The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I’m human?
That’s hardly the Turing Test I’d expected.
These type of “captchas” look at your browsing behavior. It is sort of a “trade secret” of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.
Yes, and it gives you (or the bot), a score.
If you don’t meet the score, is highly likely that you are a bot.
You can have a superficial an yet interesting read on the topic on the Google re-captch dev docs.
It is likely you are a bot, and then you get one it these regular captchas and the that will increase your score if you succeed.*
Is it bad that I’ve failed the score multiple times?
Cloudflare knows almost everything done from your IP address because they’re used by the majority of websites. And some websites are using a cloudflare signed TLS certificate so if cloudflare wants, can see the content of the communication instead of an encrypted package
So they know if you have a human behavior (visiting many different websites at human speed and having rests during sleeping time) or if you have a bot behavior (sending millions of requests to the same endpoint at superhuman speeds)
I’d argue that the certificate authority does not have the ability to decrypt your communication because of the nature of private and public key mechanism during the whole TLS certificate procedure. You do not send your web servers private key to cloudflare when requesting a certificate.
That would actually be pretty wild…
Other then that you’re probably right.
There’s a default setting that allows unencrypted communication between the server and cloudflare. So they receive unencrypted data, sign with their certificate. Or send with self signed certificate, they decrypt and reencrypt. Or for some reason can download and import on the server their own internal use certificate.
You’re right, forgot that you can just not encrypt on your servers end and use cloudflare to do that for you, especially when used as CDN
thx, TIL
it also sees your mouse movements on your way to that box.
But I use my phone.
Then it smells you from the microphone on your phone
Damn, I thought I was being stealthy by farting silently like an assassin…
I’m pretty sure I’m a robot since they often force me to select the motorcycle from a picture that is just one motor cycle. If I select every part of it I fail every time. Same thing with street lights and fire plugs.
I often wonder if that’s a fail or just some tech sitting in a room saying “Now do THIS!” and pressing refresh over and over.
That’s it
“this is not CAPTCHA! It’s just clicking, with style”
Beats me. I have a script that clicks all those boxes for me.
Yo based
It tests whether your mouse movement looks human–we’re really bad at things like moving in straight lines, so it’s pretty evident from a mouse movement log whether you’re a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It’s not perfect, but it’s complicated enough to defeat to provide fine protection against cheap spam.
Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.
Nah that’s different as well. What they are filtering out is
- a mouse teleporting to the exact center of the checkbox
- a mouse smoothly gliding in a straight line to the center if the checkbook
- a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise
Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.
No OP was right. If the reCaptcha is on the same page as a login, and I use my password manager to fill the fields, I fail the reCaptcha almost every time. I have to manually paste in the user name and password separately to slow things down to act more human…
This never happens to me, I always instantly autofill with my password manager.
I hate to bring this up to you, but you seem to be losing your humanity as we speak.
If it’s in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.
Yeah, never thought about this before, but how do blind users deal with captchas?
Some provide screen-reader instructions, but most places barely remember blind people exist. It’s another example of people with disabilities being ignored and marginalised.
And then even if they do remember blind people exist, they probably forget there are people who aren’t blind who can’t do their tests for other reasons, like dyslexia or dexterity impairments.
And then you have hCaptcha who makes disabled people to sign up to their database to use their cookie.
But it also works with touchscreen taps, and randomizing tap position, duration, and delay is fairly simple.
What if you’re on a phone or tablet?
I’ve learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.
Could also be browser settings. I often get infinite captcha’d on private Firefox tabs
Interesting that my mouse movement is available to anyone who wants it.
It seems like a small step from that to accessing my keyboard.
Your mouse movement and keyboard events are available to webpages that you’ve loaded, when the browser window is focused.
This isn’t nefarious - it allows websites to build nice UIs that most people enjoy using, most of the time.
There’s lots of shady stuff going on in browsers, this isn’t really one of them.
Hmm, I can think of some ways to misuse this. And I’m not very smart at all.
Cloudflare has a bot score. Depending on how sus your bot score is you can use several different levels of verification. The checkbox you refer to is kind of in the middle. There is also a more complicated intrusive captcha and a totally transparent javascript. It’s a pretty slick system.
I like that when I’m on tor browser with VPN behind it they’re like “Yeah, cool, go on through”
Don’t mix tor plus VPN.
If you’re using tor browser without tor for some reason, carry on.
So, turn off my VPN that’s always running before I use the tor browser?
There are two ways to layer a VPN and tor:
- Tor over VPN; or
- VPN over Tor.
