The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I’m human?
That’s hardly the Turing Test I’d expected.
Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it’s less about clicking the box and what happens after you’ve clicked the box.
This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google’s captcha which frequently doesn’t recognize me as a human but is easily bypassed by bots.
I believe it’s less about clicking the box and what happens after you’ve clicked the box.
I think it’s before, not after.
I kinda think your browser makes sure you at least click before websites are allowed tracking things like your cursor.
I think the clicking is rather the part where you agree to allow your history to be checked, essentially.
Sorry for linking Reddit, but… https://www.reddit.com/r/askscience/s/Ws3Mr45qFV
Here, I got you: https://redlib.northboot.xyz/r/askscience/s/Ws3Mr45qFV
Interesting that it works so well for Tor Browser, given that there’s not much information to collect. Just the proof of work might be enough there.
Cloudflare knows almost everything done from your IP address because they’re used by the majority of websites. And some websites are using a cloudflare signed TLS certificate so if cloudflare wants, can see the content of the communication instead of an encrypted package
So they know if you have a human behavior (visiting many different websites at human speed and having rests during sleeping time) or if you have a bot behavior (sending millions of requests to the same endpoint at superhuman speeds)
I’d argue that the certificate authority does not have the ability to decrypt your communication because of the nature of private and public key mechanism during the whole TLS certificate procedure. You do not send your web servers private key to cloudflare when requesting a certificate.
That would actually be pretty wild…
Other then that you’re probably right.
There’s a default setting that allows unencrypted communication between the server and cloudflare. So they receive unencrypted data, sign with their certificate. Or send with self signed certificate, they decrypt and reencrypt. Or for some reason can download and import on the server their own internal use certificate.
You’re right, forgot that you can just not encrypt on your servers end and use cloudflare to do that for you, especially when used as CDN
thx, TIL
These type of “captchas” look at your browsing behavior. It is sort of a “trade secret” of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.
Yes, and it gives you (or the bot), a score.
If you don’t meet the score, is highly likely that you are a bot.
You can have a superficial an yet interesting read on the topic on the Google re-captch dev docs.
Is it bad that I’ve failed the score multiple times?
It is likely you are a bot, and then you get one it these regular captchas and the that will increase your score if you succeed.*
This all humans will be good for in the future, until they atrophy and become a mere appendage of machinegod.
I saw the movie. Unhappy ending.
Which movie is that ? While waiting your reply I asked chatgpt
Please write movie script where humans continue to evolve in an environment where their reproduction and evolution is mediated entirely by the solvibg of captchas. They have become one with machinegod, just a vestigial appendage so scratch an itch that the machine cannot satisfy any other way.
https://chatgpt.com/share/fae8c7fc-df78-462e-9922-9d976a182bd8
it also sees your mouse movements on your way to that box.
But I use my phone.
Then it smells you from the microphone on your phone
Damn, I thought I was being stealthy by farting silently like an assassin…
Cloudflare has a bot score. Depending on how sus your bot score is you can use several different levels of verification. The checkbox you refer to is kind of in the middle. There is also a more complicated intrusive captcha and a totally transparent javascript. It’s a pretty slick system.
I like that when I’m on tor browser with VPN behind it they’re like “Yeah, cool, go on through”
Don’t mix tor plus VPN.
If you’re using tor browser without tor for some reason, carry on.
VPN behind it. So tor is under the VPN.
So, turn off my VPN that’s always running before I use the tor browser?
There are two ways to layer a VPN and tor:
- Tor over VPN; or
- VPN over Tor.
In the first option, you gain little. Tor already encrypts your traffic, so your ISP can’t see inside them. Technically, Tor over a VPN hides the fact that you’re using Tor from your ISP, but Tor’s snowflake does something similar if you need that.
In the second option, you’re revealing your VPN account information, which could theoretically be associated back to you. Tor adds nothing over just a VPN in this case.
So really, “no value in mixing,” which is distinct from “don’t mix.”
The latter implies a security risk could be created.
The risk of mis-ordering your layers is a security issue.
If you’re using tour vpn at the system or network level, and tor at the browser level, is there a risk of mis-ordering?
