My government's websites require solving a reCAPTCHA for basic services, which is horrifying. They also use Cloudflare which blocks me sometimes. This is in the EU

This automatically means that you're penalizing smaller websites. And killing off the independent alternatives to Reddit/Disqus. Do you want this?

Large sites like Amazon or CNN can afford to eat the bot traffic. Smaller sites can't.

As of two weeks ago my locked down Firefox profile gets hit with captchas on every visit to Google search. DDG has also gone to shit with captchas and stupid low cache lifetime because I use their non-javascript site. I'm giving Bing a test run before making the leap to Kagi.

Far too many people talk about security as if it's a simple binary and not about effort levels and dissuading attackers.

Well, I would at least ask what the baseline was. The vast majority of websites on the internet don't really have to deal with sophisticated bot traffic, and a very simple traditional CAPTCHA, one that can be trivially solved using existing technology, will also cut SPAM to zero or very close. I don't know exactly why this is, but I suspect it's because most of the bot operations that scale far enough to hit low volume websites are very sensitive to cost (and hence unlikely to deploy relatively-expensive modern multi-modal LLMs to solve a problem) and not likely to deploy site-specific approaches to SPAM.

There are a lot of things that can trivially cut down SPAM ranging from utterly unhelpful to just simply a bad idea. Like for example, you can deny all requests from IPs that appear to be Russian or Chinese: that will cut out a lot of malicious traffic. It will also cut some legitimate traffic, but maybe not much if your demographics are narrow. ReCAPTCHA also cuts some legitimate traffic.

The actual main reason why people deployed reCAPTCHA is because it was free and easy, effectiveness was just table stakes. The problem with CAPTCHAs prior to reCAPTCHA is simply that they really weren't very good; the stock CAPTCHAs in software packages like MediaWiki or phpBB were just rather unsophisticated, and as a double whammy, they were big targets for attack since developing a reliable solver for them would unlock bot access to a very large number of web properties.

Do you need reCAPTCHA to make life hard for bots, though? Well, no. Having a bespoke solution is enough for most websites on the Internet. However, reCAPTCHA isn't even necessarily the best choice even for something extremely high-volume. Case-in-point, last I checked, Google's own DDoS protection system still used a bespoke CAPTCHA that largely hasn't changed since the early 2010s; you can see what it looks like by searching for the Google "sorry" page.

I agree that reCAPTCHA is not "worthless" but it's worth is definitely overstated. Automated services that solve CAPTCHAs charge less than a cent per-solve. For reCAPTCHA to be very effective against direct adversaries rather than easily-thwarted random bots, the actual value of bypassing your CAPTCHA has to be pretty damn low. At that point, it's very reasonably possible that even hashcash would be enough to keep people from SPAMing.

Yeah, we've used CAPTCHAs to great effect as gracefully-degraded service protection for unauthenticated form submissions. When we detect that a particular form is being spammed, we automatically flip on a feature flag for it to require CAPTCHAs to submit, and the flood immediately stops. Definitely saves our databases from being pummeled, and I haven't seen a scenario since we implemented it a few years ago where the CAPTCHA didn't help immediately.

Reminds me of the advice around the deadbolt on your house - it won't stop a determined attacker, but it will deter less-determined ones.

Cutting edge tech like paying cents to captcha solving services?!

At an approx 750,000 hours in a human lifespan, they wasted 1100 human lives in totality. Unbelievable.

Does solving captchas generate $1000/hour? I assume you're conflating amounts here, or messed up an order of magnitude somewhere.

That's just the direct value, how about the whole dimension of training the AI models

Absolutely agreed on the 'very elegant solution for global-scale tracking' part!

The people who created the initial version that got bought went on to create duolingo, with a similar goal of getting people to produce translations of text.

Multi-purpose trojan horse. Not only will it look beautiful in your city but you can use it as scaffolding to repair tall buildings or children in your community could use it as a play gym.

Yes, known images are used for validation, unknown images are used for training.

> Naive question: how can clicking on the motorbike or traffic light image help to train an ML algorithm if they already know what image has a motorbike in it, or otherwise the captcha would not make sense.

