Coinhive, the in-web-browser crypto-currency-mining service, has an interesting new approach to CAPTCHA challenges. Instead of asking people to perform meaningless tasks, Coinhive asks their computers to perform a processor-intensive task for a few seconds.
Here is why I decided to use Coinhive's CAPTCHA service despite their tainted reputation over the many malicious implementations of their technology on hijacked websites in .
Update (): So that was a short-lived experiment. Coinhive CAPTCHA is now blocked everywhere including on DNS and ISP levels so I had to stop using them. Unfortunately, I haven't found any other alternative CAPTCHA services available with the same level of privacy and ease-of-use on the user. But I'll keep looking!
Update (): Coinhive have closed down.
CAPTCHAs are those little interactive gatekeepers/roadblocks at the end of online forms that try to prevent automated tools from submitting said form.
Historically, CAPTCHAs required people to fill in some distorted numbers and letters shown on an image into a text field. Robots have been better than us humans at this task for quite some time, and it's been an enormous roadblock for anyone with reduced vision or accessibility needs.
Today, you'll most likely be asked to click on a single checkbox saying "I'm not a robot" or you'll be asked to identify a specific object on a set of photos. Those types of CAPTCHAs are for the most part delivered by Google reCAPTCHA; a service that Google offers at no charge to website owners. reCAPTCHA has somewhere between 94 and 99,3 % global market share out of all CAPTCHA service providers according to BuiltWith and Wappalyzer respectively.
The reCAPTCHA service is covered by Google's regular end-user privacy policy and terms of service. In short, it means that any website that implements reCAPTCHA to protect their forms agrees to share information about their visitors' behavior with Google.
I believe that Google already has more than enough information about every human being on the planet, so I've been looking for a more privacy-friendly CAPTCHA service provider. A service provider that doesn't store and analyze personal data would also greatly simplify compliance with the European Union's new General Data Protection Regulation (GDPR).
Towards that end, I found only one cost-free CAPTCHA system provider with an admirable privacy policy and a clear business model that doesn't involve data collection or display-ads. That service provider is Coinhive. Here is an excerpt from their privacy policy:
Coinhive's CAPTCHA service looks and behaves much like Google's no-CAPTCHA reCAPTCHA implementation. No-CAPTCHA admits people automatically based on Google's observations about your behavior as they're tracking you around the web.
Coinhive CAPTCHA on the other hand spends a few seconds to mine crypto-currencies using the visitor's computer. This is a resource-intensive operation that increases the near-zero cost and time it takes to submit millions of automated form requests.
Google undoubtedly does a better job at blocking automated bots than Coinhive. However, Google only gets to be good at blocking bots by monitoring and logging people's behavior across the web. Coinhive on the other hand doesn't even attempt to block automated uses of their CAPTCHA.
Instead, the idea is that the processing power required to solve the crypto-currency mining task that's required to complete their CAPTCHA would take up too much of the bot's resources for it to be worth the attempt. There are plenty of softer targets, so why spend a lot of time on just one form submission that may not even succeed if they do solve the CAPTCHA?
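To make that cost argument concrete, here is an added example (not code from this post and not Coinhive's code or API) of a proof-of-work form gate. It swaps the mining task for a SHA-256 hashcash-style puzzle; the key, difficulty, lifetime and function names are all assumptions made for the illustration. The submitter grinds through tens of thousands of hashes, while the server checks the result with one HMAC and one hash.

```python
import hashlib, hmac, os, time

SECRET = os.urandom(32)   # server-side key, constructed for this example
DIFFICULTY_BITS = 16      # assumed: about 65,536 hashes expected per submission
TTL_SECONDS = 300         # assumed challenge lifetime

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _tag(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(now=None):
    """Server: stateless challenge, authenticated so clients cannot forge or weaken it."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    body = f"{os.urandom(8).hex()}.{expires}.{DIFFICULTY_BITS}"
    return f"{body}.{_tag(body)}"

def solve(challenge):
    """Client: brute-force a nonce. This loop is the deliberate CPU cost."""
    bits, nonce = int(challenge.split(".")[2]), 0
    while True:
        digest = hashlib.sha256(f"{challenge}.{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce
        nonce += 1

def verify(challenge, nonce, seen, now=None):
    """Server: constant, tiny cost regardless of how long the client worked."""
    now = time.time() if now is None else now
    try:
        salt, expires, bits, tag = challenge.split(".")
        if not hmac.compare_digest(tag, _tag(f"{salt}.{expires}.{bits}")):
            return False              # forged or altered (e.g. lowered difficulty)
        if int(expires) < now or challenge in seen:
            return False              # expired, or a replayed solution
        digest = hashlib.sha256(f"{challenge}.{int(nonce)}".encode()).digest()
        if leading_zero_bits(digest) < int(bits):
            return False              # the work was not done
    except (ValueError, TypeError):
        return False                  # malformed input
    seen.add(challenge)               # each solved challenge is single-use
    return True
```

Without the expiry and the single-use set, one solved puzzle could be replayed across any number of submissions, which would remove the per-request cost the whole idea depends on.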
The crypto-currency mining that takes place during Coinhive's CAPTCHA magic also directly pays Coinhive for the service. They don't need to collect and resell people's behavioral data to make a profit, and they also don't need to charge the publisher. In fact, Coinhive shares their earnings from their CAPTCHA service 30/70 % with the website publisher.
Coinhive is a somewhat controversial choice as far as online service providers go, as their other web-browser-based crypto-currency mining services have a terrible reputation.
Coinhive's web-browser-based miner scripts have been inserted onto hijacked websites and mobile apps to automatically mine crypto-currency on people's devices running at full throttle indefinitely. Coinhive have been blocked by antivirus vendors, web browser vendors, ad-blocking software, and even DNS service providers over the rampant misuse of their service.
Notably, the Coinhive CAPTCHA service doesn't run automatically. It only starts when people click on it, and it only runs for a very limited amount of time (usually a few seconds). In my implementation, I've made sure the forms can still be submitted if the Coinhive CAPTCHA API goes down as I'm not completely convinced that Coinhive will be around forever and have anticipated that their servers may be unavailable for some time.
So, why do I still want to use Coinhive's CAPTCHA service despite their terrible reputation?
I've literally worked as a professional CAPTCHA solver. That is to say, I've helped people who've emailed in to support to complain that they couldn't create an account with one of my previous employer's online services because they couldn't solve the CAPTCHA. It was an awful CAPTCHA and it regularly took me 5–10 attempts to solve it on behalf of customers as I tried to help them set up their accounts. I hate traditional CAPTCHAs. They're awful.
I find Coinhive's transparent business model and privacy-friendly CAPTCHA to be preferable to traditional CAPTCHAs. Google No-CAPTCHA reCAPTCHA isn't an option if you wish to run a privacy-friendly website, and I find it unfortunate that Google reCAPTCHA has cornered 99,3 % of the global CAPTCHA market. Google has a monopoly on CAPTCHA services and I frankly want to see more diversity and innovation in this market as in any other market.
I only use CAPTCHAs on a few forms where readers can submit corrections to my articles or contact me for some other reason. So, I in no way expect to turn a minuscule profit from Coinhive's crypto-mining in the CAPTCHAs on my website as the numbers are relatively small. (The number of automated submissions has been steadily increasing, however). I'm okay with Coinhive making a fractional minuscule profit off the mining as payment for the CAPTCHA service.
The Coinhive CAPTCHA can be slow to solve on older computers, yet I don't believe that should be much of a problem. I do in fact believe that it's probably a good thing if people were forced to cool down for a few seconds before they can contact me. I've literally received death threats over a positive Android app review where someone desperately wanted me to review their favorite app instead. Giving people a few seconds to breathe and think will probably be beneficial.
There are some accessibility and legacy-browser compatibility issues with Coinhive CAPTCHA. I've sent them some feedback regarding improved accessibility support and they've responded positively. I'm more worried that they won't resolve legacy-browser compatibility issues as the technology simply isn't there. Coinhive CAPTCHA displays a notice urging users to upgrade their browsers to a more recent version, but this is about the extent their legacy browser support goes.
I also hope to see a fractional reduction in the volume of correspondence from people who're not all that invested in what they thought they wanted to say when faced with a small delay.