34:58:

Cloudflare was a blessing for us. It's an incredible service for the price.

Business tier (we needed custom certs) + advanced ssl is like $220/month and you get a WAF, a world class cdn, and DDOS protection.

zepearl wrote at 2020-11-06 12:09:08:

Thank you! (it's this one

https://www.hcaptcha.com

, right? )

I was thinking about looking for recaptcha alternatives since October and until now I wasn't aware of hcaptcha.

milankragujevic wrote at 2020-11-06 10:49:54:

Just wanted to thank you for mentioning hCaptcha.

I had tried it some time before but IIRC it was either invite-only or enterprise-only or had some "size" requirements.

Just saw that it's available for all. Thank you!

spyder wrote at 2020-11-06 13:32:07:

Uh... please no, it requires double the clicks/time to solve it. I just tried it: reCaptcha 5 clicks, hCaptcha 10-12 clicks

lights0123 wrote at 2020-11-06 14:08:15:

although, installing Privacy Pass allows you to bypass 5 hCaptcha prompts for every one you solve.

GoblinSlayer wrote at 2020-11-06 17:56:36:

FWIW recaptcha had or still has noscript mode.

ffpip wrote at 2020-11-06 08:26:16:

Guess they got tired of training their AI for free. Started charging now

Contax wrote at 2020-11-06 11:13:21:

> Started charging now

So... a web/company has to pay Google for the service... while the company's users/visitors will still do free AI training for Google? If that is how it works, that's some bold business plan (money on top of free labor).

mdifrgechd wrote at 2020-11-06 18:01:18:

For most low value sites e.g. inc.com type random news that ask me to sign up to continue, I just don't use them, because the value they provide is lower than how I value creating an account.

The same is true for recaptcha, I usually just don't use a site if they make me use it. I have stopped donating to charities because they use recaptcha and would never buy from an online store that uses it. The same as I would never go to a bar where you are searched on the way in, or buy a pizza from a place with a central call center that makes me wait to make an order. If a business wants to treat me like shit, I just won't use it.

luord wrote at 2020-11-06 21:24:23:

This reminds me that I've got to remove recaptcha from the contact form in my website.

I rarely get contacted so I wouldn't have to pay any time soon, but I want to remove all third party services from my site anyway and I have to find a way to prevent spam that would nevertheless be less annoying for someone who would actually want to contact me.

bzb6 wrote at 2020-11-06 11:08:35:

Why haven’t they considered using another captcha solution?

qertoip wrote at 2020-11-06 09:59:27:

The only long term solution is to request anonymous users to commit a tiny amount of cryptocurrency.

If you don't want to deal with cryptocurrency then this could be simply a provable burn - purely an IT thing with no accounting team involved.

beagle3 wrote at 2020-11-06 11:08:40:

Bitcoin is pseudonymous, NOT anonymous, and is often easy to connect to a real identity (and there’s already legal action against tumblers, etc, that would make it even more so)

Monero and ZCash supposedly offer real anonymity, but IIRC all implementations so far have been found vulnerable to (at least partial) deanonymization.

Crypto currencies may have good uses, but so far, anonymity is not one of them - most definitely not for the masses (and hard-to-impossible for the very disciplined and knowledgeable pros)

qertoip wrote at 2020-11-06 11:24:24:

We are talking about relative anonymity against specific service provider and not necessarily absolute anonymity when the government descends upon you.

VPN or proxy users are not really anonymous anyway and would certainly welcome an option to pay $0.1 in cryptocurrency instead of fighting infuriating CAPTCHA-s all the time.

beagle3 wrote at 2020-11-06 22:03:21:

But it's not even relative anonymity. It's pseudonymity. It's a completely different thing we are not used to dealing with.

Unless you actively try to hide your tracks, every single transaction you make is related. You may pay your friend at work $5 back for coffee using Bitcoin -- and at that second -- since he knows your wallet id -- he can check the blockchain for every transaction your wallet has ever participated in - every website you paid for (as a captcha, as a registration fee for that totally-legal-but-morally-questionable site, the money you contributed to support/oppose a political cause, etc.)

This is NOT paranoia. People who aren't the NSA are constantly analyzing and making public identities related to wallets and transactions they made. Pseudonymity is not anonymity - it's one step away from being an identity; and the fact that the blockchain is public makes all history public for an identity once that step was taken.

Take cash from ATM. Put in wallet. Use cash in wallet to pay for drugs. Use cash from same ATM from same wallet to donate to church. Only NSA/FBI has the means to track this, and they have to work for it.

Put money in bitcoin wallet. Use wallet to pay for drugs. Use same wallet to donate to church. Now church knows you paid for drugs, and your dealer knows which church you contribute to.

Brendan Eich was forced to resign because of his political beliefs, as evidenced by his monetary contribution to some political cause[0]. If pseudonymous blockchain payments become mainstream, such events are going to become an everyday occurrence. For some things, that's a net positive for society (you want to know who the hypocrite politicians are). For some things, it's a net negative (losing privacy for individuals).

