Cloudflare drops Google reCAPTCHA in favor of hCaptcha
Cloudflare announced plans to drop Google's reCAPTCHA service in favor of hCaptcha last week on the official company blog.
Cloudflare offers many features for webmasters and site owners. One of the features acts like a firewall. It blocks known malicious traffic automatically, allows traffic by humans, and displays a captcha if traffic is encountered that could be malicious or legitimate.
Captcha, which stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart, are displayed in the latter cases as a verification step. Ideally, captchas are designed so that humans can pass them easily while bots will fail to pass them.
Cloudflare has been using Google's reCAPTCHA service (which Google acquired in 2009). Up until now, use of reCAPTCHA was free for the companies that implemented it. Google did get something in return as it used the service to train visual identification systems. The choice made sense from a business perspective as it was free, scaled thanks to Google's vast network of servers, and was effective (according to Cloudflare).
Privacy concerns were raised even in the early days as Cloudflare customers were concerned that reCAPTCHA was operated by Google. Additionally, Cloudflare noticed that reCAPTCHA was having issues in some regions such as China as Google services are often (or always) blocked there.
Plans formed to switch to a different provider. Google announced in 2020 that it would start to charge for the use of reCaptcha. Cloudflare started to look at other captcha providers to find a suitable alternative as it would be too expensive to continue using Google's solution.
Cloudflare picked hCaptcha and provides several reasons for that:
- The company does not sell personal data and collects only minimal data.
- Performance was "as good as or better than expected".
- Includes solutions for visually impaired and "other users with accessibility challenges".
- Supports Privacy Pass.
- The solution works in regions in which Google is blocked.
- The hCaptcha team "was nimble and responsive".
The business model of hCaptcha is similar to that of Google. The company charges customers that need "image classification data" or tasks. The company pays publishers who install the solution on their sites.
Both companies agreed on a different business model because of Cloudflare's scale. Cloudflare decided to pay hCaptcha and push most of the technical load on its own platform to make sure that the solution will scale well.
Closing Words
It remains to be seen how well the switch from using Google's captcha solution to the new solution will go. Privacy conscious Internet users will probably like the decision because Google will no longer have anything to do with the display of captchas on sites that use Cloudflare.
Now you: What is your take on the decision?
With Google’s shit it’s funny… I’ve seen some sites which say they offer private/secure mail so you think you’re giving Gmail the middle finger when Google’s there for your alternate sign up.
And then there’s hotmail over there, sitting in the corner going, “Google..” “Google..” sucking it’s thumb.
What is your take on the decision?
As long as Privacy Pass keeps working and improving, I could care less about this change.
Beyond that, we likely don’t know all that’s going on with this change, so it’s rather silly to speculate with our opinions here.
I have noticed the switch when it happened a few days ago. This is a vast improvment. I have a particular site I access only through Tor, it’s protected by Cloudflare, and getting to it is hell. hCaptcha is so much easier to solve.
In fact, when that site used reCaptcha, I never tried to solve it, because I knew I would be thrown in an endless loop of “try another one” (I used another trick to get in).
I don’t like this. recaptcha v3 is awesome and can automatically detect if you are human without clicking anything.
Cloudflare wants to switch to inferior captchas just to save money.
Screw them.
I generally close any site that prompts for a Google Captcha. Not worth the hassle.
Will likely do the same for sites that use hCaptcha.
All of these systems are easily defeated by anyone who wants to defeat them, so they only serve to annoy and waste the time of actual users.
Source for “easily defeated”? Or are you just another talentless hack talking out their behind?
I can’t be so optimistic about the switch as you Martin.
I convinced that Google has gotten enough data right now concerning the reignition possibilities and sometimes Its good to switch to divert the attention.
This so Google can pick up the project later maybe even under another name like maybe even hCaptcha.
Right now Google is once more proven with the development with the corvid-19 app were there getting all positions, they can handle. I think there right now need all the computing power they have for this snooping in people’s privacy and therefore resting this less interesting for Google project reCAPTCHA or even hCapta.
This new Google Corvid-19 location app is the new spreading worldwide illness that satan Google is spreading wit the complete help from governments. Big Brother (Nineteen Eighty-Four) from Orsen Wells is now happening.
Maybe even the corvid-19 virus is spread by Google company so they can implement this worldwide information app because now Google can handle this much information with there new Quantum computers.
And you know the saying “It’s now different to be bitten by the cat or the (Hell) dog (Cerberus)?
Does hCaptcha maybe have for now unknown technical possibilities to measure what we are doing who you and I not yet familiar with?
We know what we had in this case and were not quite sure what we getting.
Not sure this article can be considered journalism of any value, did the author of this article personally reach out to a nominated rep at Cloudflare to confirm and further explore this announcement? Or is this a late repost from some other site’s article about a press release?
Let’s not let this site devolve in to another ZDNet uncritical press-release dumping ground site please.
I’m not sure why you’re “not sure”, as this report is simple, and links to the official news release from Cloudflare. As such, whatever you’re going on about is at best moot, and more so rather crazy.
