Ask HN: Any good FOSS alternative to Google's reCAPTCHA?

[+] simongr3dal|5 years ago|reply

Cloudflare recently moved away from Google's reCAPTCHA to hCaptcha.

Announcement: https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptch... Discussion on HN:https://news.ycombinator.com/item?id=22812509

[+] superasn|5 years ago|reply

hCaptcha is the worst most buggy captcha service I have ever encountered. As a matter of fact digital ocean recently added that to their login screen and it made my life a complete nightmare. The fact I had to solve it everytime I wanted to login, I genuinely decided to leave their infrastructure and move to AWS regardless of the higher bill.

But I must give 100% points to DO support. Before leaving them I sent one last support ticket to DO with the recording my nightmare in a mp4 file and lo and behold they changed their entire login flow for me (1). I no longer see that and life is good again.

(1) https://imgur.com/a/GKJHhtT

[+] adtac|5 years ago|reply

Not sure how this is FOSS?

[+] motyar|5 years ago|reply

hCaptcha is annoying. I see it every time I open codepen and few other website.

[+] unknown|5 years ago|reply

[deleted]

[+] whatsmyusername|5 years ago|reply

Yes, and it made half the web unusable. Getting captchaed twice in 60 seconds is an immediate bounce from me.

[+] ignoranceprior|5 years ago|reply

It's not FOSS though, is it?

[+] OpFour|5 years ago|reply

I use hCaptcha on multiple sites and honestly, it does the job well. To those who claim it hurts business, yes it adds an extra step to the verification process but it also keeps you and the rest of my visitors safe.

It almost feels like that the inconvenience of using a multi-layered system equates to the people who want to get back to eating in restaurants while in the midst of a pandemic and will then complain if they catch Covid-19...

[+] vortico|5 years ago|reply

What is your use case? I get exactly 0 spam on my website (of 100,000s of users) by simply writing my user registration page in a nonstandard way that bots aren't familiar with filling out automatically. It uses JS to `fetch()` a custom API endpoint and then redirects to the homepage.

Or for example, a fixed question "What color is the sky?" or something can reduce spam by orders of magnitude relative to nothing at all.

[+] bo1024|5 years ago|reply

I think a "honeypot" HTML input field works well for anything not written explicitly to target your site. If any text is entered, mark as bot/spam.

    <form>
    <div style="display:none">
    If you are human, please ignore this field:
    <input type="text" name="Name" value="My Name">
    </div>
    Name:
    <input type="text" name="actualfield">
    </form>

Bots can't resist. Accessibility is fine, I think.

(Edit: suggested earlier elsewhere in the thread by tyingq: https://news.ycombinator.com/item?id=23090550 )

[+] Symmetry|5 years ago|reply

A website I use used to have a question of "How do you spell 'blue'?" Then a bot figured it out and they had to change it to "How do you spell 'green'?".

[+] orblivion|5 years ago|reply

This gets me thinking. What we're looking for here is a way for "small" players to be able to survive without having to lean on Google. But small players are smaller targets for bots. So they don't need to take drastic measures. Once you can get big enough to be noticed by more sophisticated bots, you would be more likely to be able to afford a more sophisticated defense.

[+] VWWHFSfQ|5 years ago|reply

how do you handle blind or colorblind visitors

[+] pleasecalllater|5 years ago|reply

> "What color is the sky?"

Well, the answer is obvious:

> The sky above the port was the color of television, tuned to a dead channel.

I hope this is the good answer you support on your page.

On the other hand there is no one answer to this question, as the proper answer should begin with "it depends...". Currently, the sky is totally dark grey, storm is coming. Soon, it will be dark, so the sky will be black.

I think your "captcha" is broken.

[+] rapnie|5 years ago|reply

Here are some [0] and if your submission is not on there, pls consider PR'ing it. OP is right, we need more alternatives.

[0] https://github.com/ZYSzys/awesome-captcha

[+] kdeldycke|5 years ago|reply

Just answered you call at: https://github.com/ZYSzys/awesome-captcha/pull/15 :)

[+] web007|5 years ago|reply

Do you need a CAPTCHA? Or do you need to slow down / stop spammers? Consider hashcash [1] instead of CAPTCHA if #2 is your goal. It can be used in any place where real users interact with your site at almost zero effort on their behalf, and can slow down spamming enough to make you an unattractive target.

I have a terrible / incomplete / janky proof-of-concept version at [2] that you could build from, or you could find one that was built for your CMS / language du jour.

[1] https://en.wikipedia.org/wiki/Hashcash

[2] https://github.com/007/hashcash

[+] gbmor|5 years ago|reply

> [2] https://github.com/007/hashcash

Looks like your repo is https://github.com/007/hashcash-js

But, cool! Thanks for sharing.

[+] throwayzz-|5 years ago|reply

Proof of work is better IMO

[+] tmlee|5 years ago|reply

We are trying out https://www.hcaptcha.com/ in our application.

It's not FOSS, but seem to be a viable alternative to give a go. So far it does the job, though the images load a little bit slower than recaptcha

[+] vmednis|5 years ago|reply

I'm not a big fan of hCAPTCHA at it's current form. The challenges seems so much harder than reCAPTCHA ones and I keep failing them. The images are just extremely low quality. Maybe I'm a bot.

[+] pot8n|5 years ago|reply

It's way worse than Google's for me. I am using Firefox and I don't even try anymore whenever get exposed to it on any Cloudflare website.

