I use Firefox and Firefox Mobile on the desktop and Android respectively, Chromium with Bromite patches on Android, and infrequently Brave on the desktop to get to sites that only work properly with Chromium (more and more often - another whole separate can of worms too, this…) And I always pay attention to disable google.com and gstatic.com in NoScript and uBlock Origin whenever possible.

I noticed something quite striking: when I hit sites that use those hateful captchas from Google - aka “reCAPTCHA” that I know are from Google because they force me to temporarily reenable google.com and gstatic.com - statistically, Google quite consistently marks the captcha as passed with the green checkmark without even asking me to identify fire hydrants or bicycles once, or perhaps once but the test passes even if I purposely don’t select certain images, and almost never serves me those especially heinous “rolling captchas” that keep coming up with more and more images to identify or not as you click on them until it apparently has annoyed you enough and lets you through.

When I use Firefox however, the captchas never pass without at least one test, sometimes several in a row, and very often rolling captchas. And if I purposely don’t select certain images for the sake of experimentation, the captchas keep on coming and coming and coming forever - and if I keep doing it long enough, they plain never stop and the site becomes impossible to access.

Only with Firefox. Never with Chromium-based browsers.

I’ve been experimenting with this informally for months now and it’s quite clear to me that Google has a dark pattern in place with its reCAPTCHA system to make Chrome and Chromium-based browsers the path of least resistance.

It’s really disgusting…

  • Skull giver
    41 year ago

    You have to do something to stop the bots. Any website allowing user generated content without CAPTCHAs in either submission or account creation is absolutely full of spam.

    There are a few open source CAPTCHAs. Those are simple enough that anyone with a GPU can train a network against them and defeat every website using them.

    The difficult ones for trivial bots are Google’s and Cloudflare’s. Both work by observing the user, doing some kind of behaviour analysis, and making you click boxes. Between Google and Cloudflare, I’m not sure which one is worse to be honest. At least the Cloudflare one is easy to bypass with their Privacy Pass addon, I suppose.

    I tried running a website without CAPTCHA of some sort, but bots ruin everything. They’re indistinguishable from real people with real browsers, use real consumer IP addresses (through botnet and shady VPN addons), and are rented out for pennies per spam post. No website is safe.

    Twitch has found an alternative solution against bots: fingerprinting the browser. That’s why you can’t log in with resistFingerprinting enabled on Twitch. Honestly, I prefer CAPTCHA in that case.

    There is progress within the IETF to make a somewhat privacy preserving standard based on Apple’s and Cloudflare’s work (which is much less intrusive than Google’s attempt) but it’ll require signatures generated by a validated root of trust, either online (having the device/OS vendor hand out limited tokens per device) or through local hardware (secure boot + TPM, making browsing the web through Linux incredibly hard).

    I’m pessimistic about the future of bot detection. If you think your privacy is being violated now, prepare for things to get worse.

    You can try to avoid Google’s CAPTCHAs by just not using websites using them, and maybe contacting the website owners with suggestions for alternatives. I doubt they’ll bother, but it’s worth a shot for the few websites that do care.