this post was submitted on 24 Aug 2024
376 points (97.0% liked)

Asklemmy

43945 readers
584 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
 

The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I'm human?

That's hardly the Turing Test I'd expected.

top 50 comments
sorted by: hot top controversial new old
[–] platypode@sh.itjust.works 190 points 3 months ago (25 children)

It tests whether your mouse movement looks human--we're really bad at things like moving in straight lines, so it's pretty evident from a mouse movement log whether you're a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It's not perfect, but it's complicated enough to defeat to provide fine protection against cheap spam.

[–] random_character_a@lemmy.world 47 points 3 months ago (3 children)

Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.

[–] Thorry84@feddit.nl 45 points 3 months ago

If it's in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.

[–] ThisIsAManWhoKnowsHowToGling@lemmy.dbzer0.com 33 points 3 months ago (4 children)

Nah that's different as well. What they are filtering out is

  • a mouse teleporting to the exact center of the checkbox
  • a mouse smoothly gliding in a straight line to the center if the checkbook
  • a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise

Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.

load more comments (4 replies)
[–] savedbythezsh@sh.itjust.works 14 points 3 months ago (3 children)

Yeah, never thought about this before, but how do blind users deal with captchas?

[–] TheBat@lemmy.world 29 points 3 months ago

There are audio captchas.

load more comments (2 replies)
[–] Jimmycrackcrack@lemmy.ml 18 points 3 months ago (3 children)

I've learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.

[–] ICastFist@programming.dev 25 points 3 months ago (1 children)

Could also be browser settings. I often get infinite captcha'd on private Firefox tabs

Yeah this is my experience as well. I don't have much technical knowledge about it, but Firefox with ublock seems to be the enemy of captcha and CloudFlare

load more comments (2 replies)
[–] pineapplelover@lemm.ee 14 points 3 months ago (2 children)

What if you're on a phone or tablet?

load more comments (2 replies)
[–] user224@lemmy.sdf.org 8 points 3 months ago

But it also works with touchscreen taps, and randomizing tap position, duration, and delay is fairly simple.

load more comments (21 replies)
[–] elrik@lemmy.world 64 points 3 months ago (5 children)

Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it's less about clicking the box and what happens after you've clicked the box.

[–] SerotoninSwells@lemmy.world 61 points 3 months ago

This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google's captcha which frequently doesn't recognize me as a human but is easily bypassed by bots.

load more comments (4 replies)
[–] isolatedscotch@discuss.tchncs.de 60 points 3 months ago (2 children)

https://blog.cloudflare.com/turnstile-private-captcha-alternative/

TL:DR cloudflare made a new recaptcha which does some complex math and other stuff on your browser, which done once has no noticable effect but if someone were to scrape websites at an absurd speed it slows everything down significantly.

this is not only cool because you don't have to manually solve the captcha, but also because it allows for low-speed scraping to be feasible, with tools like flaresolverr

[–] madcaesar@lemmy.world 25 points 3 months ago (1 children)

That's actually kinda cool. Punish the scrapers, but allow regular people to not waste time.

Meanwhile, Google is having you find the zebra crossing for the 400th time....

[–] bastion@feddit.nl 29 points 3 months ago

*training their ai using humans

load more comments (1 replies)
[–] trustnoone@lemmy.sdf.org 45 points 3 months ago (2 children)

Theres a few answrs to this

  1. It uses your movements before this to determine whether it feels like your a bot or not
  2. It makes you wait, the biggest issue with bots is they may try to log in say 50 different passwords for example, so if it takes 5 seconds to do each one it makes boting multiple acounts not worth it.
  3. Google uses catchphas with images to choose. They use this to train their own AI or data to sell
[–] IphtashuFitz@lemmy.world 7 points 3 months ago* (last edited 3 months ago)

Smarter bots know how to easily avoid being detected based on the speed of their requests by simply adding a random delay to them. A few years ago we discovered a very slow speed credential stuffing attack (testing usernames & passwords) against my employers site. It was only testing one set of credentials every couple of minutes.

Once we discovered it we didn’t block it though. We were able to spot the attack fairly easily once we knew what to look for, so we updated our system to always return a login failure no matter what credentials they sent.

load more comments (1 replies)
[–] Ballistic_86@lemmy.world 43 points 3 months ago (3 children)

These type of β€œcaptchas” look at your browsing behavior. It is sort of a β€œtrade secret” of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.

load more comments (3 replies)
[–] Xeroxchasechase@lemmy.world 33 points 3 months ago (1 children)

Clicking a check box might not be the definite quality that makes you a human, but pondering on the meaning of things and questioning your humanity with a curious introspective state of mind - THAT what makes you a human! I'm proud of you, fellow human!

load more comments (1 replies)
[–] communism@lemmy.ml 33 points 3 months ago (6 children)

I always fail Cloudflare captchas because I'm clicking it with Vimium-C lol. I hate captchas for making me reach for my mouse. It also seems like a genuine accessibility issue if people who cannot use a mouse can't pass a captcha.

I've found that Google's reCAPTCHA has also started rejecting me no matter what I do. I think it might be because my IP address is a VPN, but that's pretty stupid; if I can pass the test by clicking the squares why not let me in?

load more comments (6 replies)
[–] FiskFisk33@startrek.website 29 points 3 months ago (3 children)

it also sees your mouse movements on your way to that box.

load more comments (3 replies)
[–] xylogx@lemmy.world 29 points 3 months ago (1 children)

Cloudflare has a bot score. Depending on how sus your bot score is you can use several different levels of verification. The checkbox you refer to is kind of in the middle. There is also a more complicated intrusive captcha and a totally transparent javascript. It’s a pretty slick system.