It's more than just your answers that are fed into ML and more than just what others have already said: there's also the way that your browser functions and the way you interact with it. Your IP address, browser, OS, screen size, input type, timezone and current time of day, how fast do you select different images, etc etc. All of this gets fed into ML algorithms and answers to the obvious images are used as corollaries to support/deny your ancillary information.

Hypothetically speaking, if they've got a 97% good ML model, they could implement a captcha where if you disagree with their model you have to do a second image, and a third image and so on. Then they could show each image to several different humans, and only if a bunch of people disagree with the model do they take a closer look.

Frankly a lot of the images I get are... kinda easy? This isn't the classic book-reading recaptcha where you could see why the text had confused the OCR.

They ask the same question to multiple people. Whatever the majority answers is right.

they ask you to solve two. one they know, the other they don’t

I can tell you on the small level asking a simple question to activate the form action stops 99% of spam. Something like "What color is snow?" Granted, with a well trained "AI" system solving these questions would be trivial but I have yet to see it in practice.

There are two alternatives I'm aware of, one is Attestation of Personhood[1] proposed by Cloudflare, the other is a proof-of-work[2] which the Tor project have themselves introduced[3].

[1]: https://blog.cloudflare.com/introducing-cryptographic-attest...

[2]: https://github.com/mCaptcha/mCaptcha

[3]: https://blog.torproject.org/introducing-proof-of-work-defens...

Since this was focused on v2 and other interactive captcha, the alternative is to upgrade to new versions that don’t do so. Still some downsides (and the study does address very briefly the use of AI to trick v3), but at the very least it does address some of the concerns.

Important to note though that as AI gets more accessible then the downsides of v3 start to weigh more.

I've been using Truesign [0] for several months and been impressed with the results, it detects bots, VPNs, disposable emails and suspicious traffic patterns all in one. I use it to protect my payment form but it seems it can also protect APIs.

Still in beta though.

[0] https://truesign.ai

For a lot of places where I've encountered captchas, they could just do nothing. Simple rate limiting should probably be the next step. It's not one-size-fits-all of course.

Building your own captcha or running one that doesn't sell your users data to the highest bidder?

What a time where people on a site called "Hacker News" ask such a question..

I think we need to critically re-evaluate what is it exactly we are doing on the internet, how we do it, and examine existing assumptions. For instance, do we really need all services to be centralised? Do we really need services to be "free" (part of the payment is selling your data ok). A server serving static files doesn't care about bot users, but apps... why would you let a stranger use your cpu/ram over the internet? I know i am not providing an answer but i believe we need to take a look again at all of these before we try to come up with an answer

I've heard about form fields hidden with CSS multiple times. No idea how effective this is though.

I would wager all services will be linked to a verified credit or debit (non-temporary) card. Most of them are now...

How are you going to connect the physical person with an identity with in-person attestation? Many (several of which major English-speaking) countries don't have mandatory government IDs...

A commenter below suggests that government eIDs could be used. I bet this will be harder to implement and will have much worse conversion rates than (the already terrible) mandatory credit/debit cards... Not to mention the hell that we as non-US citizens will have to endure if anyone tries to impose any form of mandatory ID there... One can only take so much complaining about government overreach about something that is basic necessity here in the EU...

Realistically it will be a government or private service that everyone will have to have to verify that it is a real person. Or at least tied to a real person so that banning will be more sticky.

Nothing less than drinking a "verification can", as presciently propounded by a 4chan user a decade ago.

no, because a lot of bot service run on botnets, made out of hacked regular residential computers, routers and so on. They will feel a bit more sluggish, but it won't cost the botnet authors that much more.

On the other side, an amount of work reasonable for modern desktop will absolutely overwhelm an older cell phone.

Literally. Social engineering 101. Grab a clipboard, put on a hi-viz, speak in an authoritive, directive voice and people will absolutely do what you ask at the sound of the word "security". Social engineering defence 101: teach scepticism and not being intimidated by the word "security"... ask "whose security?", "security from what?", "security to what end?", and "show me your ID and the written policy".

Except captcha is not supposed to be security for the user, but security for the website.

But in the end it is not (effective) security for a website, is an antifeature for users and is profit for google.

It’s not three years, it’s thirteen.

> A lifetime value of $888 billion for all of reCAPTCHAv2's tracking cookies produced between 2010 and 2023.