Google Broke reCAPTCHA for De-Googled Android Users
100 points | 2 hours ago | 9 comments | reclaimthenet.org | HN
coppsilgold
1 hour ago
My understanding is that this new reCAPTCHA is basically just remote attestation.

Remote attestation doesn't use blind signatures (as that would be 'farmable'), so tying the device to the 'attestee' is technically possible with collusion of Google servers: EK (static burned-in private key) -> AIK (ephemeral identity key in secure enclave signed by a Google server) -> attestation (signed by AIK). As you can see, if the Google server logs EK -> AIK conversions, an attestation can be trivially traced to your device's EK. This is also why we don't really see and probably never will see online services which offer fake remote attestations, as it will be pretty obvious that the next step of running such a service is getting Google as a customer and having all your devices blacklisted. Private farms probably won't last long either, as I'm sure Google logs everything and will correlate.

Unless something special is done with this new reCAPTCHA, not only are you locking internet services behind TPM chips but you are also surrendering anonymity to Google. Unless you acquire untraceable burners for every service, the new reCAPTCHA will be technically capable of tying all your accounts across all these services together. Much like age verification. It may appear that the service would need to cooperate to link the reCAPTCHA session to your registration, but the registration time alone will likely be sufficient (the anonymity set will be all but destroyed).

reply
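
A minimal model of the linkage described in the comment above, added here as an illustration; it is not code from the thread or from Google. Keys are random byte strings, signatures are omitted, and `IssuingServer`, its log format and all timings are constructed assumptions. It shows that per-service AIKs look unrelated to the services, that an issuance log maps them back to one EK, and that registration time alone can shrink the candidate set.

```python
import hashlib
import secrets
from collections import defaultdict

def fp(key: bytes) -> str:
    """Short fingerprint of (stand-in) public key material."""
    return hashlib.sha256(key).hexdigest()[:12]

class Device:
    """Constructed model: one static EK, a fresh AIK per attestation."""
    def __init__(self):
        self.ek = secrets.token_bytes(32)    # stands in for the burned-in key
    def new_aik(self) -> bytes:
        return secrets.token_bytes(32)       # ephemeral identity key

class IssuingServer:
    """Certifies AIKs. Keeping (EK, AIK, time) rows is the collusion assumption."""
    def __init__(self):
        self.log = []                        # rows: (ek_fp, aik_fp, issued_at)
    def certify(self, device, issued_at):
        aik = device.new_aik()
        self.log.append((fp(device.ek), fp(aik), issued_at))
        return fp(aik)                       # all a relying service ever sees
    def trace(self, aik_fp):
        return next(ek for ek, a, _ in self.log if a == aik_fp)
    def link(self, sightings):
        """sightings: (service, aik_fp) pairs -> {ek_fp: {services}}"""
        out = defaultdict(set)
        for service, aik_fp in sightings:
            out[self.trace(aik_fp)].add(service)
        return dict(out)
    def anonymity_set(self, registered_at, window):
        """EKs issued an AIK at most `window` seconds before a registration."""
        return {ek for ek, _, t in self.log if 0 <= registered_at - t <= window}

def demo():
    server, alice = IssuingServer(), Device()
    for i in range(50):                      # background devices, one AIK per 60 s
        server.certify(Device(), issued_at=i * 60)
    a1 = server.certify(alice, issued_at=1000)   # presented to service "forum"
    a2 = server.certify(alice, issued_at=2500)   # presented to service "shop"
    linked = server.link([("forum", a1), ("shop", a2)])
    # No session id shared by the service: only the registration time is known.
    candidates = server.anonymity_set(registered_at=1005, window=30)
    return a1 != a2, linked, candidates, fp(alice.ek)
```
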
dheera
9 minutes ago
> Google didn’t demand iPhone users install Google software to pass the test.

Can de-Googled Android phones present themselves as iPhones?

reply
coppsilgold
1 minute ago
Apple has their own remote attestation infrastructure and you will not be able to impersonate an Apple device without extracting private key material from the secure enclave of a legitimate Apple device or compromising Apple certificate authority private keys.
reply
cornholio
32 minutes ago
It's a move to block competitor AI agents while securing access for your own, classic ladder kick. The market for autonomous agents providing services and doing online work will be gigantic so, unless you want your own bots locked out from i.e. properties guarded by Amazon, Cloudflare, Microsoft etc., you will need a bargaining chip.
reply
spankibalt
39 minutes ago
Time for some lawfare!
reply
DANmode
21 minutes ago
The Government reviewed the Google situation on behalf of you,

and on behalf of the Government,

and said “data, so piss off”:

https://abcnews.com/Technology/google-hit-antitrust-lawsuit-...

https://macdailynews.com/2026/02/04/u-s-files-appeal-in-goog...

reply
ranger_danger
1 hour ago
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.

My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:

- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.

- Discord immediately bans me any time I try to create an account.

- Can't buy flights from Delta, always gives a non-descript error.

- Can't buy concert tickets, it thinks I'm a fraudulent buyer.

- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.

- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).

- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.

I just take my business elsewhere... eventually I'll probably just stop using technology at all.

reply
Jigsy
57 minutes ago
> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.

I had this problem recently with the Indeed website. (Cloudflare Captcha)

Thanks to someone on Reddit, it was discovered that anyone using a Chromium-based browser (Brave, Vivaldi, etc.) on Linux was being punished.

Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.

reply
anonymousiam
10 minutes ago
Why not just change your user agent string?
reply
hysan
50 minutes ago
Turnstile feels bad as a user. Every site that I’ve seen it long will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops.
reply
prism56
1 hour ago
Oh man I feel you. I turn my VPN off on certain sites due to the captcha loop.
reply
Milpotel
1 hour ago
Wouldn't a 1£ Linux VM as Wireguard access point suffice?
reply
ranger_danger
1 hour ago
Nope, I have tried. Just as suspicious to them if not more so because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.
reply
ck2
59 minutes ago
whenever I can't access a website for various stupid blocks

I fire up cloudflare warp and walk right through it

use wireguard with wgcf in environments without cloudflare client

yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden

reply
wafflemaker
32 minutes ago
You sir seem to have solved a problem many people here have.

Would you care to elaborate a little on how you did it?

It doesn't happen that often to me, but sometimes the adblock setup I'm using results in such issues.

reply
tardedmeme
25 minutes ago
He just told you, he used cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by cloudflare, so it gets special treatment by cloudflare's walled garden enforcement system.
reply
krackers
2 minutes ago
I wonder if iCloud private relay might also work. Apple probably negotiated some special treatment
reply
citizenpaul
20 minutes ago
For decades the huge tech companies basically faced no adversity whatsoever. Now for the first time in their existence the massive returned investments in AI they are experiencing ... we will call it pain.

I would say it will be interesting to see what they do but I think rent-seeking, oppression, human rights violations would be more apt.

They were of course trustworthy providers while they were untouchable but now I know how things are gonna go.

reply
tamimio
46 minutes ago
And soon desktop OSes will follow, if you don’t have TPM you won’t be able to browse half of the internet.
reply
Andrex
11 minutes ago
A parallel, fully public and accessible internet being widespread and available for anyone with a slight tinkering kick... Could actually be really awesome.

Let the commerce-driven, corporatized hellhole that the modern web has become eat itself.

reply
hackernews682
1 hour ago
The gate to the pig pen is closing…
reply
kittikitti
1 hour ago
Please stop calling Android Linux. It's a marketing lie that continues to disappoint, including here. You're holding Linux back substantially by claiming Android is part of it. Just because it has Unix doesn't mean it's Linux as macOS is also Unix.
reply
PaulHoule
1 hour ago
The kernel is a Linux kernel. The userspace is very different from a typical Linux distribution.
reply
IsTom
30 minutes ago
It's the punishment for all the times people laughed at calling regular Linux "GNU/Linux".
reply
prophesi
1 hour ago
Unless it was in a previous iteration of the submission's title, I don't see Linux mentioned anywhere.
reply
ChrisArchitect
1 hour ago
Related:

Google Cloud fraud defense, the next evolution of reCAPTCHA

https://news.ycombinator.com/item?id=48039362

Google Cloud Fraud Defence is just WEI repackaged

https://news.ycombinator.com/item?id=48063199

reply