[+] whatsmyusername|5 years ago|reply

I suspect you will see a considerable bounce rate once you switch. Pretty much the day Cloudflare flipped over half the web became 'captcha every 5 seconds' garbage.

Some sites that are the only source of what I'm looking for will be fine, but most I just bounce from now.

[+] tyingq|5 years ago|reply

If you aren't a big target, sometimes just a visually hidden form field that shouldn't contain anything is good enough.

[+] judge2020|5 years ago|reply

That's if you aren't a target at all, which is only applicable for very few services. Any inexperienced attacker could use burp suite or inspect element to see and imitate this hidden field.

[+] pedrogpimenta|5 years ago|reply

Oooo, I like this, thanks for the tip :)

[+] beshrkayali|5 years ago|reply

Previous reCAPTCHA discussion, with some alternatives https://news.ycombinator.com/item?id=20158386

[+] alexandernst|5 years ago|reply

A quick search revealed the following:

* https://github.com/Lokno/click-captcha

* https://www.phpcaptcha.org

* https://source.netsyms.com/Netsyms/Captcheck

[+] thanksforfish|5 years ago|reply

Click-captcha has tiny touchpoints, so I fail a couple times on mobile, just from that. Phpcaptcha has autocorrect enabled on the text box, so "alk" was changed to "all", causing a fail. Captcheck worked well.

[+] juliend2|5 years ago|reply

I know it's not as usable for visually impaired people, but I kinda like those that ask you to drag a piece of puzzle on an image : https://github.com/ArgoZhang/SliderCaptcha

[+] ehonda|5 years ago|reply

I second phpcaptcha.org.

[+] moviuro|5 years ago|reply

What's your threat model? Maybe a CAPTCHA is not your only or not even a good solution. What about blind users? or with some other disability?

Think: rate-limit, IP rating/scoring, your own filter on messages, etc.

[+] Belphemur|5 years ago|reply

Latest version of recaptcha doesn't even require any solving.

It just analyse the traffic and give the site owner a score [0.0 - 1.0] on how sure they are the visitor is human.

They don't explain how they calculate the score, but from my usage it's pretty accurate. They suggest to consider at first anything higher than 0.5 to be a human.

[+] londt8|5 years ago|reply

Just FYI: google recaptcha works with screen readers too and blind users can use it.

[+] dkdk8283|5 years ago|reply

Yep. Apache beam with fraud detection heuristics.

[+] majkinetor|5 years ago|reply

I just did research few days back, and there are none that aren't passable with some OCR/tensorflow tech. Anything simple and the question is why do you need it ? Anything hard enough for bots not to beat it will also fail many humans.

Add rate limiter instead and put CF infront or something similar. Way better experience then any captcha.

In case you still want it here is solid one:

https://github.com/dchest/captcha

[+] LaurentS|5 years ago|reply

Not exactly answering the question, but I recently used aliexpress.com and their captcha system is super easy: it shows a sliding button like the one to answer a call on a phone. The prompt just asks you to slide it to validate your input. Not sure how it works, but it sure is a much better UX than when I have to spend 3 minutes identifying for hydrants. Maybe we could make a FLOSS version of it?

[+] renewiltord|5 years ago|reply

The common recaptcha is just a "check box to prove you're human" if Google knows you even slightly otherwise.

[+] hexandcube|5 years ago|reply

But is that good for accessibility?

[+] zzo38computer|5 years ago|reply

What some wikis do is just asking a question (in text) that you can then type in the answer (and if you don't know, can look it up in a book, Wikipedia, Google, or whatever you want to look it up, or ask someone who does know the answer). I think that work much better than reCAPTCHA.

[+] LordHeini|5 years ago|reply

I would say it really depends on your use case.

Lets say you have a comment section on your site where any user can write stuff.

More often than not a hidden field which should not be filled (the honeypot method) and a spam filter gets the job done no problem.

For registrations it can be more problematic because the spam filter does not work that well.

I have yet to find a good alternative to commercial captchas as well but rolling your own solution is possible.

And probably even the best idea because if every site has its own weird system it would make the life of bots quite hard.

In the end a dedicated attacker can always hire people to fill the captchas and circumvent any system for an astonishingly low amount of money.

[+] false_kermit|5 years ago|reply

I just want a version of captcha that isn't tied to my google account. This is particularly an issue on anonymous message boards like 4chan. If google wanted to, they could tie pretty much every 4chan post to a google account.

[+] nerdbaggy|5 years ago|reply

Problem is CAPTCHA is a hard problem to solve now days. It’s not like before when you can just display and image and ask what the letters are. It takes machine learning, lots of training data, etc.

[+] amelius|5 years ago|reply

Also it has to take into account that the puzzle may be sent to a farm of human puzzle solvers. Or that the puzzle is sent to unsuspicious users of another website.

I think this is what makes Google's approach powerful because they have the best view on IP addresses used worldwide. (Whether that's desirable is still another question).

[+] ParadisoShlee|5 years ago|reply

I've found https://github.com/koto-bank/kocaptcha

[+] three_seagrass|5 years ago|reply

Latest reCAPTCHA isn't even detectible. It runs in the background of the browser and gives predictions for bot traffic.

The days of reading images as validation are going to be one of those "remember when" moments on the internet.

[+] bjoli|5 years ago|reply

It is not really a captcha, but I used email for people to submit comments to my website. You could rely on a third party mail provider for for filtering, which would make it even simpler.

[+] unknown|5 years ago|reply

[deleted]

[+] flatiron|5 years ago|reply

I wonder what all those darkmarkets use. I assume they are pretty resilient!

133 comments