
Worth noting that this title is primarily due to Cloudflare having switched to them from ReCAPTCHA, and Cloudflare is... well, relatively popular, to say the least.

I'm curious what kind of data may exist on the experience of switching for larger providers; do the users like it? how much more/less time do they spend solving? do they care, let alone even notice that it's not Google's ReCAPTCHA?

Regardless, as ReCAPTCHA is not only terribly annoying but also built for surveillance from the ground up, I still view this as a good improvement.



Disclaimer: I've been an engineer at hCaptcha for a few years now building out the service. I'm just as interested in you as hearing about customer and user success/pain stories!

> Worth noting that this title is primarily due to Cloudflare having switched to them from ReCAPTCHA, and Cloudflare is... well, relatively popular, to say the least.

That's definitely a part of it, but we also have a number of other large sites and services that use hCaptcha to protect against bots, and more that get added every day because of our more advanced bot detection special sauce.

> I'm curious what kind of data may exist on the experience of switching for larger providers; do the users like it? how much more/less time do they spend solving? do they care, let alone even notice that it's not Google's ReCAPTCHA?

From what we've seen, the integration process is generally smooth, especially if you're a previous reCAPTCHA user, since we keep the interface and workflow largely the same.

Solving is roughly the same although we have a number of other protections that irritate bot maintainers and get activated when we detect them.

Not sure if the majority of people are aware of the change, I'm sure some technically savvy people pick up on it more than not.

> Regardless, as ReCAPTCHA is not only terribly annoying but also built for surveillance from the ground up, I still view this as a good improvement.

That's actually one of the top reasons we've had a lot of customers come over to us; we put a heavy emphasis on user privacy / security, including adopting/supporting privacy-preserving protocols (PrivacyPass, Tor), and minimal retention of data (see our data privacy policy on our site).


Your CAPTCHA accessibility leaves much to be desired. You require screen reader users to register an account to create a magic cookie that itself requires Safari users to disable security protections in their browser in order to use -- and then it doesn't actually work.

Please do better. You're blocking off a non-trivial amount of the Internet to blind users. You will eventually be sued for this.


We actually spend quite a lot of time on this, and regularly work with blind users to test and improve these flows.

Most vision-impaired users have no issue in our testing, and it is a much more accessible option than audio challenges, which discriminate against those with auditory processing impairments.

(disclosure: work there.)


Your cookie approach requires:

> If you are using the very latest version of Safari on either the recently released OS X 10.15 or iOS 13.4, Apple has just changed the behavior of Safari related to third-party cookies, blocking all of them by default. We are implementing a solution, but in the meantime please visit Safari Preferences, Privacy section, and uncheck "Website tracking: Prevent cross-site tracking" to enable the accessibility cookie to function as expected. [0]

[0]: https://www.hcaptcha.com/accessibility

So while you're patting yourself on the back for not "being like Google", your accessibility workaround exposes blind users to third party trackers like Google.


Using any kind of privacy/adblock extension that supports domain-level whitelisting (e.g. uBlock Origin) works fine, and this is what we suggest in the accessibility FAQ. Apple didn't build fine-grained controls into their browser before making this recent change, unfortunately.

That said, we're working with the browser makers on native support for our next gen privacy-preserving approach to this via Privacy Pass.


> uncheck "Website tracking: Prevent cross-site tracking"

Holy moley! Yeah, that's a deal-breaker. I agree that this is entirely unacceptable.


I usually just bounce when I see a captcha (if I get one, I usually get a string of them, so I don’t bother).

However, I checked secondary markets where you can pay a human to solve a captcha.

It takes a professional captcha solver 70 seconds to solve an hCaptcha but only 15-20 seconds to solve a reCaptcha. Is that typical? That seems horrible.

The market rate for a captcha solution is 1-3 cents, which is clearly worth it, until you think of the ethics of paying someone slave wages so you can browse the internet slowly, but at least without breaking concentration.

Have you considered a more ethical approach, like micropayments that go to charity or something?


Have you tried using privacy pass? Having to spend 70 seconds solving one hcaptcha every couple of days might be a good middle ground.


Love the response, happy to see that it's going well then! After reading a lot of feedback I got from 'You (probably) don’t need ReCAPTCHA' (https://nearcyan.com/you-probably-dont-need-recaptcha/), it started to seem pretty obvious to me that there was an open market space for some better competitors, so I'm glad hCaptcha got around to being adopted with such success sooner rather than later. Hopefully the challenges of the future go just as smoothly as things are going in the present.


