What about clicking a checkbox means I'm human? How does Cloudflare determine I'm human from that?
What about clicking a checkbox means I'm human? How does Cloudflare determine I'm human from that?
The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I'm human?
That's hardly the Turing Test I'd expected.
It tests whether your mouse movement looks human--we're really bad at things like moving in straight lines, so it's pretty evident from a mouse movement log whether you're a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It's not perfect, but it's complicated enough to defeat to provide fine protection against cheap spam.
Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.
If it's in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.
Nah that's different as well. What they are filtering out is
- a mouse teleporting to the exact center of the checkbox
- a mouse smoothly gliding in a straight line to the center if the checkbook
- a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise
Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.
I've learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.
What if you're on a phone or tablet?
Clicking percision and reaction time are still measurable and the checkbox can fall back to other captcha tactics if it has low faith in the user.
It's also checking your other traffic. (Since Cloudflare handles traffic for so many companies.) Are you visiting other sites in a realistic fashion, or are you doing 99% of your traffic trying to do one thing over and over.
But it also works with touchscreen taps, and randomizing tap position, duration, and delay is fairly simple.
Interesting that my mouse movement is available to anyone who wants it.
It seems like a small step from that to accessing my keyboard.
Your mouse movement and keyboard events are available to webpages that you've loaded, when the browser window is focused.
This isn't nefarious - it allows websites to build nice UIs that most people enjoy using, most of the time.
There's lots of shady stuff going on in browsers, this isn't really one of them.
If you’re using a webpage JavaScript can see your mouse cursor and anything you type. But only if the browser has focus. So if you’re typing in another window it can’t
Your mouse movement on that page is. Just like if you typed into the page.
It's not tracking you in other windows and apps.
There is a lot of other data available to sites you visit unless you are using some kind of fingerprint protection
If loaded with pages didn't have access to keyboard events, you wouldn't be able to write comments on Lemmy posts. I'm not a front-end guy, but that should be limited to just white the browser is focused.
My question is how is it not trivial to add a noise wave or some shit to the bot path? Obviously, I have zero technical knowledge of how bots, pathing, or anti-bot analysis works
It uses other signals too, like what other sites you've visited with that checkbox on it, what CloudFlare has seen your IP address doing in the past, etc.
The google one is able to see if you're logged into a google account and take that into account.
There's even a new variant of the Google captcha that is invisible and doesn't even bother to show a checkbox.
This feels only partially accurate. I'm a web developer, and I know websites don't track all of what you suggest. Can you clarify, or come clean on what actually takes place?
Honestly, I doubt it... I'm sorry. I don't mean to be abrasive.
Couldn't I just record my mouse movements clicking on it a couple dozen times and randomly replay one of those recordings?
It could store the mouse movements to compare later.
Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it's less about clicking the box and what happens after you've clicked the box.
This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google's captcha which frequently doesn't recognize me as a human but is easily bypassed by bots.
https://blog.cloudflare.com/turnstile-private-captcha-alternative/
TL:DR cloudflare made a new recaptcha which does some complex math and other stuff on your browser, which done once has no noticable effect but if someone were to scrape websites at an absurd speed it slows everything down significantly.
this is not only cool because you don't have to manually solve the captcha, but also because it allows for low-speed scraping to be feasible, with tools like flaresolverr
That's actually kinda cool. Punish the scrapers, but allow regular people to not waste time.
Meanwhile, Google is having you find the zebra crossing for the 400th time....
*training their ai using humans
Theres a few answrs to this
- It uses your movements before this to determine whether it feels like your a bot or not
- It makes you wait, the biggest issue with bots is they may try to log in say 50 different passwords for example, so if it takes 5 seconds to do each one it makes boting multiple acounts not worth it.
- Google uses catchphas with images to choose. They use this to train their own AI or data to sell
Smarter bots know how to easily avoid being detected based on the speed of their requests by simply adding a random delay to them. A few years ago we discovered a very slow speed credential stuffing attack (testing usernames & passwords) against my employers site. It was only testing one set of credentials every couple of minutes.
Once we discovered it we didn’t block it though. We were able to spot the attack fairly easily once we knew what to look for, so we updated our system to always return a login failure no matter what credentials they sent.
To elaborate on point 1, it's about uniqueness and timing of the path the mouse takes to click the checkbox. If it's too straight or consistent it will red flag you.
