STOP USING hCAPTCHA

Hi @chedburn,

As an enterprise customer, have you discussed this with your account team as well? They may be able to assist and pass your feedback on.

2 Likes

Google decided to start charging Cloudflare for reCAPTCHA.

Oh wow! That’s very interesting. If it’s true - I wonder why this hasn’t been publicly mentioned. I’ve not heard anything regarding this in my support tickets. I’d be more than happy to pay extra for reCaptcha, as really there’s nothing else that is viable.

hCaptcha is like bullshit. Until now, I could not complete this ■■■■ captcha, so angry!!!

I will vote against hCaptcha.

hCaptcha is very heavy and loads a lot of useless stuff like sentry.io things. Just like reCAPTCHA, hCaptcha is stealing your privacy as well.

As you can see, there is no way hCaptcha is better than reCAPTCHA.

3 Likes

Wouldn’t it be easier if users could choose which type of Captcha they want used on their site? It shouldn’t be hard to implement…

https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/

5 Likes

I did check Google’s requirements for reCAPTCHA Enterprise, and I understand why you chose hCaptcha instead. I’ll talk only about the financial side: would you mind giving users a choice to pay 1 USD/month to let them enjoy reCAPTCHA, or just add another plan like Basic-, which might not cost that much, and we will happily switch to that if we have our choice of captcha, and you can also offer more services to us. And at the same time, you have the money. It’s a win-win, man.

Cuz CF worked perfectly before, so we have nothing to complain about.

The current pricing is 1 US$/1000 CAPTCHAs, so it would be a very expensive usage-based plan, especially if you use them for DDoS attacks.

I absolutely hate this hcaptcha. It shows me way way too many captchas, especially on corporate vpn, warp+ or on mobile.

Plus it now appends ?cf_chl_captcha_tk to all urls after solving it.

That was done even before, it’s not dependent on hCaptcha, it’s Cloudflare’s security implementation.

https://blog.skk.moe/post/bypass-hcaptcha/

Hey everyone, see the link above. The hCaptcha is just a sh*t. @hCaptchaSupport

Hi there,

It is not exactly a secret that we support accessibility cookies :)

They have very limited use and duration, and account signup and redemptions are both aggressively restricted and monitored for suspicious patterns, with those accounts terminated if any suspicious use is found.

As a practical matter, people have tried various tactics to abuse them for a long time with limited success, but as with all security measures this is always a cat and mouse game. This particular blog post is simply describing how they work, not outlining any kind of circumvention.

3 Likes

That may be true, but I never noticed, because I had only been shown recaptchas very very few times in years! Now it’s obvious, because on almost every single site on cloudflare, including my own clients’ and my own sites, I keep seeing this hcaptcha, sometimes, in a row many many times, despite solving the hcaptcha correctly AND showing as validated without redirecting or refreshing the page and showing the content, until I just say F it and try again later… where magically it starts working for some time, until I start seeing the annoying “select trucks” or “select motorbikes” hcaptchas over and over again.

Let me tell you, I have nothing against hcaptcha itself; what I do strongly oppose is that it shows too many and too frequently to normal, real human users.

You should not use reputation IP addresses on your database… at most, since you are partners now, try to make use of cloudflare IP list of abusers, since that one works very well.

Showing hcaptchas just because my company requires the usage of private vpn, or simply because I am using cloudflare warp+ on my mobile, and my ip randomly changes is not a solution.

Set some session, or cookie or whatever at least for 24 hours, though there may be issues with EU GDPR on that.

I don’t mind 1 hcaptcha a day but definitely not willing to take on multiple, consecutive hcaptchas just to access my own sites or my clients sites.

Also, you should be building IP reputation every time we solve recaptchas.
As I said, cloudflare has an extensive list of IP addresses of abusers, which should always see hcaptchas.

Your system or method, is just simply not working well and from what I heard from many of my clients, their traffic started dropping after this hcaptcha change.
Now they know why it’s happening, and so do I.

Please do something asap because this is easily going to become the most hated captcha of 2020.

We need to split blame (if there is any, I won’t decide merits of this, since I don’t have the technical knowledge of the security implementation Cloudflare uses, obviously) here. One thing is the actual display of the page where the CAPTCHA is shown, that depends on the specific security settings of a website (the owner of which can decide how long to let you go through after passing a challenge, the level of bad acting at which point it will trigger, etc.), the other is the length of the challenge itself, which is @hCaptchaSupport’s doing, they decide how long it will be (with some wiggle room and settings that CF I presume can set on how much accuracy they want, but not sure here).

Again, the number of times a page is shown depends mostly on the website owner, the number of challenges to pass hCAPTCHA depends on @hCaptchaSupport support, which one is this?

Unfortunately here is a tradeoff between privacy and security. To not use the IP as a basis, but decide you are a different person than your colleagues in the same office with the same IP, you need to profile a person through their visits on different websites. Google was better simply because they do have that data.

The solution here is using Privacy Pass, which makes this inter-website auth possible.

https://privacypass.github.io

A drop in traffic is not per se bad if the traffic dropped is malicious; do they have a way to confirm it’s not?

PS: @hCaptchaSupport I can confirm what others are saying, the images take way too long to load, not always, but often.

1 Like

Because people only register when they need to complain when they realize something is wrong. The change is recent, so why else would people register before, if they never needed support?
Also the official blog tells people specifically to register here and talk about it.

I agree that the privacy offered by hCaptcha is a goal that should be prioritized. However, in my experience hCaptcha does not offer nearly the same level of convenience that reCaptcha did, and that this trade-off is too much. With reCaptcha it was as simple as clicking the checkbox, with the images coming up about 5% of the time. hCaptcha prompts for images every single time I’ve used it. In addition reCaptcha only appeared at all very rarely. hCaptcha appears significantly more often, to the point where there are few sites I can access without being prompted to answer a captcha. Aside from issues with the rate of captcha occurrence, I have also noticed that on mobile captchas will not ‘take’. After answering it the check will not appear and the captcha must be answered again.

In my opinion, keeping hCaptcha should be the goal because of its privacy, however the rate that captchas occur and that images are prompted must be reduced.

Remember that hCaptcha is new which means that yes, it does have some problems, but they are likely going to improve on it.

1 Like

A big percentage of the sites where I am seeing hcaptcha were set up by myself. I’m a systems engineer and I set cloudflare on dozens of clients a week. The security settings are medium, WAF is enabled for some countries, show captcha challenge once a day.

I can whitelist my IP, but that is only valid for the sites I have access to.

The issue to me, is frequency.
I can solve hcaptchas successfully in one site, switch to another, same account, same settings, and bam. Captcha.

Solving captchas once, on any cloudflare site, should be enough to know that I am human for at least a few hours or a day, on any other cloudflare site.

I don’t care what Google does with my data because I only provide what I want to provide, and even then, I am more than happy when they suggest me stuff that I wouldn’t find otherwise, such as news according to my interests.

As for recaptcha, I am also happy supporting google, or whoever would use it for machine learning. Better technology, regardless of who owns it, benefits everyone in the future.

And no, I am not going to install privacy pass just for this. Maybe if cloudflare creates an extension with some other features, I would consider, but not going to clutter my browser with more extensions, just because of hcaptchas.