If you are a web developer trying to keep spambots out, DO NOT use reCAPTCHA. It is an unethical privacy invasion that follows people around the Web and stops disabled people from accessing information or services for no good reason.

Instead, just ask a (very) simple logic puzzle from a decent-sized set. Ask the questions in regular text and give an option to change puzzles. Switch out the library of puzzles occasionally. This will stop the vast majority of spambots.



> If you are a web developer trying to keep spambots out, DO NOT use reCAPTCHA. … Instead, just ask a (very) simple logic puzzle

How does the effectiveness of using logic puzzles compare to using honeypots hidden with CSS/JS? (if the site already requires JS)

(Done poorly, those can be even less accessible than reCAPTCHA, but I'm talking about well-done versions that don't have accessibility issues)

@codesections A field that is hidden and/or says "leave empty" is a sort of logic puzzle of its own. That's the kind of level of "very simple" I'm talking about. Not much more complicated than giving them instructions in their natural language and seeing if they follow them. Not enough to be any challenge for a human, but very hard for a computer. We're approaching the level at which machine learning will be able to solve these, but such tools aren't widely deployed in spambots.

@codesections If you're a web user, and don't like Training Google's GD ML AI Dragon:

1. Request audio.

2. Repeatedly respond with "Fuck you, Google."

3. The algo will eventually let you in.

4. Bonus: all audio interpretation trends to "Fuck you, Google".


@dredmorbius @alexbuzzbee

Or, you can replace steps 2–4 with pitting Google's toys against one another, and have the audio Captcha solved by Google's speech-to-text algorithm:

@alexbuzzbee @codesections I don't have empirical evidence, but the general idea with both Turing tests and honeypots is to develop a reputation sense of the remote party. Each has pros and cons; *both* can be used together. Honeypots risk false positives, TTs both false positives and negatives. A key problem is that there's no really reliable, durable, expensive (e.g., sockpuppet-proof) remote reputational token we have yet. #HardProblems

@alexbuzzbee when I had this problem some years ago, I just implemented a captcha field with whatever random question. The captcha response text box was hidden in CSS.

So, no human would ever fill it out, but all bots would. It was 100% effective.

@celesteh @alexbuzzbee this might be true. Although screen readers are pretty smart these days.

It wasn't a perfect solution, for sure.

@rysiek @alexbuzzbee GitLab implemented such a thing recently, but apparently it didn't help when it was tried on the Pleroma GitLab instance :(

@alexbuzzbee Also, as a user: file bugs / issues with service providers who *do* rely on reCAPTCHA telling them that you find this practice unacceptable.

Possible reasons:

1. Privacy / surveillance.
2. Privatising results of crowdsourced intelligence.
3. Potential military / antisocial applications of technology.
4. Other (think of your own).

I regularly do this.

@Darkness_89 Yes. reCAPTCHA uses Google's tracking infrastructure as part of its human-detection algorithm (which is why I always have to answer the second step), and it is part of that tracking infrastructure. reCAPTCHA widgets monitor your activity on the page before, as, and after you click the checkbox. Supposedly this helps with the human detection, but it's also being sent to Google.

@alexbuzzbee dang, Google won't leave any stone unturned for info mining.

@alexbuzzbee Also learn about rate-limiting, logic isn't that accessible (I actually tend to dump the math ones in the calculator).

@alexbuzzbee I'd love to expand my repertoire of puzzles. Currently, I give three words and ask the user to type all three in a box with the first one in all caps. I feel alright with it since I'm the only user, but it won't work with s2t which is a downer. Do you have any good suggestions?

@alexbuzzbee I love when people nowadays ask for such things in such a self-confident way, though they know well that this is all lost, and you are not even able to _just_ _conserve_ what works fine _today_!

You lost that war around a decade ago... Just nobody has (wanted to?!) notice then...

People do all that Google stuff, because it's cheap and it's 'typical' and 'accepted' in the mainstream nowadays...

@alexbuzzbee I agree. I have so many problems with CAPTCHA. Sometimes it takes me over 5 minutes to get through, it forces me to open up connections to Google as I remove them in my hosts file and I know it's a tracking issue. I've requested to site admins not to use it and the typical response I get is "We have no current plans at the moment to move away from CAPTCHA". Sometimes if I face goog captcha and what I'm doing is not paramount I opt out. So see it as a potential barrier to clients...

@alexbuzzbee also generate it in JS and most spam bots will not even see it.

@curufuin This isn't accessible; many screen readers and low-resource browsers do not process JavaScript.

@alexbuzzbee do you have an example, usable in WordPress and/or Drupal ideally? Just so I get an idea what to do? Right now I do not use any reCAPTCHA, but if I am in the need...

@alexbuzzbee I found that a very simple reverse captcha also does the trick. Add a checkbox or text field, call it "I agree" or "url" or something. Hide it with CSS. Anyone who fills this in is a bot.

Works perfectly for spam. Works less well for targeted brute-force attacks and DDoS, though.

@berkes Make sure you implement your hiding correctly; there are many ways to "hide" something in CSS that still show up in screen readers or low-footprint browsers.

@alexbuzzbee Sure!

<div style="position: absolute; left: -5000px;" aria-hidden="true">

for example. ARIA should work for screen readers.

Here's my tiny backend handling a contact form, using reverse captcha:

@berkes I believe that would still show up in Lynx. Doesn't HTML5 have a hidden attribute? I'm pretty sure display: none works in most screen readers and in Lynx, as well.


aria-hidden complements display:none. Or overrides it.

aria-hidden is exactly the HTML5 attribute for this.

@alexbuzzbee yea. But if you use that, spammers won't see the elements either :D

So, you cannot be perfectly accessible, because that would mean that you're explaining to bots "don't use this field", which is the exact opposite of what you want.

@berkes This is why I recommend simple puzzles. Just a (visible) field specifically labeled as "leave blank" is enough to stop nearly all spambots.
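Putting the two ideas from this thread together (a visible field labelled "leave blank" and a small library of plain-text puzzles the user can switch), here is an added server-side example; it is not code from anyone in the thread. The puzzle bank, field names, the HMAC-signed puzzle token and the 10-minute expiry are all my own assumptions; the puzzles are chosen so they still work when answered via speech-to-text.

```python
"""Spam check for a web form: a visible "leave this blank" field plus a simple text puzzle."""
import hashlib
import hmac
import secrets
import time

# Constructed puzzle bank (question, expected answer). Swap it out occasionally, as the
# thread suggests; answers are compared case-insensitively so dictation still works.
PUZZLES = [
    ("Which of these is a colour: seven, blue, chair?", "blue"),
    ("What is the last word in this sentence?", "sentence"),
    ("Write the number four as a digit.", "4"),
    ("Which day comes right after Monday?", "tuesday"),
]
SECRET = secrets.token_bytes(32)  # assumed per-process key for signing the puzzle token
TTL = 600  # assumed lifetime of a puzzle token, in seconds


def _sign(puzzle_id, issued):
    """HMAC over puzzle id and issue time, so a bot cannot mint tokens for a known puzzle."""
    return hmac.new(SECRET, f"{puzzle_id}:{issued}".encode(), hashlib.sha256).hexdigest()


def issue_puzzle(puzzle_id=None, now=None):
    """Pick a puzzle (or the one the user asked to switch to) and return the question
    text plus a signed token the form must echo back."""
    now = int(time.time()) if now is None else now
    if puzzle_id is None:
        puzzle_id = secrets.randbelow(len(PUZZLES))
    return PUZZLES[puzzle_id][0], f"{puzzle_id}:{now}:{_sign(puzzle_id, now)}"


def render_fields(question, token):
    """Form fragment: the puzzle is ordinary text and the trap field is visible and
    labelled, so screen readers and text browsers get the same instruction a human does."""
    return (
        f'<label>{question} <input name="puzzle_answer"></label>\n'
        f'<input type="hidden" name="puzzle_token" value="{token}">\n'
        '<label>Leave this field blank: <input name="leave_blank"></label>'
    )


def check_submission(form, now=None):
    """Return True only if the trap field is empty and the puzzle answer matches."""
    now = int(time.time()) if now is None else now
    if form.get("leave_blank", "").strip():
        return False  # the written instruction was ignored: treat as a bot
    try:
        pid, issued, sig = form.get("puzzle_token", "").split(":")
        pid, issued = int(pid), int(issued)
    except ValueError:
        return False  # malformed token
    if not hmac.compare_digest(sig, _sign(pid, issued)) or now - issued > TTL:
        return False  # forged or stale token
    if not 0 <= pid < len(PUZZLES):
        return False
    return form.get("puzzle_answer", "").strip().lower() == PUZZLES[pid][1]
```

Rotating PUZZLES (and the key) changes the answers a spambot would have to learn, and the hidden-by-CSS trick from earlier in the thread is deliberately not used here, so the check behaves the same in Lynx, with a screen reader, or with JavaScript disabled.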


Fosstodon is an English-speaking Mastodon instance that is open to anyone who is interested in technology, particularly free & open source software.