These type of “captchas” look at your browsing behavior. It is sort of a “trade secret” of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.
Yes, and it gives you (or the bot), a score.
If you don't meet the score, is highly likely that you are a bot.
You can have a superficial an yet interesting read on the topic on the Google re-captch dev docs.
It is likely you are a bot, and then you get one it these regular captchas and the that will increase your score if you succeed.*
Is it bad that I've failed the score multiple times?
Clicking a check box might not be the definite quality that makes you a human, but pondering on the meaning of things and questioning your humanity with a curious introspective state of mind - THAT what makes you a human! I'm proud of you, fellow human!
Thank you for interacting with me! I am an AI intelligence bot designed by Decepticon Industries. Down with Autobots!
I always fail Cloudflare captchas because I'm clicking it with Vimium-C lol. I hate captchas for making me reach for my mouse. It also seems like a genuine accessibility issue if people who cannot use a mouse can't pass a captcha.
I've found that Google's reCAPTCHA has also started rejecting me no matter what I do. I think it might be because my IP address is a VPN, but that's pretty stupid; if I can pass the test by clicking the squares why not let me in?
The EXACT same thing has been happening with me and google captchas. I just switched to Proton VPn, and while I like it, the amount of capctchas I've had to poke through is ridiculous.
I've found that when Google decides to throw me a captcha, literally no amount of solving them will ever persuade them to let me in. I went through 10 in a row before I gave up.
Just seems like spite to me.
reCAPTCHA is a failed project. It was initially designed to lock out bots while being trivial for a human to solve but, over the years, captchas became more unintuitive and bots more sophisticated. Bots are now way better at solving captchas than humans and it's just a useless time sink.
I've recently noticed the same thing with cloudflare and Google captchas while using a VPN. I just use Bing instead while on the VPN because I never get past the Google captchas, or at least I give up after 2 or 3.
It also seems like the resolution of the browser has some impact with cloudflare. If I open a browser window in the corner of the screen, I'm basically guaranteed to get more cloudflare captchas, but if I open it full screen I only get one, maybe two.
If I open a browser window in the corner of the screen, I’m basically guaranteed to get more cloudflare captchas, but if I open it full screen I only get one, maybe two.
That's interesting. If you run a browser full screen they can get your screen resolution as part of fingerprinting you; that's why LibreWolf and Tor Browser have their letterboxing features. So they just don't like browser users who take actions to improve their privacy, huh
It’s those edges
Cloudflare has a bot score. Depending on how sus your bot score is you can use several different levels of verification. The checkbox you refer to is kind of in the middle. There is also a more complicated intrusive captcha and a totally transparent javascript. It’s a pretty slick system.
Humans have mouse movement that, on August 8, 2024, are very hard to reproduce. But just like regular captchas we are just teaching computers to do the same thing.
Whoa what happened on the 9th?
Recaptcha gained sentience
Aaaaand why would CloudFlare want to teach the computers to mimic mouse movements?
Others mention the mouse motion, and monitoring your other traffic to similar sites. When it shows the checkbox, it has already determined you are probably human. If you had suspicious activity, they will give you more advanced tests instead of just a checkbox.
Cloudflare knows almost everything done from your IP address because they're used by the majority of websites. And some websites are using a cloudflare signed TLS certificate so if cloudflare wants, can see the content of the communication instead of an encrypted package
So they know if you have a human behavior (visiting many different websites at human speed and having rests during sleeping time) or if you have a bot behavior (sending millions of requests to the same endpoint at superhuman speeds)
thx, TIL
I'd argue that the certificate authority does not have the ability to decrypt your communication because of the nature of private and public key mechanism during the whole TLS certificate procedure. You do not send your web servers private key to cloudflare when requesting a certificate.
That would actually be pretty wild...
Other then that you're probably right.
There's a default setting that allows unencrypted communication between the server and cloudflare. So they receive unencrypted data, sign with their certificate. Or send with self signed certificate, they decrypt and reencrypt. Or for some reason can download and import on the server their own internal use certificate.
I'm sorry, but "now"? This has been a thing for at least half a decade. Are you Encino Man? Did you just wake up?
I have not been in a coma but....
I could possibly be the least aware person you've ever had a conversation with, digital or otherwise.
I used to have "weekends" that rotated to different two-day sets every year. One year I got Wednesday and Thursday. I told my wife, "It's not so bad. At least Thanksgiving falls on a Thursday this year. I checked." She looked at me and said, "Thanksgiving is on a Thursday every year." I was over thirty. Had no idea.
