upvote
I looked this up and realised it’s the page I’d seen briefly on a range of websites lately. It’s not annoyed me at all. Not nearly as much as having to complete captchas with slow refreshing tiles.
reply
A fun fact about Google captchas: they've often decided whether you will succeed or fail the captcha before you do the captcha.
reply
I implemented something similar for my bot defences. If headless chrome is detected you still get the same anubis-style PoW but even if you submit the right answer you get rejected.
reply
This seems nonsensical. Care to elaborate?
reply
The captcha itself (matching pictures to text) is mostly for ML training data. I think pass/fail is mostly based on heuristics like how you moved your mouse which could get analyzed before you complete the captcha. https://www.techradar.com/news/captcha-if-you-can-how-youve-...

reason why is 1. Google and others really needed the training data, and 2. it probably helped justify the cost of providing the captcha service for free worldwide (old free tier was 1M/mo)

reply
[dead]
reply
If Google determines you're an undesirable user, doing the captcha is just an exercise to waste your time.
reply
I certainly experienced this (the vicious try-again cycle) but curious if you have any sources for this?
reply
A person's testimony is a source. I can add mine: you can tell when you're truly blocked because if you click for the accessibility audio-based captcha it will actually tell you you're blocked (but, if you did the visual captcha, would simply loop forever while telling you you did it wrong).

I don't think you'll find an article by Google saying "yes, we sometimes completely block users while making it look like they're not blocked and wasting their time".

reply
That explains why I can never get past Google's captchas! I don't even automate Google searches, I wonder why they don't like me.
reply
Depending on the IP reputation as well as the kind of IP address you have, this can happen.

Google also prefers if you have a Google account logged in.

reply
I've usually been more annoyed at the surprise dissonance of "was that an anime girl on kernel.org?" than annoyed at the delay.
reply
deleted
reply
> just crank it up when you get a flood,

A few months ago there was a story posted here about someone who completely eliminated crawlers on their website with Anubis.

I think it was getting upvoted before users were clicking the article because if you did, you had to leave the Anubis PoW page open for several minutes before you could get into the site. The Anubis difficulty scale is unintuitive and the difference between a small delay and becoming unusable is easy to cross.

reply
For me Cloudflare is worse, it takes more than 5 seconds, where as anubius take 1-2 secs.

funny with all the IP information they have, cloudflare cannot do a better job. (I am on IPv6)

and most of the time, its on marketing product pages like in framework main site, which can be cached.

reply
Imo the worst is recaptcha. At least with cloudflare the work you have to provide is minimal. With recaptcha it can take me much longer than 5 seconds, and lately I have trouble even completing their challenges correctly. Nowadays if I see a (recaptcha) captcha I drop the site unless I must visit it for some reason, it is not worth the time, the effort or the annoyance.
reply
Most CF / Recaptcha problems are users going "off the golden path", and not realizing that their config changes are at fault.

If you're on a consumer router, using a mainstream stock browser with stock settings (maybe plus uBlock Origin), with your Google account logged in, it's very, very likely to just work. If you're part of the .01% of users with opinions about that sort of thing... you're not worth optimizing for.

reply
At least for me, CF is fine; recaptcha is the only one I really have problems with.

I dont care what recaptcha wants to optimize for. I dont think that using a vpn is that a rare thing anyway. If others have figured out how to do it without requiring spending 30 seconds to solve a captcha, I dont see why websites still use recaptcha/captchas for that.

And that it is "my fault" not being logged into google I was least expecting to see here.

reply
> that it is "my fault" not being logged into google I was least expecting to see here.

Parent was just starting a fact of how our digital overlords determine the probability of your browser being a bot. Why take it personal?

reply
If you don't live in a first world country then you will also find yourself on the "too bad, don't care" list.
reply
A lot of users also run cheap cracked fire sticks and other low reputation hardware that's proxying their residential traffic for nefarious reasons which makes all the big providers put up their guard.
reply
From my understanding this is also how cloudflare bot protection has worked for a long time, and then they look for entropy in user input to confirm the user is human. Also how recaptcha without images works.
reply
Google and Cloudflare both are not just looking at entropy of mouse movements, that was cracked years ago, they are fingerprinting you and correlating your session with all your activity cross domains to score your botlike behavior.
reply
I doubt they are doing it. You just have to get on a VPN to and see yourself being flooded with captchas despite browsing the web like a normal human and solving dozens of captchas along the way.
reply
I guess that raises the bot score given that the vpn IP is a data Center IP and thus in a lot of ban lists
reply
Also some of the free VPN apps support themselves by proxying this kind of traffic:

https://www.kaspersky.com/blog/what-is-wrong-with-free-vpn-s...

reply
Which also involves detecting entropy across sites I guess
reply
Supposedly, but not really. I regularly encounter sites where cloudflare serves me with an ambiguous ban notice rather than a proof of work. What's worse is that these apparent IP bans take effect even if I already had a valid active session (ie previously passed the check).

Yes, a VPN involved. That doesn't make it okay and notice that anubis by default works without issue (though possibly with a more difficult challenge) in the exact same scenario.

reply
There's lists of data center IPs. You're probably in them and That's why you're getting banned
reply
Regardless of the precise logic it's no excuse for the policy. Simply hand out a sufficiently difficult PoW to prevent widespread abuse.

I'm quite certain it isn't a generic "datacenter" list though because a given VPN exit that was working will suddenly stop. Meanwhile I have a valid cookie yet that is disregarded.

reply
Cloudflare often just straight up blocks me or makes me do a captcha. IMO those are both much worse than Anubis
reply
deleted
reply
Except when it throws you into a reload loop. It's pretty buggy, and trivial to bypass.

And contrary to grandparent, PoW only worked because it was a novel thing to work around, a simple "type human" prompt would've worked as well.

When anubis gets widespread enough users will still run the PoW in javascript or whatever while the scrapers will run much more optimized native code, so no, it doesn't scale.

reply
Putting aside the question of whether it will continue to work, even somewhat, against botnets, I find your first paragraph confusing.

Reload loops, or being able to "bypass" anubis (unless you merely mean bypassing it for the token validity period by solving a challenge), sound like misconfigurations. There's no reason for anubis itself to cause reload loops; it's tricky to configure a webserver to use it in some scenarios.

Any ability to bypass anubis probably means the site is using it in auth/challenge mode only, and then misconfigured their webserver's auth checking. Or it's a bug. If you mean the double-spend tavis mentioned in his blog post which previously made the HN frontpage, that was patched right after it was reported to the maintainer almost a year ago.

reply
deleted
reply