If you solve this CAPTCHA, you are not welcome here
If you solve this CAPTCHA, you are not welcome here
Table of Contents
About this page
This page shows a bunch of annoying dialogs<br>to anyone who has JavaScript enabled.
The checks can be bypassed by hitting the Escape key five times.<br>There are a few other ways to get through the checks,<br>which I’ll leave undocumented.
An inverse CAPTCHA
It’s been the case for a few years now<br>that bots are better able to solve CAPTCHA than humans.
That being the case,<br>we are approaching the point where any client that bothers to solve a CAPTCHA<br>is more likely to be a bot than a human.[1]
This page explores that idea.
Passing the gauntlet of prompts that pop up on this page<br>results in being locked out.<br>Only those who attempt to exit the process,<br>reject all of the cookies,<br>hit escape,<br>or click away from the incessant dialogs<br>are able to get through.
How this page works
This is a normal blog entry,<br>there is just a script loaded<br>that does a bunch of annoying stuff.
The script doesn’t really do any of the things it claims to do.<br>These are strictly fake versions of some of the more annoying junk<br>that makes the Web unpleasant to use:<br>CAPTCHAs, cookie banners, anti-fraud interstitials, sign-up forms, and so forth.
All this content is added by that script.
The trap is the point
Anyone who successfully “solves” this CAPTCHA gets to visit a page<br>(here, it’s safe to visit, I promise)<br>that tells them they have failed the test.
This is a trap.<br>The script saves a value to your browser.<br>Any future visits to this page will be immediately forwarded to the rejection page.
The rejection page does give you a way to reset this state,<br>because to do otherwise seemed too much like a middle finger to visitors.
What about the bots?
This page is not really for bots,<br>it’s just a demonstration.<br>Well, that and a chance to build some really annoying stuff.<br>Many bots won’t even see the nonsense that I made<br>because they don’t bother running scripts.<br>This page is mostly just an experiment<br>that explores the shape that a bot trap might take.
It would not be particularly hard<br>to make a real bot trap.<br>The trick being to reduce the number of humans it catches.
Many bots will solve CAPTCHAs<br>to get to where they want to go.<br>A non-AI bot might need to be taught about new techniques,<br>but AI tends to just do whatever is necessary to accomplish its task.
If the site is built so that “passing” through all the checks<br>puts the bot in a trap,<br>this creates the right sort of incentives.
A trap doesn’t need to lead to a total lock-out.<br>It probably shouldn’t, either,<br>because having the bot know that it is trapped doesn’t help.<br>Putting the bot in a tarpit,<br>serving garbage,<br>or providing some lower class of service<br>ensures that you can seamlessly provide distinct handling for bots.
Humans will get trapped too
That humans will end up caught out is the main reason<br>an inverse CAPTCHA probably isn’t a great idea<br>for most sites.
Some people will attempt to solve these increasingly annoying puzzles too.<br>Those that do will end up in the same traps as the bot.
So we aren’t yet at the point where we can completely invert CAPTCHAs.
CAPTCHAs are user hostile
One reason I built this tool was to highlight just how much typical abuse mitigations –<br>whether it be CAPTCHA, proof of work, or similar<br>(along with cookie banners) –<br>degrade user experience.
CAPTCHA is annoying for everyone.<br>CAPTCHA excludes many people.<br>Besides, CAPTCHA doesn’t work.
Sites that set such demeaning tasks<br>make it very clear that they think very little<br>of the people who visit them.
So why are CAPTCHAs still common?
Everyone knows that a determined burglar is not slowed much by a locked door.<br>Still, we take the time to lock up anyway.
Slowing an adversary down can be the whole point.<br>You set up a simple cost-benefit equation for them.<br>If what your security protects is not worth<br>the cost of getting around those protections,<br>that might be enough to encourage the adversary to move on.
In other words, websites: if your CAPTCHA is working,<br>think carefully about what that says<br>about the value of the stuff it protects.
Either that, or it could mean that the papier-mâché lock –<br>while not an effective lock –<br>is an effective signal nonetheless.
A sign on the door
Bots could choose to interpret the presence of a CAPTCHA<br>as something more like a polite request to stay out.
After all, solving CAPTCHA isn’t that hard.<br>I mean, bot solving is a service that is widely advertised<br>for 1 or 2 dollars per thousand uses (with 100% reliability).<br>A general purpose model is probably not cheaper,<br>but any model would be capable of solving novel challenges<br>more reliably than a human.
Any bot therefore is deciding to either<br>respect a request to stay out<br>or deciding that the cost-benefit balance<br>leans toward not solving the challenge.
It certainly could be the case that 0.1c per site<br>is too high a cost.<br>But it seems like that is a cost that can be...