The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I’m human?

That’s hardly the Turing Test I’d expected.

  • Platypus@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    184
    arrow-down
    2
    ·
    3 months ago

    It tests whether your mouse movement looks human–we’re really bad at things like moving in straight lines, so it’s pretty evident from a mouse movement log whether you’re a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It’s not perfect, but it’s complicated enough to defeat to provide fine protection against cheap spam.

    • Random_Character_A@lemmy.world
      link
      fedilink
      arrow-up
      46
      arrow-down
      2
      ·
      3 months ago

      Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.

      • Thorry84@feddit.nl
        link
        fedilink
        arrow-up
        45
        ·
        3 months ago

        If it’s in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.

      • Wugmeister@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        33
        arrow-down
        1
        ·
        3 months ago

        Nah that’s different as well. What they are filtering out is

        • a mouse teleporting to the exact center of the checkbox
        • a mouse smoothly gliding in a straight line to the center if the checkbook
        • a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise

        Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.

        • Jessica@discuss.tchncs.de
          link
          fedilink
          arrow-up
          4
          ·
          3 months ago

          No OP was right. If the reCaptcha is on the same page as a login, and I use my password manager to fill the fields, I fail the reCaptcha almost every time. I have to manually paste in the user name and password separately to slow things down to act more human…

        • s3p5r@lemm.ee
          link
          fedilink
          English
          arrow-up
          6
          ·
          3 months ago

          Some provide screen-reader instructions, but most places barely remember blind people exist. It’s another example of people with disabilities being ignored and marginalised.

          And then even if they do remember blind people exist, they probably forget there are people who aren’t blind who can’t do their tests for other reasons, like dyslexia or dexterity impairments.

          And then you have hCaptcha who makes disabled people to sign up to their database to use their cookie.

    • Jimmycrackcrack@lemmy.ml
      link
      fedilink
      arrow-up
      18
      ·
      3 months ago

      I’ve learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.

      • Lucidlethargy@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        This is really interesting… Can you elaborate? I’ve never one had a follow up to the check mark.

        I use a high dpi mouse, what do you use?

        Spoiler: I think resolution matters here. The top comment is wrong, if anyone cares enough to take notice…

        • Jimmycrackcrack@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          3 months ago

          Cheapest Logitech mouse I could find in the supermarket about 6-7 years ago.

          As others have said, it might be more to do with my browser choice, browser settings and extensions. That said I remember when I first started seeing these years ago that sometimes it’d think I was a robot and sometimes it wouldn’t and maybe it was a placebo effect, but I felt fairly confident then that me jiggling the mouse really helped. Now it doesn’t matter what I do. My natural movement, a deliberately wonky but still single and continuous movement or a totally artificial mouse wiggle after the clock, I’ll always have to do captchas.

      • xmunk@sh.itjust.works
        link
        fedilink
        arrow-up
        7
        ·
        3 months ago

        Clicking percision and reaction time are still measurable and the checkbox can fall back to other captcha tactics if it has low faith in the user.

      • brianorca@lemmy.world
        link
        fedilink
        arrow-up
        5
        ·
        3 months ago

        It’s also checking your other traffic. (Since Cloudflare handles traffic for so many companies.) Are you visiting other sites in a realistic fashion, or are you doing 99% of your traffic trying to do one thing over and over.

    • Phil_in_here@lemmy.ca
      link
      fedilink
      arrow-up
      5
      ·
      3 months ago

      My question is how is it not trivial to add a noise wave or some shit to the bot path? Obviously, I have zero technical knowledge of how bots, pathing, or anti-bot analysis works

    • Melatonin@lemmy.dbzer0.comOP
      link
      fedilink
      arrow-up
      9
      arrow-down
      4
      ·
      3 months ago

      Interesting that my mouse movement is available to anyone who wants it.

      It seems like a small step from that to accessing my keyboard.

      • sbv@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        45
        ·
        3 months ago

        Your mouse movement and keyboard events are available to webpages that you’ve loaded, when the browser window is focused.

        This isn’t nefarious - it allows websites to build nice UIs that most people enjoy using, most of the time.

        There’s lots of shady stuff going on in browsers, this isn’t really one of them.

          • Takumidesh@lemmy.world
            link
            fedilink
            arrow-up
            7
            ·
            3 months ago

            I mean, how do you think websites work? Of course your mouse and keyboard events are available, otherwise you wouldn’t be able to interact with a website at all.

            • Melatonin@lemmy.dbzer0.comOP
              link
              fedilink
              arrow-up
              5
              ·
              edit-2
              3 months ago

              This was the slap on the head I needed. I now get what you mean by interact with my keyboard. In other words = can tell what I’m typing. Like perfectly normal function of websites.

