
405 points by blindgeek | 3 comments
jchw No.42173090
I hope we can end the CAPTCHA experiment soon. It didn't work.

Phone verification isn't good either, but as much as I hate it, at least it raises the cost of spamming somewhat. CAPTCHA does not: almost every turnkey CAPTCHA can be solved for pennies.

Solving the problems of spam and malicious traffic will be challenging... I worry it will come down to one of three things:

- Anonymity of users: validating someone's real-life identity would make it possible to permanently ban malicious individuals and filter out bots effectively, but it would destroy anonymity online. In my opinion, untenable.

- Closing the platform: approaches like Web Environment Integrity and Private Access Tokens pave the way for closing the web platform down. The vast majority of web users run Google Chrome or Safari on a device with Secure Boot, so the entire boot chain can be attested, and the share of users who can do this will only grow. In that future the web ceases to be meaningfully open: alternatives to attestation will keep getting less useful (machine learning may never achieve AGI, but it's going to kick the ass of every CAPTCHA in sight), so it will become increasingly unlikely that you can get into websites without it. (A toy sketch of the token flow this implies follows the list.)

- Accountability of network operators: love it or hate it, the Internet benefits a lot from gray-area operators that run with little oversight or transparency. Still, another way to get rid of malicious traffic is to push more accountability onto network operators, cutting non-compliant providers off from the Internet. This would probably also suck, and it would invite abuse of that power.
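
To make the attestation idea concrete, here is a deliberately toy sketch of the token flow it implies: an attester signs a short-lived token for devices that pass attestation, and a website admits only requests carrying a valid token. This is not the real Web Environment Integrity or Private Access Tokens wire format; real deployments use publicly verifiable (often blinded) signatures from an attester such as Apple or Google, and the HMAC shared key here is only a stand-in to keep the sketch self-contained.

    import hashlib, hmac, secrets, time

    # Toy stand-in for an attestation token scheme (NOT the real WEI/PAT
    # protocol): real schemes use public-key, often blinded, signatures
    # so the attester and the website never share a secret.
    ATTESTER_KEY = secrets.token_bytes(32)  # hypothetical attester key
    WINDOW = 600  # token validity window in seconds (illustrative)

    def issue_token(device_passed_attestation: bool) -> bytes | None:
        # Attester side: sign a short-lived token for healthy devices.
        if not device_passed_attestation:
            return None
        payload = str(int(time.time()) // WINDOW).encode()
        tag = hmac.new(ATTESTER_KEY, payload, hashlib.sha256).digest()
        return payload + b"." + tag

    def verify_token(token: bytes) -> bool:
        # Website side: admit the request only if the token is fresh and valid.
        payload, _, tag = token.partition(b".")
        if payload != str(int(time.time()) // WINDOW).encode():
            return False
        expected = hmac.new(ATTESTER_KEY, payload, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

    token = issue_token(device_passed_attestation=True)
    print(verify_token(token))  # True -> request admitted, no CAPTCHA shown

The point of the sketch is the asymmetry: a client that cannot produce the attester's signature simply never gets in, which is exactly what makes the scheme both effective against bots and closed to everything else.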

It's tricky, though. What else can you do? You can try to reduce the incentives for malicious traffic, but it's hard to do that without also reducing the value a service offers. You can make malicious traffic harder through obfuscation, but that won't stop motivated parties.

Either way, it feels like the era of the open web is basically over. The open web may continue to exist, but it will probably be overshadowed by a new, much more closed-off web.

1. mindslight No.42173573
meh, continuing the pearl clutching and asserting there has to be some general "solution" is itself part of the problem. The vast majority of captchas I come across are on essentially static content. If simple source-IP rate limiting can't keep the server load manageable, then the real problem is how the site is built. And adding even more bloat to tick another managerial bullet point is exactly how it got that way.
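
To make the rate-limiting point concrete, here is a minimal per-source-IP token bucket. In practice you would more likely do this in the reverse proxy than in the application, and the numbers are illustrative, not recommendations:

    import time

    # Each source IP gets RATE requests/second with bursts up to BURST.
    RATE, BURST = 5.0, 20.0
    buckets: dict[str, tuple[float, float]] = {}  # ip -> (tokens, last refill)

    def allow(ip: str) -> bool:
        tokens, last = buckets.get(ip, (BURST, time.monotonic()))
        now = time.monotonic()
        tokens = min(BURST, tokens + (now - last) * RATE)  # refill over time
        if tokens < 1.0:
            buckets[ip] = (tokens, now)
            return False  # over the limit: serve a 429, not a CAPTCHA
        buckets[ip] = (tokens - 1.0, now)
        return True

For static content behind a cache, something this small is usually all the defense the server-load argument actually justifies.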
2. jchw No.42173790
Two things:

- I don't believe there is a general solution to this problem, but that won't stop people with lots of money and influence from trying to find one, especially a cheap one. I still hope the least user- and ecosystem-hostile of the flawed approaches wins. (Of the ones I listed, the one that bothers me least is more policing of service providers.)

- CAPTCHAs on static content are almost assuredly anti-scraping measures. I think anti-scraping measures are mostly pointless and antithetical to an open web in the first place, but an effective one pretty much has to work off reputation: access to a very large number of IP addresses isn't free, but it doesn't cost all that much either, especially if IPv6 is on the table (see the sketch below). I personally doubt it has much to do with server load in most cases, but maybe I'm wrong.
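
The IPv6 caveat is worth making concrete: a residential customer is typically handed an entire /64, so any per-address limit or reputation score can be evaded by rotating through addresses for free. One common mitigation, sketched here with Python's stdlib as one possible approach, is to key limits on the /64 prefix for IPv6 while keeping per-address keys for IPv4:

    import ipaddress

    def rate_limit_key(addr: str) -> str:
        # Collapse IPv6 clients to their /64 so one subnet can't mint
        # millions of "fresh" addresses; IPv4 stays per-address.
        ip = ipaddress.ip_address(addr)
        if ip.version == 6:
            return str(ipaddress.ip_interface(f"{addr}/64").network)
        return addr

    print(rate_limit_key("203.0.113.7"))          # 203.0.113.7
    print(rate_limit_key("2001:db8::1"))          # 2001:db8::/64
    print(rate_limit_key("2001:db8::dead:beef"))  # same /64 -> same key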

3. mindslight No.42178019
There are indeed many powerful motives behind the march of technological authoritarianism. But validating the narratives about why ever more control is needed is itself a form of support, and we should avoid it.

Rather, we need to recognize these as instances of the same old authoritarian fallacy: more control promises better outcomes, because whatever increased control ends up ruining can never be enumerated up front. In actuality, reducing independent autonomy stifles invention and suffocates society.

"Anti-scraping" is a dubious problem in the context of web sites aimed at publishing information. The best "anti-scraping" solution is a published API that includes bulk downloads. I'll admit there's a tiny sliver of sites for which controlling consumption might make sense, but it's certainly not ones that allow browsing without even logging in.