
What is the No CAPTCHA problem? What's being described here are problems that apply to all CAPTCHAs. Whatever 'human' detection system you put in place, humans can always be hired to solve them. The point of No CAPTCHA is not to fix these problems, it's to make it easier for 90% of people who don't care too much about cookie privacy etc. (or most likely have no idea it's even a thing).



The problem itself is described at the end: it's about using clickjacking to get a valid token on behalf of "good guys". And this problem has nothing to do with existing systems.

Google could have made it so much easier and more secure: a POST request to google.com/verify_me will have an Origin header in it to prevent CSRF (only wordpress.com scripts will be able to get the token). Also there would be no need to make a click. No CAPTCHA looks fancy but the real No CAPTCHA should always have visibility:none!
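The Origin check suggested in the comment above, sketched as an added example that is not part of the original thread and is not Google's code. The site key, the registry and the function name are hypothetical, and the sample requests are constructed.

```javascript
// Hypothetical registry: site key embedded in the widget -> the one origin allowed to use it.
const REGISTERED_ORIGINS = new Map([
  ["sitekey-demo-123", "https://wordpress.com"], // constructed sample entry
]);

// Decide whether a request to a (hypothetical) verify endpoint may receive a token.
// `req` is { method, siteKey, headers }; header names are matched case-insensitively.
function checkVerifyRequest(req) {
  const deny = (reason) => ({ allow: false, reason, responseHeaders: {} });

  if (req.method !== "POST") return deny("method-not-post");

  const expected = REGISTERED_ORIGINS.get(req.siteKey);
  if (!expected) return deny("unknown-site-key");

  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  const raw = headers["origin"];

  // Page script cannot set Origin itself, so a missing value is refused, not guessed.
  if (raw === undefined) return deny("origin-missing");
  // Opaque origins (for example sandboxed iframes) serialize as the string "null".
  if (raw === "null") return deny("origin-opaque");

  let parsed;
  try { parsed = new URL(raw); } catch { return deny("origin-malformed"); }
  // A serialized origin is scheme://host[:port] only, with no path or trailing slash.
  if (parsed.origin !== raw) return deny("origin-malformed");

  // Exact comparison: prefix or substring matching would accept
  // https://wordpress.com.evil.example as if it were the registered site.
  if (parsed.origin !== expected) return deny("origin-mismatch");

  return {
    allow: true,
    reason: "ok",
    // Only scripts running on the registered origin can read the response body (the token).
    responseHeaders: { "Access-Control-Allow-Origin": expected, "Vary": "Origin" },
  };
}
```

A non-browser client can send any Origin value, so this check only covers requests that a visitor's browser makes on behalf of some other page.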


"No CAPTCHA looks fancy but the real No CAPTCHA should always have visibility:none!"

I agree, but I suppose they want something that's a placeholder, if the user needs to type a captcha.


Why? If there's no need to type any captcha, do the verification in the background; don't show me anything until you think I'm a bot.


Because of page layout. Having a fixed size element is better than having something (that is not yours) that might be there or not.


There's still no need for a click.


IMHO the need for a click is just for lazy loading, and thus reducing server demand.


Couldn't they just trigger that on form submission, then? "Please wait while we confirm you are human" is better than clicking and then waiting, and then submitting upon completion.