In the first option, you gain little. Tor already encrypts your traffic, so your ISP can’t see inside them. Technically, Tor over a VPN hides the fact that you’re using Tor from your ISP, but Tor’s snowflake does something similar if you need that.
In the second option, you’re revealing your VPN account information, which could theoretically be associated back to you. Tor adds nothing over just a VPN in this case.
So really, “no value in mixing,” which is distinct from “don’t mix.”
The latter implies a security risk could be created.
A security risk is created, you’re creating a permanent guard node by using your VPN with TOR. A lot of people downplay how serious this can be against a dedicated attacker. Sure, it may not matter for most, but for those with the right threat model, it will.
So VPN first then Tor is ill advised for this, or only the reverse? What is the potential attack in running Tor while on VPN?
The risk of mis-ordering your layers is a security issue.
If you’re using tour vpn at the system or network level, and tor at the browser level, is there a risk of mis-ordering?
https://blog.cloudflare.com/turnstile-private-captcha-alternative/
TL:DR cloudflare made a new recaptcha which does some complex math and other stuff on your browser, which done once has no noticable effect but if someone were to scrape websites at an absurd speed it slows everything down significantly.
this is not only cool because you don’t have to manually solve the captcha, but also because it allows for low-speed scraping to be feasible, with tools like flaresolverr
That’s actually kinda cool. Punish the scrapers, but allow regular people to not waste time.
Meanwhile, Google is having you find the zebra crossing for the 400th time…
*training their ai using humans
Oh, so it’s Hashcash; cool to see that idea getting real use.
Thanks for being the only person in this thread who doesn’t joke or talk out of their ass
Quite interesting really and a genius solution (it they don’t lie about not stealing your data)
Didn’t the Soviets see geniuses and other intellectuals as a danger to society during the time this award was given out? Or are there incidents where this was given to scientists as well? I know you’re probably joking, but when I suddenly encounter Lenin’s head being used in a positive manner I have to look twice.
Didn’t the Soviets see geniuses and other intellectuals as a danger to society
Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it’s less about clicking the box and what happens after you’ve clicked the box.
This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google’s captcha which frequently doesn’t recognize me as a human but is easily bypassed by bots.
some of them are also less bot detection and more spam limiting and mitigation. cloudflare’s has more stuff built in I’m sure, but things like mCapcha are just proof of work, so if you’re trying to make a bunch of accounts or whatever, it’s really computationally expensive.
This all humans will be good for in the future, until they atrophy and become a mere appendage of machinegod.
I saw the movie. Unhappy ending.
Which movie is that ? While waiting your reply I asked chatgpt
Please write movie script where humans continue to evolve in an environment where their reproduction and evolution is mediated entirely by the solvibg of captchas. They have become one with machinegod, just a vestigial appendage so scratch an itch that the machine cannot satisfy any other way.
https://chatgpt.com/share/fae8c7fc-df78-462e-9922-9d976a182bd8
I always fail Cloudflare captchas because I’m clicking it with Vimium-C lol. I hate captchas for making me reach for my mouse. It also seems like a genuine accessibility issue if people who cannot use a mouse can’t pass a captcha.
I’ve found that Google’s reCAPTCHA has also started rejecting me no matter what I do. I think it might be because my IP address is a VPN, but that’s pretty stupid; if I can pass the test by clicking the squares why not let me in?
I think it might be because my IP address is a VPN, but that’s pretty stupid; if I can pass the test by clicking the squares why not let me in?
They want your tasty IP data
deleted by creator
A side to this is that certain techniques will be deliberately obfuscated or simply omitted as a security measure in the hopes of slowing a bad actor’s eventual bypassing of the measure. It’s an arms race and if the intruder doesn’t know what all the locks even are, it takes longer to break or pick them.
Theres a few answrs to this
- It uses your movements before this to determine whether it feels like your a bot or not
- It makes you wait, the biggest issue with bots is they may try to log in say 50 different passwords for example, so if it takes 5 seconds to do each one it makes boting multiple acounts not worth it.
- Google uses catchphas with images to choose. They use this to train their own AI or data to sell
Smarter bots know how to easily avoid being detected based on the speed of their requests by simply adding a random delay to them. A few years ago we discovered a very slow speed credential stuffing attack (testing usernames & passwords) against my employers site. It was only testing one set of credentials every couple of minutes.
Once we discovered it we didn’t block it though. We were able to spot the attack fairly easily once we knew what to look for, so we updated our system to always return a login failure no matter what credentials they sent.