[0] I'm trying to word this as neutrally as possible.

rightbyte wrote at 2020-11-06 16:18:42:

Captchas for website access (not signups etc) seem to be mostly about preventing scrapers that are not from major companies and spying of course. I don't see how they are in the interest of the site owner. It is just an annoying default for no fee caching/CDN by Cloudflare etc.

If I would have to pay 10c to visit a website I would like it to "burn up". Most websites I visit I don't support in any sense.

BlueTemplar wrote at 2020-11-06 17:22:54:

Bitcoin has 'mixers', using which, AFAIK your anonymity goes from zero to 'only the NSA will be able to track you down'.

S04dKHzrKT wrote at 2020-11-06 08:21:13:

As someone that hasn't had to use any captcha services, does an alternate like hCaptcha not have feature parity with reCaptcha?

ve55 wrote at 2020-11-06 08:29:24:

On the surface it does, but many more users will have to complete the captcha, since they cannot judge your 'humanness' by your Google cookies+account.

Although I like services like hCaptcha a lot more myself, it may be possible that this notably bothers users and decreases conversion rates.

feanaro wrote at 2020-11-06 08:41:11:

I don't have a Google account, I fanatically block Google's tracking and I still usually don't see captchas. For this reason, I don't think this holds.

BlueTemplar wrote at 2020-11-06 17:19:43:

How do you manage? These days it seems like almost every website where you have to make an account requires reCAPTCHA...

(I'm using uMatrix too, but this doesn't solve the issue that if I don't allow reCAPTCHA, I'm stuck on the first step of account creation…)

intellirogue wrote at 2020-11-06 10:16:10:

On the other hand I do have a Google account but block tracking, and I have to do about 6 rounds of reCAPTCHA every time.

So either you're in a country that Google has decided is "good" (I'm in Germany), or you're not blocking Google's tracking as well as you think.

feanaro wrote at 2020-11-06 10:31:08:

That's interesting.

Without disclosing my location, let's just say I'm in a much less powerful (and hence, I would imagine, less reputable) country than Germany. I doubt it is in the "good" set, but who knows.

I also doubt I'm not blocking it well enough. I'm running Firefox with CanvasBlocker, uBlock Origin (with strict rulesets) and uMatrix. I also turn on restrictFingerprinting.

seniorivn wrote at 2020-11-06 09:20:25:

depends on where you live

daveoc64 wrote at 2020-11-06 09:06:16:

Its approach to accessibility is terrible.

https://dashboard.hcaptcha.com/signup?type=accessibility

As a user that can't answer the challenges, you have to register with hCaptcha in advance of using the website you want to.

This lets you bypass the verification checks for a while.

The discoverability of this is poor.

lrvick wrote at 2020-11-06 12:07:47:

And throws privacy out the window.

miyuru wrote at 2020-11-06 10:13:27:

hCaptcha does not have IPv6 support. It breaks the web, when trying IPv6 only.

whatsmyusername wrote at 2020-11-06 16:36:09:

Sooooo hcaptcha is way more aggressive. Like when it first went into cloudflare it made browsing the web miserable.

They've since seemed to put a lot of work into it. To the point where I don't notice it anymore.

They're iterating, and that's what I want to see.

sofixa wrote at 2020-11-06 08:22:06:

Out of the loop, didn't know reCAPTCHA became paid. After a quick Google search I can only see that the Enterprise version is paid, but v3 isn't.

Can one still use v3 and not pay for Enterprise?

GlitchMr wrote at 2020-11-06 08:53:46:

reCAPTCHA v3 has 1000000 calls per month limit, after that for commercial purposes you need to migrate to reCAPTCHA Enterprise.

octoberfranklin wrote at 2020-11-06 09:25:18:

So can I boot lame websites out of the free tier by making 1000000 bot requests to the captcha page?

Or does Google only count successful human detections towards the 1000000-request limit?

a_imho wrote at 2020-11-06 11:17:47:

I would not shed any tears for sites which abuse users with recaptcha.

shuringai wrote at 2020-11-06 11:36:34:

just use hcaptcha. even cloudflare switched to it

known wrote at 2020-11-06 12:50:47:

ReCAPTCHA has forced me to use

https://www.qwant.com/

as my default search engine in tor browser

02020202 wrote at 2020-11-06 09:17:32:

fuck recaptcha and all websites that make it impossible to use without it. the state of current things is insane. i can't even talk with the government or pay some bills without letting google spy on me. this is ridiculous.

Contax wrote at 2020-11-06 13:32:48:

I feel your pain. Google is cancer for the web. And it should be illegal for sites to require third-parties you want no business with, at the very least for public or utility sites.

modzu wrote at 2020-11-06 16:21:56:

false dichotomy!!!

swiley wrote at 2020-11-06 16:12:50:

Having to use recaptcha just to download minecraft has to be one of the biggest things that has completely pissed me off about it being sold to Microsoft.