by cyberax 496 days ago
This automatically means that you're penalizing smaller websites. And killing off the independent alternatives to Reddit/Disqus. Do you want this?

Large sites like Amazon or CNN can afford to eat the bot traffic. Smaller sites can't.


The problem isn't bot traffic. I run an e-commerce site and scammers run Python scripts to test thousands of cards per hour if there is no captcha. I hate it, my customers hate it, scammers hate it, but it is the only thing that keeps my merchant account running. Any advice is welcome!
Logon forms are another whole issue. "Lock out the account" is just a DoS vector. People are quick to talk about systems that can defeat a captcha but if the brute force goes from 50 passwords/sec to one password/10 sec it's mission accomplished.
Can't you just put a 5 second "loading bar" delay instead of a captcha then, I wonder?
Not easily: if it's enforced client side it may as well not exist, if it's enforced server side you just let anyone lock anyone else out of their account by running a constant brute force attack against their account (a DoS vuln). It also does nothing for attackers who try a giant list of accounts but only one or two passwords for each.
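The comment above makes three points a login throttle has to answer: a client-side delay is no control at all, a per-account lockout hands an attacker a DoS on the account owner, and pure per-account counting is blind to one password tried against many accounts. The following is an added example, not code from the thread or any project mentioned in it: a server-side sliding-window throttle that counts failures per account and per source address, tracks how many distinct accounts one source has failed against, and answers an over-limit account with a step-up challenge rather than a lock. The window and limits are assumed values, and the sample traffic (documentation IP ranges, invented account names) is constructed for the run.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60          # assumed sliding window
ACCOUNT_FAIL_LIMIT = 5       # failures per account before demanding a challenge
SOURCE_FAIL_LIMIT = 20       # failures per source address within the window
SOURCE_ACCOUNT_LIMIT = 10    # distinct accounts one source may fail against


class LoginThrottle:
    """Sliding-window failure counters keyed by account and by source address."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._by_account = defaultdict(deque)          # account -> failure timestamps
        self._by_source = defaultdict(deque)           # source  -> failure timestamps
        self._accounts_by_source = defaultdict(deque)  # source  -> (ts, account) pairs

    @staticmethod
    def _prune(dq, cutoff, ts=lambda entry: entry):
        # Entries are appended in time order, so popping from the left suffices.
        while dq and ts(dq[0]) < cutoff:
            dq.popleft()

    def decide(self, source, account, now):
        """Return 'allow', 'challenge' or 'block_source' for an attempt at time `now`."""
        cutoff = now - self.window
        acct_fails = self._by_account[account]
        src_fails = self._by_source[source]
        src_accounts = self._accounts_by_source[source]
        self._prune(acct_fails, cutoff)
        self._prune(src_fails, cutoff)
        self._prune(src_accounts, cutoff, ts=lambda entry: entry[0])

        # Source-level limits catch both a flood against one account and a
        # spray of one password across many accounts, which never trips the
        # per-account counter.
        if len(src_fails) >= SOURCE_FAIL_LIMIT:
            return "block_source"
        if len({acct for _, acct in src_accounts}) >= SOURCE_ACCOUNT_LIMIT:
            return "block_source"
        # The account-level limit demands a step-up (CAPTCHA or second factor)
        # instead of locking the account, so a flood cannot lock out the owner.
        if len(acct_fails) >= ACCOUNT_FAIL_LIMIT:
            return "challenge"
        return "allow"

    def record_failure(self, source, account, now):
        self._by_account[account].append(now)
        self._by_source[source].append(now)
        self._accounts_by_source[source].append((now, account))


def replay(events, throttle=None):
    """Run (timestamp, source, account, password_ok) events and return the verdicts."""
    throttle = throttle if throttle is not None else LoginThrottle()
    verdicts = []
    for now, source, account, password_ok in events:
        verdict = throttle.decide(source, account, now)
        # Only attempts that reached the password check count as failures.
        if verdict == "allow" and not password_ok:
            throttle.record_failure(source, account, now)
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic: a flood on one account, a one-password spray
# across twelve accounts, and a person who mistypes twice then succeeds.
T0 = 1_700_000_000.0
BRUTE_FORCE = [(T0 + i, "203.0.113.5", "alice", False) for i in range(8)]
SPRAY = [(T0 + i, "198.51.100.7", f"user{i:02d}", False) for i in range(12)]
LEGIT = [(T0, "192.0.2.9", "bob", False), (T0 + 3, "192.0.2.9", "bob", False),
         (T0 + 6, "192.0.2.9", "bob", True)]

if __name__ == "__main__":
    for name, events in (("brute force", BRUTE_FORCE), ("spray", SPRAY), ("legit", LEGIT)):
        print(f"{name:12s} {replay(events)}")
```

The per-source counters assume the source address means something; behind carrier-grade NAT or a shared proxy one address covers many people, so a block on the source is the coarse tool and the per-account challenge is the one that should fire first in normal use. Counters expire with the window, so the flooded account is usable again without anyone unlocking it.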

I worked on Google's system for solving this. It's a pretty sophisticated analysis that decides whether to demand CAPTCHAs or not based on a lot of factors. The CAPTCHA was needed (at that time) because it's the only way to slow down the attacker without bothering the real user, who won't be shown one.

Server-side of course, but I would think the loading bar can be per connection rather than per account, right? Like a connection is attempted, starting the loading bar, and then 5s later you only allow that connection to continue the load? I do non-web dev stuff so maybe I'm missing something, but it sounds like it should be easy enough.
What stops you dropping the connection the moment you realize you're being loading-barred?
> without bothering the real user, who won't be shown one.

bullshit

Lots of signals used to prevent people seeing captchas when their passwords were being attacked, but you never see it so never think about it.
If you do that on the server side, per account, it works. Small DoS risk, but it remains acceptable.
Would requiring a un/pw sent to an email address work?
> killing off the independent alternatives to Reddit/Disqus

I haven't encountered a captcha using Lemmy. There might be one on some servers for account creation.

What are you on about?

I've used Amazon from the same IP address for years and I still regularly get the "you look like a bot, solve this" crap.

Did you read the article? What you said directly goes against the study's conclusion.
I'm helping a neighbor to run a small e-commerce website with reviews. Review forms are being spammed by bots that get even through CAPTCHAs, and the owner needs to clean them up constantly. Without CAPTCHAs, it becomes unsustainable.

They don't get a lot of bots trying stolen credit cards, but mostly because they are pretty niche.

I can believe the study's results on user interaction, but their "security analysis" section (6.2) is deeply flawed - it only looks at the best bots, and not at the average ones. Meanwhile, as many other people in this thread can attest, (1) most of the bots are not really sophisticated, and get stopped by CAPTCHA, (2) the defense does not have to be 100% efficient; as long as form spam goes from 100/day to 1/day, things are OK.

Of course the authors really wanted to write their conclusion, so they just ignored all the practical considerations. It's really a shame on the part of the paper's reviewers.

My thinking is that these days, the unsophisticated bots will still be stopped by literally any effort, like a hidden form field that causes the form to be rejected if it's filled in. Almost nothing will stop sophisticated bots, and nothing will stop a boiler room. This doesn't really leave a place for more sophisticated CAPTCHAs.
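The hidden-field idea from the comment above, combined with the server-enforced minimum delay discussed earlier in the thread, as an added example (not code from the thread or from any site mentioned in it): a review-form check that rejects a submission if the honeypot field was filled, if the HMAC-signed issue-time token is missing or forged, or if the form came back sooner than a person could plausibly have written a review. Field names, the 5 second minimum, the one-hour maximum and the sample submissions are all assumed or constructed for this example.

```python
import hashlib
import hmac
import secrets

HONEYPOT_FIELD = "website_url"     # rendered but hidden with CSS; people leave it empty
TOKEN_FIELD = "form_token"
MIN_FILL_SECONDS = 5               # assumed minimum time a person needs to write a review
MAX_AGE_SECONDS = 3600             # tokens older than this are refused
DEFAULT_KEY = secrets.token_bytes(32)  # per-process key; a real deployment persists and rotates it


def issue_token(now, key=DEFAULT_KEY):
    """Token to embed in the form: the issue time plus an HMAC over it."""
    ts = str(int(now))
    mac = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_submission(form, now, key=DEFAULT_KEY):
    """Return (accepted, reason) for a submitted form dict."""
    # A script that fills every field it finds trips the honeypot.
    if form.get(HONEYPOT_FIELD):
        return False, "honeypot_filled"
    ts, _, mac = form.get(TOKEN_FIELD, "").partition(".")
    if not ts.isdigit():
        return False, "token_missing"
    # The delay is enforced here, on the server, so the client cannot skip it.
    expected = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "token_invalid"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return False, "too_fast"
    if age > MAX_AGE_SECONDS:
        return False, "token_expired"
    return True, "ok"


# Constructed sample submissions against a fixed key so the run is reproducible.
SAMPLE_KEY = b"constructed-example-key"
T0 = 1_700_000_000
SAMPLES = [
    ("human", {TOKEN_FIELD: issue_token(T0, SAMPLE_KEY), "review": "Works well",
               HONEYPOT_FIELD: ""}, T0 + 40),
    ("fills every field", {TOKEN_FIELD: issue_token(T0, SAMPLE_KEY), "review": "buy now",
                           HONEYPOT_FIELD: "http://spam.invalid"}, T0 + 40),
    ("posts instantly", {TOKEN_FIELD: issue_token(T0, SAMPLE_KEY), "review": "buy now"}, T0 + 1),
    ("forged token", {TOKEN_FIELD: f"{T0}.0000", "review": "buy now"}, T0 + 40),
    ("no token", {"review": "buy now"}, T0 + 40),
    ("stale token", {TOKEN_FIELD: issue_token(T0, SAMPLE_KEY), "review": "late"}, T0 + 7200),
]


def classify_samples():
    """Run every constructed sample and return (name, reason) pairs."""
    return [(name, check_submission(form, now, SAMPLE_KEY)[1]) for name, form, now in SAMPLES]


if __name__ == "__main__":
    for name, reason in classify_samples():
        print(f"{name:18s} -> {reason}")
```

The token is not single-use, so a script that fetches the form once and waits out the minimum delay can reuse it; binding it to a session or keeping a short-lived seen-token set closes that. That matches the comment's own limit: this stops the bots that fill every field and post immediately, not the ones that behave like a person.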
Sounds a heck of a lot like the bots are killing off these websites. Gross overuse of automated scraping is a fact of life but individual choice is intolerable. What if I told you they were the same thing?
Yes, bot traffic is killing the open web. What's your point?
Regulate against inaccessible and privacy invasive CAPTCHA (done and done in EU) and regulate against disruptive bot traffic (what's the hold-up there? Oh, I see, it requires actual competent law enforcement... That's a hard one). Me only half-joking while standing on my high EU horse.
Have you seen this: https://trog.qgl.org/20081217/the-why-your-anti-spam-idea-wo... ? You're proposing a legislative change, and bots in the US, Russia, China, whatever can care less about the acts of the EU parliament.

I also don't see how EU solves issues with CAPTCHAs. Anonymous CAPTCHAs are allowed in the EU.

Thank you for that, though I'd rather choose 'The police will not put up with it' and either 'The politicians are too incompetent' or 'Underestimate how much money there is in it'

Anonymous CAPTCHAs are fine so long as they're accessible for people with disabilities. I would not venture to say I know of one such as a service...

If you are an EU government wanting a no-captcha experience on your website you could solve it thusly:

* Don't have captcha.

* Make it illegal for bots to access.

* Block foreign IPs.

* Make it illegal to provide a proxy for foreign bots.

Yeah, that's great until you're a European citizen who needs to access a government service while travelling in the US, or living in French Guyana, or any number of exceptions to your clever idea.
Also confirming that banning foreign traffic is the go-to eGovernment without CAPTCHA experience in Bulgaria.
Once regulations against disruptive bot traffic are effective enough that you don't need captchas, please ban captchas. But I don't see why you would do it the other way around. (Unless you secretly know that effective regulations against bot traffic are impossible.)
Oh I do believe they are possible. It is just high time that the units fighting against organised crime heavily expanded their scope to illicit online activities that actually cause financial harm by entities to entities smaller than the movie/music/publishing industries.
> (Unless you secretly know that effective regulations against bot traffic are impossible.)

Have you tried registering your phone number in the DO-NOT-CALL list (or your local equivalent)?

Did it stop anything?