
Posted by anonymousiam 16 hours ago

Google broke reCAPTCHA for de-googled Android users(reclaimthenet.org)
Related: Google Cloud fraud defense, the next evolution of reCAPTCHA - https://news.ycombinator.com/item?id=48039362

also: Google Cloud Fraud Defence is just WEI repackaged - https://news.ycombinator.com/item?id=48063199

1071 points | 370 comments
coppsilgold 15 hours ago|
My understanding is that this new reCAPTCHA is basically just remote attestation.

Remote attestation doesn't use blind signatures (as that would be 'farmable') so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see, if the Google server logs EK -> AIK conversions an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either as I'm sure Google logs everything and will correlate.

Unless something special is done with this new reCAPTCHA not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable of tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).

palata 1 hour ago||
> Much like age verification

Age verification as a technical concept can be done in a privacy-preserving manner! Whether or not we want age verification is another debate, but let's stop making wrong technical claims about that: it doesn't help.

bpfrh 49 minutes ago||
Really, how?

At some point someone will need to issue a key, which at some point will need to be verified against known good signatures.

These signatures will also need to be kept in case of lawsuits/enforcement, so if somebody gets access they will know you visited that site

michaelt 11 minutes ago|||
The trick is to define "privacy-preserving age verification" in an extremely narrow way that ignores any other privacy concerns.

For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.

Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.

Pornhub gets an Apple-signed attestation of age - but because every phone signs challenges with the same private key, Pornhub can't link it to a particular phone or identity document.

So in a very narrow sense, privacy is preserved.

You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.

Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.

maccard 36 minutes ago||||
Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.
Scaled 34 minutes ago||||
Parental controls on device are a better solution that work today and don't carry a risk of data breach.
harshreality 18 minutes ago|||
They would be a solution if almost all parents used them, but parents don't want to socially isolate their kids since a lot of "social" activity is now on social media. It's kind of a prisoner's dilemma.

They're not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).

raverbashing 8 minutes ago|||
Are they a better solution? Yes

Do they work currently? Not really

Are they too complex for the avg joe to work out? Unfortunately yes. (Something about the smartest bears and the dumbest humans)

palata 44 minutes ago|||
With cryptography. Look at e.g. Privacy Pass, there is an RFC about it.
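Added example, not part of the thread: a toy model of the chain coppsilgold describes above (EK -> AIK -> attestation, with the issuing server logging EK -> AIK), placed next to the blind-signature issuance palata points at (Privacy Pass style), so the difference in what the issuer's log can join is visible in code. Textbook RSA over small primes generated at run time stands in for the real EK/AIK signature schemes; the class and function names, the origins and nonces, and the 512-bit key size are all invented for the demo and are not Google's, Apple's or Privacy Pass's actual protocol.

```python
import hashlib
import random
from math import gcd

# Added example, not code from the thread: textbook RSA over small primes made at
# run time stands in for real signature schemes. What matters is who can log what.
RNG = random.Random(1337)   # deterministic for the demo; real code uses os.urandom

def is_probable_prime(n, rounds=16):      # trial division, then Miller-Rabin
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):                 # returns ((e, n), (d, n)); small keys keep the demo fast
    e, half = 65537, bits // 2
    while True:
        p = q = 0
        while not is_probable_prime(p):
            p = RNG.getrandbits(half) | 1 << (half - 1) | 1
        while q == p or not is_probable_prime(q):
            q = RNG.getrandbits(half) | 1 << (half - 1) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:                       # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def h(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big")   # 256 bits < n
def sign(priv, msg): return pow(h(msg), priv[0], priv[1])                # hash-then-RSA
def verify(pub, msg, sig): return pow(sig, pub[0], pub[1]) == h(msg)
def encode(pub): return b"%d:%d" % pub

class AttestationServer:
    """Issuer in the comment's model: certifies a fresh AIK for a burned-in EK and logs the pair."""
    def __init__(self):
        self.pub, self._priv = rsa_keygen()
        self.issuance_log = []
    def certify_aik(self, ek_pub, aik_pub, proof_by_ek):
        assert verify(ek_pub, encode(aik_pub), proof_by_ek), "AIK not bound to this EK"
        self.issuance_log.append((ek_pub, aik_pub))       # the linkage the thread warns about
        return sign(self._priv, encode(aik_pub))          # the AIK certificate
    def ek_behind(self, aik_pub):                          # what a logging issuer can do
        return next(ek for ek, aik in self.issuance_log if aik == aik_pub)

class Device:
    def __init__(self):
        self.ek_pub, self._ek_priv = rsa_keygen()         # static, "burned in"
    def attest(self, server, origin, nonce):
        aik_pub, aik_priv = rsa_keygen()                  # fresh per site, so sites can't link
        cert = server.certify_aik(self.ek_pub, aik_pub, sign(self._ek_priv, encode(aik_pub)))
        stmt = origin + b"|" + nonce
        return {"aik": aik_pub, "cert": cert, "stmt": stmt, "sig": sign(aik_priv, stmt)}

def relying_party_accepts(server_pub, att, origin, nonce):
    return (att["stmt"] == origin + b"|" + nonce
            and verify(server_pub, encode(att["aik"]), att["cert"])
            and verify(att["aik"], att["stmt"], att["sig"]))

class BlindIssuer:
    """Privacy Pass-style issuer with RSA blind signatures: it only ever sees H(token) * r^e."""
    def __init__(self):
        self.pub, self._priv = rsa_keygen()
        self.seen = []                                    # everything this issuer could log
    def sign_blinded(self, blinded):
        self.seen.append(blinded)
        return pow(blinded, self._priv[0], self._priv[1])

def blind_token_issue(issuer, token):
    e, n = issuer.pub
    r = RNG.randrange(2, n)
    while gcd(r, n) != 1:
        r = RNG.randrange(2, n)
    blinded = h(token) * pow(r, e, n) % n                 # H(t) * r^e
    return issuer.sign_blinded(blinded) * pow(r, -1, n) % n   # (H(t) r^e)^d * r^-1 = H(t)^d

def demo():   # -> (attestations verify, issuer links the two sites, token verifies, issuer links token)
    server, device = AttestationServer(), Device()
    sites = [(b"shop.example", b"nonce-1"), (b"forum.example", b"nonce-2")]
    a1, a2 = (device.attest(server, o, n) for o, n in sites)
    ok = all(relying_party_accepts(server.pub, a, o, n) for a, (o, n) in zip((a1, a2), sites))
    linked = a1["aik"] != a2["aik"] and server.ek_behind(a1["aik"]) == server.ek_behind(a2["aik"])
    issuer, token = BlindIssuer(), b"one-time-token"
    sig = blind_token_issue(issuer, token)
    return ok, linked, verify(issuer.pub, token, sig), h(token) in issuer.seen
```

Both relying parties accept their attestation and see different AIKs, yet the issuer's log maps both back to the same EK; the blind issuer, by contrast, holds only blinded values and cannot recognise the token when it is redeemed. The origin and nonce are signed into the statement, so an attestation minted for one site fails verification at another, which is the check the later "proxied QR code" sub-thread is arguing about.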
deIeted 5 hours ago|||
worth noting that google/twitter/facebook/reddit/others colluded to combine sessions, identifiers, so that any person getting identified on any one session / ip would be identified on all

so while this comment is apt, i would ask them what they think of the previous chicxulub impact of the 2012 era collusion - which to this day has not been reported on

(just realized emacs bindings work in comments, nice, no ctrl-x tho)

normie3000 5 hours ago|||
I was going to ask for more info on this collusion but you say it wasn't reported. And googling "chicxulub" just gives a volcano.

Is this speculation, or has it been confirmed somewhere?

TJSomething 3 hours ago||
"Chicxulub impact" seems to be functioning as a bit of hyperbole to imply that this collusion was absolutely devastating, by analogy to the K-T extinction event 66 million years ago.

Not that I really can tell what this was devastating to. Maybe United States v. Apple (2012), where Hachette Book Group, Inc., HarperCollins publishers, Macmillan publishers, Penguin Group, Inc., and Simon & Schuster, Inc. conspired with Apple to raise ebook prices?

Sophira 1 hour ago||
I can't say for sure, but is it possible they're referring to the founding of the Internet Association in 2012?[0]

I don't think it's that, because the Wikipedia article makes it seem like it was a force for good, but at the time, it wasn't certain at all that it would be that way.[1]

Beyond that, I'm not exactly sure what might be meant.

[0] https://en.wikipedia.org/wiki/Internet_Association

[1] https://reddit.com/r/technology/comments/xs4qw/google_facebo...

gorgonian 5 hours ago|||
Colluded how?
tardedmeme 13 hours ago|||
If you run a website, it seems trivial to forward the attestation to someone else by putting the same code up on your website, and getting their device banned from google instead of your own.
ChadNauseam 12 hours ago|||
The domain in the attestation would be yours, so that wouldn't work
chadgpt2 12 hours ago|||
How would the phone camera know the domain name of the website displaying the QR code it's scanning?
eddythompson80 11 hours ago|||
The camera isn't the part doing that verification. The google service serving that "reCAPTCHA" is what's doing that validation. Unless you're using a custom browser that is reporting a different domain to google than the one requesting the reCAPTCHA, google's service will know which domain is which.
tardedmeme 11 hours ago||
How does the verification app on your phone know what's in the URL bar on your desktop?
ranger_danger 11 hours ago||
The QR code/URL would be generated/requested by the javascript running on the website you're viewing, which knows what's in your address bar.
tardedmeme 11 hours ago||
It would be generated by some other website like Amazon. Because I own, say, Meta, I copy these Amazon-generated codes over to Meta, make people scan them on their phones to sign into Meta and then pass the solution back to Amazon so my bots can sign into Amazon.
ranger_danger 10 hours ago||
We don't yet know how the client side works, perhaps there will be a decompilation posted soon.

It's possible this scenario is acceptable to them because it means they can still tie your access to something that's easier to ban without requiring a full account login.

tardedmeme 9 hours ago||
They're tying my access to random users of a completely different service, and a different random user each time.
ranger_danger 7 hours ago||
What are you implying? That it will become ineffective due to that?

That's possible... and they might change their mind if so, we will see.

I feel like it's a similar issue to when scrapers pretend to be an allowed-origin webpage in order to abuse "public" API keys for web services.

They could also require the mobile device to interact with the requesting webpage in some manner, similar to mutual PIN/codes for Bluetooth/TV pairing these days. That way bulk sharing of the codes would still require active participation from the device that requested it in the first place, likely with a short time limit.

gruez 9 hours ago|||
After you scan the code, the verification app asks you "do you want to verify for example.com?"
tardedmeme 8 hours ago||
If you don't verify for example.com you won't be allowed to view example2.com. So do you want to or not?
Groxx 11 hours ago|||
Some people will notice, some will not
coppsilgold 11 hours ago|||
Realistically, what Google will do in such a scenario is collect data about the illicit service, enumerate the devices the farm uses and what other activities the devices participate in. What you suggested has far less control over the devices that generate the attestations and it will show.

Also, if the implementation is competently done the phone will show the website for which you scanned the QR code. A user would be able to see whether or not that matches the site where they observed the QR code and proceed accordingly. In time Google will probably integrate it into the Chrome browser where a proxied QR code cannot even be shown.

getpokedagain 13 hours ago|||
Stop visiting sites and using services that use reCAPTCHA. Problem solved.
palata 1 hour ago|||
> Stop visiting sites and using services that use reCAPTCHA. Problem solved.

Not solved at all: 99.999% of users don't give a damn and use a Google-signed Android.

My opinion is that because they don't give a damn does NOT mean regulations should not protect them. What Google is doing here is anticompetitive and they should be fined (antitrust and all that).

duskdozer 48 minutes ago||||
That's great until it's some essential government, medical, educational, etc. service that you have either no alternative to or no alternative that isn't also using the same thing. I'm already being slowly and incrementally softlocked out of some (fortunately non-essential so far) sites either by cloudflare or other more subtle "anti-bot" networks as time goes on, including some like I've listed above. I can only expect this will continue until it's something I can't avoid.
medvidek 10 minutes ago||
For some reason, I'm softlocked from booking tickets from Deutsche Bahn. The website errors out with a cryptic "Your browser's behavior resembles that of a bot." message with no option to try again or pass a captcha or whatever. The website itself described several possible solutions but none helped (I tried using different computers, different internet connections, even a phone connected to internet using a SIM from a different country).

As for now, when I need to travel to Germany, I just book tickets through the national carrier of my home country, which for cross-border tickets often turns out to actually be cheaper than booking through DB. Thankfully I don't live in Germany proper and my need for travel there is not that high (once or twice a year at most) but I wonder what I would do if I had to move to Germany and use trains there more often.

tardedmeme 13 hours ago||||
With the new reCAPTCHA this is going to happen because most human visitors will actually be unable to pass the CAPTCHA. It will be interesting to see whether this makes websites ditch reCAPTCHA or whether they literally just don't care about having customers, an attitude that seems to be getting more and more common every day.
papercruncher 12 hours ago|||
I have been unable to give my money to Home Depot, REI and a growing list of online retailers because they use Akamai EdgeSuite, which just assumes I am a bot and 403s on protected API calls. This happens consistently on any IP and any browser on my Linux desktop/laptop.
spystath 10 hours ago|||
There are not enough words to describe how much I hate Akamai EdgeSuite. So many random validation loops and 403s across different physical computers, different operating systems, different connections and even countries. A couple of services I need use it and it's 30% I'll make it past their stupid "protection".
drew870mitchell 11 hours ago||||
Same, i'm doing a kitchen reno and gave up on Home Depot because of this
ksenzee 7 hours ago||||
It sure makes debugging headers a pain. curl -sLIXGET https://… never mind, that won’t work, _fires up browser yet again_
userbinator 9 hours ago|||
Home Depot at least has a physical presence, which you can go and directly give some much-needed feedback to.
tardedmeme 8 hours ago||
It has a zero percent chance of reaching anyone who can do anything about it.

You could try handwriting and posting a letter to their CEO. I think that sometimes works. Probably not very often but there are more than zero CEOs who read those letters.

userbinator 8 hours ago|||
The point is to spread the word.
petre 6 hours ago||||
Maybe they'll figure it out when their revenue drops next quarter or the ones after that?

I was thinking in the same terms: you put up a QR captcha, you don't get my traffic and money. Just the amount of extra work needed, let alone the Google tracking, turns me off. As if traffic lights, crosswalks and bridges weren't enough of a hassle.

komali2 8 hours ago|||
REI is allegedly a co-op, maybe there's a committee or something it could be presented to?
smcin 4 hours ago|||
REI Co-op has an Annual Members Meeting in Seattle, where it announces the results of the board of directors election. The 2026 one happened Feb 5. Apparently the presentation is only 8m long, some saying it's pre-recorded and it's near-impossible for members to submit a question that actually gets answered:

https://www.rei.com/newsroom/article/2026-rei-board-of-direc...

https://www.rei.com/newsroom/article/rei-announces-2026-boar...

https://www.reddit.com/r/REI/comments/1qw14k6/rei_hosts_thei...

tardedmeme 8 hours ago|||
Usually that just means the owners of the individual stores are the shareholders.
raincole 9 hours ago||||
> most human visitors will actually be unable to pass the CAPTCHA

Most human visitors will never ever notice the change. reCAPTCHA is completely invisible for most human visitors because they are allowed to pass just by fingerprint.

It's not like an average user is going to have to scan a QR code every time they visit a site via web browser. If it were like this then it would be a non-issue because no sane website would adopt this system. But it isn't.

g-b-r 13 hours ago||||
One problem with these things is that businesses have minimal visibility on the amount of users they lose.

On the contrary, if they see reports of many visitors not completing the captcha, they're likely to think "Wow so many bots!!! This defense nowadays is indispensable..!".

Sometimes you need to pass a captcha even to contact them (if you want to tell them that you can't pass their captcha).

jbvlkt 12 hours ago|||
I wanted to give money to a charity and they have the whole form protected by reCAPTCHA. So I would have to allow all my personal information and the amount donated to be sent to Google (and agree to Google's terms for data processing). I have contacted them but they did not understand why this is a problem; they just wanted to protect themselves against bots. IMHO unless those things are disallowed by antitrust laws, we have lost.
vanviegen 1 hour ago||
We wouldn't want bots throwing money at us!
bar000n 12 hours ago||||
I say technofeudalism, not sure I know what I'm writing about though
chadgpt2 12 hours ago|||
Luckily the marketplace of money will ensure that businesses who block their customers shrink and businesses who don't block their customers grow.
sandworm101 8 hours ago|||
>> whether they literally just don't care about having customers

So every government website. Every website where people simply have no choice (DMV) or where failure to login results in them not claiming the money/benefits they are due (all tax websites). And every website handling post-sale complaints (Airlines, insurance).

lxgr 12 hours ago||||
I'd love to, but I'd not be able to visit many sites anymore thanks to Cloudflare...
1vuio0pswjnm7 7 hours ago||||
HN uses reCAPTCHA under certain conditions
getpokedagain 6 hours ago||
I've not hit it but that would suck.
g-b-r 13 hours ago||||
Yeah, live in a cave, and problem solved.

However much I hate it, right now among the sites using reCAPTCHA there are many that I strongly want to use.

Let's find a better solution please

flatIronSteak 12 hours ago|||
> Let's find a better solution please

Is there an argument here that Google is creating a monopoly?

Could this be challenged on similar grounds that forced Microsoft to recommend other browsers to users on Windows?

KPGv2 12 hours ago||
There is, but at least in the US neither party cares. They want to get rid of anonymity online, one to throw anyone who googles "trans" in jail, and the other because their biggest donors are tech companies that want to denonymize everyone.

Our antitrust laws have been toothless for decades, and both parties love billionaires controlling the rest of us with an iron fist.

GrapheneOS is looking more and more worth the headache that my limited free time generally does not like. I don't need Google to know my smut fanfiction is written by my IRL.

ggiigg 9 hours ago||
Felt the same way about GrapheneOS but a few friends set it up so I gave it a try. It is easy to install and use. As evidence, I gave my 70 year old father one and he loves it.
komali2 8 hours ago|||
When my friend was telling me about GrapheneOS I was thinking back to the old days of android custom roms, all the bugs and bullshit, the time I couldn't dial out to 911 because my custom ROM crashed when I did, or other issues. So I gave it a pass.

However he's been on it now for months and every time he shows me something on it I get a little more jealous. Everything seems to be working fine, including e.g. bank apps, and he has interesting features like some kind of app zoning thing limiting permissions on a zone to zone basis.

The only problem is it's only available on massive phones without headphone jacks and SD card slots, so I'm sticking with Xperia for now.

pocksuppet 3 hours ago||
Breathlessly awaiting the upcoming Motorola/Graphene crossover phone.
Ygg2 1 hour ago|||
Can you run Graphene on non Pixel phones?
Sophira 1 hour ago|||
Not yet. They've partnered with Motorola, though, so we'll probably be seeing some of their phones in the future that can run GrapheneOS.
duskdozer 44 minutes ago|||
You can use Lineage [/with microG]
g-b-r 12 hours ago||||
sieabahlpark, I probably hate this more than you, you misunderstood
sieabahlpark 13 hours ago|||
[dead]
vasco 8 hours ago||||
So what are you doing here?

> Ask HN: Did HN just start using Google recaptcha for logins? [0]

> dang

> No recent changes, but we do sometimes turn captchas on for logins when HN is under some kind of (possible) attack or other. That's been happening for a few hours. Hopefully it goes away soon.

[0] https://news.ycombinator.com/item?id=34312937

reaperducer 12 hours ago||||
Stop visiting sites and using services that use reCAPTCHA. Problem solved.

No. Bigger problem created, since there are innumerable government, health care, and educational web sites that use reCAPTCHA.

I'm not going to give up reading the test results from my doctor because of some simplistic ideologue decides that it's "problem solved."

ethin 10 hours ago|||
The other problem with this is that there are few CAPTCHA alternatives.

CF turnstile is one, but of course that means Cloudflare owns even more of the web.

HCaptcha is inaccessible and actively discriminatory against individuals with disabilities and refuses to change, to the point that I suspect the only way that they will do anything is to file a class-action against them and sue them into the ground.

And I... Can't think of anything else. Other than to just get rid of Captchas entirely.

userbinator 4 hours ago|||
You could just have a custom one that asks domain-specific questions (and ones which will trip up LLMs are not hard to come by.) I've seen a few forums ask such questions for registration, long before the rise of LLMs.
ribtoks 5 hours ago|||
There are other captcha alternatives like Turnstile, for example Private Captcha, Altcha etc. - they are owned by mostly "small" independent companies, they are not visual captchas (proof-of-work based) and very accessible.
Roark66 2 hours ago||||
At least in my country (Poland) you should be able to make a pretty big fuss, resulting in them fixing it, if indeed one of ego services made you leak all your data to Google.

People do care about such things.

I hope the same is true in other EU countries.

unethical_ban 12 hours ago||||
I agree, and I think CAPTCHA is a disservice on public websites.
yehat 4 hours ago||||
Compliance is what makes all that shit possible. Sadly most people are compliant and made so by gradually increasing their dependency on "commodities" which really are anchors to a shit lake.
majorchord 11 hours ago|||
> I'm not going to give up reading the test results from my doctor

You could just call them.

andwur 8 hours ago|||
Oh just wait, the AI phone service on their side will be more than happy to complete your device attestation key challenge by touch tone. We have to make sure you are still you after all!

But in all seriousness, many services are making it difficult through to impossible to communicate outside of their web or app platforms. Call centres are expensive and messy, and it's now apparently acceptable as a society to treat customers/clients/whatever as adversaries so they can get away with making it hard to communicate with them.

petre 6 hours ago||
I was unable to book a doctor's appointment through the clinic's website, so I declared "screw tech" and called their call center, which still worked better. The app just searched for the "first available spot" and never found anything. If they axe the call center I'm going to have to go to their place.
getpokedagain 6 hours ago|||
Or ask for a print out.
rdedev 12 hours ago|||
When companies like this exist, what is the point of relying on TPM? Looks like the future is bright for VC backed bots

https://doublespeed.ai/

NikolaNovak 12 hours ago|||
I'm assuming that's a troll / sarcasm / fake... But that could just be my last vestige of faith in humanity.

Edit: aaaand... That's another little sliver of my faith gone : https://www.theatlantic.com/podcasts/2026/04/how-fake-people...

djeastm 10 hours ago||
Yeah, it's real. Say goodbye, faith!
failuser 12 hours ago||||
How is this not grounds to be sued into oblivion by Google and Meta? They clearly violate ToS for profit. This is something I expect to find on a dark web forum where 0days are traded, not in public.
xmcp123 11 hours ago|||
This kind of thing has been common for ages. Obviously AI has kicked it into overdrive, but it’s not darkweb kind of stuff.

Note that they do not mention any specific companies on that landing page. That is pretty intentional.

But realistically going after bots is expensive and rarely successful, so most companies don’t do it. Even if you find the guy, the chances they can be legally reached are pretty low.

SlinkyOnStairs 10 hours ago||||
> How is this not grounds to be sued into oblivion by Google and Meta?

Because they don't care. It doesn't matter that it's AI slop, it generates views. And Google and Meta can bill advertisers for those views.

Zuckerberg is paying people to put AI slop Shrimp Jesus on facebook. (Not directly to platforms like this, but with the incentive structure)

Really, they're not just cashing in on the views of AI slop being put in front of boomers. They're cashing both ways; While the low end spam industry is merely guessing and iterating on whatever generates views, the more refined spammer does not leave the performance of their latest slop post up to chance, and just uses good old viewbotting. Viewbotting that these days, is mostly done on real devices. Which show ads, to the bots or underpaid developing world workers. Google and Meta'll still charge you for those impressions though.

The losers? People who sincerely try to use these platforms, and whatever idiot businesses are still paying for ads by the impression or click, rather than conversions that immediately generate revenue.

chadgpt2 12 hours ago|||
Violating ToS isn't illegal in most cases. Companies just put scary looking clauses in their ToS to discourage you from doing things they don't like.
eddythompson80 11 hours ago||
That's not true of course. There are hundreds of such cases with varying outcomes [0][1][2]

[0] https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur....

[1] https://en.wikipedia.org/wiki/MDY_Industries,_LLC_v._Blizzar....

[2] https://en.wikipedia.org/wiki/EBay_v._Bidder%27s_Edge

pocksuppet 3 hours ago||
Note that all those guys were gotten for breaking the law, not for breaking terms of service.
dakolli 12 hours ago||||
Why is every startup using that same Serif font now, Garamond or whatever. Is it an LLM design phenomenon? It's kinda ruining that font style for me.

Also $1,500 a month for 10 "influencers" is wild. This doesn't seem that sophisticated unless they're doing something special to increase trust scores of accounts. They say they have "in house warming algorithm" which honestly doesn't inspire confidence for me.

What's funny is it's almost a certainty (if they are doing things correctly) that they have literal farms of phones (probably in SEA). The only real way to keep trust high is to have a real mobile connection and unique devices. Proxies are okay, but you really need to use the apps on real hardware.

etaioinshrdlu 12 hours ago|||
I think the font is mimicking old Apple ads, eg: https://i.insider.com/5bf8592eb73c284de50e2f28
dakolli 11 hours ago||
Ahh, that makes sense.
alexspring 9 hours ago||||
Yep. They got hacked in the past, 1k+ smartphones reported.

The cost is the attestation keys of a real phone. Once it gets burned, the phone is useless to them.

https://www.penligent.ai/hackinglabs/inside-the-ai-phone-far...

dakolli 8 hours ago||
Interesting article, thanks. I've done a bit of small scale phone farming (for my own cheap mobile proxies). In all reality the phones aren't that expensive, I went with Moto 5gs that cost $130 (retail), so in their case the phones pay for themselves in the first month.

Probably a decent amount of compute cost for video generation, but I'm sure they have access to free compute and inference for being in bed with a16z.

dr_kiszonka 4 hours ago|||
Reckless Condensed?
tardedmeme 10 hours ago||||
These companies would have to buy one phone per fake influencer.
tcoff91 12 hours ago||||
Wow that is so dystopian.
huflungdung 12 hours ago|||
[dead]
thaumasiotes 13 hours ago|||
> My understanding is that this new reCAPTCHA is basically just remote attestation.

Yes, somehow "parse this QR code" would not have made my top 500,000 list of 'tasks that a human can do more effectively than a computer'.

lxgr 11 hours ago||
I'm sure some people still remember how to mentally decode QR codes and verify ECDSA signatures from Covid days. Public transit ticket inspectors in my city also seem to be quite proficient at it :)
g-b-r 13 hours ago|||
I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".

I think it's most likely to be attested by Google remotely; they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone, officially to make better humanity assessments based on it all.

For people using a Google account it probably won't make a huge difference, in terms of data collected.

If that's how it would work, spoofing would probably be theoretically possible, but it would be easy for Google to detect attestations used by multiple people.

Let's not forget that this is an update to a very approximate system, absolute security is not (yet) required.

But there's a good chance that it will be extremely hard to sidestep, despite that.

palata 1 hour ago|||
> I don't see any requirement to support hardware attestation in the recaptcha documentation, the Play Services seem to be "enough".

Doesn't Play Integrity use hardware attestation, but specifically checking the Google keys?

If you use the Play Services on GrapheneOS, you still don't pass Play Integrity because your system is signed by GrapheneOS and not by Google.

lxgr 11 hours ago|||
> they might be using an app (with enormous access to the phone as the Play Services have) to be able to link a ton of data together, possibly including the local activity on the phone

But anything your phone can possibly do in software can be spoofed, so how would that help?

varispeed 11 hours ago|||
Shouldn't that be illegal under GDPR?
gib444 3 hours ago||
There are massive exemptions for the prevention and detection of crime

And https://gdpr.eu/recital-49-network-and-information-security-... :

> Recital 49 - Network and Information Security as Overriding Legitimate Interest

> The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems,...

It's funny how people after all this time think 99 Articles, 173 Recitals and a huge tech lobby equals a water-tight, pro-citizen, impenetrable privacy law with almost no exemptions.

dheera 14 hours ago|||
> Google didn’t demand iPhone users install Google software to pass the test.

Can de-Googled Android phones present themselves as iPhones?

coppsilgold 13 hours ago|||
Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
lxgr 11 hours ago||
Is this actually available in Safari?
e28eta 10 hours ago||
Since iOS 16, apparently

https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

https://developer.apple.com/news/?id=huqjyh7k

thaumasiotes 13 hours ago|||
Can they present themselves as... web browsers?
tardedmeme 13 hours ago||
Yes, and then they'll get served a QR code that you have to scan on a phone Google approves of.
baybal2 1 hour ago||
[dead]
palata 1 hour ago||
> People running de-Googled phones chose those setups because they read the data practices, understood what Play Services phones home about, and decided they didn’t consent.

This is wrong. Many (most?) users of alternative Android OSes do use a variant of the Play Services (be it sandboxed Play Services like on GrapheneOS, or an open source, reverse engineered implementation like microG that phones home just the same).

Google seems to be leveraging Play Integrity here, which requires that the phone OS is signed by Google. This is clearly anticompetitive, I hope the DMA will do something about that.

bjackman 8 minutes ago||
There is a fundamental tension here though - suppose DMA or something requires that online providers recognise reCAPTCHAs from non-Google-attested OS builds. What OSs can they safely trust?

Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.

I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technologic problem here now that humans can't be detected by their ability to solve puzzles any more.

mnadkvlb 1 hour ago||
Exactly. Imagine them blocking captchas on iPhone or Windows
dwedge 12 hours ago||
I've kept a spare cheap android for too long and recently went with Graphene instead. I have one Google profile and only use it for Uber, work's Google Chat and maps. One bank refused to work (even with Google services) so I moved bank. I've moved most of my mobile use to self hosted (freshrss full text, password manager, calendar, tasks) with no direct internet connection.

It's a bit irritating but I'm glad I started down this journey because it looks more and more like I'm going to be avoiding the internet

palata 1 hour ago||
> One bank refused to work (even with Google services) so I moved bank

Banks are implementing terrible "security" checks. Users of alternative OSes should be a lot more vocal: change bank, but also complain a lot to the offending one, and make sure to leave them a bad review on the Play Store.

Actually people not using an alternative OS but caring about that should also leave bad reviews to those banks on the Play Store.

At the end of the day, the problem comes from humans in those banks who don't understand and don't give a shit. The only way to make them care about it is to complain enough that it becomes their problem.

drnick1 9 hours ago|||
My setup is similar and nearly 100% self-hosted, including email, files, AI. If something does not work on Graphene, I will do without it. I also have a Google profile, mostly for testing purposes.
palata 1 hour ago|||
I said it already in another comment, but if you care enough to use GrapheneOS, I believe you should not only "do without it". You should also complain to those services.

If enough people complain, those services will start caring. If all they see is "one user complains every 3 years", they will just ignore it. That's how it works.

xerox13ster 9 hours ago|||
How have you managed to accomplish self-hosted email? I tried similar in 2022 and found it damn near impossible without business static IP or a cloud provider.
dwedge 7 minutes ago|||
A VPS or cheap dedicated is enough to get the static IP. I have very few problems with email, I use one VPS and one dedicated server though some zealots would argue a vps isn't self hosting
tuzakey 7 hours ago||||
You can't do it reliably without a static IP in a non residential subnet that lets you set reverse dns. If you have a static residential IP and they don't filter inbound SMTP you can make it work with a smarthost/relay like mailgun. It's not the insurmountable obstacle everyone makes it out to be, but it's not going to be free unless you already have an IP that meets the criteria.

If you don't have a static IP you will want to think about an MX relay service too ~ although mail is surprisingly tolerant of offline MX hosts if you can wait a little bit for your mail.

degamad 1 hour ago||
I do it self-hosted on a rented VPS, which gets around the IP address issue.
drnick1 9 hours ago|||
I have access to a commercial (non-residential), fixed IP. You could also use an outgoing relay as a compromise, since presumably the issue you are facing is other servers rejecting email that you send from a disreputable IP. That being said, you really want a fixed IP as a matter of convenience if you are going to self-host anything.
manmal 3 hours ago||
How often are your emails being marked as spam, for others? A few years ago it read like there’s a whole science behind avoiding getting flagged. Is this easier now with agents aiding the setup?
dwedge 1 minute ago|||
Not the person you replied to, and it's impossible to know with certainty how often you're in someone else's spam, but very rarely.

I had an issue with yahoo a couple of years ago that's all. The "it read like there's a whole science" is sadly a trope mostly repeated by people who have never tried because it gets upvotes on Reddit.

There are some steps you have to take, but not many, and systems like Mox mailserver or stalwart guide you through it, and mail-tester will check if you got it right.

Email, other than tweaking spam filters, is one of my lowest maintenance systems. I can't remember the last time I touched Exim or Mox config

tuzakey 1 hour ago|||
I imagine an agent would make a lot of the first time setup from scratch easier, but the fastest reliable way to get up and running is mail-in-a-box or mailcow. Before those were available I built a flurdy style Postfix+Courier+Amavisd+MySQL setup and have been evolving it ever since. Now I'm on Postfix+Dovecot+rspamd+MySQL but I don't think that's for everyone or even the best way to start.

The science of not getting flagged is easy when you're not sending large volumes of untrusted mail; it only gets complicated if you start hosting mail for "customers" or let your system forward mail unfiltered into gmail/yahoo.

Here's my hit list of universal things to configure:

* Start with an IP with good or neutral reputation, non-residential, it's nearly impossible to fix an IP that has been burned by a spammer. (Network)

* Valid reverse dns for your IP matching your mailhost forward dns (DNS)

* Valid SPF record; -all (DNS)

* Valid DKIM; with sufficiently sized key (DNS+Config)

* Valid DMARC; start with p=none to test and move to p=reject once you're configured (DNS)

* ARC if you or your users will ever possibly forward mail (Config)

* Don't get your messages flagged as spam anywhere ever, filter outbound mail even if it's just you. All it takes is one piece of malware and a saved password and you'll have to get a new IP. (Config)

* Don't configure services behind your mail server with example domains that you don't control ~ I get so much mis-configured test mail from people who think it's cute to use my domain as an example in their practice lab. It all gets reported as spam or bounces and then their smart host bounce rate goes up. (Config)

* Test for open relay; only relay for authenticated users. (Config)

* Use strong authentication, preferably with certificates or MFA. (Config)

* Secure everything; IMAP/SMTP/POP are old AF make sure you're requiring STARTTLS and set up MTA-STS to prevent downgrade attacks and enforce encryption in transit. Use a real certificate from Let's Encrypt don't self-sign. (DNS+http+Config)

* fail2ban your auth, you're going to get so much driveby password spraying and credential stuffing; I fail2ban block entire subnets at a time with iptables actions. I also have a bunch of "poison pill" rules for weird stuff I see in my logs e.g. block anyone who tries to auth with the NTLM hash for 'password'. (Config)

* Don't bother with BIMI at home, you can't get a blue check mark without deep pockets and a trademark (vmc) and most platforms only show logos that have a matching vmc. (DNS+https+config)

* DMARC reporting and TLS-RPT reporting are a pain to manage but are helpful troubleshooting deliverability be prepared to read some XML reports or set up a stack to parse them as they arrive (DNS + Config + https)

* set up the SMTP Submission port (587), so many networks block port 25 outbound and it's the right way for clients to connect. (Config)

* configure BACKUPS, don't skip this step, encrypted restic backups to s3 or backblaze b2 is cheap and easy. (config)

* track your configs in git, don't commit secrets. (config)

* configure a free blacklist monitor on mxtoolbox for your domain(s) (config)

If you do those things you'll be in a pretty good spot, you could probably paste that list/this post into your agent and vibe up a solid mailserver.

For me keeping the spam and phishing out is a bigger hassle than deliverability issues. rspamd does a pretty good job of keeping it manageable.

I do all of those things and with all of that setup the only place I ever run into issues is with users on AT&T's residential broadband mail servers. AT&T appears to block you if you're not known to them and they have a short memory. If you don't have regular correspondence with AT&T users they will block you after a bit. I'm a fairly low volume sender so I end up blocked every other time I try to send to AT&T by no fault of my own. I've talked most of those friends off of AT&T's free email and on to ProtonMail at this point.
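An added example, written for this thread rather than taken from tuzakey's setup or from any of the projects named above: an offline linter for the SPF, DKIM and DMARC records in the checklist. It takes the records as strings (the samples are constructed for the placeholder domain example.invalid, and the DKIM sample keys are synthetic DER built by the block itself, not real keys) and flags the weak first-draft settings the list warns about: SPF ending in ~all, a 1024-bit DKIM key, and DMARC left at p=none with no reporting address.

```python
"""Static linter for the SPF, DKIM and DMARC records in the checklist above.
Added example, not code from the thread: records are passed in as strings, so
it runs offline on constructed samples for the placeholder domain example.invalid.
Findings are (record, level, message) tuples with level in ok / warn / fail.
"""
import base64

def parse_tags(txt):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def check_spf(txt):
    terms = txt.split()
    if not terms or terms[0] != "v=spf1":
        return [("SPF", "fail", "record must start with v=spf1")]
    last = terms[-1]
    if last == "-all":
        return [("SPF", "ok", "-all: unlisted senders hard-fail")]
    if last == "~all":
        return [("SPF", "warn", "~all softfail; use -all once every sender is listed")]
    if last.lstrip("+?") == "all":
        return [("SPF", "fail", f"{last} lets anyone send as this domain")]
    return [("SPF", "warn", "no terminal all mechanism; receivers treat it as neutral")]

def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample keys."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _tlv(buf, pos):
    """Minimal DER TLV reader: (tag, value_start, value_end) of the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in a DKIM p= tag."""
    der = base64.b64decode(p_b64)
    tag, s, _ = _tlv(der, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(der, s)          # AlgorithmIdentifier, skipped
    bit_tag, bs, _ = _tlv(der, alg_end)   # BIT STRING wrapping RSAPublicKey
    if tag != 0x30 or bit_tag != 0x03:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, rs, _ = _tlv(der, bs + 1)          # RSAPublicKey SEQUENCE (after the unused-bits byte)
    _, ms, me = _tlv(der, rs)             # INTEGER modulus
    return int.from_bytes(der[ms:me], "big").bit_length()

def check_dkim(txt):
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return [("DKIM", "fail", "malformed record or revoked (empty p=) key")]
    if tags.get("k", "rsa") == "ed25519":
        return [("DKIM", "ok", "ed25519 key")]
    bits = rsa_modulus_bits(tags["p"])
    level = "ok" if bits >= 2048 else "warn" if bits >= 1024 else "fail"
    return [("DKIM", level, f"{bits}-bit RSA key; 2048 is the sensible floor")]

def check_dmarc(txt):
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return [("DMARC", "fail", "record must start with v=DMARC1")]
    p = tags.get("p")
    level = {"reject": "ok", "quarantine": "warn", "none": "warn"}.get(p, "fail")
    out = [("DMARC", level, f"p={p}: monitor only, move to p=reject" if p == "none" else f"p={p}")]
    if "rua" not in tags:
        out.append(("DMARC", "warn", "no rua=; you will receive no aggregate reports"))
    return out

def fake_dkim_p(bits):
    """Constructed sample: a syntactically valid RSA SPKI around a dummy modulus."""
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # leading 0 keeps INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, mod) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))).decode()

# Constructed records for example.invalid: a first-draft zone and the hardened one.
WEAK = {"spf": "v=spf1 mx include:_spf.example.invalid ~all",
        "dkim": "v=DKIM1; k=rsa; p=" + fake_dkim_p(1024),
        "dmarc": "v=DMARC1; p=none"}
STRONG = {"spf": "v=spf1 mx -all",
          "dkim": "v=DKIM1; k=rsa; p=" + fake_dkim_p(2048),
          "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"}

def lint(records):
    """Run all three checks; the worst level present is the zone's grade."""
    findings = check_spf(records["spf"]) + check_dkim(records["dkim"]) + check_dmarc(records["dmarc"])
    grade = max((f[1] for f in findings), key={"ok": 0, "warn": 1, "fail": 2}.get)
    return grade, findings
```

To lint a live zone, paste the output of `dig +short TXT` for the apex, the DKIM selector and `_dmarc` into the same dict shape. The DER walk deliberately reads only the three tags it needs, so a record whose p= is not an RSA SubjectPublicKeyInfo raises rather than reporting a made-up key size.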

ryukoposting 10 hours ago|||
If you don't mind me asking, what Bank? I've resolved that this phone will be my last googled phone, and my next will be GrapheneOS.
dwedge 5 hours ago|||
Halifax UK. It just refuses to work so I left it (Graphene is more secure, so forcing less security for the sake of tracking is off the cards). All the other banks so far say they won't work without Google services but if I click OK they work
dexterdog 9 hours ago|||
Not OP, but I've been on GrapheneOS for a few years and I have no problem with Chase, CiT or Wealthfront. I mostly use them to check balances and unlock debit cards, but they all login and function fine.
zx8080 7 hours ago|||
Nice that there's a bank to move to. We need regulations against such lock ups.
dwedge 45 seconds ago||
Forced 2FA for banking in the EU is making this worse when it doesn't work
gonzalohm 11 hours ago||
What's the best alternative for Google drive? I also went this route but Samba is a bit annoying sometimes
drnick1 9 hours ago|||
What makes Samba annoying? I think it's perfect for its intended use (LAN).

If you need to share files externally, Nextcloud works very much like Google Drive and allows the creation of sharable links.

BloodyIron 9 hours ago||||
Nextcloud, Samba serving SMB isn't really equivalent.
komali2 8 hours ago||
Nextcloud also has lots of interesting plugins. I recently found a viable Splitwise alternative I chucked on my instance.
ianopolous 3 hours ago||||
There is Peergos: https://peergos.org (disclaimer: I am the creator)
danparsonson 11 hours ago||||
Syncthing is very nice.
cromka 5 hours ago||
I have nothing but issues with it, mostly because the iOS/Android apps are notoriously bad at syncing the files timely and also because of ridiculous filename restrictions on Android.
bsmith 11 hours ago||||
If you don't need file sharing, you can just set up WireGuard, set up a network drive in your phone's files app, and then when connected it'll feel like native file browsing.
dwedge 11 hours ago|||
I only share with one person so we use Seafile
pixel_popping 12 hours ago||
archive.is just asked me for a QR code scan, I'm so ashamed of that crap (it's behind Cloudflare), forcing website visitors to KYC? Are you guys insane!?

the web is ruined if you push for this, this is millions of websites that will suddenly force KYC? What...the...f

https://ibb.co/X9Q6Y84

By KYC, obviously it's because there are very few non-criminal ways to have a SIM without KYC and get a Google account for Playstore without a number, so every website visit will be attached to a real ID.

I don't use a stock Android, right now I literally can't access many websites, this is genuinely crazy.

codedokode 12 hours ago||
Interesting, the text says "reCAPTCHA doesn't share your details with this site", but it says nothing about sharing your details with Google. Which means yes?
duskdozer 6 minutes ago||
Naturally, "Your data is private[ly] and secure[ly stored in plain text on our servers so that it's only accessed by us and shared with the advertising partners we choose]."
duskdozer 8 minutes ago|||
Seriously? I didn't realize this was already happening. FWIW I still got the old captcha testing that site, and I often get flagged and blocked, though it's possible you're doing better.
tocariimaa 7 hours ago|||
The water is already boiling and the frog can't get out anymore.
zelphirkalt 2 hours ago|||
For me this archive.is thing has been unusable for a long time already, because they rely on Google Captcha for a long time already and I block Google shit by default. Allowing Google is probably equivalent to showing them your id, due to fingerprinting in the name of "safety". That's why archive.is is not helpful and usually just a tab I close again right away.
riedel 3 hours ago|||
I just tried using archive.is on my non-degoogled phone using IronFox instead of Chrome and could not pass the recaptcha. Actually it presented me the mobile attestation on second try, but I was able to switch to images again. But I am also unable to pass that one with the tracking protections built into the browser. Hopefully some 'serious' website starts using this so I can bomb their customer support.
syntheticnature 10 hours ago|||
I thought archive.is were the ones squabbling with Cloudflare (extreme simplification)
j027 9 hours ago|||
You can still use the audio captcha, but I’m not sure how long that’ll be around.
BloodyIron 9 hours ago|||
Google will incur serious lawsuits if they remove that accessibility aspect.
a2128 8 hours ago|||
Google has already been crippling the audio CAPTCHA access for many years. If your trust score is low enough, the visual challenge is ridiculously slow and noisy, and pressing the audio challenge button will just give you an error saying "To protect our users, we can't process your request right now", accessibility be damned. Where are the lawsuits? I want to believe there are still forces that would create hell to pay for doing something so evil, but I'm not seeing any.
chrisjj 3 hours ago|||
They'll keep it, but require TPM in each ear.
velocity3230 4 hours ago|||
Sound advice.
tom1337 10 hours ago|||
I wondered the same earlier and I am pretty sure they are just mimicking cloudflare's validation page. no way that cloudflare is paying reCAPTCHA when they have their product, turnstile, available.
stavros 10 hours ago|||
What? Don't Cloudflare literally have their own CAPTCHA service? Why are they using reCAPTCHA?
gruez 9 hours ago||
They mimic the cloudflare captcha page but they're not hosted by cloudflare.
Imustaskforhelp 12 hours ago||
> https://ibb.co/X9Q6Y84

Wow, this is really bad :-(

I think this is just gonna make viewing the internet without a phone significantly harder especially with archive.is and the likes.

Not sure, how relevant this is to the discussion but if it helps, I have made a project[0] which allows archiving archive.is pages on archive.org/wayback machine (this uses singlefile)

Perhaps something like this can be used by the community at scale too. Also, I hope that archive.is does something to fix this issue of requiring QR code and hopefully it doesn't become a permanent issue.

[0]: https://smileplease.mataroa.blog/blog/htmlpipe-and-how-we-ca...

cornholio 14 hours ago||
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from ie properties guarded by Amazon, CloudFlare, Microsoft etc., you will need a bargaining chip.
hedora 10 hours ago|
As someone that uses AI agents, this makes me want to install a browser plugin for "public windows" that just archives everything I see, and then farms out clicks of content that are missing from those sites.

The result of this would be to upload it all to a bot-friendly alternative to archive.org.

CaptainFever 6 hours ago||
That exists! Check out Hoardy Web. https://oxij.org/software/hoardy-web/

Its whole point is undetectable archiving because it just saves what your browser already sees.

sunshine-o 2 hours ago||
Nice, I understand it is similar to ArchiveBox + its web extension.

Now to be honest, while it's optimal to archive pages from your browser view I am not sure I want a random web extension to be in everything I see from a security point of view.

I would rather have a local proxy doing it. Maybe something like the InternetArchive warcproc [0]. Haven't tried yet.

- [0] https://github.com/internetarchive/warcprox

thecatapps 13 hours ago||
I'm failing to see why they didn't just adopt Private Access Tokens (not that they're great either), where they could have at least:

- pretended that it wasn't all about invading peoples' privacy.

- done a good ol' fashioned "but Apple does it"

- pretended to be standards-oriented

- advertised it as something completely transparent to the end-user

Seems like that would've caused a lot less backlash while still achieving the goal of having some form of device attestation -- but I'm guessing that's not the real goal.

treis 12 hours ago||
It doesn't fundamentally solve anything. You want to be able to identify a specific person or at least a relatively expensive device so that if you ban them they stay banned.
supriyo-biswas 5 hours ago|||
Private access tokens are also a repackaged WEI as far as I'm concerned.
nightpool 7 hours ago|||
The article mentions that they use Private Access Tokens on iOS, so I'm not sure where you're getting the idea that they're "not adopting" them from
incompatible 10 hours ago|||
"pretended" ... do they even care any more?
FateOfNations 13 hours ago||
Not Invented Here Syndrome?
cantalopes 13 hours ago||
This is crossing the line where the governments should step in and ban/fine Google heavily for this monopoly behavior
data-ottawa 11 hours ago||
How you know this is a monopoly is that if you go on their documentation website half the video is how this rolls into Google Analytics.

This is using another product to reinforce the search and ads monopoly.

You can’t scrape content to build a better google or Gemini, you can’t make an OS to compete with Google or Apple, and you can’t make a Google Analytics competitor.

It’s plain anti competitive.

failuser 12 hours ago|||
The governments are the ones who need it the most. They want to know who all the potential and current dissidents are.
bigyabai 11 hours ago||
Bingo. Remember all the people on HN who canvassed for consumers to vote with their dollar? Absent-minded consumption is what consumers voted for.

Now everyone pretends like it's monopoly abuse because the Leopards Eating Faces company finally rang the dinner bell.

milderworkacc 12 hours ago|||
I agree. There are pretty clear grounds here to think about opening an investigation here into illegal tying, or a misuse of market power. Not sure if the FTC maintains a presence on here, but if you're listening...
KPGv2 12 hours ago||
[flagged]
OutOfHere 12 hours ago|||
Instead, our governments use this crap, meaning on .gov sites too, and impose it upon us.
chrisjj 3 hours ago|||
"Don't be evil. That's our job."
gib444 5 hours ago||
Oh man as if we still live in those times
tinycommit 10 hours ago||
Eww. Ok, so, I’ve used reCAPTCHA on sites I maintain at work, just on forms to prevent excessive bot spam submissions. No way do I want to subject users to this BS, though. Does anyone have recommendations for other decent captchas that could be used instead?
ksymph 10 hours ago||
I run into https://www.hcaptcha.com/ and https://friendlycaptcha.com/ from time to time as a user without complaint. Can't speak to the latter but I've used the former a bit and it does the job.
BloodyIron 9 hours ago||
Any chance for something 100% self-hostable? hcaptcha and friendlycaptcha last I checked require interfacing with their services.
aprilnya 7 hours ago|||
Cloudflare Turnstile, if you're already using Cloudflare (or not!): https://www.cloudflare.com/application-services/products/tur...
tardedmeme 10 hours ago||
hcaptcha is pretty popular these days. It uses a very wide variety of traditional visual puzzles.
himata4113 10 hours ago||
in my good ol' days I just sent a screenshot to 2captcha for grid of the entire captcha iframe which means that the solvers would have to figure out what to do instead of having to write code for each different type of captcha. to solve their new rotating puzzles I would just capture them at 50% opacity twice and change the prompt to pick the highest brightness object since 50% opacity would dim the moving elements.
amluto 12 hours ago||
I would love to see someone challenge this as an anti-trust violation. Google is using its market power (as the provider of reCAPTCHA) to actively prevent devices that don’t use Google Play Services from competing effectively.
palata 1 hour ago||
It's worse than forcing the Play Services: strict Play Integrity requires your system to be signed by Google. So if you use the Play Services on GrapheneOS, you're still locked out.
cromka 4 hours ago||
They're only doing that because the EU currently doesn't want to antagonize US any more with their tech fines. Noticed how there hasn't been any as of recently?
palata 1 hour ago|||
> because the EU currently doesn't want to antagonize US any more with their tech fines

Yeah, I say it as "because the US bullies the EU to prevent them from doing it".

gib444 2 hours ago||||
https://www.cnbc.com/2026/04/10/google-meta-big-tech-6-billi... :

> April 2025: Apple fined €500 million for failing to comply with "anti-steering" obligations. Meta fined €200 million under the Digital Market Act for requiring users to consent to sharing their data with the company or pay for an ad-free service.

> December 2025: X fined €120 million under the Digital Services Act for breaching transparency obligations.

(Sure, not this year, but that's pretty recent by most standards. And not sure if they're still being contested and unpaid)

And recently, Google is working with the EU to avoid a fine: https://www.bloomberg.com/news/articles/2026-05-06/google-ma...

probably_wrong 3 hours ago|||
Alternative explanation: they're following the Meta playbook of releasing surveillance features during a "dynamic political environment" that's keeping their opponents distracted.

https://www.nytimes.com/2026/02/13/technology/meta-facial-re...

smallerize 9 hours ago|
This isn't just about weirdos (like me) who run GrapheneOS. Huawei phones don't have Google Play services installed, or Xiaomi phones with MIUI China. That's what, a billion and a half phones that can't get to your website now?

Amazon tablets don't have Google services either, which hints that the upcoming Amazon phones also might not work with this.

gene91 6 hours ago|
If you need access to both apps from China and websites/apps from outside China, non-Apple devices have been difficult before this, primarily due to push notification infrastructure.

This makes it more difficult. But I don’t think it matters given how difficult it was prior to this.

ickyforce 5 hours ago||
What's wrong with Apple push notifications in China?
poilcn 4 hours ago||
"non-Apple", i.e. Android

The problem is that most popular apps for Android outside Chinese app stores rely on Google services (specifically, Firebase) for push notifications.
