by EFruit 1358 days ago
As much as I _despise_ modern ReCAPTCHA, I have always been able to pass the challenge eventually; it has never flatly rejected me with no recourse. If I made a mistake or was insufficiently human for it, I got a new challenge and tried again. There are apocryphal stories of Google tar-pitting users with it, but I have never seen it in action.

If this judges the browser more than the user, what do I do when the browser fails? Do I refresh the page hoping for a different batch of invisible challenges? Do I submit a ticket to CF customer support... despite not being a customer?

7 comments

It 100% is true that using ReCAPTCHA on privacy-oriented browsers can make ReCAPTCHA unbearable. As a Firefox user, I relate to others who've faced CAPTCHAs where the images fade in unbearably slowly, and even after painstakingly selecting the correct images, it will fail and say "nope try again", repeating the cycle.

That's true, ReCAPTCHA is a pain in the butt on Tor Browser and the like. So are similar alternatives.

However, the honest truth is that nothing that comes out of Cloudflare should be trusted as "privacy oriented".

A couple of years ago, a web site I was using at the time started to use a relatively obscure service that appeared to inspect or fingerprint the user agent in various ways, as well as tracking browsing activity, in order to determine if the user should be locked out of the site until a captcha was completed.

Although I suspect it was supposed to be transparent, it still ended up being a disaster for many of the users, especially the non-technical ones. The web site's support forum was full of complaints from what seemed to be legitimate, long-time users and customers.

Even benign and reasonable user agent variations from the "norm" seemed to cause problems for this particular system. For example, I recall a default Chrome installation working well enough, but adjusting its configuration to harden its security or privacy seemed to confuse the web site's blocking system.

In my case, I had to keep around and use a dedicated ancient browser installation, since newer ones seemed to trigger repeated challenges for some reason I could never figure out.

The challenge page even had a report-a-problem form, but I don't know if anyone or anything actually considered the submissions.

Even the web site's administrators seemed to have trouble figuring out why legitimate users were getting flagged repeatedly by this system they were using.

I ended up just not using that web site any longer. The hassle wasn't worth it.

I've had to go a few rounds with the photo match.

Where I usually get tarpitted is by Cloudflare. I'll pass the (automated) CAPTCHA, the page will reload (still as if I had passed), and … it'll be another CAPTCHA. I'm pretty sure these usually amount to a passive-aggressive demand for cookies/storage, but I just vote with my browser & go back/somewhere else.

Cloudflare deep down greatly discriminates against shared IPs. If you have a real honest-to-goodness IPv4 address that doesn't change, you'll hardly ever encounter anything.

But if you are behind any sort of carrier-grade NAT or otherwise sharing IPs, you're a second-class netizen, sucks to be you.

I'm behind your typical non-CGNAT residential NAT, for v4. (Was v4 only for the longest time, but Verizon just recently rolled out a v6… so we'll see if that changes anything, I guess.)

If you encounter it relatively often with VPN off, I would do a full scan/check of all devices (including wifi phones, etc) and update all software, as you may have a bot virus or similar. If you DO find one, clean it up and then turn your router off for a few hours or whatever is necessary to get your ISP to give you a new IP, heh.

> go back/somewhere else.

But, haha fool you, CF now gatekeeps some unholy percentage of the web, so the "somewhere else" list is going to get smaller and smaller with no recourse, as best I can tell. Maybe disposable Firefox containers for your specific situation, but only maybe.

> If this judges the browser more than the user, what do I do when the browser fails? Do I refresh the page hoping for a different batch of invisible challenges? Do I submit a ticket to CF customer support... despite not being a customer?

This is definitely a good question. With the “Managed Challenge” feature it seems to degrade gracefully — if you have, say, a positive profile with Cloudflare, an iOS device where it can use PAT, etc. you never see the prompt but eventually it'll fall back to the same CAPTCHA you're seeing today. It'd be useful to confirm that this is how Turnstile works as well since some fraction of real people will definitely hit that on a daily basis.

> There are apocryphal stories of Google tar-pitting users with it, but I have never seen it in action.

That used to be the case when using Tor; I remember having to rotate exit nodes to get recaptcha to load at all.

These days the situation is a lot better, I've been able to pass Google captchas through Tor every time I tried this month. Seems like they even fixed audio-based captchas, so you no longer get instant-blocked if you try to use them.

Of course, all this could be reverted tomorrow, and there would be absolutely nothing we could do about it...

I have been personally tarpitted. It's not infinite, but it has super slow loading tiles, a comically large number of rounds you have to keep doing, and it has decided to fail you from the beginning, meaning you wasted your time.

> I have always been able to pass the challenge eventually

It's still completely unusable on Tor. It hangs forever.