TIP: Go start a Cloudflare hate group on Facebook.
I can’t believe that anyone who has used hCapthca would think this is a good move.
reCaptcha is intuitive and easy to use, hCaptcha is anything but.
Their ‘bounding box’ & ‘comparison’ challenges are far inferior (from a user’s perspective) to Google’s challenge(s).
Are you saying “Click in all traffic lights” is easier than “Click in all train pics”?
Hcaptcha us faraway less annoying that the stupid google thing.
@Anonymous
I disagree, but then unlike most users, I’m a genius.
recaptcha is only intuitive because we’ve lived with it for many years. I don’t think hcaptcha is particularily less intuitive.
“…regions in which Google is blocked”
i.e. on any device which I will ever own! :-)
Seriously though, I get hit with captchas a lot, simply because I use a VPN 100% of the time. I abandon those websites if they try to force me into that stupid game, or I use anonymous view to access them if I care enough.
you say that, but you should consider the other side of things, as a webmaster it helps protect my servers from bots who maliciously crawl/scrape content causing the server to be overloaded (talking thousands of requests per seconds here). My only other option would be to shut down my websites or disable any form of input(search forms, etc which imo would hurt the user experience more). It would cost me many hundreds more than I am already paying for servers to handle the kind of load generated by non-humans. I think that tradeoff is acceptable but that’s just my opinion of it.
Cloudflare is a pain in the butt – with or without captchas.
“Checking your browser before accessing whatever.what.
This process is automatic. Your browser will redirect to your requested content shortly.
Please allow up to 5 seconds…”
Feels like an eternity. Fast browsers, for what? To get slowed down by methods like those? Cloudflare is simply annoying as hell. Period.
“Cloudflare is a pain in the butt”
The attacks it is protecting from are real. Talk to some webmasters of sites targeted with DDOS attacks and bot spam (thousands of messages or uploads in seconds) by government hackers and criminals. Cloudflare is the only thing stopping these sites from being down completely. Even with Cloudflare attacks are still getting through.
im pretty sure that 5 second one is for ddos protection & captchas is to prevent bot…
And how many sites are really affected of it? It’s like to slow down everyone, just because “maybe” the site could be attacked. Most likely never, but better save than sorry? Lame excuse for me. But well. Complaining about doesn’t change anything.
hi martin.
i am very glad about this great news which you published.
thanks extremely for it, and God bless you!
A very good move. I am very unhappy that I have help the evil Google even to use my favourite privacy related sites. I don’t want to train their AI for free while they collect my data.
@Jabal at Tariq
With reCAPTCHA and such, there’s only pre-selected right or wrong answers, so there’s not much to anything the user can do to teach so-called AI in respect of what the images are. In other words, the system already “knows” what the images are, where even if it’s questionably wrong, user input can do little to nothing to change that.
As for “machine learning”, that can be found most anywhere, and is often hidden and thus unavoidable, even if you never use a computer.
I mean, both Google and Cloudflare are trash from a privacy pov. Sure, one less evil is better, but nowhere near as good as no evil.
reCAPTCHA is somewhat customisable in terms of aggressiveness, yet Cloudflare decided to turn it all the way up for TOR users. Sure, they, somewhat, whitelisted one user agent, but what if I can’t spoof my UA?
Both of these entities are equally evil, imo.
>Cloudflare decided to turn it all the way up for TOR users
ehm… No. That would be Google 100%. You see the more tracking protections you have enabled in your browser (Anti-Fingerprinting, blocking third party cookies, etc) the lower your ReCaptcha score is. From what I understand Tor browser is pretty much super tuned towards privacy and well, Recaptcha hates privacy settings so much so that they even degrade your score if you aren’t logged into google (I’m not even joking, but nobody talks about this)
recaptcha have a LOT of stuff that lowers your recaptcha “score” including
>TOR exit node IP’s
>out of date useragent string
>blocking third party cookies
>blocking certain web technologies such as webGL, OffscreenCanvas, and so on
you can fiddle with browser settings and access on https://recaptcha-demo.appspot.com/ to see this first hand, now while their developers say those scores shouldn’t be taken as the gospel, you can get some good ideas on exactly why you consistently get unsolvable fading grainy captcha’s all the time. Honestly it annoys me, recaptcha has gone from preventing bots to preventing privacy so the move from cloudflare I take as mostly positive, hopefully others follow.
“You see the more tracking protections you have enabled in your browser (Anti-Fingerprinting, blocking third party cookies, etc) the lower your ReCaptcha score is”
You’re right, when I use Firefox (with tracking+fingerprinting protection on) after using any Chromium based browser (with protection off) I feel like Google is intentionally punishing me for that sin. No matter how correctly you recognise the images, Google wants more free input for not being able to collect enough user data.
I’m fairly sure if you udecide to shove reCAPTCHA down your users’ throats you also get to control how annoying you want it to be.
I was talking about tthe TOR network in general, not TBB.