Captcha on Safari


(Ray Kloss) #1

I do not seem to be able to access Captcha in my Mac Safari. I am running 10.14.3 on an iMac Pro. Every time I go to a site that needs Captcha, I do not know until I have filled out the forms on the page, clicked on Accept, and the page goes nowhere. It does not respond to the Accept or Submit clicks. Then I go open the same page in Chrome and see that the problem is that there were Captcha images that I could not see or respond to.

I closed all my extensions, cleared caches, gave the test website open access with stopping blocking of popups, everything. No Captcha.

The test site I am using is https://patrickhlauke.github.io/recaptcha/

I tend to run into this problem sporadically, as I am not usually on sites that require Captcha, and then waste time trying to figure out why the form is designed so poorly before realizing it is on my end. Any ideas on how to fix this?


#2

I just ran into a Captcha problem too. Google updates Captcha periodically to stay ahead of robots as they get smarter and smarter, and they recently released a new version in October. They are moving away from having users identify text or images to analyzing prior user activities within the site.

I suspect that maybe the new version is inadvertently screening out legitimate users. Maybe it isn’t educated enough and needs more training?


(Curtis Wilcox) #3

The reCAPTCHA JavaScript URL in the page Ray is visiting to test has “api2” in the path which makes me think it’s not using v3 yet.

I notice that the blog post about v3 doesn’t mention the large amount of real work people have performed for free for Google by jumping through their hoops. Early on it was confirming the text in an image taken from their Google Books scanning, then it was text in images from Google Street View and more recently it’s been identifying objects (e.g. cars), probably also from Google Street View; it sounds like Ray is finding such image identification work isn’t even loading in his Safari browser for some reason; I wonder if that could be caused by a browser extension.

The “I’m not a robot” checkboxes don’t involve doing work and the description of v3 makes it sound like they don’t involve doing work either but do involve more monitoring of what you do on pages of a site.


(Ray Kloss) #4

I turned off both of my extensions (Ghostery, 1Password), deleted the cache. Turned off any security for just the website.

Just had an idea that solved the problem. Little Snitch was blocking gstatic.com. I turned off the blocking and that fixed it. LS is so quiet in what it does, I always forget about it. Sorry I didn’t think of it earlier and bothered all. The peculiar configuration was probably why I couldn’t find anything on the web about the problem.
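
As an added example (not part of the thread or any poster's code), one way to spot this kind of silent block is to export the page load as a HAR file from the browser's network inspector and list the domains whose requests never got a response. The sample entries, the placeholder paths, the two-label domain shortcut, the status-0 convention for failed requests and the `recaptcha` path match are assumptions made for the illustration.

```javascript
// Added example: find domains whose requests never completed in a HAR export.
// Every entry below is constructed; PLACEHOLDER path segments are not real.
const sampleHar = { log: { entries: [
  { request: { url: "https://patrickhlauke.github.io/recaptcha/" },
    response: { status: 200 } },
  { request: { url: "https://www.google.com/recaptcha/api.js" },
    response: { status: 200 } },
  { request: { url: "https://www.gstatic.com/recaptcha/PLACEHOLDER/widget.js" },
    response: { status: 0 } },
  { request: { url: "https://fonts.gstatic.com/PLACEHOLDER/font.woff2" },
    response: { status: 0 } },
] } };

// Reduce a hostname to its last two labels. Assumption: good enough for
// gstatic.com and google.com; a real tool would use the Public Suffix List.
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Assumption: status 0 marks a request that never received an HTTP response,
// which is how a firewall or DNS-level block appears from inside the page.
function blockedDomains(har) {
  const byDomain = new Map();
  for (const entry of har.log.entries) {
    if (entry.response.status !== 0) continue;
    const url = new URL(entry.request.url);
    const domain = baseDomain(url.hostname);
    if (!byDomain.has(domain)) byDomain.set(domain, []);
    byDomain.get(domain).push(url.pathname);
  }
  return byDomain;
}

// Of the domains a CAPTCHA widget is assumed to load from, return those
// with at least one failed request whose path mentions "recaptcha".
function captchaBlocked(har, captchaDomains = ["gstatic.com", "google.com"]) {
  const blocked = blockedDomains(har);
  return captchaDomains.filter((d) =>
    (blocked.get(d) || []).some((p) => p.includes("recaptcha")));
}

for (const [domain, paths] of blockedDomains(sampleHar)) {
  console.log(`${domain}: ${paths.length} request(s) got no response`);
}
console.log("CAPTCHA dependencies blocked:", captchaBlocked(sampleHar));
```

The same listing also shows collateral damage from the block, such as the font request in the constructed sample.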


(Ron Risley) #5

Wow. The blog post is short on details, but it appears as though reCAPTCHA v3 will now potentially be sending to Google all user activity (including typing and clicking) throughout an entire web site, invisible to the user. I wonder if they’re also going to make life even more difficult for users who try to use privacy-preserving tools like Tor and ad blockers?

–Ron


#6

What also bothers me is that many large-scale retailers use CAPTCHA, and in addition to tracking what I looked at on a site, they probably collected data on what I spent and which credit card I used.


(Curtis Wilcox) #7

I don’t think it will be that elaborate but given how prevalent it is for sites to use Google Analytics, they already get that. I expect some of what Tor and ad blockers do will make one’s use of a site look more suspicious because it makes activity look more like a bot’s. It’ll be like the Bayesian statistics used in spam filters but instead of assigning a percentage confidence to an email based on how many characteristics it shares with previously identified spam messages, this will assign a percentage confidence to a site visitor based on how many characteristics the traffic shares with previously identified bots. My guess is if one’s visit is suspicious enough, rather than blocking you outright, reCAPTCHA will present explicit “prove you’re human” tests.

I don’t think they’ll go that far; the credit card thing sounds illegal. I don’t think they’ll even connect reCAPTCHA data to your Google profile if you have an active Google session cookie set, though having one probably would make one’s traffic look less suspicious.


(Curtis Wilcox) #8

That’s why I don’t like using firewalls or DNS trickery to block ads and such, it’s invisible and has unexpected side effects. Google also uses gstatic.com to host web fonts which many, many sites use so sites were probably also looking worse because the intended fonts weren’t loading. BTW, I looked into Google Fonts recently and I really don’t think they use those file requests to track users across the web.


#9

I’m a little skeptical about Google Fonts and tracking. Though Google Fonts don’t use cookies to track visitors across the web, they can, and I suspect they do, collect IP addresses and count visitors, returns, etc., unless the font is hosted locally. Local hosting also makes sense because Google does occasionally, and without notice, update fonts, which can cause a site to become messy.


(Curtis Wilcox) #10

Google Font logs are not dumped into their analytics and they take a number of steps that greatly reduce requests made for fonts in the first place. Google Fonts FAQ.