Google broke reCAPTCHA for de-googled Android users
reclaimthenet.org187 points by anonymousiam 3 hours ago
187 points by anonymousiam 3 hours ago
Related: Google Cloud fraud defense, the next evolution of reCAPTCHA - https://news.ycombinator.com/item?id=48039362
also: Google Cloud Fraud Defence is just WEI repackaged - https://news.ycombinator.com/item?id=48063199
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it. I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone. It's all fun until you can't get paid because some fintech app doesn't work. That's why we need regulations. I don't see politicians ever going against an advertising company when they're customers. Indeed, I generally favor being conservative with regulations because they can genuinely impede progress and can be really hard to change or remove when they're bad, but this is an issue that we need regulation for. It's just too much in the interest of big tech to lock us down and strip us of our freedom of compute. Short of regulation. Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong. My understanding is that this new reCAPTCHA is basically just remote attestation. Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate. Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable to tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed). If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own. Stop visiting sites and using services that use reCAPTCHA. Problem solved. With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day. One problem with these things is that businesses have minimal visibility on the amount of users they lose. On the opposite, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!". Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha). Yeah, live in a cave, and problem solved. However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use. Let's find a better solution please Stop visiting sites and using services that use reCAPTCHA. Problem solved. No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA. I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved." I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough". I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all. For people using a Google account it probably won't make a huge difference, in terms of data collected. If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people. Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required. But there's a good chance that it will be extremely hard to sidestep, despite that. > My understanding is that this new reCAPTCHA is basically just remote attestation. Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'. > Google didn’t demand iPhone users install Google software to pass the test. Can de-Googled Android phones present themselves as iPhones? Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys. Can they present themselves as... web browsers? Yes, and then they'll get served a QR code that you have to scan on a phone Google approves of. This is crossing the line where the governments should step in and ban/fine google heavilly for this monopol behavior I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least: - pretended that it wasn't all about invading peoples' privacy. - done a good ol' fashioned "but Apple does it" - pretended to be standards-oriented - advertised it as something completely transparent to the end-user Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal. I don't even have a smart phone, I assume there is some sort of fallback behavior? I don't know why reclaimthenet hasn't embraced the obvious answer: Simply create a new smart device operating system with a fully disentangled cosmos of programs, libraries, APIs, app SDKs, hardware partners, drivers, trust networks, carrier agreements, app stores, documentation, conferences... It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip. Time for some lawfare! The Government reviewed the Google situation on behalf of you, and on behalf of the Government, and said “data, so piss off”: https://abcnews.com/Technology/google-hit-antitrust-lawsuit-... https://macdailynews.com/2026/02/04/u-s-files-appeal-in-goog... Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops. My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples: - I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all. - Discord immediately bans me any time I try to create an account. - Can't buy flights from Delta, always gives a non-descript error. - Can't buy concert tickets, it thinks I'm a fraudulent buyer. - Most CF sites produce a "Sorry, you have been blocked" page, or just loop. - Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one). - Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me. I just take my business elsewhere... eventually I'll probably just stop using technology at all. Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs. I know people like to think of suspicious android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but its sad how many people will use some free of cost vpn and not even think why that might be. > Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops. I had this problem recently with the Indeed website. (Cloudflare Captcha) Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished. Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished. Why not just change your user agent string? That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version. Turnstile feels bad as a user. Every site that I’ve seen it long will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops. Oh man I feel you. I turn my VPN off on certain sites due to the captcha loop. Wouldn't a 1£ Linux VM as Wireguard access point suffice? Nope, I have tried. Just as suspicious to them if not moreso because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now. whenever I can't access a website for various stupid blocks I fire up cloudflare warp and walk right through it use wireguard with wgcf in environments without cloudflare client yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden You sir seem to have solved a problem many people here have. Would you care to elaborate a little on how you did it? It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues. He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system. I wonder if iCloud private relay might also work. Apple probably negotiated some special treatment For Decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain. I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt. They were of course trustworthy proviers while they were untouchable but now I know how things are gonna go. And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet. A parallel, fully public and accessible internet being widespread and available for anyone with a slight tinkering kick... Could actually be really awesome. Let the commerce-driven, corporatized hellhole that the modern web has become eat itself. Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as MacOS is also Unix. The kernel is a Linux kernel. The userspace is very different from a typical Linux distribution. A fork of it, updated periodically And let's not pretend that we mean the kernel when we say Linux distribution Android literally is a Linux distro, though. Like, sure it has a weird userspace and is user hostile, but that doesn't make it not a Linux distro. Unless it was in a previous iteration of the submission's title, I don't see Linux mentioned anywhere. It's the punishment for all the times people laughed at calling regular Linux "GNU/Linux". Related: Google Cloud fraud defense, the next evolution of reCAPTCHA https://news.ycombinator.com/item?id=48039362 Google Cloud Fraud Defence is just WEI repackaged
Worf - 11 minutes ago
brikym - 6 minutes ago
freedomben - 2 minutes ago
coppsilgold - 3 hours ago
tardedmeme - an hour ago
getpokedagain - an hour ago
tardedmeme - 14 minutes ago
g-b-r - 8 minutes ago
g-b-r - 14 minutes ago
reaperducer - 4 minutes ago
g-b-r - 18 minutes ago
thaumasiotes - 25 minutes ago
dheera - an hour ago
coppsilgold - an hour ago
thaumasiotes - 24 minutes ago
tardedmeme - 14 minutes ago
cantalopes - 6 minutes ago
thecatapps - 41 minutes ago
kyrofa - 4 minutes ago
ezekiel68 - an hour ago
cornholio - 2 hours ago
spankibalt - 2 hours ago
DANmode - an hour ago
ranger_danger - 3 hours ago
miladyincontrol - 7 minutes ago
Jigsy - 2 hours ago
anonymousiam - an hour ago
mschuster91 - an hour ago
hysan - 2 hours ago
prism56 - 3 hours ago
Milpotel - 2 hours ago
ranger_danger - 2 hours ago
ck2 - 2 hours ago
wafflemaker - 2 hours ago
tardedmeme - an hour ago
krackers - an hour ago
citizenpaul - an hour ago
tamimio - 2 hours ago
Andrex - an hour ago
kittikitti - 2 hours ago
PaulHoule - 2 hours ago
g-b-r - an hour ago
yjftsjthsd-h - 40 minutes ago
prophesi - 2 hours ago
IsTom - 2 hours ago
ChrisArchitect - 2 hours ago