HellCaptcha: Accessibility Theater at Its Worst
18 points by kwas
I like hCAPTCHA as a sighted user, so this is a very sad read.
Cloudflare Turnstile: Drop-in replacement for hCaptcha or reCAPTCHA.
- Privacy-first — no tracking, no fingerprinting.
I’m surprised to hear about anything from CloudFlare as “privacy-first”, to be fair. Maybe I’m biased and it has changed. Does anyone know offhand if it’s actually true?
In many cases? You don’t need a CAPTCHA at all. You’re not Google. You’re not running a global login gateway. If you’re just protecting a blog comment form or a contact page?
I really don’t think it’s true. We had to enable manual user approval in our bug-mfing-tracker (a Phorge, formerly Phabricator, instance) because otherwise it keeps getting spam links. We should look into something less obtrusive, but I know for a fact that anything that allows posting links absolutely does need a CAPTCHA.
Although I have no idea why that’s still the case, when search engines no longer use backlinks for ranking pages and the malicious links those bots post are so obviously malicious that no one would intentionally click them.
I used to run a MediaWiki instance for a router project. It would get overrun with spam with its standard, not too strong but accessible ConfirmEdit options. Sometimes the entire wiki would get replaced with spam overnight and I had to roll back its database. Eventually I wrote a custom ConfirmEdit plugin that required people to enter the broadcast address of a randomly generated IPv4 network.
That absolutely wouldn’t work for a general audience website, but network admins just know offhand that for 192.0.2.0/24 the answer will be 192.0.2.255 and so on. If someone didn’t know that, they weren’t qualified to edit the wiki, either. For many months, it solved all our spam problems. Then the wiki was overrun with spam overnight again.
Since the plugin was unique, there’s only one option: someone wrote a custom solver. For a rather small wiki of a relatively unknown project.
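The broadcast-address challenge described in the comment above, as an added example (not the commenter’s ConfirmEdit plugin, which was PHP and is not on the page): a generator that picks a random network with a /8 to /30 prefix, a server-side checker that normalizes and validates the submitted answer, and, to illustrate the point about the custom solver, the solver itself, which is one line of the standard library. The prefix range, field handling and `make_challenge` signature are assumptions made for this example.

```python
import ipaddress
import random
import secrets

# Constructed example: a "know your networking" challenge of the kind the
# comment describes. The prefix range /8../30 is an assumption; /31 and /32
# have no conventional broadcast address, so they are excluded.
MIN_PREFIX, MAX_PREFIX = 8, 30


def make_challenge(rng: random.Random = secrets.SystemRandom()) -> tuple[str, str]:
    """Return (challenge_text, expected_answer) for a random IPv4 network."""
    prefix = rng.randint(MIN_PREFIX, MAX_PREFIX)
    host_bits = 32 - prefix
    # Random 32-bit value with the host bits cleared, so it is a valid
    # network address for the chosen prefix length.
    net_int = rng.getrandbits(32) & ((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)
    net = ipaddress.IPv4Network((net_int, prefix))
    return str(net), str(net.broadcast_address)


def check_answer(challenge: str, answer: str) -> bool:
    """Server-side check: does `answer` name the broadcast address of `challenge`?"""
    try:
        # strict=True: the stored challenge must itself be a proper network address.
        net = ipaddress.IPv4Network(challenge.strip(), strict=True)
        given = ipaddress.IPv4Address(answer.strip())
    except ValueError:
        # Malformed network or malformed answer: treat as a wrong answer, never as a crash.
        return False
    return given == net.broadcast_address


def solve(challenge: str) -> str:
    """The 'custom solver' the comment mentions: for a uniform challenge format,
    the whole solver is a standard-library lookup. This is why a unique CAPTCHA
    buys obscurity, not strength, once someone decides it is worth automating."""
    return str(ipaddress.IPv4Network(challenge.strip(), strict=False).broadcast_address)


if __name__ == "__main__":
    text, expected = make_challenge()
    print(f"Enter the broadcast address of {text}")
    print("expected:", expected, "| solver says:", solve(text),
          "| check:", check_answer(text, solve(text)))
```

The generator accepts any `random.Random`-compatible object so tests can pass a seeded instance; production callers should keep the default `SystemRandom` so challenges are not predictable from earlier ones.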
Or, nowadays, “someone plugged it into a cheap LLM told to solve these”
Oh, that was sometime in 2016, way before LLMs, so someone had to take the time to write a solver by hand.
Now with LLMs, the barrier is even lower, of course.
hCaptcha is a nightmare for sighted users too, or at least for me. The use of generated imagery which is either not vetted or is vetted by people who have very different assumptions about the world means that I frequently can’t solve the first, second, or even third grid of images. At home, on my gigabit connection, that’s no issue; but on the go, especially if I’m out of fast data and am at 2G speeds, it can be insurmountable.
hCaptcha hates your users, or at minimum, doesn’t care about them. Use something else.
You insert a hidden form field that bots will fill out, but humans never see.
Does this actually work in this day and age?
It can work on a small scale, but I don’t think it would work if deployed on a large scale in a particular piece of software. Right now, it’s not worth the time of anyone writing comment spam bot software to code in something to deal with, for example, my specific bits of CSS and HTML that work quite effectively for my blog. But this would be different if it was a standard precaution deployed at scale in essentially identical form on every blog/etc that was using it; I’d expect the spam-bots to adapt to it relatively fast, and in the process they might develop a more general understanding of hidden CSS elements and so on.
“Privacy-first” from a company that does man-in-the-middle over half of the https domains is a little ironic.
Also on a related note, mandatory link to videogamedunkey’s video about captchas: https://www.youtube.com/watch?v=WqnXp6Saa8Y
I briefly used hCAPTCHA on a form on my website (in combination with a hidden form field that would reject the message if it were filled out), but I’ve never really liked the concept of captchas in general, so earlier this year I removed the captcha and just started using the hidden form field, with the idea that I’d go back to the captcha if I started seeing a bunch of spam. Haven’t gotten a single spam form submission.
(Also haven’t gotten a single real form submission either, but that’s another story :( )
Edit: it occurs to me that maybe I should set up a log query or something to let me know if this is because nobody (including bots) is filling out the form, or if I am getting a lot of bots filling out the form and none of them are succeeding. Maybe I’ll set that up sometime soon.
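The hidden-field honeypot discussed in the two comments above (the mechanism itself, and the follow-up about not knowing whether rejected bots or no traffic explains the silence), as an added example that is not either commenter’s code: a constructed HTML form whose honeypot is moved off-screen and hidden from keyboard and screen-reader users (so the anti-spam measure does not itself become an accessibility trap), a server-side classifier that rejects any submission with the honeypot filled, and a counter over outcomes so the operator can tell “nobody is submitting” from “bots are submitting and being caught”. The field name `website_url`, the CSS, and the sample submissions are assumptions made for this example; nothing here depends on a web framework.

```python
import collections
import logging

# Assumed honeypot field name: something autofill and form-stuffing bots like to populate.
HONEYPOT_FIELD = "website_url"

# Constructed form markup. The honeypot is moved off-screen rather than display:none
# (some bots skip display:none), and is hidden from assistive technology and the tab
# order so a screen-reader or keyboard user does not fill it in and get rejected.
FORM_HTML = f"""
<form method="post" action="/contact">
  <label for="name">Name</label> <input id="name" name="name" required>
  <label for="message">Message</label> <textarea id="message" name="message" required></textarea>
  <div class="hp" aria-hidden="true">
    <label for="{HONEYPOT_FIELD}">Leave this field empty</label>
    <input id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Send</button>
</form>
<style>.hp {{ position: absolute; left: -10000px; width: 1px; height: 1px; overflow: hidden; }}</style>
"""

log = logging.getLogger("contact-form")


def classify(form: dict) -> str:
    """Return 'accepted' or a 'rejected:<reason>' string for one submission (field -> value)."""
    # Whitespace-only is treated as empty so a stray newline does not reject a human.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "rejected:honeypot"
    if not form.get("name", "").strip() or not form.get("message", "").strip():
        return "rejected:missing_fields"
    return "accepted"


def handle_submission(form: dict, counts: collections.Counter) -> str:
    """Classify, count, and log the outcome. Only the outcome is logged, never field contents,
    so the log line is safe to keep and to query later."""
    outcome = classify(form)
    counts[outcome] += 1
    log.info("contact form submission: %s", outcome)
    return outcome


def summarize(counts: collections.Counter) -> dict:
    """The 'log query' from the comment: totals that separate silence from silent rejection."""
    total = sum(counts.values())
    return {
        "total": total,
        "accepted": counts["accepted"],
        "rejected": total - counts["accepted"],
        "honeypot_hits": counts["rejected:honeypot"],
    }


# Constructed sample traffic: two humans, three link-stuffing bots, one incomplete form.
SAMPLE_SUBMISSIONS = [
    {"name": "Ada", "message": "Hi, question about your post."},
    {"name": "Bot", "message": "buy now", HONEYPOT_FIELD: "http://spam.example/"},
    {"name": "Bot", "message": "cheap stuff", HONEYPOT_FIELD: "http://spam.example/2"},
    {"name": "Grace", "message": "Found a typo on page 3.", HONEYPOT_FIELD: " \n"},
    {"name": "", "message": "no name given"},
    {"name": "Bot", "message": "links", HONEYPOT_FIELD: "spam.example"},
]


def run_sample() -> dict:
    """Process the constructed submissions and return the summary."""
    counts = collections.Counter()
    for form in SAMPLE_SUBMISSIONS:
        handle_submission(form, counts)
    return summarize(counts)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(run_sample())
```

If the summary shows `total` near zero, the form is simply not being found; if `honeypot_hits` is high and `accepted` is low, the honeypot is doing its job. Either way the decision about whether to bring a CAPTCHA back rests on numbers rather than on the absence of inbox mail.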