Google's New NoCaptcha Captcha
Written by Alex Armstrong   
Thursday, 04 December 2014

We all hate them, but captchas are a useful tool in keeping spam bots out of all sorts of opt-in lists. Now Google has offered us all a free captcha that, in most cases, doesn't ask the user anything at all. 

Google's reCAPTCHA has been the most used captcha for some time. While it is provided for free, Google gets something out of it because all those tasks you solve are useful. You get to read distorted text and identify things that are useful in improving optical character recognition and AI training. 

reCAPTCHA is well known for being tough on bots and humans alike and Google has been working on making it easier to use for a while. There is also the small matter that while we humans have not been improving, bots can read the distorted text with 99.8% accuracy and without getting hot under the collar about it. 

Last year reCAPTCHA was augmented by an "Advanced Risk Analysis" backend. This performs unspecified checks on the user's interaction with the web page to determine the likelihood that the user is a bot. The challenge presented then depends on the likelihood - if you are thought to be human you get an easy task but potential bots get really tough tasks. 

Now Google has taken this Advanced Risk Analysis a step further - now there is a single task - just tick the box stating "I'm not a robot". 

Usually after a few moments thinking time a green tick appears and you are validated as a human. It couldn't be easier. As before, if there is any doubt then a captcha is generated and you have to solve it to earn a green tick. 

Early adopter data suggests that between 60% and 80% of traffic is let through without a captcha challenge.

You can see how Google would like us all to think about it in this video - and it is a very nicely crafted video:

Now we come to the slight downside as far as programmers are concerned. The API is just different enough from the ReCaptcha API for you to have to re-implement things. It might be that if you opt to be a late adopter then Google will have got round to crafting some easy-to-use libraries. 

If you want to get started - and I Programmer is already using the new No CAPTCHA reCAPTCHA - then this is what you need to know. 

You can use your existing private and public keys; otherwise you need to register. 

The client side is very easy - in fact easier than for reCAPTCHA. Just remove whatever JavaScript, including the noscript tags, the page has and enter:

<div class="g-recaptcha"
     data-sitekey="your_site_key"></div>

in its place.

Or, if you are implementing captcha for the first time, place the div in the form that you want to protect. The div gives the location where the Google code will create the captcha.

You also need to load the code and this is done with: 

<script
  src="https://www.google.com/recaptcha/api.js"
  async defer></script>

which can be put almost anywhere on the page. When the script loads and runs it finds the div and constructs the widget.

There are more sophisticated ways of getting the widget in a page, but this way should suit most situations. 

What happens on the server side depends on the language you are working in. In most, the approach that is closest to the old captcha API is to use the POST parameter. 

The page that is loaded as a result of the form POST has a new POST parameter g-recaptcha-response. This has to be sent to the Google verify server using a GET:

 https://www.google.com/recaptcha/api/siteverify?
    secret=your_secret&
    response=response_string&
    remoteip=user_ip_address

and notice that the user's IP address is now optional. 

So all you have to do is construct a GET request. For example, in PHP this can be done in a number of ways but the simplest is:

$response = $_POST["g-recaptcha-response"];
// urlencode() keeps the token from breaking the query string,
// and the URL must not contain spaces or line breaks
$json = file_get_contents(
  "https://www.google.com/recaptcha/api/siteverify?secret=yourprivatekey"
  . "&response=" . urlencode($response));

The response is a JSON object:

{
  "success": true|false, 
  "error-codes": [...]   // optional
}

You could process this using a full JSON decode, but in PHP the simplest thing is to use a regex or similar:

preg_match('/true/',$json)

which will be true if the JSON contains true and the user is not a bot. This is sloppy, but effective. You can build a more complicated regex if you want to test for the name value pair or work with the error messages. 
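As an added example (not from the article, and not Google's own library code), here is the same server-side flow done with a real JSON decode instead of the regex: it builds the GET request, refuses a submission with no token before calling Google, and fails closed on anything that is not a JSON `true`. The `verify_form` function, the injectable `fetch` and the sample reply bodies are my own constructions.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def build_verify_url(secret, token, remote_ip=None):
    """Build the siteverify GET URL from the article; remoteip is optional.
    urlencode() stops a token with odd characters from breaking the query."""
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip
    return SITEVERIFY_URL + "?" + urlencode(params)


def parse_verify_response(body):
    """Decode the {"success": ..., "error-codes": [...]} reply.
    Returns (passed, error_codes). Only a JSON true counts as a pass;
    anything else fails closed (our own "unparseable-response" label)."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        data = None
    if not isinstance(data, dict):
        return False, ["unparseable-response"]
    passed = data.get("success") is True
    return passed, list(data.get("error-codes", []))


def verify_form(post, secret, remote_ip=None, fetch=None):
    """Check one form submission. `post` is the dict of POST fields and
    `fetch(url)` returns the response body (injectable so this runs offline).
    An empty token means the widget was never completed, so we fail without
    calling Google, reusing the documented 'missing-input-response' code."""
    token = post.get("g-recaptcha-response", "")
    if not token:
        return False, ["missing-input-response"]
    if fetch is None:
        fetch = lambda url: urlopen(url, timeout=5).read().decode("utf-8")
    return parse_verify_response(fetch(build_verify_url(secret, token, remote_ip)))


# Constructed sample bodies in the shape the article shows (not real replies).
SAMPLE_OK = '{"success": true}'
SAMPLE_FAIL = '{"success": false, "error-codes": ["invalid-input-response"]}'
```

In production leave `fetch` as `None` so the request really goes to Google; the samples only stand in for its reply when testing offline.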

The final question is how does it work?

Google isn't saying and you can understand why. This is one case where obscurity is going to help security.

You have to wonder what it is that the threat engine is taking into account though. Is it making use of any sort of tracking to work out if you are a bot, or is the information localized to a single transaction? While the captcha was being updated for I Programmer it started off allowing the test user in as a human, but after three attempts it switched to a very difficult traditional captcha, which got easier as the test user got them right. So there has to be at least limited tracking. 

Last Updated ( Thursday, 04 December 2014 )