Trying to pass ReCaptcha v3 ... (EN)

28.09.2018

Today on Mastodon I read @allo@chaos.social's tweet about ReCaptcha v3, Google's next version of ReCaptcha. allo tried to pass the ReCaptcha v3 beta version, which returns a score; with default settings, you pass if you score >= 0.5. allo "did not manage to meet the score threshold even with a fresh firefox profile, probably due to a VPN IP address." Let's test some scenarios ...

About ReCaptcha v3

According to the Google Developer Docs, ReCaptcha v3 just returns a score between 0.0 and 1.0. Based on the score, the site owner can take "variable actions".
Google made some "recommendations":

| Use case | Recommendation |
|---|---|
| homepage | See a cohesive view of your traffic on the admin console while filtering scrapers. |
| login | With low scores, require 2-factor-authentication or email verification to prevent brute force attacks. |
| social | Limit unanswered friend requests from abusive users and send risky comments to moderation. |
| e-commerce | Put your real sales ahead of bots and identify risky transactions. |

-- from https://developers.google.com/recaptcha/docs/v3

We can assume that some sites will completely block clients with a low score!
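One way a site could act on the score without blocking low-scoring clients outright, as an added example (not code from Google's docs or from this post). It takes an already parsed siteverify response; the tier names, the 0.3 cut-off and the host example.org are assumptions, and the sample responses are constructed, using scores from the test table in this post.

```python
PASS_THRESHOLD = 0.5     # default pass threshold mentioned in the post
REVIEW_THRESHOLD = 0.3   # assumed cut-off for this example


def decide(verify_response, expected_action, expected_hostname):
    """Map a parsed siteverify JSON response (or None) to a site-side decision."""
    # No token at all: the client blocked or could not run the script.
    if verify_response is None:
        return "step_up"
    # An invalid, expired or already used token carries no usable score.
    if not verify_response.get("success"):
        return "reject_token"
    # A token issued for another action or host must not be accepted here.
    if verify_response.get("action") != expected_action:
        return "reject_token"
    if verify_response.get("hostname") != expected_hostname:
        return "reject_token"
    score = verify_response.get("score")
    if type(score) not in (int, float) or not 0.0 <= score <= 1.0:
        return "step_up"             # malformed score: use another check
    if score >= PASS_THRESHOLD:
        return "allow"
    if score >= REVIEW_THRESHOLD:
        return "step_up"             # e.g. email verification or 2FA
    return "step_up_and_review"      # lowest tier, still not a hard block


def _resp(score, action="login", hostname="example.org"):
    """Build a constructed siteverify-style response for the samples."""
    return {"success": True, "score": score, "action": action, "hostname": hostname}


# Constructed responses; scores taken from rows of the test table.
SAMPLES = {
    "Chromium, normal (row 1)": _resp(0.9),
    "Firefox mobile, VPN (row 5)": _resp(0.3),
    "Tor Browser (row 11)": _resp(0.1),
    "Firefox, tracking protection (row 20)": None,
    "reused token": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "token for another action": _resp(0.9, action="homepage"),
}


def run_samples():
    return {name: decide(r, "login", "example.org") for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:40s} -> {decision}")
```

With this policy the Tor, VPN and script-blocking clients from the table get an extra verification step instead of being locked out, while a reused or mismatched token is refused regardless of its score.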

Tests

Tested here. Note: "normal" means my daily-use profile, but not logged in.

| Nr. | Browser | VPN/Tor/x | Distro | Score | Passed? | Notes |
|---|---|---|---|---|---|---|
| 1 | Chromium, normal | no | Archlinux | 0.9 | yes | |
| 2 | Chromium, private window | no | Archlinux | 0.7 | yes | |
| 3 | Chromium, normal | NordVPN | Archlinux | 0.9 | yes | |
| 4 | Chromium, private window or fresh profile | NordVPN | Archlinux | 0.1 | no | |
| 5 | Firefox mobile (few extensions) | NordVPN | Android 6 | 0.3 | no | |
| 6 | fresh Firefox | Mullvad | ? | 0.1 | no | |
| 7 | Google Chrome | NordVPN | Archlinux | 0.9 | yes | |
| 8 | Google Chrome | NordVPN | Archlinux | 0.9 | yes | |
| 9 | Firefox Klar | mobile connection (O2 Germany) | Android 6 | 0.1 | no | |
| 10 | Google Chrome for Android | mobile connection (O2 Germany) | Android 6 | 0.9 | yes | |
| 11 | Tor Browser | Tor | Archlinux | 0.1 | no | |
| 12 | Chromium, normal, with uMatrix blocking googleanalytics and googletagmanager | NordVPN | ArchLinux | 0.1 | no | |
| 13 | Firefox 62 (Incognito) | no | Windows 10 | 0.7 | yes | |
| 14 | Firefox Klar | no | Android 8 | 0.7 | yes | |
| 15 | Firefox Klar | mobile connection (Telekom Germany) | Android 8 | 0.3 | no | |
| 16 | Google Chrome for Android, private window | no | Android 8 | 0.7 | yes | |
| 17 | Google Chrome for Android, private window | mobile connection (Telekom Germany) | Android 8 | 0.7 | yes | |
| 18 | Google Chrome for Android | no | Android 8 | 0.9 | yes | |
| 19 | Internet Explorer 11 | no | Windows | none | no | Test doesn't continue after Token received |
| 20 | Firefox with tracking protection | work network | Windows 10 | none | no | Scripts are blocked, test can't continue. Tracking protection (privacy.trackingprotection.enabled) will become default in one of the next releases |
| 21 | Vivaldi | work network | Windows 10 | 0.1 | no | |
| 22 | Chromium, with Do-Not-Track | no | Archlinux | 0.9 | yes | |
| 23 | Chromium, Google Bot User-Agent | no | Archlinux | 0.1 | no | User-Agent was Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |

I will extend the test soon. Feel free to participate and send your results to ares@anghenfil.de or @anghenfil@chaos.social.