I'm starting to see sites put CAPTCHAs in front of login forms. Patreon, Meetup, and Disqus are the offenders that come to mind right now.

Is this some new asinine "security" fad? Have people forgotten how to implement cool-offs and send login tokens by email?

I think I'm just going to start deleting accounts when I run into this. I've got a good password, I don't need to prove to you that I'm human. Save that for the people with "p@ssword1".


This is one of those days I'm disgusted by what the web has become. Dubious Google CAPTCHAs sprinkled everywhere, in-page modals, 3 MB pages to show 280 characters, sites that only work in Google Chrome (motto: "The New IE6") or have sunk even lower to only being phone apps. Cloudflare hiding random strings with @ signs in them unless you have JS enabled. Videos instead of text.

Maybe I can just... not use the web, except for work? Can I do that? I kinda want to give it a try.

Often you aren't even able to solve those captchas when you are using a VPN. This is so annoying, and as you've already mentioned, this 'feature' is used almost everywhere! I try to avoid services that use Google captchas.

Not to forget: autoplay videos, user tracking, paywalls, giant and annoying cookie/GDPR forms, UI dark patterns...

@R10T @varx
I block those GDPR/cookie things with uBlock Origin's "Fanboy's Cookiemonster list", and annoyances with "Fanboy's Annoyance list".

However, it sucks that sites have such crap. Living without uBlock Origin is a horrific experience...

@elias Good reminder to refresh my filter lists on my machine.
I wouldn't use the internet without an adblocker.

@varx …or rather fight to change that situation 😃

@rugk I sometimes advocate for a simpler web directly to website owners, such as encouraging them to use JS only as a progressive enhancement, but mostly I just complain about it socially. 😅 Ultimately, I can only do so much by keeping my own sites written in a mid-00's style; I'm not the one coding up Google and Twitter's stuff.

(And I can only do so much of this sort of advocacy at work before I'm just That Guy.)

Honestly, given the security maturity of the Chrome sandbox, I now have no problem with running JS in my browser.

Bad integration of foreign unverified JS in websites by the website developers themselves is what keeps me awake.
No, I won't type my password in a login page that includes a non-sandboxed ad!

@x_cli @varx First, BTW, all browsers nowadays have very secure sandboxes – as if Chrome would be effectively better here. Also, Firefox, for example, introduced a multi-process (Electrolysis) architecture and also improved the speed quite a lot.
(There may rather be privacy problems with Chrome though: social.wiuwiu.de/@rugk/1011116)

Anyway, yes, that's a problem, but (theoretically) a solved one: #SubresourceIntegrity (#SRI), for example, can be used.

@x_cli @rugk I block JS for multiple reasons:

- Sandbox escapes (e.g. Spectre)
- Tracking scripts
- Ads
- Excessive resource consumption
- Capturing of browser commands (e.g. GitHub stealing the '/' keyboard action, or things that screw with scrolling)
- Various other irritations, such as cookie/GDPR/paywall modals, animated crap, and infinite scrolling on magazine articles.

I agree that sandboxing is pretty good these days!

@varx I'm planning on setting up a search engine that only searches a specific set of sites once I get the time to do it. Though it just occurred to me that a large fraction of "Web: The Good Parts" could be stored/browsed offline/locally.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.