undefined

points

[-]

> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.

I had this problem recently with the Indeed website. (Cloudflare Captcha)

Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.

Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.

by anonymousiam15 hours ago|

parent|

[-]

Why not just change your user agent string?

by codedokode13 hours ago|

parent|

[-]

Because the site can compare the user agent with navigator.platform, which your browser fills with great care.

by userbinator5 hours ago|

parent|

[-]

That naturally implies we must patch the browser.

"Source code? We don't need no stinkin' source code!"

by codedokode56 minutes ago|

parent|

[-]

That's what Russian underground hackers do to create so called "anti-detect" browsers, which can emulate different browser fingerprints. But they are commercial and closed-source.

by tardedmeme15 hours ago|

parent|

prev|

[-]

It probably fingerprints the browser via TLS fingerprinting.

by mschuster9115 hours ago|

parent|

prev|

[-]

That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version.

by miladyincontrol14 hours ago|

prev|

[-]

Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs.

I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be.

by ranger_danger13 hours ago|

parent|

[-]

Yes, I have even seen mobile android games that include notices about a BrightData SDK or HolaVPN etc. where their idle bandwidth is resold.

by donmcronald11 hours ago|

parent|

[-]

Does the app function as a proxy? I always assumed that wasn’t possible.

by ranger_danger10 hours ago|

parent|

[-]

Why wouldn't it be possible? As long as background network access is allowed (the default).

by chadgpt213 hours ago|

parent|

prev|

[-]

Honest question: Is there anything scary about this apart from lowering your ISP's reputation score?

by donmcronald11 hours ago|

parent|

[-]

Yes. What if your connection is used for illegal activity?

by wraptile2 hours ago|

prev|

[-]

It's not only IP but entire browser stack is being fingerprinted: Javascript, http, tls - everything. I've been living in the SEA region on Linux firefox for the last 10 years and the web has been miserable due to cloudflare and recaptcha

by rescbr13 hours ago|

prev|

[-]

This is why I ended up paying extra for a static IP from my ISP. While they always provided me with a public IP outside a CGNAT, I guess whole IP blocks were being targeted by these web security providers.

I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.

Captcha difficulties are way down now.

by hysan16 hours ago|

prev|

[-]

Turnstile feels bad as a user. Every site that I’ve seen it long will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops.

by prism5616 hours ago|

prev|

[-]

Oh man I feel you. I turn my VPN off on certain sites due to the captcha loop.

by retired14 hours ago|

prev|

[-]

I have not been able to visit AliExpress for months now. Just an endless reCAPTCHA loop.

I wonder if they are seeing a decrease in traffic and somehow find that acceptable.

by chrisjj4 hours ago|

prev|

[-]

> I just take my business elsewhere...

Mars? /i

by Milpotel16 hours ago|

prev|

[-]

Wouldn't a 1£ Linux VM as Wireguard access point suffice?

by ranger_danger16 hours ago|

parent|

[-]

Nope, I have tried. Just as suspicious to them if not moreso because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.

by ck216 hours ago|

prev|

[-]

whenever I can't access a website for various stupid blocks

I fire up cloudflare warp and walk right through it

use wireguard with wgcf in environments without cloudflare client

yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden

by wafflemaker15 hours ago|

parent|

[-]

You sir seem to have solved a problem many people here have.

Would you care to elaborate a little on how you did it?

It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.

by tardedmeme15 hours ago|

parent|

[-]

He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system.

by krackers15 hours ago|

parent|

[-]

I wonder if iCloud private relay might also work. Apple probably negotiated some special treatment

by donmcronald11 hours ago|

parent|

[-]

I’m guessing it’s all the same effect as CGNAT exit IPs. You need to get big enough to be unblockable. That’s why everyone is trying to get in on the VPN game.

This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.

by titularcomment14 hours ago|

parent|

prev|

[-]

the fact that this works, as well as cloudflare having a literal web scraping tool available as another product honestly makes my blood boil.