Open Gitoffthelawn opened 8 years ago
That's a good question. I assume the main problem here is the fact that, as far as I know, reCAPTCHA scripts are not strictly versioned, and response content expires pretty much immediately.
I would be all for a local, decentralized, solution if possible, as the situation is quite bad indeed.
My initial thought is that it's possible that the versioning is not too important if the website is just looking for a response. I could be wrong, of course.
As an oversimplification, if you have:
`if captcha_approved do procedure`
then whatever has to take place to generate a valid `captcha_approved` will generally not make a difference.
Even so, as you pointed out, there are other issues involved.
Although I prefer a totally local solution, another choice would be to convert CDN captchas to _play-on-demand_ captchas, much like users can do with objects like Flash. This way, the CDN is only called if the user actually wants to use the captcha.
Even sites like Mozilla.org _ridiculously_ call Google's reCAPTCHA servers even when the user isn't doing anything that requires a captcha.
This project is about moving away from third-party CDNs and hosting commonly used files locally. If that's not appealing to you, then don't install this software!
I do not prefer locally stuff because it's more of a security issue...
This project has "locally stuff". If you are aware of this project causing security issues, please provide concrete exploitable examples, so the kind developer can fix them!
A possible way to hinder CAPTCHA abuse: if you encounter a captcha on a regular second-rate site where there is just nothing to protect from spam, ban that site everywhere you can until they remove it.
I'm also against adding support to bypass security functionalities of online webpages in any way. This project should not get related/linked to bypassing security of anything, as it would make it a target for blocking in many systems...
We are discussing hosting third-party captchas locally, not bypassing security functions. See https://github.com/Synzvato/decentraleyes/issues/88#issue-154155824
Actually, after thinking about it more, I have yet to come up with a case where captchas actually provide significant security benefits. They may create the illusion of security, but they don't improve actual security. Software that bypasses captchas is already available. Also, wages are so low in some parts of the world that have internet access that using people to manually enter captchas is quite feasible.
If a site is relying on captchas to prevent brute force attacks, then they are doing a disservice to their customers.
Captchas only work well for preventing someone from writing the simplest of scripts to create multiple logins for a site.
Any site that relies on captchas as an important part of their security is not a secure site in the first place.
I'd love a way to use reCAPTCHA without phoning Google, if that's even possible.
Captchas are the safest anonymous protection against bots, but that is not the topic. I don't know how captchas are usually implemented, but I assume that the check is done on a server and the website gets the response from that server. If that is the case, then there is no way to bypass the captcha. However, you can do the interfacing locally and just send the user input to the website or Google, depending on how it is done.
To activate reCAPTCHA you need to allow the gstatic script, which is a web bug... I would love to have reCAPTCHA handled locally!
Many sites, unbelievably, still use a Google reCAPTCHA instead of using open-source solutions.
Is there any way that these could be hosted locally instead of from Google?