>do the users like it?

This is completely anecdotal (and seems antithetical to the typical HN response to hCaptcha vs ReCAPTCHA), but I feel like I end up spending at least twice as much time trying to solve hCaptchas successfully because they have a lot less consistency in the objects you're searching for. I always have to zoom in to the modal and carefully search through each image, which invariably breaks whatever flow I'm in (moreso than other captchas).

For example, here's a screenshot from the hCaptcha website's "try it out" section [1] -- I barely recognized either boat in image #1 because it was so small. I missed image #3 because I didn't realize it was a huge cruise-esque boat (so big you can't even see any water) and I spent a good amount of time deliberating on #4 because, well, it looks like a car + windshield but... on the water? If it's a boat, I can't really tell, but I marked it as one solely because of the water in the background. Not sure if it was right or not.

It also seems to occasionally provide "find all the X" challenges without there actually being any X, which feels super cognitively weird ("am I just not seeing it?!").

I'd say ReCAPTCHA's main problem is deciding whether mostly-consistent objects being partially in-frame is enough to "count", whereas hCaptcha's main problem is actually recognizing the widely-varying objects in the frame. I think the former is a little more frustrating when you get something wrong, but the latter is mentally "harder" and takes more time on average, for me at least.

[1] https://i.imgur.com/uyqvs5u.png from https://www.hcaptcha.com/


Honest question: How do you view it as an improvement? The same data is being shared, and the only difference is that Cloudflare isn't immediately behaving in the same evil ways as Google. But once you concentrate power in an entity, perhaps bad things might happen?

... If there was an on-premise captcha implementation that actually worked, that would be great.


Unlike Google, hCaptcha isn't running an ad network "on the side" of their bot management business :) joking aside, hCaptcha is an extremely privacy-conscious operation, Google is not.


I'm not a lawyer, but can you explain how their privacy policy is privacy-conscious now and going forward, and how centralization of network transit with Cloudflare isn't a bad thing?

https://www.hcaptcha.com/privacy


hCaptcha is more focused on technical solutions to privacy that minimize required trust. A privacy policy is one thing, but a mathematical guarantee is quite another.

We are working through the IETF and directly with browser makers to support provably private options like Privacy Pass, and are currently the only CAPTCHA service to support this.

Similarly, on the enterprise side we offer various technical options to let our enterprise customers guarantee exactly what data we can and cannot see.

(disclaimer: work there, comments not official, etc.)


How does support for Privacy Pass interact with services that pay humans pennies per thousands of captcha solves? Wouldn't it be easy to buy a ton of these blinded tokens then have an extension that provides them on demand to the captcha service?


hCaptcha works on Tor, sometimes.


For site operators, they don’t like the change since users are more likely to complain to the website than directly to CF. The following community post has 20k views and >100 replies asking Cloudflare to move back to recaptcha in some form.

https://community.cloudflare.com/t/stop-using-hcaptcha/15896...


To be fair it doesn't seem to be _that_ bad on this thread: There's the very vocal OP as well as a "discussion" between various users that ranges from "please switch back to ReCaptcha" to "please keep hCaptcha".

For a change that affects "15% of the internet" this seems like very little negative feedback in a period of 8 months.


> hCaptcha is making cloudflare money by earning them Human Tokens on the Ethereum blockchain

> Most people do the convenience from Google CAPTCHA, although they sell some kind of info, but they won’t hurt you

I can't even...this is the Cloudflare forum wow.

I've personally had a few hiccups with hCaptcha quite some time back as I "wasn't sure what I was looking for" and consistently fail on VPNs. But in recent months there's definitely been substantial improvement, and needless to say I hope to see hCaptcha be the majority provider.


Maybe the user should have the option to choose which CAPTCHA to solve.


Worldwide? And since when? I've never hit one of these, I get reCaptcha'd to ~death~ anger all the time.

Although having said that, maybe I am hitting it and that I've been unaware and uninterrogated is high praise! Hm.


> Do the users like it?

Absolutely. Having to solve only one captcha every few days beats solving 5 or 6 on each page visit. hcaptcha supports privacy pass but Recaptcha doesn't.


OP here, and full disclosure I work with the hCaptcha team. Yep, Cloudflare is a big part of this, but you'll find our enterprise offering (BotStop.com) running on many many other large sites and apps. If you've used the internet in 2020, you almost certainly interacted with our products :)



