Finally it's available and the blog post disappointed me a bit. Here's Wordpress registration page successfully using No CAPTCHA.
Now let's open it in incognito tab... Wait, annoying CAPTCHA again? But i'm a human!
So what Google is trying to sell us as a comprehensive bot detecting algorithm is simply a whitelist based on your previous online behavior, CAPTCHAs you solved. Essentially - your cookies. Under the hood they replaced challenge/response pairs with token "g-recaptcha-response". Good guys get it "for free", bad guys still have to solve a challenge.
Does it make bot's job harder? No at all. The legacy flow is still available and old OCR bots can keep recognizing.
But what about new "find a similar image" challenges? Bots can't do that!
The thing is No CAPTCHA actually introduces a new weakness!
Abusing clickjacking we can make the user (a good guy) generate g-recaptcha-response for us - make a click (demo bot for wordpress). Then we can use this g-recaptcha-response to make a valid request to the victim (from our server or from user's browser).
It's pretty much a serious weakness of new reCAPTCHA - instead of making everyone recognize those images we can make a bunch of good "trustworthy" users generate g-recaptcha-response-s for us. Bot's job just got easier!
You're probably surprised, how can we use 3rd party data-sitekey on our website?
P.S. Many developers still think you need to wait a while to get a new challenge.
@homakov I've used them in the past, accuracy is about 80% and response time about 10 seconds per attempt. Still too slow for some attacks.
In fact you can prepare as many challenges as you want and then start spaming later. It's another reCAPTCHA weakness that will never be fixed.
— Stephen de Vries (@stephendv) December 4, 2014