[–] Melatonin@lemmy.dbzer0.com 11 points 3 months ago* (last edited 3 months ago) (1 children)

I like that when I'm on tor browser with VPN behind it they're like "Yeah, cool, go on through"

[–] cadekat@pawb.social 13 points 3 months ago (3 children)

Don't mix tor plus VPN.

If you're using tor browser without tor for some reason, carry on.

[–] Melatonin@lemmy.dbzer0.com 8 points 3 months ago* (last edited 3 months ago) (1 children)

So, turn off my VPN that's always running before I use the tor browser?

[–] cadekat@pawb.social 9 points 3 months ago (1 children)

There are two ways to layer a VPN and tor:

  1. Tor over VPN; or
  2. VPN over Tor.

In the first option, you gain little. Tor already encrypts your traffic, so your ISP can't see inside them. Technically, Tor over a VPN hides the fact that you're using Tor from your ISP, but Tor's snowflake does something similar if you need that.

In the second option, you're revealing your VPN account information, which could theoretically be associated back to you. Tor adds nothing over just a VPN in this case.

[–] wolfpack86@lemmy.world 17 points 3 months ago (4 children)

So really, "no value in mixing," which is distinct from "don't mix."

The latter implies a security risk could be created.

load more comments (4 replies)
load more comments (2 replies)
[–] wuphysics87@lemmy.ml 26 points 3 months ago (2 children)

Humans have mouse movement that, on August 8, 2024, are very hard to reproduce. But just like regular captchas we are just teaching computers to do the same thing.

[–] GiveOver@feddit.uk 14 points 3 months ago (1 children)

Whoa what happened on the 9th?

[–] intensely_human@lemm.ee 19 points 3 months ago

Recaptcha gained sentience

load more comments (1 replies)
[–] brianorca@lemmy.world 25 points 3 months ago

Others mention the mouse motion, and monitoring your other traffic to similar sites. When it shows the checkbox, it has already determined you are probably human. If you had suspicious activity, they will give you more advanced tests instead of just a checkbox.

[–] Magnetic_dud@discuss.tchncs.de 24 points 2 months ago (4 children)

Cloudflare knows almost everything done from your IP address because they're used by the majority of websites. And some websites are using a cloudflare signed TLS certificate so if cloudflare wants, can see the content of the communication instead of an encrypted package

So they know if you have a human behavior (visiting many different websites at human speed and having rests during sleeping time) or if you have a bot behavior (sending millions of requests to the same endpoint at superhuman speeds)

load more comments (4 replies)
[–] Lucidlethargy@sh.itjust.works 23 points 3 months ago (4 children)

I'm sorry, but "now"? This has been a thing for at least half a decade. Are you Encino Man? Did you just wake up?

[–] Melatonin@lemmy.dbzer0.com 10 points 3 months ago* (last edited 3 months ago)

I have not been in a coma but....

I could possibly be the least aware person you've ever had a conversation with, digital or otherwise.

I used to have "weekends" that rotated to different two-day sets every year. One year I got Wednesday and Thursday. I told my wife, "It's not so bad. At least Thanksgiving falls on a Thursday this year. I checked." She looked at me and said, "Thanksgiving is on a Thursday every year." I was over thirty. Had no idea.

She's a very patient woman.

load more comments (3 replies)
[–] tilefan@lemm.ee 22 points 3 months ago (2 children)

I've been told that it's analyzing your behavior from right before you click the button

[–] tills13@lemmy.world 22 points 3 months ago

The newest models already know whether you're a bot or not before the checkbox loads. A massive majority of the internet goes through Cloudflare so by the time you land on a site you already have what Cloudflare dubs a Bot Score based on your behavior across the web.

Checking the box really just confirms what they already know. There's a second form which I'm sure is even more prevalent than the checkbox that renders nothing, requires no user action, but can prevent form submission if you fail the check.

load more comments (1 replies)
[–] Burn_The_Right@lemmy.world 17 points 3 months ago (1 children)

Beats me. I have a script that clicks all those boxes for me.

load more comments (1 replies)
[–] NightEagle@lemmy.world 17 points 3 months ago

Clicking the button doesn't proof that you are a human. All the checks happen way before you even click the button (or sometimes even before visiting the website). Google also offers a similar button for their users and since cloudflare is also used on almost any website, they have a lot of data about you. They check your cookies, browser agent, device, settings, your IP address, if you use a VPN or proxy, etc. If you visited other cloudflare websites in the past with the same device or IP, and so on. So they know you and your device way before you even click the button. This is also the reason why you sometimes see a robot arm (made of Lego) clicking the button, and is still recognized as human. But as soon as you use a different IP address or a VPN (or even use a shared IP address, like in your company's network) you have to solve CAPTCHAs. Of course they also check mouse movement, but this is only one part of many checks.

[–] Cephalotrocity@biglemmowski.win 16 points 3 months ago

I don't know for certain, but I think it is simply looking at what you do with your mouse. If the movement is erratic, imprecise, and delayed it goes 'yeah, that is either a cat that got lucky which is close enough or a human'. The reason I think this is that I've failed same site's checks if my mouse just happens to be hovering over the checkbox when the prompt appears. Retry, move the mouse, success.

[–] Itdidnttrickledown@lemmy.world 15 points 3 months ago (3 children)

I'm pretty sure I'm a robot since they often force me to select the motorcycle from a picture that is just one motor cycle. If I select every part of it I fail every time. Same thing with street lights and fire plugs.

load more comments (3 replies)
[–] Mambert@beehaw.org 14 points 3 months ago

Basically bots would automatically click on it, teleporting the cursor to the very center of the button. They will do this within exact milliseconds of the page loading.

Humans read something on the site, then find the banner, and move the cursor over to it, confirm that the cursor is somewhere on the button, and then click it.

It's not just the button, it's the before the button that determines you're a bot or not.

load more comments
view more: next β€Ί