The Bilk Road: Verification Routes in Mainland China

Kevin Gosschalk
Arkose Labs
Jan 11, 2018

The Silk Road stretched from China to Europe. It connected vastly different cultures from Asia, Africa, the Middle East, and Europe through a network of trade routes that lasted centuries. These routes were highly lucrative, carrying goods and inventions like silk, paper, and gunpowder across the known world. And like every source of profit, they were the target of bandits and raiders. Today, the Internet is our Silk Road. It connects us to the global economy and bridges the geographical divide between people around the world. But just like its forerunner, the routes we take remain under constant attack.

For the last 20 years, most brands have used CAPTCHA as a verification gateway along the most important routes on their website — whether it be registering an account, making a transaction, or even sharing a post. They are gatekeepers who protect online spaces from being pillaged by bots. And they hold enough power to lock everyone out, and to let anything in. But, what happens if these gateways seemingly disappear?

In 1997, China began building the country-wide filtering system now commonly called the Great Firewall, justified as a measure against cybercrime and a way to promote a nationally oriented Internet. The firewall imposes restrictions, to varying degrees, on websites hosted beyond China's borders. The most notable for web developers is the block on Google: all Google services, including their encrypted (HTTPS) endpoints, are unreachable from mainland China. When Google acquired reCAPTCHA in 2009, reCAPTCHA inherited that block, because its widget script and challenge assets are served from www.google.com. At the time, and very much still to this day, reCAPTCHA is one of the most widely used anti-bot products on the market. Consequently, any form gated by reCAPTCHA became unusable from mainland China: the page itself loads, but the widget never renders, and the form can never be submitted. (One caveat for practitioners: Google's reCAPTCHA documentation now lists an alternate host, www.recaptcha.net, for regions where google.com is blocked. Whether it actually resolves and loads from a given network is something to test from inside the region, not to assume.)

What makes this consequence particularly interesting is how it is effectively invisible to the user. Consider a faulty vending machine posted with a sign that reads "out of order." It's clear that attempting to use it will only result in lost change. But what if the same faulty vending machine had no sign? You'd wind up sinking your cash and leave feeling frustrated. That's exactly how users in China feel when they encounter a website that uses reCAPTCHA. There's no warning or placeholder. The widget is not stripped from the page by a censor; rather, the browser's request for the script at www.google.com/recaptcha/api.js is simply reset or left to time out, and nothing in the page reports that failure. The widget never appears, so the user sees what looks like a fully completed form. When they submit it, the server-side check fails because the hidden g-recaptcha-response field is empty, and all the user gets back is a generic error, or a blank page, over and over. They don't even know a challenge was supposed to appear.
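The failure mode above is a third-party script that never finishes loading, with nothing in the page watching for it. The following is an added example, not code from the original post or from Arkose Labs, of the "out of order" sign the article says is missing: the page starts a timer when it injects the CAPTCHA script, and if neither the script's load nor error event fires before the timer does, it disables the submit button and explains why. The reCAPTCHA script URL is the standard one; the element id `captcha-slot`, the eight-second timeout, and the assumption that the server rejects a submission with an empty response token are this example's own choices.

```javascript
// Added example (not from the original post): surface a blocked or hanging
// CAPTCHA script as a visible message instead of a silently broken form.
//
// Assumptions not stated on the page: the widget is reCAPTCHA v2 with
// implicit rendering into <div class="g-recaptcha" data-sitekey=...> inside
// #captcha-slot, and the server rejects a POST whose g-recaptcha-response
// is empty (which is why the form "keeps returning an error").

const RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js";
const LOAD_TIMEOUT_MS = 8000; // assumed; tune to the site's latency budget

// First event wins: a blocked host usually fires neither onload nor
// onerror (the TCP connection is reset or silently dropped), so the
// timer is frequently the only thing that ever settles the watch.
function createLoadWatch() {
  let outcome = "pending";
  const settle = (next) => {
    if (outcome === "pending") outcome = next;
    return outcome;
  };
  return {
    loaded: () => settle("loaded"),
    failed: () => settle("error"),
    timedOut: () => settle("timeout"),
    outcome: () => outcome,
  };
}

// Translate the load outcome into what the form should show. Anything
// other than "loaded" means a submission cannot succeed, so say so.
function formStateFor(outcome) {
  switch (outcome) {
    case "loaded":
      return { submitEnabled: true, message: "" };
    case "pending":
      return { submitEnabled: false, message: "Loading verification..." };
    case "timeout":
      return {
        submitEnabled: false,
        message:
          "The verification widget could not be reached from your network " +
          "(request timed out). This form cannot be submitted until it loads.",
      };
    case "error":
      return {
        submitEnabled: false,
        message: "The verification widget failed to load. Please retry.",
      };
    default:
      throw new Error("unknown load outcome: " + outcome);
  }
}

// Browser wiring. Only runs where a DOM exists; in Node it returns null
// so the logic above can be exercised on its own.
function installCaptcha(doc) {
  if (!doc) return null;
  const slot = doc.getElementById("captcha-slot");
  const submit = doc.querySelector("form button[type=submit]");
  const watch = createLoadWatch();

  const render = () => {
    const state = formStateFor(watch.outcome());
    if (submit) submit.disabled = !state.submitEnabled;
    if (slot && state.message) slot.textContent = state.message;
  };

  render(); // "Loading verification..." and submit disabled from the start
  const timer = setTimeout(() => { watch.timedOut(); render(); }, LOAD_TIMEOUT_MS);

  const script = doc.createElement("script");
  script.src = RECAPTCHA_SRC;
  script.async = true;
  script.defer = true;
  script.onload = () => { clearTimeout(timer); watch.loaded(); render(); };
  script.onerror = () => { clearTimeout(timer); watch.failed(); render(); };
  doc.head.appendChild(script);
  return watch;
}

if (typeof document !== "undefined") installCaptcha(document);
```

The same watch-and-timeout pattern applies to any third-party dependency a form cannot work without (payment SDKs, identity widgets, bot-detection scripts). Whatever message is shown, the server-side handler should also return a specific "verification missing" error for an empty token rather than a generic failure, so that support tickets from blocked regions are recognisable.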

To make matters worse, brands using reCAPTCHA are often unaware of this restriction. Their websites pass smoke tests run from regions with unfiltered Internet, only to fail for every user in the world's second-largest economy. The check that catches it is simple: exercise the form from a vantage point inside mainland China (or at least confirm from there that every third-party host the form depends on is reachable), not just from the office or the cloud region where monitoring happens to run. It is hard to estimate how much business is lost to such a simple oversight. In fact, some brands have gone so far as to remove CAPTCHA altogether so that their products remain usable in mainland China. But dropping human verification trades an accessibility problem for a security one. Without a frontline defence like CAPTCHA, brands leave the door wide open to bots and automated attacks.

Verification is a necessary security measure that provides a real and effective defence against automation. What isn't necessary is a CAPTCHA that fails the humans it is meant to let through, whether by being trivially bypassed by bots, by posing challenges people cannot solve, or by never loading at all. CAPTCHA remains one of the most effective ways to verify that a user is human, but it takes an exceptional approach to get it right. In contrast to reCAPTCHA, FunCaptcha remains fully accessible to users in mainland China and accommodates them with three local dialects. The answer to restoring the modern-day Silk Road, then, is not to forgo verification, but to be discerning in the CAPTCHA you choose.
