Cloudflare launches campaign to ‘end the madness’ of CAPTCHAs

Cloudflare has called on the world to “end this madness” by consigning Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHAS) to the dustbin of history. The internet-grooming firm’s beef with CAPTCHAS - specifically those that require users to identify images - is that they take 32 seconds to …

  1. llaryllama

    Somewhat ironic given that Cloudflare switched to the particularly awful hCaptcha system - presumably to enjoy the financial kickbacks that hCaptcha offer.

    1. Gordon Lawrie

      "...we proposed that rather than them paying us we pay them. This ensured they had the resources to scale their service to meet our needs. While that has imposed some additional costs, those costs were a fraction of what reCAPTCHA would have."

      From: https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/

      1. Znuff

        Sure. They cheaped out on the solution. So now instead of reCaptcha just working with 1 click from me, which takes me around 1 second, now I have to deal with hCaptcha.

        And this post is indeed very ironic. I have NEVER spent so much time solving captchas for reCaptcha as I have had searching for Pictures of Boats in their hCaptcha shit.

        So for them to come out with this is indeed very ironic.

        1. Anonymous Coward

          > So now instead of reCaptcha just working with 1 click from me, which takes me around 1 second

          Congratulations, that just means that Google actively tracks you and knows so much about you that it can identify you reliably from a single mouse click.

    2. iron Silver badge

      hCAPTCHA doesn't report to Google and aid them in tracking you across the web, I prefer it.

      What is ironic is I think Cloudflare are the only company that have asked me to complete a CAPTCHA in recent months. And they seem to ask for it every time I visit a site they host.

      1. rnturn

        I rarely see CAPTCHAs any more. Sites appear to have responded to their users/visitors and dumped them. I'd estimate only dealing with less than five in the last year---so few that it always surprises that some site is *still* using one. I think Cloudflare is seeing the potential for making big Zorkmids in the hardware token market.

        1. Anonymous Coward

          I still see them constantly, but I also randomize almost all data sent by my client. The way I figure it is, if they can identify you and sell your browsing habits they won't ask you to find the boat; if they can't, they use you for machine learning datasets.

        2. Version 1.0 Silver badge

          When I see CAPTCHAs appear I quit my subscription to the site - they are a complete pain in the arse (I'm human, not a computer).

        3. stiine Silver badge
          Coffee/keyboard

          re: not seeing CAPTCHAs

          Now log out of your google account, clear your browser cache, and try again. I usually get 5-10 per day.

          1. Anonymous Coward

            Re: Now log out of your google account...

            How quaint... A Google account. Well, you asked to be tracked just about everywhere you go so carry on and enjoy life feeding the Borg.

            As soon as the few sites I use get rid of CAPTCHAs, the sooner I can finally block google.com at my firewall.

        4. Anonymous Coward

          The "tick a box, human" Captcha is reCaptcha v2. There is a Captcha v3 which is automated - no interaction - and gives a score, rather than a "yes/no". So it's likely you're still running captcha, you just don't realise it.

          I've been testing both - sadly I find the fully automated one isn't great with what look like bots slipping through, although I'd prefer it. I have some resource-intensive operations on our website which I've moved back behind reCaptcha v2, where I absolutely, positively require a human to be present.
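The split the commenter above describes (a v3 score for everyday actions, an interactive v2 challenge for operations that must have a human present) is a server-side policy decision. The block below is an added example, not code from the thread or from Google; the per-action score floors, the hostname and the sample siteverify responses are constructed for illustration.

```python
"""Server-side policy for a site mixing reCAPTCHA v3 (score) and v2 (interactive).

Input is the JSON body the siteverify endpoint returns for a token. Here the
responses are constructed inline so the example runs offline.
"""
from __future__ import annotations

from typing import Any

# Assumed site policy (constructed for this example): per-action score floors,
# plus the actions that must always go through the interactive v2 widget.
SCORE_FLOOR = {"search": 0.3, "login": 0.5, "comment": 0.7}
V2_ONLY_ACTIONS = {"bulk_export", "report_generate"}
EXPECTED_HOST = "example.com"

ALLOW, CHALLENGE, DENY = "allow", "challenge", "deny"


def decide_v3(resp: dict[str, Any], action: str, host: str = EXPECTED_HOST) -> str:
    """Turn a v3 siteverify response into allow / challenge / deny.

    'challenge' means: bounce the request to the interactive v2 widget.
    """
    if action in V2_ONLY_ACTIONS:
        return CHALLENGE              # a v3 score is never enough here
    if not resp.get("success"):
        return DENY                   # bad, expired or replayed token
    if resp.get("hostname") != host:
        return DENY                   # token minted on another site
    score = resp.get("score")
    if not isinstance(score, (int, float)):
        return CHALLENGE              # a v2 token answered where v3 was expected
    if resp.get("action") != action:
        return DENY                   # token issued for a different form/action
    return ALLOW if score >= SCORE_FLOOR.get(action, 0.5) else CHALLENGE


def decide_v2(resp: dict[str, Any], host: str = EXPECTED_HOST) -> str:
    """Interactive v2: success is binary, but still bind the token to our host."""
    if not resp.get("success") or resp.get("hostname") != host:
        return DENY
    return ALLOW


# Constructed sample responses (field names follow the siteverify JSON).
SAMPLES = {
    "good_search": {"success": True, "score": 0.9, "action": "search",
                    "hostname": "example.com", "challenge_ts": "2021-05-13T10:00:00Z"},
    "botlike_comment": {"success": True, "score": 0.1, "action": "comment",
                        "hostname": "example.com"},
    "wrong_host": {"success": True, "score": 0.9, "action": "login",
                   "hostname": "other.example"},
    "expired": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "v2_token": {"success": True, "hostname": "example.com"},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:18} -> {decide_v3(resp, resp.get('action', 'search'))}")
```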

    3. Mike Pellatt

      Came here to say exactly that.

      "Physician, heal thyself".

      No other provider I log in to has such an annoying captcha system. And, like so many providers, you don't get SAML support without paying for the Enterprise product.

    4. elregidente

      Speaking as a Tor user, the Google reCaptcha is a brick wall. It *never* completes - it goes on forever - and so any site using reCaptcha is fully and 100% at that point unusable to Tor users.

      hCaptcha works with Tor, and so has restored those pages/sites to being functional over Tor.

  2. Joe W Silver badge

    Hardware dongles?

    How quaint and very 80s.

    Neither my laptop nor my phone would be able to use that. Although I have to admit that I have a hard time with CAPTCHAS anyway, but that is based on blocking JavaScript.

    And I really do wonder, what is the alternative for the visually impaired? There's sometimes a bunch of grainy pictures that I have a hard time correctly identifying. Now if you see less than I do, or just nothing at all....

    1. thames

      Re: Hardware dongles?

      The main problem with the few CAPTCHAS that I see is that they tend to be ambiguous street scenes from American suburbia. If you happen to live in American suburbs, like say the sort of people at US tech companies do, then they may make sense.

      If you're not an American living in an American suburb, then you end up having to ask yourself "how would an American answer this question?" based on what you know about the US from American movies.

      What they need is less ambiguous CAPTCHAS, but I suspect they are afraid that people will then use image recognition and AI to solve them.

      Not that I think the Cloudflare proposal is a better solution. In fact I think it's worse.

      1. Flocke Kroes Silver badge

        Re: ambiguous scenes

        I assumed the server does not know the right answers for half of all CAPTCHAs and is just collecting training data for AIs.

        1. katrinab Silver badge
          Black Helicopters

          Re: ambiguous scenes

          Quite often, you will find some photos with an obvious answer, and other photos with a less obvious answer. If you give the wrong answer for the less obvious ones, it will usually let you through.

          1. Robert Carnegie Silver badge

            Re: ambiguous scenes

            I'm in doubt that Google CAPTCHA uses real photographs. I think they're composed. When asked to pick the squares with traffic lights for instance, there are maybe half a dozen dotted around the grid. Surely if a real road had traffic lights like that, chaos and carnage would ensue.

        2. aks

          Re: ambiguous scenes

          I remember reading somewhere that the CAPTCHA system was designed for exactly that purpose. I think it was an old article here on the Register.

      2. John Riddoch

        Re: Hardware dongles?

        You've obviously not had the pain of "select the picture where the dice total X" so you have to peer closely at the dots on dice then add them up for the 4 or 6 image and inevitably it's the last image you find the correct answer on. It's not difficult per se, it's just time consuming and bloody annoying. Especially when the dumb thing asks you to do it 3 times or more because some algorithm has determined you're higher risk or whatever.

      3. Wade Burchette Silver badge

        Re: Hardware dongles?

        You just identified a major problem today with programmers. Since they like, since they understand it, and since it works for them, they assume that you will like it, that you will understand it, and that it will work for you. This attitude has given us Windows 10 with its horrible horrible UI. And then you have website designers where they assume everyone uses Chrome, like them, has a really fast computer, like them, and has really fast internet, like them. If none of those conditions are true, they blithely tell you to switch to Chrome and never think that some people cannot afford fast computers or cannot get fast internet.

        Since Cloudflare is an American company, they assume everyone is like them and an American. It is no surprise that their CAPTCHA solution assumes you are an American because all the programmers today assume everyone is like them. I call it myopia.

        1. rnturn

          Re: Hardware dongles?

          > And then you have website designers where they assume everyone uses Chrome, like them, has a really fast computer, like them, and has really fast internet, like them. If none of those conditions are true, they blithely tell you to switch to Chrome and never think that some people cannot afford fast computers or cannot get fast internet.

          That's been a problem forever. One former employer hired people to create the company's first web site. It looked great in the conference room where they demoed it---just steps away from the data center where the web server sat. The trouble was that, at the time, there were huge (and I mean HUGE) numbers of internet users who were still using dial-up connections. The corporate web site was unusable over that type of connection. Sadly, the web site designers still got paid.

        2. a_yank_lurker Silver badge

          Re: Hardware dongles?

          You missed a couple of problems with the diaper brigade in programming. They assume you can read poor contrast between the text and background. There is a reason black text (or very dark text) on a whitish background is used. Another is a fondness for very small font sizes that are difficult for those whose eyes are a wee bit old.

          1. hoola Silver badge

            Re: Hardware dongles?

            And the bonkers hashed up fonts so you cannot tell what is what. Even refreshing it umpteen times makes no difference.

        3. aks

          Re: Hardware dongles?

          I fully agree with all of the above except regarding the Windows 10 UI. I much prefer the simplistic style to the gaudy one which came with Windows XP, and don't get me started on Apple's grey-on-grey style.

      4. andy gibson

        Re: Hardware dongles?

        The pictures usually ask you to identify a bus, bike, or fire hydrant on the picture. I would have thought these objects are globally known?

        1. Graham Cobb Silver badge

          Re: Hardware dongles?

          Buses look very different in different places, and the word "bus" is not well defined in many places (particularly non-English speaking). Is a taxi a bus? What about a minibus taxi? What about one of those long wheelbase tuktuks that fit 8 passengers with people getting on and off at all the traffic lights?

          As a Brit, I even distinguish a "bus" from a "coach"!

          And don't get me going on fire hydrants (which are never visible in the UK - they are always underground or in the walls of buildings) and crosswalks (which we don't have at all -- we have Zebra crossings which look very different).

          Even bike is not clear. Does it include motorbikes? Does it include pushbikes? Is there a difference between a bike and a 'bike (there is on the BBC)?

          1. katrinab Silver badge
            Meh

            Re: Hardware dongles?

            A stretch limo is legally a coach in the UK. They are licenced and taxed as such if they have 10 seats including the driver's seat or would have 10 seats but for the fact that they were adapted to carry disabled people.

          2. Claverhouse Silver badge

            Re: Hardware dongles?

            > Buses look very different in different places, and the word "bus" is not well defined in many places (particularly non-English speaking). Is a taxi a bus? What about a minibus taxi? What about one of those long wheelbase tuktuks that fit 8 passengers with people getting on and off at all the traffic lights?

            And what of Pui Pui Molcars?

            Google should incorporate these.

        2. ChrisC Silver badge

          Re: Hardware dongles?

          A bike, fair enough.

          A bus? Do you live in a country/region where most buses are single deckers, where most are double deckers, where most are minibuses, where most look more like long-distance coaches, where there's even a bus service against which you can hope to have any concept of what a "bus" looks like in your local area let alone in whichever part of the world the captcha images originated?

          A fire hydrant? Here in the UK, hydrants are mostly, if not entirely, below ground level and accessed via a hatch in the pavement (or sidewalk, if you're a left-pondian who thinks the pavement is the thing the cars, sorry, automobiles, drive along), so the only way the average UKian will recognise the typical fire hydrant shown in a captcha is if they've spent enough time watching US TV shows or films, and are now able to associate "fire hydrant" with those odd lumpy looking bits of metal sticking out of the pavement (or is it now a sidewalk - I'm so confused...)

          So whilst the name of such objects may (*) well be known across the globe, it's definitely not safe to assume that the physical manifestation of such an object from one region will be recognisable as such an object to someone in another region.

          (*) though as someone else has already noted, some captchas ask you to identify crosswalks, which not only requires the user to be aware of what a crosswalk looks like in the US, but also to know what a bloody crosswalk is in the first place, because that's a term most assuredly NOT used globally...

          1. MrReynolds2U Bronze badge

            Re: Hardware dongles?

            I'm pretty sure the only reason I know what a US fire hydrant is or looks like is from a Richard Scarry book when I was a child.

          2. ThatOne Silver badge
            Joke

            Re: Hardware dongles?

            > know what a bloody crosswalk is in the first place

            That's obviously when Jesus carried his cross to Golgotha before his crucifixion.

            1. Disgusted Of Tunbridge Wells

              Re: Hardware dongles?

              From the song:

              Pontius Pilate, he's the boss.

              Get back on that f*cking cross

        3. katrinab Silver badge
          Flame

          Re: Hardware dongles?

          A fire hydrant in the UK is a rectangular slab of iron in the pavement that you could walk/drive over without noticing it. None of the captcha fire hydrants look anything like that.

        4. Steve Davies 3 Silver badge
          Holmes

          Re: Hardware dongles?

          When did you last see a US Style 'Fire Hydrant' in the UK or Europe for that matter?

        5. Anonymous Coward
          Anonymous Coward

          Re: Hardware dongles?

          I'm pretty sure that in future war against the US of A, autonomous Chinese and Russian drones will wreak havoc by zapping 100% of key US infrastructure elements: crosswalks, cars, traffic signs and lights, funny-yellow-coloured-mass-transport (?) vehicles, corner cones that the A-mericans seem to like to photograph...

          ...

          oh, and hills! ('cause: Bunker Hill)

      5. Steve Graham

        Re: Hardware dongles?

        "Click all the pictures showing a parallel divergent crosswalk." A what?

        "Click all the pictures showing a mixed utilities access cabinet."

        Even when the target is something that's actually culturally generic, I still find them hard. Something about the way I think or perceive.

        1. Graham Cobb Silver badge

          Re: Hardware dongles?

          And does "traffic light" include the poles they are mounted on? What about the wires strung between them? Are there actually any squares in this picture that don't include some part of the traffic light system? Hmm... I can't quite make out that little grey box on the far corner...

          1. Kevin McMurtrie Silver badge

            Re: Hardware dongles?

            I sometimes see how incorrect I can be and still pass as a human. It doesn't seem to care much about the poles.

      6. stiine Silver badge

        Re: Hardware dongles?

        Just check 2 and click continue about 10 times and it will give you an image that contains a single object (like a fire hydrant) that occupies 2 vertically adjacent squares.

        And speaking as someone who used to do captchas (the text version) for fun in the old days, the new image captchas are shit.

      7. hoola Silver badge

        Re: Hardware dongles?

        Not forgetting the ones where it tells you to select all the cars/buses/crosswalks or whatever and there are none on the stupid picture.

        You have to spend time staring at it to figure this out, as many are bad.

        1. Charles 9 Silver badge

          Re: Hardware dongles?

          That's intentional. "No match" can be a correct answer in this case, and you just click Next without selecting anything.

    2. I ain't Spartacus Gold badge

      Re: Hardware dongles?

      > And I really do wonder, what is the alternative for the visually impaired? There's sometimes a bunch of grainy pictures that I have a hard time correctly identifying. Now if you see less than I do, or just nothing at all....

      Hello. The visually impaired here. Or at least one of them. Google at least have an alternative - it's an audio CAPTCHA. I don't think I've ever got one right though, and I have perfect hearing. So the answer is to repeatedly poke at the photo ones, until I guess right. I'd say I average somewhere between two and three goes. It would certainly help if their pictures were a bit bigger. Or less shit. Or less confusing. Or less low resolution and grainy. Or badly cropped so you've got a tiny sliver of what might be a bicycle/traffic light (sorry, stop light)/car on the edge of the picture, hidden amongst the bushes. But I'm fucked if I can see what it is.

      It is also interesting/ironic that I'm training the computers for Google's self-driving cars - which are allowed to drive, when I'm not...

      Can't see the hassle of maintaining (and carrying around) some sort of identity dongle is going to be any lower though. At least for me. If you're totally blind, or deaf/blind I don't know how you handle it.

      I await the comments from Shadow Systems, when he comes across this thread. Containing robust Anglo-Saxon language, no doubt...

      1. Steve K Silver badge

        Re: Hardware dongles?

        I suspect Shadow Systems has already read this, spontaneously combusted and is trying to find one of those fire hydrants mentioned above.....

        1. Shadow Systems

          Re: Hardware dongles?

          Essentially yes. I read it, tried to write a post, realized I was vomiting vitriol like Vesuvius, so closed the tab to kill the attempted post & did something else to calm down. Once I was calm & could think straight once more, I came back & reread the story. Rinse & repeat.

          The visual ones are obviously not accessible for the blind. The audio ones *might* be *IF* the audio is clear & unambiguous. Since that's almost never the case, they are pretty much not accessible either. Of course I'll pick out the few words you want me to regurgitate, just remove the echo, reverb, hiss, clicking, popping, & what sounds like a drunk bagpiper doing a speed metal solo in the background.

          *Sigh*

          I'm an American & even I couldn't do the visual concepts in all their images back when I could still see. A bike? Would that be an upright two wheeler, a recumbent two wheeler, an upright three wheeler, a recumbent three wheeler, one of the old fashioned massive front wheel & microscopic rear wheel, a forward swept two wheel racing (aerodynamic to the point of being anatomically improbable), with or without a fairing, with or without panniers, with a regular saddle, "banana" saddle, recumbent saddle, touring saddle, or some other sort? A child's tricycle? An old person's trike with the lumbar support seat & the wire grocery basket on the front? There are so many different styles & configurations that vary from location to location that just saying "bike" is akin to asking someone to point to the "boat" & pointing them to a seascape full of every design ever contemplated by a drunken sailor in the middle of an acid trip.

          *Shakes head sadly*

          99.99% of the time if a site drops a CAPTCHA in my path I'll simply close the tab & go elsewhere. If they include an email link then I'll give it to them with both barrels, but otherwise it's often not worth the hassle nor headache to explain it to the socially blind (versus physical blindness) idiots why they've just lost my business.

          That "check this box if you're Human" is utter bullshit. It's not an element I can navigate to, it's not an actual element I can interact with, and since I don't use a mouse there's no way to toggle the bloody thing. I *AM* Human you fucking pile of steaming Howler Monkey shit, but you don't seem to give SweetFuckAll that your audience might not be of perfect vision, perfect hearing, & perfect motor controls. I hope your aged mother visits your site & promptly kicks your sorry ass for telling her that she's not Human because she's unable to jump your fucking hurdles.

          *Deep breath*

          I'll go away now. I can feel the urge to kill coming back strong. NURSE! Refill my dried frog pills please, STAT!

          *Wanders off muttering darkly & tapping my cane as if trying to beat the pedestrian-using-concrete to death*

      2. Anonymous Coward

        Re: Hardware dongles?

        I don't know if it's funny, sad, ironic, or what, but my vision (with glasses) is 20/20 and I have the same complaints about CAPTCHAS. So... a win for equal (in)access, I guess?

      3. Anonymous Coward

        Re: Hardware dongles?

        I'm entirely blind. Here's how the captchas currently work. Google's has an audio option which starts with a section of white noise, a clip of speech, and some more noise. You are supposed to transcribe the speech. This usually works. It is best not to think about where the speech comes from. Some of it is clearly phone call quality. This is what they switched to after their previous method, which was severely distorted computer voices reading numbers on top of each other which you were also supposed to transcribe. I tested several friends, both sighted and blind, and I was the only one who ever completed that one successfully.

        For other providers, there may not be an audio version at all. They frequently have not replaced their captcha solution. For me, this is a zero-tolerance situation. If a service uses one of these, I will cancel my account immediately if at all possible. Also, for those who are both deaf and blind, there is as far as I know no captcha which will work.

        1. Robert Carnegie Silver badge

          Re: Hardware dongles?

          I could be talking nonsense but I thought I read that the typical CAPTCHA just puts up one box to say "I'm not a robot" and watches mouse movements until you click on it, humanly. Only if that's doubtful does it start to ask for more proof. But I am tapping on a touchscreen tablet. It still usually works, though. Maybe it watches for you typing like a human, too.

          I don't know what a deaf and blind user uses for computing on, but I expect that that device identifies itself as what it is. A catch would be if a billion hackers run a simulation of the same type of device.

          An alternative is user password as authentication, but that has its own issues.

          1. doublelayer Silver badge

            Re: Hardware dongles?

            I don't know if that's what it's attempting, but I don't think so. I think it has more to do with what Google knows about you by the time you click the box--if you're a known account, they just add the site and any information to your advertising profile and let you through. If you just did a captcha, then it's probably safe and they'll let you through this one too. If you don't have either of those, click on all the [insert subjective category here].

            I don't think I'm doing anything mechanical in my input, but I don't browse with any Google accounts active and thus get asked for the captcha on every site that has one. It could be worse though. At one point, I was accused of spamming Google's captcha because I was on a crowded network. If that happens, you have no method of bypassing it and just have to wait an hour and hope for the best when you try again.

            1. Dog11
              Boffin

              Re: Hardware dongles?

              > At one point, I was accused of spamming Google's captcha because I was on a crowded network. If that happens, you have no method of bypassing it and just have to wait an hour and hope for the best when you try again.

              That happens to me periodically, but I'm on a VPN and just switch to another VPN server (if I can do so without interrupting anything else my computer is doing), or to a different browser that bypasses the VPN.

              1. Bruce Ordway

                Re: Hardware dongles?

                > That happens to me periodically, but I'm on a VPN

                Apparently Google doesn't like my VPN anymore.

                The last few months, whenever I try to use Google search I'm confronted with multiple image selection challenges. What irritates me is that there doesn't appear to be any rhyme or reason to the number of challenges I must complete before I'm allowed to proceed to my search results.

                (On average I must deal with 10 challenges... talk about madness.)

                So... I've set my default search provider to DuckDuckGo.

                Occasionally I still want to run a search thru Google and just deal with the related annoyance.

                At least picture challenges work eventually whereas text based captchas never seem to end (for me, my VPN)

    3. Nick Stallman

      Re: Hardware dongles?

      Your phone doesn't have NFC? All the keys these days support NFC for mobile use which is fantastically convenient.

      1. Charles 9 Silver badge
        Big Brother

        Re: Hardware dongles?

        Yeah...for Big Brother or a miscreant with a hidden antenna. Plus there are plenty of phones that simply lack the capability. As for bots...can't they just FAKE it?

        1. Nick Stallman

          Re: Hardware dongles?

          Trying to find a phone today that can't do NFC would be quite difficult. Not impossible but very difficult.

          Remember this is to make captchas easier, not be the only option. As I already have a YubiKey I look forward to using it instead of clicking on traffic lights.

          And no, bots can't fake it as per the original article. Cloudflare uses the fact that the original device manufacturer of the keys signs the keys in batches of 100,000 and Cloudflare has a whitelist of vendors. A bot could emulate the security key in general but won't be signed by a reputable manufacturer of security keys and thus will be rejected.

          1. Charles 9 Silver badge

            Re: Hardware dongles?

            Oh? What's to stop miscreants obtaining a few of them legitimately, breaking them down, and figuring out how they work so that their bots can emulate them (or at the very least, copy the abilities of the legit keys they do obtain)? What man can create, man can usually recreate.

    4. bombastic bob Silver badge
      FAIL

      Re: Hardware dongles?

      Hardware Dongle = TRACKING - your identity is NOW KNOWN to the web site, uniquely so.

      As IRRITATING as a CAPTCHA is, I'd rather use CAPTCHA than GET TRACKED on that level...

      Only an ad-slinging over-present cloud network would come up with THAT as a "solution".

      (at least cache clearing and VPN can anonymize you a little bit, even with CAPTCHA)

  3. Anonymous Coward

    once ever ten days

    Should that have been once every ten days or once every ten pages?

  4. thames
    WTF?

    What?

    Either there is something missing from the description, or the idea is pointless. How does the presence of a YubiKey or the like tell you there is someone physically at the computer and it's not a bot? Anything a person can do with a YubiKey a bot can do.

    And how is the "attestation is not uniquely linked to the user device" if they are using a device whose whole point of existence is to uniquely identify itself? I'm not sure I'd want to have Cloudflare tracking me all over the Internet using a YubiKey they would make me buy.

    I see CAPTCHAS very rarely, and only on sites which are especially concerned about not allowing bots to DDOS them. CAPTCHAS would be far less of a problem for me than buying a YubiKey and using it would be. Whatever problem they are trying to solve is one that I don't have.

    1. Robert Carnegie Silver badge

      Re: What?

      It seems from the description that you are to plug in the security key only when prompted for it. Software can't really do that. On the other hand, ... I started that sentence yesterday, and I've forgotten what was on the other hand. Does anything come to mind?

      Ah - probably that I may as well mention how tiresome it is when a USB port or plug wears out, and so what a good idea it is to use a detachable hub on your PC or laptop, so you are mainly wearing out the ports on the hub, which is cheaper to replace.

      And yet... that undermines my first point, but to not help bots out, I won't say why. And if you see it... the same should apply. Thank you.

      Anyway, I assume that Cloudy tells the web site that you're a human, but not which human. And possibly most of your internet access goes through Cloudflare already, so they are able to have a pretty good idea of who you are if they want to. But why would they want to?

  5. Kevin McMurtrie Silver badge

    Self-serving specification

    I trust Cloudflare less than Google, and I don't trust Google. How is the new proposal going to stop malware from infected user devices?

    If Cloudflare wanted to stop botnets, they could stop providing so many services to them. C&C, phishing pages, fake stores, bots for hire, PayPal merchant pages, etc.

    1. Nick Stallman

      Re: Self-serving specification

      Malware can't use a YubiKey even if one is plugged in to your computer. It requires a physical touch before it'll perform the handshake.

      And if your computer keeps randomly asking you to touch your YubiKey you'd get suspicious pretty quickly.
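The two properties raised in this sub-thread and in the "bots can't fake it" reply earlier (keys are attested per manufacturer batch, and a physical touch is required) both show up in the WebAuthn authenticator data a relying party receives. The block below is an added example, not code from the thread, from Cloudflare or from any key vendor: it parses that structure and checks the user-presence flag and the AAGUID (the per-model identifier shared by a whole batch) against an allow-list. The RP ID, the allow-listed AAGUID and the byte strings are constructed; the attestation signature chain to the vendor root is deliberately not covered.

```python
"""Parse WebAuthn authenticator data and check user presence plus AAGUID.

Constructed example. Layout (WebAuthn spec, authenticatorData):
  rpIdHash(32) | flags(1) | signCount(4, big-endian)
  [ | aaguid(16) | credentialIdLength(2, big-endian) | credentialId | COSE public key ]
The bracketed part is present only when the AT flag is set.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

FLAG_UP = 0x01   # user present: the key was physically touched
FLAG_UV = 0x04   # user verified: PIN or biometric
FLAG_AT = 0x40   # attested credential data follows

RP_ID = "example.com"   # assumed relying party ID for this example

# Constructed allow-list of AAGUIDs (16-byte model identifiers). A real list
# would come from the vendors' published metadata, not from this file.
ALLOWED_AAGUIDS = {
    bytes.fromhex("11111111222233334444555555555555"),
}


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]


def parse_auth_data(data: bytes) -> AuthData:
    """Split authenticator data into its fields, raising on truncation."""
    if len(data) < 37:
        raise ValueError("authenticator data truncated")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credential id truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def check_registration(data: bytes) -> Tuple[bool, str]:
    """Relying-party checks on a registration response.

    Only the flag and AAGUID parts are covered; verifying the attestation
    signature against the vendor's batch certificate needs X.509 handling
    and is out of scope for this example.
    """
    try:
        ad = parse_auth_data(data)
    except ValueError as err:
        return False, str(err)
    if ad.rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not ad.flags & FLAG_UP:
        return False, "user presence flag not set (no touch)"
    if ad.aaguid is None:
        return False, "no attested credential data"
    if ad.aaguid not in ALLOWED_AAGUIDS:
        return False, "AAGUID not in vendor allow-list"
    return True, "ok"


def build_auth_data(flags: int, aaguid: bytes, cred_id: bytes, rp_id: str = RP_ID) -> bytes:
    """Construct test input in the same layout (COSE key omitted; signCount 0)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid
            + struct.pack(">H", len(cred_id)) + cred_id)


if __name__ == "__main__":
    good = build_auth_data(FLAG_UP | FLAG_AT, next(iter(ALLOWED_AAGUIDS)), b"\x01\x02\x03\x04")
    print(check_registration(good))
    print(check_registration(build_auth_data(FLAG_AT, next(iter(ALLOWED_AAGUIDS)), b"\x01")))
```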

      1. Graham Cobb Silver badge

        Re: Self-serving specification

        I think that depends on the model (and possibly even the configuration, if I remember correctly).

  6. chrisw67

    Financial interest?

    So which of the secure key providers does Cloudflare own?

  7. b0llchit Silver badge
    Facepalm

    From anonymous and cheap to expensive and tracking

    How does going from a bad, cheap and annoying anonymous solution to an expensive, personally identifiable and trackable solution benefit the user?

    Oh, I was mistaken, it is not about the user. Sorry to have spoken out loud.

    1. ThatOne Silver badge
      Devil

      Re: From anonymous and cheap to expensive and tracking

      > Oh, I was mistaken, it is not about the user.

      It's never about the user; such a quaint last-century notion!...

      Competing for market share and trying to seduce customers is tiring and expensive. It's so much easier to strong-arm them into compliance and make it very difficult (ideally impossible) for them to take their custom elsewhere. As an added bonus you don't have to pretend you care anymore (well, apart from some standardized empty formulas).

  8. Jamesit
    Facepalm

    I'm not human:-(

    I click the button and nothing happens. I may not like them much, however at least CAPTCHAS work for me.

  9. cantankerous swineherd Silver badge

    but who will drive the driverless cars?

    1. I ain't Spartacus Gold badge
      Devil

      I'll do it. I can't see properly (c. 5% of normal vision), and am not allowed to drive due to the danger to other road users. So I'd be perfect for Uber's self-driving car program...

  10. Muppet Boss Bronze badge
    Thumb Up

    I just walk away

    When I see a captcha I simply close the web page; I did not visit it to waste my time solving puzzles, and 99.9% of the content they protect is useless anyway. From my experience, most of the time the captcha turns on because they detect JavaScript is blocked, so they cannot show me ads and I am a useless freeloader for them too.

    If I see an especially annoying captcha where I am a paying customer (some airlines are notorious for that, well, used to be when the airlines were still flying) I just call their customer support and ask them to solve their puzzles on my behalf. Most of the time they are able to shortcut the whole nonsense right to the payment and send me the direct payment link.

    1. Blazde Silver badge

      Re: I just walk away

      Online supermarkets seem to be doing it lately post-login. I suppose airlines and supermarkets both attract bots trying to book slots, scrape prices constantly, or something like that?

      I'd like to suggest I get a pound every time a company I'm paying makes me do a captcha, to help motivate them to find less irritating solutions to their bot problem (maybe they should just put up with it?). But the truth is they can probably already see a greater loss of sales than that in their usage stats and yet they're still doing it.

      1. Znuff

        Re: I just walk away

        The amount of bots ANY web form gets is frankly just insane these days.

        Finding and blocking all possible bots would be an insane issue to tackle, and just too costly.

        Imagine spending millions of dollars every month on bot blocking techniques (because bots change and adapt constantly) when you could simply implement reCaptcha (mostly for free) and call it a day.

    2. Anonymous Coward
      Anonymous Coward

      Re: I just walk away

      I, however, do like puzzles so it would be great if Captchas could be replaced with a nice Sudoku or a single clue from Sunday's crossword. It might take me a lot longer than 32 seconds but I'll be happy the whole time.

      1. I ain't Spartacus Gold badge

        Re: I just walk away

        clue: Weary Postman?

        1st letter T

    3. DS999 Silver badge

      What you should do before walking away

      Is submit a bunch of wrong answers to the CAPTCHA to pollute Google's image AI and make it dumber

  11. Peter Prof Fox
    FAIL

    Shortcut that faulty tech-bloat

    That Cloudflare 'solution' is 'We once had some humanish behaviour and accepted it. Now the same source of keystrokes (verified by some e-key) is calling again.' So, fool the system once and you have unlimited free access. So (a) pointless (b) coach-and-horses fail.

    This is the same as giving Cloudflare an 'I am not a bot password.' That is easier to think about. It means (a) somehow I proved I wasn't a bot once (b) I 'remembered' my not-a-bot password. Same coach-and-horses fail.

    Back to the drawing board. My solution is a microphone that listens for "I AM NOT A FUCKING BOT GET ON WITH IT!"

    1. katrinab Silver badge
      Alert

      Re: Shortcut that faulty tech-bloat

      A virtual microphone driver that plays a recording of you saying that?

  12. mark l 2 Silver badge

    I doubt using a hardware key is going to catch on to replace CAPTCHAs; they might be annoying, but they don't require you to buy and carry around a separate piece of hardware, which I assume, if you don't have it available, will fall back to using CAPTCHAs anyway.

    I particularly find the Microsoft CAPTCHA on outlook.com annoying as it doesn't give me enough time to complete it before it times me out, so I have been going through the option for the audio CAPTCHA instead as at least that doesn't time me out. But I wonder how long it will be before bots can complete the audio CAPTCHAs and they are no longer effective.

    1. ThatOne Silver badge

      There is always a solution for the Bad Guys if they want to get past difficult CAPTCHAs: Sweatshops in 3rd world countries where real living humans solve CAPTCHAs for a couple cents and register user accounts for the bots to use.

      It doesn't matter if it's a picture or a sound, they are humans like any legit user, so all it changes is the Bad Guys have to spend a couple cents to get their bots in. You know when that happens because it takes weeks/months between the moment the new account is created and the moment it becomes active. I even think people registering aren't the ones using those accounts, they're just flogging them to those who need them for spamming or their bots.

  13. GioCiampa

    CRyptographic Attestation of Personhood

    Hmmm... potentially poor choice of words...?

    1. katrinab Silver badge

      Re: CRyptographic Attestation of Personhood

      See also: Challenge Response Authentication Protocol.

      1. Steve K Silver badge

        Re: CRyptographic Attestation of Personhood

        Challenge Response Authentication Protocol Featuring Enhanced Security Tokens

  14. Candy

    Cryptographic Attestation of Personhood?

    Sounds like CrAP to me...

  15. Cuddles Silver badge

    Hardware dongle

    "The user plugs the device into their computer or taps it to their phone for wireless signature (using NFC)... A cryptographic attestation is sent to Cloudflare, which allows the user in upon verification of the user presence test."

    OK, I need to check I'm not misunderstanding something here. Their proposal for humans to identify themselves as human and not a computer, is to get a computer to do it for them automatically. I'm really not clear on how this is supposed to help.

    1. nijam Silver badge

      Re: Hardware dongle

      > The user plugs the device into their computer or taps it to their phone

      Finding it amongst the stuff on my desk (assuming I'm at my desk) will take wayyyy longer than 32 seconds.

    2. Stanislav Bonita
      Facepalm

      Re: Hardware dongle

      Ha! Like I'm ever going to enable NFC on my phone...

    3. bombastic bob Silver badge
      Unhappy

      Re: Hardware dongle

      do it automatically while revealing your current cell phone number and IP address along with other personally identifying information that was gleaned the last 92 times you used this method.

      Would the 'app' that you would need to make this happen ALSO upload GPS tracking data from your location over the last several days so that "they" will know where you've been?

      yeah no tracking going on here. Nothing to see, move along...

      [it's bad enough when you use a credit card in a store AND online and when you visit the online page you see your in-store shopping history along with online history...]

    4. doublelayer Silver badge

      Re: Hardware dongle

      "OK, I need to check I'm not misunderstanding something here. Their proposal for humans to identify themselves as human and not a computer, is to get a computer to do it for them automatically. I'm really not clear on how this is supposed to help."

      It's supposed to help because it's an expensive computer that does it for them. If users all have to buy these, then it is more expensive to run automated attacks through them. Also, individual users won't buy multiples so they won't have multiple identities, meaning it's really easy to track their activity. This works until somebody gets their devices trusted and sells a block of keys to a botfarm, which should take a long time, maybe even a whole month. But if that ever happens, the company that did it gets delisted from the service, which cuts off the botfarm. Oh and also the people who legitimately bought and used that company's devices, too bad for them. Now we just have to find a new provider of keys so there's sufficient supply. I'm sure they won't do the same.

  16. Graham Cobb Silver badge

    Tracking

    This is a transparent attempt for Cloudflare to make more money from the web sites: this proposal doesn't do anything for proving there is a real person there, but it does allow Cloudflare to offer the site a permanent tracking ID for every visitor, based on this dongle/tab, even for people who disable javascript and cookies.

    What on earth makes them think that someone who disables javascript, uses an ad blocker and uses a fingerprint defender (which are the things that prompt the Captcha in the first place) will plug in a unique ID to let Cloudflare track them?

    1. DS999 Silver badge

      Re: Tracking

      Came to say this. NO WAY will I hook up a dongle with a unique signature linked to me that any web site can inspect. That would make Google and Facebook's tracking look positively pedestrian.

      And how is that going to work on a mobile device, are you supposed to hook a dongle up to that? Yeah, that sounds super convenient!

  17. Warm Braw Silver badge

    FIDO tokens are supposed to identify individuals, not generic humans

    A FIDO token has first to be enrolled with the service you intend to authenticate with - this generates a key pair, with the public key being retained by the service (in order to identify the token with a particular user the next time around) along with a "key handle" provided by the device to identify the service. Subsequently, the keys are used as a form of user authentication.

    This is done through a JavaScript API in the browser, which talks to the FIDO token. So the first thing any self-respecting bot-herder is going to do is replace the API with one that doesn't require a token and does the crypto in software - in fact it can probably fake most of it out.

    Meanwhile, for the blameless user, ideally, the U2F token would store the private key securely - in which case the storage space would soon be exhausted by multiple enrolments. In practice, most of the keys generate the "key handle" so that it contains the private key (encrypted under a master key on the token), meaning that the private key is actually stored by the service and not on the token (though the key is supposedly inaccessible without the master key). However, if the master key to your token subsequently turns out to have some cryptographic flaw, then potentially all your private keys are recoverable by any service you have enrolled with. And, of course, it means the next time you use the service, it knows you're a return visitor, because that's what the tokens are supposed to do. So, out of an abundance of caution, you probably don't want to use FIDO tokens except where there is a valid reason to prove your identity.

    So it's not just that you'd have to have a FIDO token to hand, you'd have to enrol that specific token in advance of using the "protected" service and present the same token the next time around, which would allow you to be tracked. [Edit: as Graham wrote above while I was being longwinded...]

    Apart from that, I'm sure it's a great idea.
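The key-handle mechanism Warm Braw describes, and the user-presence touch Nick Stallman mentions further up, as an added Python simulation that is not part of this thread or of any vendor's firmware: the token re-derives each per-service private key from its master key plus a nonce carried in the key handle, refuses handles it did not issue and refuses to sign without a touch, and the service maps a returning handle straight back to the enrolled user. HMAC keys stand in for the ECDSA key pairs of real tokens, and the names Token, Service and recover_from_handle are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed simulation of a U2F token deriving per-service credentials from
# one master key and handing the service a "key handle". Real tokens use ECDSA
# P-256; the standard library has no ECDSA, so a per-credential HMAC key stands
# in for the key pair and the service keeps a copy as its "public key".

class Token:
    def __init__(self):
        self.master = secrets.token_bytes(32)  # never leaves the device
        self.counter = 0                       # U2F-style signature counter

    def _priv(self, nonce, app_id):
        # Re-derived on demand: the token stores no per-service key.
        return hmac.new(self.master, b"priv" + nonce + app_id, hashlib.sha256).digest()

    def _tag(self, nonce, app_id):
        # Lets the token recognise its own handles and reject another token's.
        return hmac.new(self.master, b"handle" + nonce + app_id, hashlib.sha256).digest()[:16]

    def register(self, app_id, touched):
        if not touched:
            raise PermissionError("user presence required")  # physical touch
        nonce = secrets.token_bytes(16)
        return nonce + self._tag(nonce, app_id), self._priv(nonce, app_id)

    def authenticate(self, app_id, key_handle, challenge, touched):
        if not touched:
            raise PermissionError("user presence required")
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._tag(nonce, app_id)):
            raise ValueError("key handle was not issued by this token")
        self.counter += 1
        msg = app_id + challenge + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(self._priv(nonce, app_id), msg, hashlib.sha256).digest()


class Service:
    def __init__(self, app_id):
        self.app_id = app_id
        self.credentials = {}  # key_handle -> [user, pub, last_counter]

    def enrol(self, user, token):
        key_handle, pub = token.register(self.app_id, touched=True)
        self.credentials[key_handle] = [user, pub, 0]
        return key_handle

    def identify(self, key_handle, token, touched=True):
        # A returning handle maps straight back to the enrolled user.
        user, pub, last = self.credentials[key_handle]
        challenge = secrets.token_bytes(32)
        counter, sig = token.authenticate(self.app_id, key_handle, challenge, touched)
        msg = self.app_id + challenge + counter.to_bytes(4, "big")
        if counter <= last or not hmac.compare_digest(sig, hmac.new(pub, msg, hashlib.sha256).digest()):
            raise ValueError("bad assertion")
        self.credentials[key_handle][2] = counter
        return user


def recover_from_handle(master, key_handle, app_id):
    # What a flawed master key exposes: every private key, from handles the
    # services already hold.
    return hmac.new(master, b"priv" + key_handle[:16] + app_id, hashlib.sha256).digest()
```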

  18. Arthur the cat Silver badge

    I am human (beta)

    Pretty good summary of me first thing in the morning before I've had my cup of tea.

  19. Anonymous Coward
    Anonymous Coward

    The Internet whore

    The other issue with 99.9 percent of all known captchas is that they snuggle in the bosom of Mother Google.

    Luckily, she is no Internet whore, she is far too principled and trustworthy to harvest your activity for commercial purposes.

  20. DS999 Silver badge
    Mushroom

    I want a CAPTCHA solving browser extension

    Because once something like that exists and works, Google will have to give up on making humans teach its image classifier and it will be the end of CAPTCHA!

    Then those poor old advertisers will have to contend with all the fake impressions/clicks making online advertising worth less and hitting everyone involved in that shitty industry in their pocketbooks!

    Dare to dream, right?

    1. Charles 9 Silver badge

      Re: I want a CAPTCHA solving browser extension

      What's to stop them just making harder CAPTCHAs that your supposed extension can't break?

      Someone needs to demonstrate, conclusively, that there is NO way to tell a human from a well-trained bot, for two simple reasons. One, the use of a computer limits the inputs. And two, a bot, being a computer itself, can simply master and then fake ALL of them.

  21. Joseba4242

    4.5bn users times $20 is $90bn. Quite something created there, more than 10 times the UK music industry.

    So I'm saving 15 minutes per year, on average. That assumes it takes 0 seconds to find the device which is certainly not the case for me.

    Then add the time to select and buy the device. Then add the time to make this work on every single device which likely adds up to a few hours. Then the time to troubleshoot when it doesn't work. Then the efforts to take a tiny device with me anywhere because we don't already have enough in chargers, cables, adapters etc. Then add the time and cost to replace it when it gets lost.

    Seriously?

    1. rnturn

      How do I put this device on our home LAN so that it can be used to allow everyone in the family to browse from any computer -- and any TV -- that I wire up or connect to our WiFi?

      People have been pushing the idea of dongles since PCs were invented. I had coworkers that had multiple dongles connected to their printer port (one for AutoCAD, another for... you get the idea). Either the same thick-headed folks are still pushing the idea or a new generation is re-discovering the idea... and forgetting or ignoring how it failed in the past.

  22. msobkow Bronze badge

    Please buy our useless hardware so we can turn a profit off your paranoia and purported laziness.

    Operators are standing by...

    1. the Jim bloke
      FAIL

      Operators are standing by...

      ..actually,

      Scripts are standing by, to herd you through the purchase process, to acquire a device which will pretend to discriminate between humans and scripts..

      Whether it's humans or machines running the scripts is purely a matter of local economics..

  23. JWLong Bronze badge

    First Step

    Towards having everyone implanted with a biochip at birth.

    Maybe the industry needs to come up with software to be used for browsing the internet that doesn't permit the use of bots. Unlike all servers and browsers today.

    Of course that would block all tracking, sniffing, and probably most advertisements on the web. It will never happen.

  24. Intractable Potsherd Silver badge

    "... 500 years every day..."

    I've had those weeks, too.

  25. Nick Stallman

    I'm slightly disturbed by this article and comment section - do people seriously not know that hardware security tokens exist and how they work?

    I've been using a yubikey for years for security reasons. It's fantastically convenient and virtually unbeatable security-wise. Way better than SMS or 6 digit numbers for multi factor authentication.

    Sure if you don't have a yubikey already you aren't going to rush out to buy one just to beat some captchas, but I would have assumed a lot of this audience would already have them. Or they should be seriously thinking about getting one at least.

    1. doublelayer Silver badge

      I do have one already. They're great, as you've said, for authentication. Very key word, authentication. Where I wish to prove my identity to a service so they can identify that I'm me. That's their use case.

      I don't want to authenticate to a bunch of random sites with a unique key which identifies me particularly. I can access them anonymously now. Most don't even have captchas, but since it's Cloudflare suggesting this and they provide hosting for a lot of sites, it's not unreasonable to expect they'll expand the use of it. Also, the key I have doesn't work with a phone, because I don't tend to log into sensitive pages on it, but I do browse from it so I'd have to buy another key for that. So the general complaints apply to my situation without my having to have any problem with the keys themselves.

      1. Charles 9 Silver badge

        I'm wondering if it'll eventually have to come down to just that (authentication and identity at every site) simply due to the Tragedy of the Commons. Anything free will be exploited due to human nature, meaning some kind of restriction or regulation will become necessary just to keep things sane.

  26. Hey Lobotoman! CALL -151!

    So we store all our private keys in the device and...

    ...then we lose the device. Yay!

    I foresee a nightmare of cancelling old private keys and applying for new ones to store in our replacement devices when this happens. Or, are they suggesting there will be an in-built facility to back-up and replicate the hardware token that uniquely identifies me?

    (I see nothing about what happens when you lose your device on the fidoalliance web site)

  27. Anonymous Coward
    Anonymous Coward

    … and the test site doesn’t even support Apple FaceID

    Pretty basic fail, I would say.

  28. Real Ale is Best
    Boffin

    So basically

    So this is a system that swaps several minutes trying to work out what is in some fuzzy pictures, with many minutes trying to find your U2F key from wherever you put it after Google last asked you to sign in with it.

    Ok... And which of my two keys (and two backups) should I be using?

    I'm not completely certain, but I'm sure that leaving the key permanently installed in your computer's USB socket is not secure behaviour.

    Still, it's at least better than having to dig out your phone, start the Authenticator app and copy across the six digit code. If you can remember the right one to use.

  29. Anonymous Coward
    Anonymous Coward

    Cloudflare has called on the world to “end this madness”

    uh... I thought that them capchas were by cloudflare, mumbles a man not taking his eyeses off his screen...


Biting the hand that feeds IT © 1998–2021