Cloudflare dumps Google's reCAPTCHA, moves to hCaptcha as free ride ends (and something about privacy)

You want this service at Cloudflare's scale? Then maybe you might want to pay for it

Cloudflare on Wednesday said it is ditching Google's reCAPTCHA bot detector for a similar service called hCaptcha out of concerns about privacy and availability, but mostly cost.

The network services biz said it initially adopted reCAPTCHA because it was free, effective, and worked at scale. Some Cloudflare customers, however, have expressed reservations about having data sent to Google.

Google's reCAPTCHA v3, used on about 1.2m websites, provides a way for web publishers to present puzzles called CAPTCHAs (completely automated public Turing test to tell computers and humans apart) that can usually, but not always, distinguish automated website interaction from human engagement. The point of presenting such challenges is to keep bots from registering fake accounts and conducting other sorts of online abuse.

In a blog post, CEO Matthew Prince and product manager Sergi Isasi observed that while Google is an advertising business and Cloudflare is not, Cloudflare nonetheless reconciled itself to Google's privacy policy even if it made some customers wary.

The biz has also been concerned about the availability of reCAPTCHA in China, given that Google services are intermittently blocked there. China is home to about a quarter of the world's internet users, so a significant number of people could be unable to access websites barricaded behind inaccessible reCAPTCHA puzzles.

Prince and Isasi note that Cloudflare has had some issues with this in China and elsewhere. But over the past decade, this hasn't been enough to warrant action.

Finally, earlier this year, Google told Cloudflare it plans to begin charging for reCAPTCHA, a service it has previously offered for free because the answers people provide improve its services and machine learning systems.

In an email to The Register, a Google spokesperson said there's no charge for reCAPTCHA unless you exceed one million queries per month or 1,000 API calls per second.

Faced with the prospect of paying millions for a service it offered at no charge to customers, Cloudflare decided something had to be done.

"That was finally enough of an impetus for us to look for a better alternative," said Prince and Isasi.

The biz held a bake-off to pick a new provider, and settled on hCaptcha, a service released last year as an alternative to reCAPTCHA.

According to Prince and Isasi, hCaptcha doesn't sell personal data and made commitments to use info collected from Cloudflare only to improve the service. Also, they said the service performs well and has options for the visually impaired and those with other accessibility concerns.

Finally, they note, hCaptcha works where Google services are blocked and hCaptcha was responsive – Google has never been known for attentive customer support.

The Register asked Cloudflare if it could provide data comparing how automated systems fare when trying to defeat hCaptcha and reCAPTCHA puzzles. The biz responded by reiterating its non-specific endorsement of hCaptcha.

"hCaptcha is at least as secure and faster to respond to changes that we see," said Isasi in an email to The Register. "We also have a lot more options with hCaptcha which allows us to be more directly responsive to attacks on our customers."

hCaptcha works with a bidding system that uses the Ethereum blockchain for payments, but the service relies on a more traditional payment scheme with enterprise customers.

Instead of charging customers that need their images classified and paying web publishers to put hCaptchas on their sites, Cloudflare is just paying for the service directly and providing it to its non-paying and paying customers alike.

In an email to The Register, Eli-Shaoul Khedouri, CEO of hCaptcha inventor Intuition Machines, said the company only uses blockchain technology when it's appropriate. "If there is no multi-party transaction there's less benefit to it, although having an immutable audit log can be nice in some scenarios," he said.

Khedouri said that hCaptcha, before its deal with Cloudflare, was doing more than one billion requests per month, nearly all of which involved Ethereum bounties for thousands of publishers. That business continues, he said, and the enterprise version of hCaptcha will eventually be rebranded to reduce confusion between the two services.

Khedouri expressed reluctance to release data comparing how hCaptcha and reCAPTCHA fare against automated attacks but pointed to Cloudflare's statement that "performance (both in speed and solve rates) was as good as or better than expected during our A/B testing."

"Anecdotally, the dark web was furious when they switched," he said. "We saw a ton of botherders complaining."

Cloudflare, however, hopes to get rid of audio and visual CAPTCHAs eventually because they're "an imperfect answer to a number of difficult problems." Meanwhile, an older version of reCAPTCHA, v2, can be defeated more than 92 per cent of the time under the right conditions.

Prince and Isasi say Cloudflare is working toward eliminating CAPTCHAs, and will share details on that work along the way. ®
