Wow it looks like CloudFlare's new CAPTCHA both requires Javascript 100% and requires disabled people to sign up and set a browser cookie. And signing up requires solving a CAPTCHA. So fuck disabled people I guess.

Oh my god the website for the new CAPTCHA system CloudFlare uses (hCAPTCHA) is horrid: It pays CloudFlare and RUNS ON A FUCKING BLOCKCHAIN

It even has some shitty terms and conditions that require you're 18 to solve the CAPTCHA and allows them to look up your identity to verify it's real if you sign up (such as if you're disabled)

I'm fuming because somehow CloudFlare now has a WORSE CAPTCHA than Google's. reCAPTCHA was barely accessible but this is just inaccessible by design. Absolutely disgusting.

What absolute ghouls CloudFlare are for switching to a brand new CAPTCHA service (did they fund it? create it?) that treats even more disabled people as second-class citizens, literally dehumanizing them by classifying them as bots instead of humans.

I say it treats even more disabled people as second-class because CAPTCHAs by design are anti-accessibility. There's simply no way to make a CAPTCHA accessible to computer-based assistive technologies but not computer-based malicious technologies. reCAPTCHA for example provided visuals and audio, but excluded deafblind people who would need something like braille AKA plain text.

By using CAPTCHAs you are making your website less accessible on purpose which is terrible on its own, but you justify it by saying it stops bots or only allows humans. You are dehumanizing people by placing criteria on what it means to be human that excludes disabled people. You classify disabled people as non-human. Even more importantly: You are making these human variations not just variations but disabilities. You are the problem.

Oh btw shoutout to @ajz for tooting a picture of this new CAPTCHA so I learned about it :D

@jookia please tell me it at least has an audio alternative.

@pitermach To my knowledge it does not, exactly why I'm very angery.

@pitermach To be absolutely clear: This is all only if it flags you as a bot. So if you aren't using a VPN or Tor with privacy extensions that stop trackers you can still just click the checkbox and it will be fine.

@pitermach So for instance, my blind friend can just click the box since they don't use those and I assume their browser isn't flagged. But there's been cases on other websites that require them to solve a CAPTCHA, and if they used this CAPTCHA then it would be unsolvable.

@pitermach Ultimately it's up to the web developer whether to be strict or lenient about CAPTCHAs, and there's now financial incentive to give people CAPTCHAs.

@jookia @pitermach
Looks like either an oversight, or the impact of not mitigating attacks is greater than blocking a small portion of users. I would believe that the cross-section of disabled people AND Tor/tracker blocker users AND sites that have the Cloudflare interstitial is not that big.

Do you know of an effective (at Cloudflare's scale) captcha that is easily usable by 100% of web users?

@gileri @pitermach Nope, but that's not my problem to figure out. If technology is inherently discriminatory, then it shouldn't be used.

@gileri @jookia @pitermach
>the impact of not mitigating attacks is greater than blocking a small portion of users

thats indeed the reasoning websites use (and why they stick with cf, it means they dont have to hire a security / attack mitigation team who actually knows what theyre doing, as well as pay for hardware firewalls, bandwidth, etc)

doesnt mean its the right stance to take though. not the right solution to the problem. its unfair for sites to show favouritism toward certain users and tell the rest to fuck off, basically, by serving them hostile error pages and unsolvable captchas and "get a modern browser, goy" messages. its pathetic how few people actually care about doing the right thing on the web

@wowaname @pitermach @jookia
Again, the website owner chooses the level of security, by making compromises (see picture). Not CF. I don't think any 100% anonymous and perfectly usable by every person captcha can exist, but please disprove me :)

(image taken from

@gileri @pitermach @jookia
>the website owner chooses the level of security

~90% of them dont. if a software/service developer chooses a shitty config default, then it's the developer's fault, not the end user's. users shouldn't have to fine-tune everything down to the letter, nor do they want to waste time doing that. if they did, they wouldnt be using a canned service to do the work for them

>I don't think any 100% anonymous and perfectly usable by every person captcha can exist, but please disprove me :)

sorry for proving you right then: i don't think such a captcha can exist either. my point is that cf is using captcha for the wrong purpose here. captcha is often misused—it's like an X/Y problem, people typically want to stop spam or abuse, not necessarily bots

@gileri @jookia @pitermach and yeah the triangle you posted is a tough nut to crack. i'm committed to blurring the lines though, even though it will take a *lot* of work, it wont be done overnight, and it'll require rethinking a majority of the infrastructure we use today. people settle for mediocre, are inertial to change (understandable, because it's a large setup cost to improve systems), but we need to let go of stuff that just doesnt work and figure out better alternatives

also, tangential comment: you linked to "privacy pass" article on cloudflare's blog. i just wanted to note that i tried that extension one day: to get credits or whatever they're called, you still need to solve a captcha, so it doesn't do a great job at subverting the issues that people have with cloudflare and captcha. also, in the extension comments section, people seem to have all-around issues with the extension just not working, so make of that what you will

@wowaname @pitermach @jookia Yeah I hoped they implemented another challenge, but they didn't yet (I only linked it to source the image)

Imagining they fix the bugs, I don't see how a person could possibly prove its humanness without any visual/audio challenge nor providing its identity.

@wowaname @pitermach @jookia Regarding blocking bots vs spam/abuse: I think that detecting the latter is a lot harder than the former. But anyway either approach will have false positives and negatives.

@gileri @pitermach @jookia

>I don't see how a person could possibly prove its humanness[…]

yeah me either and like i said, i dont think its the right issue to be solved

>either approach will have false positives and negatives

i'll just give a quick anecdote to show my experience with the issue. i have maintained web services in the past, and i maintain other web services nowadays. i have made use of local-generated captcha out of laziness, either for account registrations or post submissions (and one time i fucked it up by implementing a figlet captcha, for the text-browser users, that was trivial to crack, lmao). but that aside, as far as dealing with hostile bot traffic, usually the solution for me has been to just throw a caching mechanism into the mix, or serve sites statically. that cuts down on a majority of the abuse i get on my resources, and just leaves me with having to deal with whatever margin of spam i get

for my fedi instance at least, i havent seen much spam yet, and that's with no captcha on registration + no email verification + allowing tor. it's pretty nice, and it's why i hold such a strong prejudice against people who block tor. things like that dont tend to be the issue; ive seen dedicated spammers and trolls make use of non-tor proxies and other botnets in order to abuse services

@jookia @pitermach cloudflare is absolutely disgusting and is *still* hostile to tor users, despite claiming to care about tor and privacy, thats brilliant

@wowaname Yeah. Make sure you don't forget to follow

@jookia @pitermach So if you care a lot about privacy, and for that reason use a VPN or Tor, you are screwed. Even if you don't use those, but blocked Google stuff for good reasons, you are screwed if the website decided to use ReCaptcha. You cannot get in without compromising your privacy.

On most sites, when that ReCaptcha pops up, I simply close the tab. If you don't want us, we go. If you want to fight bots, use "honeypots" (hidden form fields) instead.

@IzzyOnDroid @pitermach Yes, but now it's hCAPTCHA which doesn't have audio CAPTCHAs and has financial incentive to give people CAPTCHAs.

@IzzyOnDroid @jookia @pitermach i know im necro-ing the thread but i came back to this when linking to someone who said "oh cool cloudflare ditched recaptcha." i linked this and suddenly their optimism faded away

but i realised, cloudflare is solving the wrong problem, and outright mismarketing their services to people. it isn't just anti-ddos or l7 security, it's anti-bot which makes no sense on the web. plenty of innocuous crawlers, scripts, and useragents that dont match a graphical modern browser profile (not even talking the fringe group of lynx/w3m users, but shit like APIs and wget) where, no, there *isn't* a human involved but it's still valid to necessitate access to the site

this is why i utterly hate people using cf for their fedi instances (small exception for media hosting but still i think no cf entirely is better). because admins dont seem to realise that the cf model of "automated traffic = bad" is entirely counter to how fucking federation works

@jookia One web development and marketing company uses a form, with an internal label of "email" but showing a label something like "If you are human, keep this blank. This is to prevent spam." Not sure how well it works, but with captchas, one has to keep updating and refining because there are going to be tools to solve them which could be used for spam as well. You have to also find new, creative ways of distorting and messing with the audio. Really, simple is best in these cases, and creating moving targets isn't it.

@devinprater Yeah so my favorite type of CAPTCHAs are simple text-based question/answer ones to do with the website topic itself. Like on a kosagi novena forums it asks something like 'how many bits are in a byte' and you write '8' and it's all fine.

@jookia That's actually a really good idea. I've not thought of that one before.
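
The two alternatives raised in the posts above (a visibly labelled keep-blank field, and a plain-text question about the site's topic) can be checked server-side without JavaScript, images or audio. This is an added example, not code from anyone in the thread; the field names `email`, `contact` and `answer` and the accepted answers are assumptions.

```python
import unicodedata

# Hypothetical form layout assumed for this example:
#   "email"   - decoy; visibly labelled "If you are human, keep this blank."
#   "contact" - the real e-mail address
#   "answer"  - reply to a plain-text question about the site's topic
DECOY_FIELD = "email"
QUESTION = "How many bits are in a byte?"
ACCEPTED_ANSWERS = {"8", "eight"}


def normalise(text):
    """Fold case and Unicode width, then trim spaces and end punctuation."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return folded.strip(" \t.!?")


def check_submission(form):
    """Return (accepted, reason) for a dict of submitted form fields."""
    # Browsers send empty text inputs as empty strings, so a missing decoy
    # means the request was not produced by submitting the served form.
    if DECOY_FIELD not in form:
        return False, "decoy field missing"
    if form[DECOY_FIELD].strip():
        return False, "decoy field filled"
    if normalise(form.get("answer", "")) not in ACCEPTED_ANSWERS:
        return False, "wrong answer"
    return True, "ok"


# Constructed sample submissions, not real traffic.
SAMPLES = [
    {"email": "", "contact": "a@example.org", "answer": " Eight. "},
    {"email": "", "contact": "b@example.org", "answer": "８"},
    {"email": "x@spam.example", "contact": "", "answer": "8"},
    {"contact": "c@example.org", "answer": "8"},
    {"email": "", "contact": "d@example.org", "answer": "16"},
]


def run_samples():
    return [check_submission(form) for form in SAMPLES]


if __name__ == "__main__":
    for form, result in zip(SAMPLES, run_samples()):
        print(result, form)
```

Browser autofill can populate a field named `email`, so a filled decoy is better answered with a message asking the user to clear the field than with a silent drop.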

@jookia it seems like every day Cloudflare do something for me to hate them more

@jookia Ah, classic Cloudflare and many people still trust it.

Even though they should not, but there isn't much that you can do against it.

Let's hope that GNUnet becomes a thing.

@jookia Ha, also I stumbled on this issue. It might be a good way to find an alternative.

@jookia It's all pretty sad and unfair. As it often happens, people just say they care while actually they don't. Especially disgusting is that Cloudflare earns money from solved hCaptchas.
Anyways, there is something you can do though:
They treat you like a bot, then you treat them like just another annoying obstacle on your way.
For now you'll need some skills to use that solution, but we're working on making this as easy as
Good day to you.
