Benferhat | 11 years ago

I found a demo[0] via this old forum thread from August[1].

Obviously there are privacy concerns. That being said, this looks like a boon for anyone interested in bot detection, as you can periodically challenge your users' humanity without getting too much in their way. Nice one, Google.

From the thread:

Implemented it successfully for a website. I have to say, it works great!

it also checks if html pages are changed at runtime and how many times you "reload" the page where the captcha is. When it thinks you are a bot a captcha popups, when entered, it got checked on googles servers if it's right and fills in a hidden input. When the user submits the form, the filled in captcha coded, again, will be verifed. [sic]

[0] http://www.google.com/recaptcha/api2/demo

[1] Edit: don't go to this url without adblock (see comment below). http://forum.ragezone com/f144/googles-captcha-recaptcha-1023607/

markbao|11 years ago

The key post from that page:

"Since it goes through Google's servers, they can verify a lot of things. Whether you are logged in currently to google, have you been logged in the past, verify your activity on your IP address, etc. Even if you signed in from the same ip or ip range like a year ago, they can still tell it's you based on your previous actions."

jackhammer|11 years ago

That makes sense.

If I click from a normal tab I don't see a captcha, but if I click from a privacy tab I do.

korzun|11 years ago

So if you are in a remote location or do not fit a specific demographic you are basically a robot.

muglug|11 years ago

Beware: that second link launched a popup in my browser to a "Super Mario Game" which, in turn, pushes you to install a spammy Chrome extension called ArcadeYum.

stevenh|11 years ago

Why does Google bother with so many minor script-related security enhancements in Chrome that will barely affect anyone (such as extra HTTP headers allowing for bonus layers of XSS protection just in case the site's developers weren't smart enough to cover all possible injection angles) if they are going to also let random untrustworthy developers abuse their extension installation API to achieve over 750,000 installs of a mysterious/shady/useless browser extension that inexplicably asks for permission to read and write to the DOM on every single page of every single site the user ever visits in the future, and which very obviously only exists for the purpose of doing the exact same kinds of terrible things that XSS prevention was conceived of in the first place in order to stop?

Benferhat|11 years ago

Thanks for the heads up, I missed it due to adblock. I made the link non-clickable and added a warning.

meowface|11 years ago

This seems to be following Cloudflare's (and Incapsula's and all the other competitors') approach to bot detection. Basic automatic, silent bot challenges (non-invasive JavaScript and DOM tests) which, if failed, give a one-time captcha prompt.

Scoundreller|11 years ago

Which has the side-effect of making the site inaccessible to TOR users with JS turned off.

brkn|11 years ago

Isn't the example in [0] already used on various sites? I at least used it on the Humble Bundle site and saw it on other sites too.

Benferhat|11 years ago

They seem to have done a small early beta over the summer, I guess they got in early.