I can tell you on the small level asking a simple question to activate the form action stops 99% of spam. Something like "What color is snow?" Granted, with a well trained "AI" system solving these questions would be trivial but I have yet to see it in practice.
Sounds easy, but at this point everyone is trained to solve these captchas and implementing the questions is not a quick thing either on a bigger scale (Translations, cultural differences, bots easily bypassing them etc.). I've used captchas on my sites before because bots were just hammering the login form, checking checkboxes and causing me to rack up email sending bills.
Sorry for nitpicking but you need a puzzle that is knowledge-agnostic (be it cultural or scientific), otherwise you're guarding your site from both bots and people unfamiliar with the concept of or lacking the pre-existing knowledge necessary to solve the puzzle.
What colour is snow is close but you can't assume that everyone knows what snow is, let alone what colour it is. This includes both people with disabilities and in parts of the world where there is no snow...
I agree, and thankfully we're dealing with mostly regional visitors to small local business/organization websites. Not a global audience. That being said, it's hard to think of a simple question, with little to no ambiguity.
One example is for a landscaper: What is the color of healthy grass?
The answer is "green" of course, but grass is common in our region. That question would not work in a culture or region unfamiliar with "lawn grass".
Yes, I would go for simpler stuff (word or digit puzzles) and package it in a way that is friendly for screen readers. So... No images or video, or at least one alternative to them that at the same time does not make it easy for the bots...
This has the added benefit that translators will be forced to come up with a translation that makes sense when your project gets to a point that it needs i18n.
> What colour is snow is close but you can't assume that everyone knows what snow is, let alone what colour it is. This includes both people with disabilities and in parts of the world where there is no snow...
Google will happily ask you to point out which squares contain fire hydrants. Is there a captcha that meets your standards?
Yes, I also saw the post about the fire hydrants the other day. No I was not able to confirm that fire hydrants are shown in countries in which they are not a common sight.
However, I am far from arguing in favour of reCAPTCHA. It is also an example of shit CAPTCHA that also bans people. I am often one of these people.
No there is no example of a CAPTCHA-as-a-service that I know of that I would be fine to impose on my users.
> There are no humans that know the word snow who don’t know what colours Snow is
Sorry, I don't follow, English is a second language to me, but how does this stand against my statement that 'many people don't know the concept of snow, let alone what colour it is'?
There's no reason for an English language website to cater to people who don't know what snow is. How can it be discriminatory to have a question a user can't comprehend, when they won't be able to comprehend the rest of the website either? Even blind people who can read English Braille and input text in English know that snow is white, even if they've never seen it.
If a website is multilingual, it can offer language/region selection and add appropriate questions for each of them.
I did not say it was discriminatory -- I stick to basic terms -- you may inadvertently be guarding against people who for one reason or another don't possess the knowledge to solve the puzzle. For example I could copy over an integral from one of my undergrad exams. 'Please calculate the value of the integral and enter it in the field below' (completely accessible to screen readers as well). This would effectively ban not only people who have not taken a calculus class, but many of my uni colleagues who have happily forgotten everything about calculus after they took their exams 10 years ago...
Another example for an inadvertently hard puzzle, this time due to a lack of knowledge as a consequence of being part of a different culture, would be asking US people what colour the edelweiss is. In my country children learn about it in first grade if not in kindergarten. Another -- asking Europeans/US people what colour romduol is... I don't consider this discriminatory, I don't consider people in the US or Europe uneducated because they cannot solve such a simple puzzle... It is just poor/lazy/stupid design that fails the single requirement to block bots and only bots. And I get it 'I would just google it'... But how many conversions will you lose if a considerable part of your users need to google something to go to the next step of your funnel? It's just inexcusably shit UX...
You would indeed be fine with the 'snow' question if your site must only be visited and used by fellow citizens of your country (where citizens implies similar education -- both cultural and scientific). You would indeed be fine if you can make sure the puzzle will be translated intelligently (including the solution) if your site may be used in a foreign country or by users speaking the language in your own country.
I usually cannot make any of these assumptions for any of the projects I work on. The site's audience is but a whim of the Product team, and i18n is outsourced to (once) translation agencies and now directly to an LLM... This can even be done (and frankly should be done) without the knowledge or input of the dev team. Also, neither translators nor LLMs can be expected to understand that they must come up with basically a new puzzle that will not be hard for people that use the specific language. And I as a developer that does not speak the specific foreign language, while I can roughly validate their translation (if by any chance it passes by me for review and I go above and beyond what is expected of me and pass it through a translation service) and return it with feedback for fixes, I cannot rely on them abiding by the feedback, or on how long it would take... Those are a lot of unknowns to consider these assumptions reliable, and it seems much less effort to come up with a simpler puzzle that contains the answer in itself... Its effectiveness against spam will be exactly the same.
Also, you will definitely not be fine if your puzzle contains a concept foreign to a considerable part of people who can't for example see or hear. You would also not be fine if your puzzle's technical implementation makes it impossible to be perceived by them. The latter part is very simple to get wrong. For example, one of the best ways to protect any site from blind people is to implement a hero image slideshow that steals the focus on each slide. Their screen readers' focus gets moved each second and they literally cannot perceive, let alone navigate the site...
Finally, none of the peculiarities above excuses straight up going for reCAPTCHA. Even if you don't give a f about your users' data EU users can and will get you in trouble with EU regulators exactly when you get to a scale at which CAPTCHA use is a necessity. There's a cultural difference for you.
There are two alternatives I'm aware of, one is Attestation of Personhood[1] proposed by Cloudflare, the other is a proof-of-work[2] which the Tor project have themselves introduced[3].
While I get the draw, I never understood how PoW is ever supposed to work practically.
PoW tasks are meant to work on a wide range of mobile phones, desktops, single-board computers, etc... you have vastly different compute budgets in every environment. For a PoW task that is usable on a five year old mobile phone, an adversary with a consumer RTX 50 series card (or potentially even an ASIC) can easily perform it many, many, many orders of magnitude faster.
I understand that, but what I'm saying is that due to the wide gulf between the compute budget of the slowest device one is meant to support and a couple commodity VPSs adversaries need anyway to conduct a DDoS or to spam, there is ostensibly no extra cost.
In fact, all you are doing is slowing down legitimate clients with old equipment and doing nothing against adversaries.
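The asymmetry argued above can be put in numbers with a hashcash-style proof of work, the scheme the thread is discussing in its SHA-256 form. This is an added illustration, not code from any of the commenters or from the Tor or mCaptcha projects: the server issues a random challenge, the client must find a nonce whose SHA-256 digest starts with a given number of zero bits, and verification costs the server a single hash. The hash rates used in the last two functions are assumed figures, not measurements.

```python
import hashlib
import math
import os


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest (the 'difficulty' a solution meets)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()  # zero bits before the first set bit
        break
    return bits


def issue_pow_challenge() -> bytes:
    """Server side: a fresh random challenge so solutions cannot be precomputed."""
    return os.urandom(16)


def _digest(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve(challenge: bytes, difficulty: int) -> int:
    """Client side: brute-force a nonce; expected cost is about 2**difficulty hashes."""
    nonce = 0
    while leading_zero_bits(_digest(challenge, nonce)) < difficulty:
        nonce += 1
    return nonce


def verify(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Server side: one hash, regardless of how hard the puzzle was to solve."""
    if not 0 <= nonce < (1 << 64):
        return False
    return leading_zero_bits(_digest(challenge, nonce)) >= difficulty


def difficulty_for_budget(hashes_per_second: float, seconds: float) -> int:
    """Largest difficulty whose expected work fits the slowest supported client's budget."""
    return int(math.floor(math.log2(hashes_per_second * seconds)))


def expected_seconds(difficulty: int, hashes_per_second: float) -> float:
    """Expected solve time at a given hash rate (expected attempts / rate)."""
    return (2 ** difficulty) / hashes_per_second


if __name__ == "__main__":
    # Assumed, not measured: ~50 kH/s for an old phone in JavaScript, 1 GH/s for a GPU.
    d = difficulty_for_budget(50_000, 2.0)
    print("difficulty sized for a 2 s budget on the slow client:", d)
    print("expected solve time on the slow client:", expected_seconds(d, 50_000), "s")
    print("expected solve time on the fast client:", expected_seconds(d, 1e9), "s")
    c = issue_pow_challenge()
    n = solve(c, 12)
    print("nonce", n, "verifies:", verify(c, n, 12))
```

Whatever difficulty is chosen so that the slowest legitimate device finishes in a couple of seconds, a client hashing four to five orders of magnitude faster finishes the same puzzle in well under a millisecond, which is the commenter's point; the scheme only raises the cost of a flood of requests, never the cost of a single slow one.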
I've seen a PoW CAPTCHA https://github.com/mCaptcha/mCaptcha and at the time it did not make any sense to me. I would still get spam, just a tiny bit slower, and spammers would have to expend more resources for just my site, which would barely register on their bill.
I bet that requiring JS stops more spam than the PoW itself. Can anyone who tried it chime in?
Oh, I see, it's effective against 'someone [who] wants to hammer your site'. That is usually never the case with my sites. I do get a steady stream of spam, but it is quite gentle as to not trigger any WAFs. The load comes from LLMs scraping this everliving shit of my sites and fortunately they don't seem to bother with filling in forms...
You are not missing something, you are finding it: the game theory of bots vs anti-bots is subtle and somewhat different from regular software engineering and cyber security.
For the most part bots wish to be hidden and sites wish to reveal them, and this plays out over repeat games on small and large scales. Can be near-constantly or intermittently.
The bot usually gets to make the first move against a backdrop that the anti-bot may or may not have a hand in.
Perhaps you think all PoW algorithms are still crackable by ASICs? A few years ago that was the case, but some years ago Monero developers made a breakthrough with RandomX. Now it is no longer true that a GPU or ASIC can outperform a typical consumer device to the extent that you seem to imagine. The Tor project uses a similar algorithm, I think with the same developer contributing to it as RandomX. It is nothing like Bitcoin's SHA256 PoW - with that, the performance of an ASIC does indeed mean a consumer PC becomes completely useless at the algorithm.
Will RandomX work on the old cell phones, via a JavaScript interface only?
The website says: "Fast mode - requires 2080 MiB of shared memory. Light mode - requires only 256 MiB of shared memory, but runs significantly slower"
If you want your website challenge to work on the cheap phone - slow CPU, with little memory, and when implemented in JavaScript, you'd have to tune complexity way down. And when a modern PC with a fast CPU and tons of memory tries to solve it... it probably will take only a few milliseconds, basically being useless.
I don't know, I don't understand the details and your reasoning is confusing for me. My understanding is that the effectiveness of particular hardware is complex to predict; it depends on the sizes of the CPU caches and effectiveness at certain instructions, and the algorithm can of course be tuned in all sorts of ways. The Tor project is already using it so presumably it is working for them to some extent. More info here: https://blog.torproject.org/introducing-proof-of-work-defens...
Since this was focused on v2 and other interactive captcha, the alternative is to upgrade to new versions that don’t do so. Still some downsides (and the study does address very briefly the use of AI to trick v3), but at the very least it does address some of the concerns.
Important to note though that as AI gets more accessible then the downsides of v3 start to weigh more.
I've been using Truesign [0] for several months and been impressed with the results, it detects bots, VPNs, disposable emails and suspicious traffic patterns all in one. I use it to protect my payment form but it seems it can also protect APIs.
For a lot of places where I've encountered captchas, they could just do nothing. Simple rate limiting should probably be the next step. It's not one-size-fits-all of course.
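As an added example of the "simple rate limiting" step suggested above (not code from the commenter or from any product mentioned in the thread), this runs a per-IP sliding-window limiter over a constructed access log and reports which form submissions would have been refused. The log lines, the addresses (documentation ranges), the `/login` path and the limit of 5 submissions per 60 seconds are all assumed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

LIMIT = 5            # submissions allowed per source address per window
WINDOW_SECONDS = 60

# Constructed sample log: timestamp, client address, method, path.
SAMPLE_LOG = """\
2024-05-01T12:00:00 203.0.113.5 POST /login
2024-05-01T12:00:03 198.51.100.7 POST /login
2024-05-01T12:00:05 203.0.113.5 POST /login
2024-05-01T12:00:10 203.0.113.5 POST /login
2024-05-01T12:00:15 203.0.113.5 POST /login
2024-05-01T12:00:20 203.0.113.5 POST /login
2024-05-01T12:00:25 203.0.113.5 POST /login
2024-05-01T12:00:30 203.0.113.5 POST /login
2024-05-01T12:00:35 203.0.113.5 GET /about
2024-05-01T12:00:40 198.51.100.7 POST /login
2024-05-01T12:00:45 203.0.113.5 POST /login
2024-05-01T12:01:05 203.0.113.5 POST /login
"""


def parse_line(line: str):
    """Split one log line into (unix seconds, ip, method, path)."""
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts).timestamp(), ip, method, path


class SlidingWindowLimiter:
    """Keeps the timestamps of recent hits per key; allows a hit while fewer than
    `limit` hits fall inside the trailing window."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # refused; not recorded as a hit
        q.append(now)
        return True


def apply_limiter(log_text: str, limit: int = LIMIT, window: float = WINDOW_SECONDS):
    """Replay the log through the limiter; only POSTs to the form are limited."""
    limiter = SlidingWindowLimiter(limit, window)
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path = parse_line(line)
        limited = method == "POST" and path == "/login"
        allowed = limiter.allow(ip, ts) if limited else True
        decisions.append((ip, path, allowed))
    return decisions


def denied_count(decisions) -> int:
    return sum(1 for _, _, allowed in decisions if not allowed)


if __name__ == "__main__":
    for ip, path, allowed in apply_limiter(SAMPLE_LOG):
        print(f"{ip:14} {path:8} {'ok' if allowed else 'RATE LIMITED'}")
```

Refused requests are not recorded as hits, so a client that keeps hammering the form does not push its own window forward indefinitely; the last line in the sample shows the window sliding, since the two oldest hits have aged out by then and the submission is accepted again.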
And if you ever get so big that people start writing bespoke software to break your CAPTCHA, then investing some more engineering effort into it will quite likely not be a problem.
Of course reCAPTCHA is also still vulnerable to the use of a mechanical turk so even giving away your users' data won't save you.
I've come across a CAPTCHA on a website I was scraping that was absolutely terrible. It had 10 multiple-choice image answers, with a question to click the image that had "X". Their implementation didn't even have a nonce, so I would just attempt every single answer and get past it.
I think we need to critically re-evaluate what it is exactly we are doing on the internet, how we do it, and examine existing assumptions. For instance, do we really need all services to be centralised? Do we really need services to be "free" (part of the payment is selling your data ok). A server serving static files doesn't care about bot users, but apps... why would you let a stranger use your cpu/ram over the internet? I know I am not providing an answer but I believe we need to take a look again at all of these before we try to come up with an answer
Who are "we" and what are "we" going to do with the answer once "we" come up with it?
For example, there is someone's personal blog, which is beset by comment spammers. The blog's owner is tired of deleting spammy comments, and does not want their comment section to look like a garbage bin, so they want some bot protection. The website's author is not that technical, so they do some googling and install reCaptcha (or cloudflare) and this cuts off bad comments to 1/week, which is easy to clean manually.
So in that story, who should be re-evaluating what, and what answer do you expect?
(keep in mind the blog's author cannot host their own captcha service / AI bot detector, as they are not proficient enough to install all the required dependencies for such a complex task, nor is their VPS powerful enough to keep it running.)
"we" is another word for "the people building the systems living on the web"
Once "we" come up with the answer we are going to build based on the newly defined assumptions.
Here is what critically re-examining everything means: Do I really need to have a comment section? And if I do, shall I be the one responsible for managing its technical infrastructure? The answer could be to use an off-the-shelf solution in your particular story. When you pivot to the side of the off-the-shelf solution developers who actually need to do the spam filtering, then answers may differ, as will assumptions.
Edit: What are your thoughts on the mechanism Hacker News has used to reduce bot comments?