I just saw the ReCaptcha thing for the first time on AskWoody.com, and immediately I was concerned. My browser is set to delete cookies early and often, so nearly all of the browsing of AskWoody.com I do is anonymous. I sign in before I make a post, at least in theory. I’ve managed to post anonymously by accident on many occasions, though, as all it takes is for that addon to delete the cookies and… not signed in anymore!
The ReCaptcha, thus, was showing for the anonymous post function, but the thing has been spreading like a virus lately. I’m seeing ReCaptchas on a host of sites upon which I never saw them before. So I signed in and, thankfully, no ReCaptcha on sign-in or to post while signed in. Whew!
The problem with these things is that I cannot solve them. I don’t know what they did in the last couple of months, but I either succeed only after many, many retries (takes several minutes) or I am told after all that haranguing that they can’t be sure I am not a bot, so go away.
I don’t know what the deal is. They seem to be really focusing on crosswalks, cars, buses, motorcycles, and traffic lights now (happy to help for free with your AI training for your self-driving car program, Google… not). I check off all the ones with buses, study it carefully to make sure, then click the button to accept it, and it tells me “please try again” and gives me another one. I have no idea what I am supposed to be doing, but I do not see any buses, crosswalks, etc., in those super grainy excuses for pictures.
I remember reading about the new “no Captcha ReCaptcha” the tech press breathlessly told us we’d soon have, but I’ve never seen it. Of course, when you know how it works, it’s obvious why it doesn’t work for me. Their “no Captcha” thing is based on allowing Google to track you. If they track you and they like what they see in the results of that tracking, you’re not given a challenge. On the other hand, all of my cookies get deleted dozens of times a day, certainly before and after using Google for anything. I’m also using Waterfox, and we’ve already seen the articles about how Google artificially downgrades their services for people not using Chrome, in what appears to be a blatant violation of antitrust law.
I recently read a presentation made by someone at one of the Black Hat conferences describing how he made a bot that can break Google ReCaptchas, and he said that one of the things that adds to the suspicion level is any browser that is out of date. Well, Waterfox is based on Firefox 56, which is seriously out of date, and banks all over the place complain about that even though it’s not Firefox and is fully patched (all of Mozilla’s security patches backported). The banks are basing that “out of date” on their misuse/misassessment of the user agent string. It’s not supposed to be used to decide whether someone should be allowed to access your site; at best, it should only be used to get an idea of what the browser is able to render, and even that’s considered bad practice.
I can change the useragent for Google domains, but the presentation says that useragents that disagree with the actual browser are another suspicion-adding thing, so it is able to grok out that it’s not actually Chrome, even if I change the useragent to say it is. If I change it to say it’s a newer Firefox than what it actually is, I wonder what effect that will have.
All of this means, apparently, that I am at the maximum suspicion level, and I get the hardest challenges. Which would be fine, of course, if they were not so hard that I am incapable of solving them. Are they supposed to determine whether I am a bot or just deny me access completely? I’m reasonably intelligent, and I know what a bus is, or a crosswalk, or a traffic light. I’m most assuredly not a bot. Even so, I have less than a 50% eventual success rate with a given login attempt, and that’s after round after round of time-consuming, insulting, frustrating puzzles that keep telling me I am wrong when I can’t possibly see how. The success rate after just one challenge is 0%. It never lets me in after just one.
The audio puzzles are much easier, I think… but I only managed to get one once. All the other times it tells me that my computer may be sending out automated requests (it’s not), so they can’t let me do the audio one to “protect other users.” Other users of what? The highway system?
The way it is now on AskWoody will actually be a benefit to me, I think, as now I know I won’t enter a message anonymously by mistake with that in place. I’m sure this was about avoiding the spam that clogs comment sections that allow anonymous, unmoderated comments, and that cause much consternation and gnashing of teeth for those that are moderated. It’s dismaying that it has to be Google providing the captcha, using us guinea pigs to train their UI and judging us based on whether we’re being good little tracking targets, but at least I can avoid it by signing in, which is what I want to do before posting anyway. On some other sites, I can’t even attempt to sign in without being blocked by a ReCaptcha.
I can understand how a given site might want to block bots from attempting to break into their users’ accounts, but can they at least wait until there’s been a failed login attempt before breaking out the weapons? I can’t even get into my account on some sites now. Maybe this is what they do… maybe someone has always been trying to get into my account right before I log in. As time passes and it happens each time I try to log in for weeks and months, though, that seems less and less likely.
One of those sites that recently added a ReCaptcha on login was Newegg, of which I have been a customer for many years. I just gave it another try now, and there was no ReCaptcha before signing in. What do you know!
I wonder if they responded to complaints like the one I sent them, or if there is some kind of anti-spam IP blacklist that they’re using. I use a big ISP with a coverage area containing tens of millions of people, and the pool from which my IP is drawn is huge as well. It’s entirely possible that someone who had my IP before I did deliberately or inadvertently (by being infected with malware) sent out spam or participated in other malfeasance, but that’s the nature of ISPs. By the time anyone blacklists a given IP, it’s very likely that the IP will belong to someone else, someone completely unconnected to the source of the spam, malware, DDoS, or whatever else. The individual actually at fault will also have a new IP address by then, of course.
That may have been what Newegg was doing, but other sites I use apparently just ReCaptcha everyone on every login attempt (since I’ve never seen them not have that ominous “I’m not a robot” box), or else they’ve blacklisted my entire ISP, which seems a bit heavy-handed and excessive.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
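The two checks the post describes, a site reading a browser version out of the User-Agent string and a bot detector noticing that the User-Agent disagrees with the browser actually running, can be illustrated in a few lines of JavaScript. This is an added example, not code from the post, from AskWoody, or from Google; the feature signals it uses (`window.chrome`/`navigator.userAgentData` for Chromium, `mozInnerScreenX` for Gecko) and the minimum-version table are assumptions chosen for illustration, not published reCAPTCHA or bank heuristics. The User-Agent strings are constructed sample inputs.

```javascript
// Added example (not from the original post). Shows (a) the fragile
// "is this browser out of date?" check that reads a version out of the
// User-Agent string, and (b) a cross-check of that claim against feature
// evidence the page can observe, which is how a UA edited to say "Chrome"
// still stands out on a Gecko build. All signals below are assumptions.

const UA_PATTERNS = [
  // Order matters: Edge's UA also contains "Chrome", Chrome's contains "Safari".
  { family: 'Edge',    re: /Edg(?:e|A|iOS)?\/(\d+)/ },
  { family: 'Chrome',  re: /Chrome\/(\d+)/ },
  { family: 'Firefox', re: /Firefox\/(\d+)/ },
  { family: 'Safari',  re: /Version\/(\d+)[\d.]* .*Safari\// },
];

// Assumed minimum major versions a site might enforce (illustrative only).
const MINIMUMS = { Edge: 100, Chrome: 100, Firefox: 60, Safari: 14 };

// What the User-Agent *claims*: browser family and major version.
function parseUserAgent(ua) {
  for (const { family, re } of UA_PATTERNS) {
    const m = re.exec(ua);
    if (m) return { family, major: Number(m[1]) };
  }
  return { family: 'Unknown', major: NaN };
}

// Feature evidence gathered in a real page from window/navigator.
// Each property is an assumed indicator, not a published detection rule.
function collectFeatures(win, nav) {
  return {
    chromium: (typeof win.chrome === 'object' && win.chrome !== null)
           || nav.userAgentData !== undefined,
    gecko: 'mozInnerScreenX' in win,
  };
}

// What the engine *appears* to be, judged from features rather than the UA.
function inferFamilyFromFeatures(f) {
  if (f.gecko && !f.chromium) return 'Firefox';
  if (f.chromium && !f.gecko) return 'Chrome';   // Edge is Chromium too
  return 'Unknown';
}

// Combine both: is the UA out of date by the table, and does it agree with
// the engine the features point to? `consistent` is null when there is no
// feature evidence either way.
function checkUserAgent(ua, features, minimums = MINIMUMS) {
  const claimed = parseUserAgent(ua);
  const inferred = inferFamilyFromFeatures(features);
  const chromiumFamilies = new Set(['Chrome', 'Edge']);
  let consistent = null;
  if (inferred === 'Chrome') consistent = chromiumFamilies.has(claimed.family);
  else if (inferred !== 'Unknown') consistent = claimed.family === inferred;
  const minimum = minimums[claimed.family];
  const outdated = minimum !== undefined && claimed.major < minimum;
  return { claimed, inferred, consistent, outdated };
}

// Constructed sample inputs: a Waterfox-style UA (Firefox 56 lineage) and a
// current Chrome UA, each paired with hand-built feature evidence.
const WATERFOX_UA =
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.2.14';
const CHROME_UA =
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ' +
  'Chrome/120.0.0.0 Safari/537.36';
const GECKO_FEATURES = { chromium: false, gecko: true };
const CHROMIUM_FEATURES = { chromium: true, gecko: false };

function runExamples() {
  return {
    // Genuine Waterfox: UA and engine agree, but the version table calls it old.
    waterfox: checkUserAgent(WATERFOX_UA, GECKO_FEATURES),
    // Same Gecko build with the UA edited to claim Chrome: no longer "old",
    // but now inconsistent with the engine the page observes.
    spoofed: checkUserAgent(CHROME_UA, GECKO_FEATURES),
    // Real Chrome: consistent and current.
    chrome: checkUserAgent(CHROME_UA, CHROMIUM_FEATURES),
  };
}

console.log(JSON.stringify(runExamples(), null, 2));
```

In a live page `collectFeatures(window, navigator)` would replace the hand-built feature objects. The point the post makes survives the example: changing only the string gets the "spoofed" result, so a site that keys on the UA string alone can be fooled, while a detector that also looks at engine behaviour is not, and a patched fork that keeps an old version number is penalised by the first check regardless of its actual patch level.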