A loosely moderated place to ask open-ended questions
Search asklemmy π
If your post meets the following criteria, it's welcome here!
Looking for support?
Looking for a community?
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I'm human?
That's hardly the Turing Test I'd expected.
It tests whether your mouse movement looks human--we're really bad at things like moving in straight lines, so it's pretty evident from a mouse movement log whether you're a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It's not perfect, but it's complicated enough to defeat to provide fine protection against cheap spam.
Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.
If it's in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.
Nah that's different as well. What they are filtering out is
Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.
Yeah, never thought about this before, but how do blind users deal with captchas?
There are audio captchas.
I've learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.
Could also be browser settings. I often get infinite captcha'd on private Firefox tabs
Yeah this is my experience as well. I don't have much technical knowledge about it, but Firefox with ublock seems to be the enemy of captcha and CloudFlare
But it also works with touchscreen taps, and randomizing tap position, duration, and delay is fairly simple.
Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it's less about clicking the box and what happens after you've clicked the box.
This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google's captcha which frequently doesn't recognize me as a human but is easily bypassed by bots.
https://blog.cloudflare.com/turnstile-private-captcha-alternative/
TL:DR cloudflare made a new recaptcha which does some complex math and other stuff on your browser, which done once has no noticable effect but if someone were to scrape websites at an absurd speed it slows everything down significantly.
this is not only cool because you don't have to manually solve the captcha, but also because it allows for low-speed scraping to be feasible, with tools like flaresolverr
That's actually kinda cool. Punish the scrapers, but allow regular people to not waste time.
Meanwhile, Google is having you find the zebra crossing for the 400th time....
*training their ai using humans
Theres a few answrs to this
Smarter bots know how to easily avoid being detected based on the speed of their requests by simply adding a random delay to them. A few years ago we discovered a very slow speed credential stuffing attack (testing usernames & passwords) against my employers site. It was only testing one set of credentials every couple of minutes.
Once we discovered it we didnβt block it though. We were able to spot the attack fairly easily once we knew what to look for, so we updated our system to always return a login failure no matter what credentials they sent.
These type of βcaptchasβ look at your browsing behavior. It is sort of a βtrade secretβ of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.
Clicking a check box might not be the definite quality that makes you a human, but pondering on the meaning of things and questioning your humanity with a curious introspective state of mind - THAT what makes you a human! I'm proud of you, fellow human!
I always fail Cloudflare captchas because I'm clicking it with Vimium-C lol. I hate captchas for making me reach for my mouse. It also seems like a genuine accessibility issue if people who cannot use a mouse can't pass a captcha.
I've found that Google's reCAPTCHA has also started rejecting me no matter what I do. I think it might be because my IP address is a VPN, but that's pretty stupid; if I can pass the test by clicking the squares why not let me in?
Cloudflare has a bot score. Depending on how sus your bot score is you can use several different levels of verification. The checkbox you refer to is kind of in the middle. There is also a more complicated intrusive captcha and a totally transparent javascript. Itβs a pretty slick system.
I like that when I'm on tor browser with VPN behind it they're like "Yeah, cool, go on through"
Don't mix tor plus VPN.
If you're using tor browser without tor for some reason, carry on.
So, turn off my VPN that's always running before I use the tor browser?
There are two ways to layer a VPN and tor:
In the first option, you gain little. Tor already encrypts your traffic, so your ISP can't see inside them. Technically, Tor over a VPN hides the fact that you're using Tor from your ISP, but Tor's snowflake does something similar if you need that.
In the second option, you're revealing your VPN account information, which could theoretically be associated back to you. Tor adds nothing over just a VPN in this case.
So really, "no value in mixing," which is distinct from "don't mix."
The latter implies a security risk could be created.
Humans have mouse movement that, on August 8, 2024, are very hard to reproduce. But just like regular captchas we are just teaching computers to do the same thing.
Whoa what happened on the 9th?
Recaptcha gained sentience
Others mention the mouse motion, and monitoring your other traffic to similar sites. When it shows the checkbox, it has already determined you are probably human. If you had suspicious activity, they will give you more advanced tests instead of just a checkbox.
Cloudflare knows almost everything done from your IP address because they're used by the majority of websites. And some websites are using a cloudflare signed TLS certificate so if cloudflare wants, can see the content of the communication instead of an encrypted package
So they know if you have a human behavior (visiting many different websites at human speed and having rests during sleeping time) or if you have a bot behavior (sending millions of requests to the same endpoint at superhuman speeds)
I'm sorry, but "now"? This has been a thing for at least half a decade. Are you Encino Man? Did you just wake up?
I have not been in a coma but....
I could possibly be the least aware person you've ever had a conversation with, digital or otherwise.
I used to have "weekends" that rotated to different two-day sets every year. One year I got Wednesday and Thursday. I told my wife, "It's not so bad. At least Thanksgiving falls on a Thursday this year. I checked." She looked at me and said, "Thanksgiving is on a Thursday every year." I was over thirty. Had no idea.
She's a very patient woman.
I've been told that it's analyzing your behavior from right before you click the button
The newest models already know whether you're a bot or not before the checkbox loads. A massive majority of the internet goes through Cloudflare so by the time you land on a site you already have what Cloudflare dubs a Bot Score based on your behavior across the web.
Checking the box really just confirms what they already know. There's a second form which I'm sure is even more prevalent than the checkbox that renders nothing, requires no user action, but can prevent form submission if you fail the check.
Clicking the button doesn't proof that you are a human. All the checks happen way before you even click the button (or sometimes even before visiting the website). Google also offers a similar button for their users and since cloudflare is also used on almost any website, they have a lot of data about you. They check your cookies, browser agent, device, settings, your IP address, if you use a VPN or proxy, etc. If you visited other cloudflare websites in the past with the same device or IP, and so on. So they know you and your device way before you even click the button. This is also the reason why you sometimes see a robot arm (made of Lego) clicking the button, and is still recognized as human. But as soon as you use a different IP address or a VPN (or even use a shared IP address, like in your company's network) you have to solve CAPTCHAs. Of course they also check mouse movement, but this is only one part of many checks.
I don't know for certain, but I think it is simply looking at what you do with your mouse. If the movement is erratic, imprecise, and delayed it goes 'yeah, that is either a cat that got lucky which is close enough or a human'. The reason I think this is that I've failed same site's checks if my mouse just happens to be hovering over the checkbox when the prompt appears. Retry, move the mouse, success.
I'm pretty sure I'm a robot since they often force me to select the motorcycle from a picture that is just one motor cycle. If I select every part of it I fail every time. Same thing with street lights and fire plugs.
Basically bots would automatically click on it, teleporting the cursor to the very center of the button. They will do this within exact milliseconds of the page loading.
Humans read something on the site, then find the banner, and move the cursor over to it, confirm that the cursor is somewhere on the button, and then click it.
It's not just the button, it's the before the button that determines you're a bot or not.