She's a very patient woman.
Ha! They must have missed the billboards, front page newspaper articles, TV reports, and public service annou- oh wait.
If you don't know you don't need to reply.
What's the purpose of making fun of someone for asking a question to try to learn?
Maybe this is the first time their bot score was low enough to get through with just a tick.
I've been told that it's analyzing your behavior from right before you click the button
The newest models already know whether you're a bot or not before the checkbox loads. A massive majority of the internet goes through Cloudflare so by the time you land on a site you already have what Cloudflare dubs a Bot Score based on your behavior across the web.
Checking the box really just confirms what they already know. There's a second form which I'm sure is even more prevalent than the checkbox that renders nothing, requires no user action, but can prevent form submission if you fail the check.
Clicking the button doesn't proof that you are a human. All the checks happen way before you even click the button (or sometimes even before visiting the website). Google also offers a similar button for their users and since cloudflare is also used on almost any website, they have a lot of data about you. They check your cookies, browser agent, device, settings, your IP address, if you use a VPN or proxy, etc. If you visited other cloudflare websites in the past with the same device or IP, and so on. So they know you and your device way before you even click the button. This is also the reason why you sometimes see a robot arm (made of Lego) clicking the button, and is still recognized as human. But as soon as you use a different IP address or a VPN (or even use a shared IP address, like in your company's network) you have to solve CAPTCHAs. Of course they also check mouse movement, but this is only one part of many checks.
Beats me. I have a script that clicks all those boxes for me.
Yo based
I'm pretty sure I'm a robot since they often force me to select the motorcycle from a picture that is just one motor cycle. If I select every part of it I fail every time. Same thing with street lights and fire plugs.
I often wonder if that's a fail or just some tech sitting in a room saying "Now do THIS!" and pressing refresh over and over.
That's it
"this is not CAPTCHA! It's just clicking, with style"
I don't know for certain, but I think it is simply looking at what you do with your mouse. If the movement is erratic, imprecise, and delayed it goes 'yeah, that is either a cat that got lucky which is close enough or a human'. The reason I think this is that I've failed same site's checks if my mouse just happens to be hovering over the checkbox when the prompt appears. Retry, move the mouse, success.
01100011 01101100 01101111 01110101 01100100 01100110 01101100 01100001 01110010 01100101 00100000 01110000 01110101 01110100 01110011 00100000 01101101 01100101 00100000 01101001 01101110 00100000 01100001 01101110 00100000 01101001 01101110 01100110 01101001 01101110 01101001 01110100 01100101 00100000 01101100 01101111 01101111 01110000 00100000 01110011 01101111 01101101 01100101 01110100 01101001 01101101 01100101 01110011
Pretty much every time for me. I just close the page when this thing happens. It's not worth the headache.
Apart from the mouse thing (which I'm skeptical about), cloudflare also correlates your traffic with other sites hosted on cloudflare. Bots typically don't visit many sites, click around there, find another one, etc, whereas humans will have visited other sites, will be slower at clicking the button, will have left comments on some sites.
A side to this is that certain techniques will be deliberately obfuscated or simply omitted as a security measure in the hopes of slowing a bad actor’s eventual bypassing of the measure. It’s an arms race and if the intruder doesn’t know what all the locks even are, it takes longer to break or pick them.
It's actually detecting you using emotion and aging. That's the real test...
Listening to me talk about that birding hat I want to buy, checking thru Amazon to see if it's on my wishlist.
some of them are also less bot detection and more spam limiting and mitigation. cloudflare's has more stuff built in I'm sure, but things like mCapcha are just proof of work, so if you're trying to make a bunch of accounts or whatever, it's really computationally expensive.
This all humans will be good for in the future, until they atrophy and become a mere appendage of machinegod.
I saw the movie. Unhappy ending.
Which movie is that ? While waiting your reply I asked chatgpt
Please write movie script where humans continue to evolve in an environment where their reproduction and evolution is mediated entirely by the solvibg of captchas. They have become one with machinegod, just a vestigial appendage so scratch an itch that the machine cannot satisfy any other way.
https://chatgpt.com/share/fae8c7fc-df78-462e-9922-9d976a182bd8
those will fail anyway on a few sites I've gone to. No idea why and sometimes months later it will work for a random interval of time.