ReCAPTCHA, due to the lack of an opt-out, is effectively illegal in the EU.
Large sites like Amazon or CNN can afford to eat the bot traffic. Smaller sites can't.
I haven't encountered a captcha using Lemmy. There might be one on some servers for account creation.
I've used Amazon from the same IP address for years and I still regularly get the "you look like a bot, solve this" crap.
To say "it's worthless from a security perspective" is a pretty harsh and largely inaccurate representation. It's been tremendously useful to those who have used it. If it wasn't valuable, it wouldn't be so widely used.
Definitely agree with the whole "tons of free $$$ for Google", but that's kind of their business model, so yeah, Google is being Google. In other breaking news, water is still wet.
It should be a general standard of proof for any sort of sociological claim that you look at rates, not just examples, but it usually isn't.
There are a lot of things that can trivially cut down SPAM ranging from utterly unhelpful to just simply a bad idea. Like for example, you can deny all requests from IPs that appear to be Russian or Chinese: that will cut out a lot of malicious traffic. It will also cut some legitimate traffic, but maybe not much if your demographics are narrow. ReCAPTCHA also cuts some legitimate traffic.
The actual main reason why people deployed reCAPTCHA is that it was free and easy; effectiveness was just table stakes. The problem with CAPTCHAs prior to reCAPTCHA is simply that they really weren't very good; the stock CAPTCHAs in software packages like MediaWiki or phpBB were just rather unsophisticated, and as a double whammy, they were big targets for attack since developing a reliable solver for them would unlock bot access to a very large number of web properties.
Do you need reCAPTCHA to make life hard for bots, though? Well, no. Having a bespoke solution is enough for most websites on the Internet. However, reCAPTCHA isn't even necessarily the best choice even for something extremely high-volume. Case in point: last I checked, Google's own DDoS protection system still used a bespoke CAPTCHA that largely hasn't changed since the early 2010s; you can see what it looks like by searching for the Google "sorry" page.
I agree that reCAPTCHA is not "worthless", but its worth is definitely overstated. Automated services that solve CAPTCHAs charge less than a cent per solve. For reCAPTCHA to be very effective against direct adversaries rather than easily-thwarted random bots, the actual value of bypassing your CAPTCHA has to be pretty damn low. At that point, it's very reasonably possible that even hashcash would be enough to keep people from spamming.
Reminds me of the advice around the deadbolt on your house - it won't stop a determined attacker, but it will deter less-determined ones.
(And while I don't have hard data on this, I suspect that there are bot authors who don't know how to properly set up rate limits and don't know how to set up a captcha-solving service bypass, so captchas are especially effective against them.)
> More concretely, the current average value life-time of a cookie is €2.52 or $2.7 [58]. Given that there have been at least 329 billion reCAPTCHAv2 sessions, which created tracking cookies, that would put the estimated value of those cookies at $888 billion dollars.
The cited paper is https://www.sciencedirect.com/science/article/pii/S016781162... - but it doesn't deal with CAPTCHAs, just with the general economics of third-party cookies.
In practice, many of these cookies will have already been placed by other Google services on the site in question, with how ubiquitous Google's ad and analytics products are. And it's unclear whether Google uses the _GRECAPTCHA cookies for purposes other than the CAPTCHA itself (in the places where this isn't regulated).
But reCAPTCHA does give Google an ability to have scripts running that fundamentally can't be ad-blocked without breaking site functionality, and it's an effective foot in the door if Google ever wanted to use it more broadly. It's absolutely something to be aware of.
The researchers put the vast majority of this value to tracking cookies, and this revenue happens whether or not a manual challenge is completed.
It's more than just your answers that are fed into ML, and more than just what others have already said: there's also the way that your browser functions and the way you interact with it. Your IP address, browser, OS, screen size, input type, timezone and current time of day, how fast you select different images, etc. etc. All of this gets fed into ML algorithms, and answers to the obvious images are used as corollaries to support/deny your ancillary information.
Frankly a lot of the images I get are... kinda easy? This isn't the classic book-reading recaptcha where you could see why the text had confused the OCR.
"What colour is snow" is close, but you can't assume that everyone knows what snow is, let alone what colour it is. This includes both people with disabilities and people in parts of the world where there is no snow...
PoW tasks are meant to work on a wide range of mobile phones, desktops, single-board computers, etc... you have vastly different compute budgets in every environment. For a PoW task that is usable on a five year old mobile phone, an adversary with a consumer RTX 50 series card (or potentially even an ASIC) can easily perform it many, many, many orders of magnitude faster.
Am I missing something?
Important to note, though, that as AI gets more accessible, the downsides of v3 start to weigh more.
Still in beta though.
What a time, where people on a site called "Hacker News" ask such a question...
Of course reCAPTCHA is also still vulnerable to the use of a mechanical turk so even giving away your users' data won't save you.
For example, there is someone's personal blog, which is beset by comment spammers. The blog's owner is tired of deleting spammy comments and does not want their comment section to look like a garbage bin, so they want some bot protection. The website's author is not that technical, so they do some googling and install reCAPTCHA (or Cloudflare), and this cuts bad comments down to 1/week, which is easy to clean manually.
So in that story, who should be re-evaluating what, and what answer do you expect?
(keep in mind the blog's author cannot host their own captcha service / AI bot detector, as they are not proficient enough to install all the required dependencies for such a complex task, nor is their VPS powerful enough to keep it running.)
We'll have to have in-person attestation or make all services paid, perhaps.
How are you going to connect the physical person with an identity with in-person attestation? Many countries (several of them major English-speaking ones) don't have mandatory government IDs...
A commenter below suggests that government eIDs could be used. I bet this will be harder to implement and will have much worse conversion rates than (the already terrible) mandatory credit/debit cards... Not to mention the hell that we as non-US citizens will have to endure if anyone tries to impose any form of mandatory ID there... One can only take so much complaining about government overreach about something that is basic necessity here in the EU...
Especially since, all of a sudden, a bot service running hundreds of thousands of requests will inadvertently have to compute cryptographic hashes at the cost of the user running the bots?
On the other side, an amount of work reasonable for a modern desktop will absolutely overwhelm an older cell phone.
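The hashcash-style proof of work that the comments above debate as a CAPTCHA alternative, as an added example that is not from the thread: the server issues a random nonce and a difficulty in leading zero bits, the client brute-forces a counter, and the server verifies with a single hash. The last function quantifies the compute-asymmetry objection; the hash rates fed into it are assumed illustrative figures, not measurements.

```python
import hashlib
import os
import struct
from typing import Optional, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def new_challenge(difficulty_bits: int) -> Tuple[bytes, int]:
    """Server side: a fresh random nonce plus the required leading zero bits."""
    return os.urandom(16), difficulty_bits


def solve(nonce: bytes, difficulty_bits: int, max_iters: int = 1 << 32) -> Optional[int]:
    """Client side: brute-force a counter so that sha256(nonce || counter) has enough
    leading zero bits. Expected cost is about 2**difficulty_bits hashes."""
    for counter in range(max_iters):
        digest = hashlib.sha256(nonce + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return counter
    return None


def verify(nonce: bytes, difficulty_bits: int, counter: int) -> bool:
    """Server side: one hash to check, however long the client worked."""
    digest = hashlib.sha256(nonce + struct.pack(">Q", counter)).digest()
    return leading_zero_bits(digest) >= difficulty_bits


def solves_per_second(difficulty_bits: int, hash_rate: float) -> float:
    """Expected challenges solved per second at a given SHA-256 hash rate.
    Compare an old phone with a GPU at the same difficulty to see the asymmetry."""
    return hash_rate / (2 ** difficulty_bits)


if __name__ == "__main__":
    nonce, bits = new_challenge(16)          # ~65k hashes: fine for a phone
    counter = solve(nonce, bits)
    print("verified:", verify(nonce, bits, counter))
    print("phone (assumed 1e5 H/s):", solves_per_second(bits, 1e5))
    print("GPU   (assumed 1e9 H/s):", solves_per_second(bits, 1e9))
```

A difficulty a phone clears in under a second lets a GPU-class attacker submit thousands of valid solutions per second, so PoW alone sets a price on spam rather than stopping it.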
But in the end it is not (effective) security for a website; it is an antifeature for users and profit for Google.
> A lifetime value of $888 billion for all of reCAPTCHAv2's tracking cookies produced between 2010 and 2023.