HACKER Q&A
📣 fractalf

Do we need Google captcha?


Many of us remember the early batches of captchas. Annoying and sometimes next to impossible to get right. Google's "one click" captcha was a fresh breeze when it came. I'm not so sure anymore though. Now instead we have to use brain power to press 2-4 images in an AI quiz or, said differently, "help Google improve their ML data-set for free", which I'm not at all comfortable with. Isn't there a better way to fight bots? Could not the community make a FOSS alternative? How hard is this really?


  👤 jmstfv Accepted Answer ✓
Two weeks ago my website [0] got hit by a botnet attack. These bots were submitting 2 POST requests to /login, followed by 2 POST requests to /signup, and since there were no checks in place, they were getting in quite easily. All their requests originated from residential IP addresses (probably hacked IoT devices) so IP blocking seemed impossible. I knew I needed to do something, but didn't want to send my users' data to Google.

I settled on implementing a honeypot technique using invisible_captcha gem [1]. It uses multiple techniques to detect bot activity, such as checking if the form was submitted too fast, hidden form attribute only visible by bots but not humans, etc...

Luckily for me, these bots weren't quite sophisticated so I managed to clamp down on their activity. I still get a couple of bogus signup attempts every day.

Disclosure: I am a contributor to the invisible_captcha gem

[0] https://tryhexadecimal.com

[1] https://github.com/markets/invisible_captcha

EDIT: grammar and wording
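A server-side version of the two checks this answer describes (a hidden honeypot field that humans never fill, plus a "submitted too fast" timestamp), as an added example that is not the invisible_captcha gem's own code; the field names, the secret and the 4-second threshold are assumptions, and signing the render time with an HMAC so a client cannot back-date it is an addition here:

```ruby
require 'openssl'

# Added example, not the invisible_captcha gem's code. Field names, secret
# and threshold are assumed values for illustration only.
HONEYPOT_FIELD  = 'website_url'          # hidden by CSS; real users leave it empty
TOKEN_FIELD     = 'form_token'           # "<render_time>:<hmac>" embedded on render
SECRET          = 'example-secret-change-me'  # constructed; use a real secret
MIN_SECONDS     = 4                      # a POST faster than this looks scripted

def sign(value)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, value.to_s)
end

# Constant-time string comparison so the MAC check does not leak timing.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Called when the form is rendered: the client gets a signed render time.
def form_token(rendered_at)
  "#{rendered_at}:#{sign(rendered_at)}"
end

# Called on POST. Returns :ok or a symbol naming why the submission failed.
def check_submission(params, now:)
  # 1. Honeypot: a browser never fills the hidden field; bots filling every
  #    input they can find do.
  return :honeypot_filled unless params[HONEYPOT_FIELD].to_s.empty?

  # 2. The timestamp token must be present and carry a valid signature,
  #    otherwise a bot could simply submit an old or invented render time.
  rendered_at, mac = params[TOKEN_FIELD].to_s.split(':', 2)
  return :missing_token if rendered_at.nil? || mac.nil?
  return :bad_signature unless secure_equal(mac, sign(rendered_at))

  # 3. Timing: scripted clients post within milliseconds of fetching the form.
  elapsed = now - rendered_at.to_i
  return :too_fast if elapsed < MIN_SECONDS

  :ok
end

if __FILE__ == $0
  # Constructed sample: form rendered at t=1_000_000, posted 1 second later.
  token = form_token(1_000_000)
  puts check_submission({ 'website_url' => '', 'form_token' => token }, now: 1_000_001)
end
```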


👤 luizfzs
It's worse than that. It fingerprints the browser, the OS, and a ton of other stuff.

I'd love to see a solution that's privacy-friendly.


👤 spiderfarmer
My problem with Google Captcha is that I have to solve the "select all" window every time I check the checkbox, even when I'm logged in to Google. Maybe it's because I use Safari, but it's getting really annoying. What's the benefit of Google Captcha if you have to solve the captcha every time?

👤 maxwellito
From a user point of view on Firefox, Google captcha is an absolute hell.

Every single time I have to pass a few batches of captchas. I'm not in a private window and I'm logged in to Google. So I started to blacklist websites that use Google captcha and forced myself to change reading habits.


👤 zawerf
CAPTCHA isn't just a matter of protecting your site. One of the most evil attacks nowadays is "Distributed Spam Distraction", where you spam your victim with thousands of emails per second so an important email (e.g., fraudulent purchases) gets lost in the noise.

How do you do this in a world with decent spam filters? By using the victim's email to sign up for real services so they get hit with a welcome email. Because these are real services, spam filters won't catch it. This can only be done with services that have sign up forms that are easily automated.

The most evil thing here is your email is crippled even after the attack is over because these real companies will keep sending you newsletters and it's impossible to unsubscribe from them all.


👤 SyneRyder
I didn't even find Google Captcha to be effective, I still got a ton of spam coming through my web contact forms - often advertising software tools to bypass Captcha.

In the end I wrote my own rule-based spam filters and that has been significantly more effective without tracking or annoying users.


👤 castis
Over the past 2 years or so I've become incredibly skilled at identifying crosswalks, fire hydrants, traffic lights, and bicycles.

I don't necessarily mind contributing to Google's car-driving AI, but the services that I've put this captcha in front of have seen a dramatic increase in spam.

I unfortunately don't know what the solution to this problem is but I would gladly contribute to whatever someone smarter than me comes up with!


👤 rapnie
I only know about Buster:

> The difficulty of captchas can be so out of balance, that sometimes they seem friendlier to bots than they are to humans. The goal of this project is to improve our experience with captchas, by giving us easy access to solutions already utilized by automated systems.

https://github.com/dessant/buster/blob/master/README.md


👤 falcolas
Probably not.

A sophisticated attacker will simply use something like Mechanical Turk to get past Google captcha, and Google captcha is incredibly aggravating to a number of marginal users. But it's simple to implement, so that makes it popular.

I'd even say that most services don't need captcha in the first place. Captcha only affects relatively unsophisticated attacks, and if it's just an entry in your database, who cares? If it's sending you spam in an attempt to DDOS your email or customer service platform, use correlation between purchases and accounts to filter out the spam.

So, as with all security related matters, identify your threat model, and use that to figure out what you actually need, not what you think you need.


👤 mbreedlove
Are bots now advanced enough that transcribing obscured text is no longer a viable solution?

There are dozens of simplistic captcha libraries that serve obscured text. I would much rather transcribe a few letters than complete a Google Captcha, probably faster, too.


👤 kop316
Here was an earlier discussion about it:

https://news.ycombinator.com/item?id=20158386


👤 phyzome
My general answer is "no". But the question also isn't meaningful unless you define what it is you're trying to protect.

(E.g. maybe it's reasonable to have a captcha of some sort for account creation, with fallback to a human-involved process. But if you're trying to prevent credential-stuffing on a login form, the correct approach is using the Pwned Passwords dataset and/or cooloffs.)


👤 NetToolKit
To the extent that you'd consider non-Google alternatives, there are multiple different CAPTCHA services, and we at NetToolKit recently launched our own version called Shibboleth: https://www.nettoolkit.com/shibboleth/about

You can try out demos at https://www.nettoolkit.com/shibboleth/demo

While not open-source, the service is very affordable ($10 for 100,000 CAPTCHAs), and clients get to review user submissions to see if the CAPTCHAs are reasonable or not.

Would love to get your feedback on the service.


👤 ishanjain28
I started using Buster[1] a few months back with Google Speech to Text API. I use Firefox on Linux and I haven't had to manually fill a captcha in all these months. Highly recommended. :)

I get 60 free minutes/month from Google Speech to Text API. So it's pretty much free to use.

[1]: https://addons.mozilla.org/en-US/firefox/addon/buster-captch...


👤 mcv
I like captchas that ask a question relevant to the topic of the site. For example, a forum about D&D might ask: "Who created D&D?" and accept all answers that contain "gygax", "arneson", "TSR" or "WotC". Trivial for your target demographic, but at least it requires a very different kind of bot.

Though I suppose if this becomes common, bots might just google that question and try some of the zero-click results as answers.


👤 globile
Honest question. What’s wrong with Google Recaptcha V3?

No need to select 25 traffic lights. Gives you a score from 0 to 1 so you can decide whether you let them in easily or not.


👤 litoE
Add to the problem the complication that you need a replacement for the captcha that is usable by users with disabilities.

👤 alexnewman
Hcaptcha will soon be open source.

👤 floatboth
> Isn't there a better way to fight bots?

Don't?

I mean, what are you trying to protect? If it's account registrations, shouldn't an email confirmation be enough?