User friendly CAPTCHAs have been defeated. Current technology relies on extensive fingerprinting but if you want to take out bots using that, you’ll also be taking out anyone not on Windows 10+/macOS with GPU drivers installed and no fingerprint resistence.
“Type these letters” is no longer a good filter. Neither is basic math or recognising words. Even these dice games can be done by ChatGPT just fine once you bypass the “I can’t do CAPTCHAs” limitation that they put in front of it.
We used to be able to make CAPTCHAs just slightly more difficult. Add in some colours, blur the edges some more, use different fonts. That’s no longer an option; CAPTCHAs need to be increased in cognitive complexity instead.
This is a huge problem. As AI becomes more advanced, more disabled people will start losing access to services because they can’t get through the CAPTCHAs. Audio transcription AI is becoming more advanced by the month and I expect audio CAPTCHAs to soon become unusable. These more complex puzzles, which AI can’t automatically describe, will also cause sighted and mentally disabled people to lose access. The days of CAPTCHAs are soon over.
I can see three solutions for this, and all of the suck donkeyballs.
One is remote attestation tied to a hardware key (the thing Google tried to add and the thing Apple has added to Safari). Your access will be determined by your possession of real hardware. If someone hacks the manufacturer of your device and steals the keys, your access will soon be revoked. However, this requires bots to buy real devices, which makes them too costly to operate at huge scales. Running Linux or older versions of Windows/macOS will make accessing the internet impossible.
A variant of this is the “apps for everything” outcome, where websites will stop being useful and tell you to install an app instead. Apps can do a lot more (invasive) analysis of your system, and existing DRM solutions should keep most bots out.
Another is to just put pay walls and accounts in front of everything. No spam bot or crawler will pay a dollar for every account they need to create.
The last one is to centralise on a few hosting providers which can use traffic analysis across many websites to determine bot status. No more VPNs, even more websites behind Cloudflare, but simple, accessible CAPTCHAs.
The non-solution is to try and cling to CAPTCHAs. Soon CAPTCHAs will start excluding anyone under some kind of education level that’ll affect a significant portion of the population, but it’ll maintain the status quo for most neurotypical people.
Many websites already employ a combination of these measures, and it’s only going to get worse. For general accessibility and for keeping the internet free and somewhat democratic, I’m putting my money on option one: remote attestation. Hardware trust can be implemented in free operating systems (many people will get huffy about it but I’m sure they’ll prefer it to not being able to use the internet) and older systems will take a hit, but it’s the best of the outcomes I can see.
User friendly CAPTCHAs have been defeated. Current technology relies on extensive fingerprinting but if you want to take out bots using that, you’ll also be taking out anyone not on Windows 10+/macOS with GPU drivers installed and no fingerprint resistence.
“Type these letters” is no longer a good filter. Neither is basic math or recognising words. Even these dice games can be done by ChatGPT just fine once you bypass the “I can’t do CAPTCHAs” limitation that they put in front of it.
We used to be able to make CAPTCHAs just slightly more difficult. Add in some colours, blur the edges some more, use different fonts. That’s no longer an option; CAPTCHAs need to be increased in cognitive complexity instead.
This is a huge problem. As AI becomes more advanced, more disabled people will start losing access to services because they can’t get through the CAPTCHAs. Audio transcription AI is becoming more advanced by the month and I expect audio CAPTCHAs to soon become unusable. These more complex puzzles, which AI can’t automatically describe, will also cause sighted and mentally disabled people to lose access. The days of CAPTCHAs are soon over.
I can see three solutions for this, and all of the suck donkeyballs.
One is remote attestation tied to a hardware key (the thing Google tried to add and the thing Apple has added to Safari). Your access will be determined by your possession of real hardware. If someone hacks the manufacturer of your device and steals the keys, your access will soon be revoked. However, this requires bots to buy real devices, which makes them too costly to operate at huge scales. Running Linux or older versions of Windows/macOS will make accessing the internet impossible.
A variant of this is the “apps for everything” outcome, where websites will stop being useful and tell you to install an app instead. Apps can do a lot more (invasive) analysis of your system, and existing DRM solutions should keep most bots out.
Another is to just put pay walls and accounts in front of everything. No spam bot or crawler will pay a dollar for every account they need to create.
The last one is to centralise on a few hosting providers which can use traffic analysis across many websites to determine bot status. No more VPNs, even more websites behind Cloudflare, but simple, accessible CAPTCHAs.
The non-solution is to try and cling to CAPTCHAs. Soon CAPTCHAs will start excluding anyone under some kind of education level that’ll affect a significant portion of the population, but it’ll maintain the status quo for most neurotypical people.
Many websites already employ a combination of these measures, and it’s only going to get worse. For general accessibility and for keeping the internet free and somewhat democratic, I’m putting my money on option one: remote attestation. Hardware trust can be implemented in free operating systems (many people will get huffy about it but I’m sure they’ll prefer it to not being able to use the internet) and older systems will take a hit, but it’s the best of the outcomes I can see.