A security risk is created, you’re creating a permanent guard node by using your VPN with TOR. A lot of people downplay how serious this can be against a dedicated attacker. Sure, it may not matter for most, but for those with the right threat model, it will.
So VPN first then Tor is ill advised for this, or only the reverse? What is the potential attack in running Tor while on VPN?
Why?
I think it’s monitoring your mouse inputs somehow to determine if you’re a person
deleted by creator
https://blog.cloudflare.com/turnstile-private-captcha-alternative/
TL:DR cloudflare made a new recaptcha which does some complex math and other stuff on your browser, which done once has no noticable effect but if someone were to scrape websites at an absurd speed it slows everything down significantly.
this is not only cool because you don’t have to manually solve the captcha, but also because it allows for low-speed scraping to be feasible, with tools like flaresolverr
Oh, so it’s Hashcash; cool to see that idea getting real use.
That’s actually kinda cool. Punish the scrapers, but allow regular people to not waste time.
Meanwhile, Google is having you find the zebra crossing for the 400th time…
*training their ai using humans
Thanks for being the only person in this thread who doesn’t joke or talk out of their ass
Quite interesting really and a genius solution (it they don’t lie about not stealing your data)
Didn’t the Soviets see geniuses and other intellectuals as a danger to society during the time this award was given out? Or are there incidents where this was given to scientists as well? I know you’re probably joking, but when I suddenly encounter Lenin’s head being used in a positive manner I have to look twice.
Didn’t the Soviets see geniuses and other intellectuals as a danger to society
Beats me. I have a script that clicks all those boxes for me.
Yo based
I’m sorry, but “now”? This has been a thing for at least half a decade. Are you Encino Man? Did you just wake up?
I have not been in a coma but…
I could possibly be the least aware person you’ve ever had a conversation with, digital or otherwise.
I used to have “weekends” that rotated to different two-day sets every year. One year I got Wednesday and Thursday. I told my wife, “It’s not so bad. At least Thanksgiving falls on a Thursday this year. I checked.” She looked at me and said, “Thanksgiving is on a Thursday every year.” I was over thirty. Had no idea.
She’s a very patient woman.
Maybe this is the first time their bot score was low enough to get through with just a tick.
If you don’t know you don’t need to reply.
What’s the purpose of making fun of someone for asking a question to try to learn?
Ha! They must have missed the billboards, front page newspaper articles, TV reports, and public service annou- oh wait.
Theres a few answrs to this
- It uses your movements before this to determine whether it feels like your a bot or not
- It makes you wait, the biggest issue with bots is they may try to log in say 50 different passwords for example, so if it takes 5 seconds to do each one it makes boting multiple acounts not worth it.
- Google uses catchphas with images to choose. They use this to train their own AI or data to sell
Smarter bots know how to easily avoid being detected based on the speed of their requests by simply adding a random delay to them. A few years ago we discovered a very slow speed credential stuffing attack (testing usernames & passwords) against my employers site. It was only testing one set of credentials every couple of minutes.
Once we discovered it we didn’t block it though. We were able to spot the attack fairly easily once we knew what to look for, so we updated our system to always return a login failure no matter what credentials they sent.
To elaborate on point 1, it’s about uniqueness and timing of the path the mouse takes to click the checkbox. If it’s too straight or consistent it will red flag you.
I’m pretty sure I’m a robot since they often force me to select the motorcycle from a picture that is just one motor cycle. If I select every part of it I fail every time. Same thing with street lights and fire plugs.
I often wonder if that’s a fail or just some tech sitting in a room saying “Now do THIS!” and pressing refresh over and over.
That’s it
“this is not CAPTCHA! It’s just clicking, with style”
deleted by creator
I’ve been told that it’s analyzing your behavior from right before you click the button
The newest models already know whether you’re a bot or not before the checkbox loads. A massive majority of the internet goes through Cloudflare so by the time you land on a site you already have what Cloudflare dubs a Bot Score based on your behavior across the web.
Checking the box really just confirms what they already know. There’s a second form which I’m sure is even more prevalent than the checkbox that renders nothing, requires no user action, but can prevent form submission if you fail the check.
