
Google's reCAPTCHA is cancer upon the web. Everyone should enable fingerprint block to shut this invasive and abusive garbage.

If everyone would block it the website owners would have no choice other than to move to a different captcha system.




I'm logged in on a Chrome browser with a residential IP and get a reCAPTCHA 1-3 times a day when programming. It's the kind that I don't need to solve puzzles but still need JS enabled to click the button. So after the first few (SEO optimized) pages I either get fingerprinted or temp banned. Ugh this is getting ridiculous.

DRINK VERIFICATION CAN


Cloudflare must be mentioned when talking about recaptcha and cancer. They are the ones locking people out from whole websites and forcing you to fill out these recaptchas. They are also the ones who have almost destroyed browsing the internet using Tor due to these recaptchas.


While I agree with you -- I'd also like to point out that >90% of malicious traffic to the websites I administer comes through the Tor network.

It shouldn't be the case, and I don't want to block people who have a legitimate reason to use Tor. Unfortunately there isn't a "block Tor traffic from assholes" option, so all I can really do to reduce the malicious traffic is block exit nodes.


This has nothing to do with Tor. Cloudflare frequently blacklists entire countries/counties worth of people (and rarely reverts those blacklists). There is a good chance that you have missed a lot of Indian/Vietnamese/Russian/Chinese visitors, because Cloudflare concluded that forwarding their traffic to your site isn't financially viable for them.

> Unfortunately there isn't a "block Tor traffic from assholes" option

What exactly is "Tor traffic from assholes"? Bulk DDoS attacks? E-mail spam? SSH login attempts? Please share your valuable experience with everyone here, so that all of us could stay safe by learning from your example.


And for companies that don't do business with those countries - this is not a loss.

Most "asshole" traffic I see falls into one of two categories - attempts to exploit vulnerabilities (../../../etc/passwd stuff) and account takeover attacks.

The first I can forgive, I don't frankly care where that traffic comes from and the responsibility is entirely mine as website admin to prevent these types of attacks through good coding practices, WAF, etc.

The second I have less control over because customers / the general public suck at security. They re-use passwords they've had for 10 years and won't opt in to 2FA. And as a merchant, my company generally eats the cost of fraud that these attacks generally result in.

If no or little legitimate traffic is coming from Tor, and a significant percentage of malicious traffic is coming from Tor - at great cost to me / my company - why the hell would I allow it to continue?
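The two categories described in the comment above (path traversal probes such as `../../../etc/passwd`, and account takeover attempts) can be picked out of an ordinary access log. The following is an added example, not code from the comment's author; the log lines and IP addresses are constructed, the thresholds are assumptions, and the only format-specific assumption is the combined log format's `remote_user` field carrying the login name on `POST /login` attempts.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (combined log format); all addresses and
# users are invented for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2019:13:55:37 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2019:13:55:38 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.4 - alice [10/Oct/2019:13:56:01 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.4 - bob [10/Oct/2019:13:56:02 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.4 - carol [10/Oct/2019:13:56:03 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.4 - dave [10/Oct/2019:13:56:04 +0000] "POST /login HTTP/1.1" 200 0
192.0.2.10 - alice [10/Oct/2019:13:57:01 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.11 - alice [10/Oct/2019:13:57:02 +0000] "POST /login HTTP/1.1" 401 0
192.0.2.9 - eve [10/Oct/2019:13:58:00 +0000] "POST /login HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed thresholds: one IP failing against this many distinct accounts looks
# like credential stuffing; one account failed from this many IPs looks targeted.
STUFFING_MIN_USERS = 3
TARGETED_MIN_IPS = 3


def is_traversal(path: str) -> bool:
    """True if the path contains a '..' segment after URL decoding.

    Decoding is repeated (bounded) so double-encoded probes like %252e%252e
    are caught, and backslashes are normalised to slashes.
    """
    decoded = path
    for _ in range(2):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?&=]", decoded))


def analyze(log_text: str) -> dict:
    """Split log lines into traversal probes and suspicious login failures."""
    traversal = []
    users_per_ip = defaultdict(set)
    ips_per_user = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, never crash the detector
        ip, user, method, path = m["ip"], m["user"], m["method"], m["path"]
        status = int(m["status"])
        if is_traversal(path):
            traversal.append((ip, path))
        # Only failed login attempts count toward the takeover heuristics.
        if method == "POST" and path == "/login" and status == 401 and user != "-":
            users_per_ip[ip].add(user)
            ips_per_user[user].add(ip)
    return {
        "traversal": traversal,
        "stuffing_ips": {ip: len(u) for ip, u in users_per_ip.items()
                         if len(u) >= STUFFING_MIN_USERS},
        "targeted_users": {u: len(i) for u, i in ips_per_user.items()
                           if len(i) >= TARGETED_MIN_IPS},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The traversal check is the piece the comment calls "entirely mine as website admin": a WAF or the app itself should reject the decoded `..` segment, and the log check here only tells you how often it is being tried. The two login heuristics separate the two shapes of takeover traffic (one source trying many accounts versus one account hit from many sources), which is the distinction that decides whether rate-limiting by IP or protecting the account is the right response.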


One simple solution I can think of is to restrict POST requests from Tor exit nodes while still allowing GET requests. Cloudflare will give you an impossible-to-solve captcha even if you just try to visit site.com/index.html and I see no reason for this.
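The method-aware restriction proposed above can be implemented in a few lines of middleware, as an added example that is not the commenter's code or Cloudflare's. It assumes the published Tor bulk exit list layout (`ExitAddress <ip> <timestamp>` lines), a constructed sample of that list with invented fingerprints and addresses, and a WSGI application; `tor_write_guard`, `decide` and `run_request` are names chosen here.

```python
import ipaddress

# Constructed sample in the layout of the Tor Project's bulk exit list
# (check.torproject.org/exit-addresses); fingerprints, dates and IPs are invented.
SAMPLE_EXIT_LIST = """\
ExitNode 0011223344556677889900AABBCCDDEEFF001122
Published 2019-05-30 10:00:00
LastStatus 2019-05-30 11:00:00
ExitAddress 198.51.100.23 2019-05-30 11:10:00
ExitAddress 198.51.100.24 2019-05-30 11:12:00
ExitNode FFEEDDCCBBAA99887766554433221100FFEEDDCC
Published 2019-05-30 09:30:00
LastStatus 2019-05-30 11:00:00
ExitAddress 203.0.113.5 2019-05-30 11:11:00
this line is malformed and must be skipped
"""

# Methods that by the HTTP spec must not change server state; these stay open.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def parse_exit_list(text: str) -> set:
    """Collect the ExitAddress entries of a bulk exit list into a set of IPs."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address: skip rather than fail closed
    return exits


def decide(method: str, client_ip, exits: set) -> str:
    """'allow' for everyone except Tor exits sending state-changing requests."""
    client = ipaddress.ip_address(str(client_ip))
    if client in exits and method.upper() not in SAFE_METHODS:
        return "restrict"
    return "allow"


def tor_write_guard(app, exits: set, trusted_proxies=()):
    """WSGI middleware: reject non-safe methods from Tor exit nodes with 403."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}

    def wrapped(environ, start_response):
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
        client = peer
        # X-Forwarded-For is attacker-controlled unless the direct peer is a
        # proxy we operate; with one trusted hop the last entry is the real client.
        xff = environ.get("HTTP_X_FORWARDED_FOR")
        if xff and peer in trusted:
            try:
                client = ipaddress.ip_address(xff.split(",")[-1].strip())
            except ValueError:
                pass  # garbage header: fall back to the peer address
        if decide(environ.get("REQUEST_METHOD", "GET"), client, exits) != "allow":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"State-changing requests via Tor exit nodes are not accepted.\n"]
        return app(environ, start_response)

    return wrapped


def hello_app(environ, start_response):
    """Minimal stand-in application for the demonstration."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def run_request(app, method: str, remote_addr: str, xff: str = None) -> str:
    """Drive a WSGI app with a synthetic request and return the status line."""
    environ = {"REQUEST_METHOD": method, "REMOTE_ADDR": remote_addr}
    if xff is not None:
        environ["HTTP_X_FORWARDED_FOR"] = xff
    seen = []
    list(app(environ, lambda status, headers: seen.append(status)))
    return seen[-1]


if __name__ == "__main__":
    guarded = tor_write_guard(hello_app, parse_exit_list(SAMPLE_EXIT_LIST))
    print(run_request(guarded, "GET", "198.51.100.23"))   # allowed, read-only
    print(run_request(guarded, "POST", "198.51.100.23"))  # restricted
```

This only helps if the application really keeps GET side-effect free; a login or comment form that acts on a GET is not protected by method. The proxy handling matters as well: an unconditional trust of `X-Forwarded-For` would let any Tor client spoof a non-exit address and bypass the rule, so the middleware honours that header only when the direct peer is in `trusted_proxies`.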


Is the issue Tor traffic, or that you know what traffic is Tor?

There are many types of "abuse" (not just trolling) - mass downloading/scanning. (Ex: several types of port scanning can't be done via Tor since it doesn't support UDP)


“Hm, works in Chrome. Are you using Chrome?”


I know someone who loves giving this response. "Safari is junk, use Chrome and it'll work".

I also love sending him patches to show how easy it is to fix his stuff so it works in Firefox, Chrome, Edge... and of course Safari.


This will become a less acceptable answer the more popular other browsers become.

The only way to make that happen is to stop using Chrome and tell others to do the same.


"But you told me to use Chrome."

Google took over with shady practices, with the help of tech savvy people.


Not to mention Edge moving to the Chrome base; which further disenfranchises anyone from making sure it works in 'x' browser, anymore.

"It works in Chrome and Edge, which is based on Chrome, so what's your problem, again?"


As developers we should take a blood oath that we will always optimize for Firefox.


I see that your heart is in the right place, but I think as web developers we should take a blood oath that we will always optimize for standard compliance, instead. And for a standard that is not a moving target, while we're at it.


Yes- this is better. I think those two things will be well-aligned though.


But when do we move on? When most browsers implement something the same way, or when all do? What about polyfills? What do you do when you need a new API to better support a user's device with a new form factor, interaction model, wide colour gamut, resolution, background threads, etc.? Tell them to not upgrade? Stop the world? It seems impractical to suggest "target a standard: job done, go home..."


If we target standards, then the standards are driving. The browser gets supported when it builds to the standards. Perhaps the issue will then be getting standards in place quickly around new capabilities?

Then maybe the standards process needs disruption. But if we don't build to standards then we are building roads that only certain cars can drive on.


This is unfortunately not true - browsers are driving. Especially when the entity everyone uses (Google) also owns the most popular browser. They can, and did, implement non-standard features that only worked in Chrome. Super cool tech demos, you have to see it, just install this browser from an advertising company. What could go wrong?


Hence a blood oath is required :)


Well, considering that Google already specifically blocks Chromium-based Edge from its current YouTube version, maybe reCAPTCHA will not work in it soon too.


Google is not blocking Edge, or at least we have no proof of that. In this instance I think it's safe to assume an oversight based on naive user agent whitelisting.

And before I get accused of shilling, I hate Chrome and despise Google with a passion.


As I responded to a comment just below this one, somebody over on reddit tested different user agents: https://www.reddit.com/r/google/comments/btysl9/google_have_....

It seems pretty clear from the fact that nonsense user agents like "TotallyNotMicrosoft" and "IE6" worked, that there is a blacklist, not a whitelist.



Somebody over on reddit tested different user agents: https://www.reddit.com/r/google/comments/btysl9/google_have_....

It seems pretty clear from the fact that nonsense user agents like "TotallyNotMicrosoft" and "IE6" worked, that there is a blacklist, not a whitelist.


Technicality, but it's a Chromium base, not Chrome, which is Google's browser.


Do you know of any good alternatives? I would love to get rid of recaptcha but it is a very convenient and quick to set up way to stop most spam bots.


There is an ongoing thread that may help you: https://news.ycombinator.com/item?id=20058697