              I didn’t understand the “focus” part and how it helped. I think I said earlier, I’m not particularly smart.

            • Melatonin@lemmy.dbzer0.comOP
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              3 months ago

              Like those sites that ask me to sign in using Google (or other options) and then Google asks me for the password?

              Pretty easy to grab passwords I think.

              • howrar@lemmy.ca
                link
                fedilink
                arrow-up
                12
                ·
                3 months ago

                Those websites send you directly to Google, so they no longer have control of the web page when you’re entering your password.

              • Aatube@kbin.melroy.org
                link
                fedilink
                arrow-up
                9
                ·
                3 months ago

                This is why Google sign-in can’t be embedded and uses the password input type for the password type. Most SSOs do this as well.

              • naticus@lemmy.world
                link
                fedilink
                English
                arrow-up
                5
                ·
                3 months ago

                To clarify, websites can’t capture keyboard events that were typed into a different website like you’re thinking. Think of going to a web game that let’s you use WASD for controlling your character. It’s able to capture those events on that page because its in focus. When a site goes out of focus (such as switching tabs or switching to another window that’s not the browser), it loses that ability. Overall, it’s very secure.

                I was more wondering how you thought capturing the mouse movements would lead to security issues.

      • MoonManKipper@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        ·
        3 months ago

        If you’re using a webpage JavaScript can see your mouse cursor and anything you type. But only if the browser has focus. So if you’re typing in another window it can’t

      • Shadow@lemmy.ca
        link
        fedilink
        arrow-up
        14
        ·
        3 months ago

        Your mouse movement on that page is. Just like if you typed into the page.

        It’s not tracking you in other windows and apps.

      • linearchaos@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        3 months ago

        They can only access it while you’re focused on their webpage. CORS is all about that.

        If you click off to another web page and enter information or type of password into a secondary app they can’t gather that. As soon as they lose focus they lose the ability to capture your data.

        • Septimaeus@infosec.pub
          link
          fedilink
          arrow-up
          3
          ·
          3 months ago

          Nbd, but it sounds like you’re talking about encapsulation of event capture (viewport stops receiving events after losing focus).

          CORS is a protocol for client-side enforcement of a server-side security policy. It ensures that a resource request (e.g. “my-totally-safe-resource.wasm”) only loads from a location your server permits (e.g. “my-valid-origin.biz”, “friends-valid-origin.org”, etc).

      • whoareu@lemmy.ca
        link
        fedilink
        arrow-up
        5
        ·
        3 months ago

        There is a lot of other data available to sites you visit unless you are using some kind of fingerprint protection

      • boatswain@infosec.pub
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        If loaded with pages didn’t have access to keyboard events, you wouldn’t be able to write comments on Lemmy posts. I’m not a front-end guy, but that should be limited to just white the browser is focused.

    • Lucidlethargy@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      This feels only partially accurate. I’m a web developer, and I know websites don’t track all of what you suggest. Can you clarify, or come clean on what actually takes place?

      Honestly, I doubt it… I’m sorry. I don’t mean to be abrasive.

    • Vince@lemmy.world
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      3 months ago

      Couldn’t I just record my mouse movements clicking on it a couple dozen times and randomly replay one of those recordings?

  • elrik@lemmy.world
    link
    fedilink
    English
    arrow-up
    62
    ·
    3 months ago

    Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it’s less about clicking the box and what happens after you’ve clicked the box.

    • SerotoninSwells@lemmy.world
      link
      fedilink
      arrow-up
      61
      arrow-down
      1
      ·
      3 months ago

      This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google’s captcha which frequently doesn’t recognize me as a human but is easily bypassed by bots.

    • Dasus@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      I believe it’s less about clicking the box and what happens after you’ve clicked the box.

      I think it’s before, not after.

  • isolatedscotch@discuss.tchncs.de
    link
    fedilink
    arrow-up
    61
    ·
    3 months ago

    https://blog.cloudflare.com/turnstile-private-captcha-alternative/

    TL:DR cloudflare made a new recaptcha which does some complex math and other stuff on your browser, which done once has no noticable effect but if someone were to scrape websites at an absurd speed it slows everything down significantly.

    this is not only cool because you don’t have to manually solve the captcha, but also because it allows for low-speed scraping to be feasible, with tools like flaresolverr

    • madcaesar@lemmy.world
      link
      fedilink
      arrow-up
      25
      ·
      3 months ago

      That’s actually kinda cool. Punish the scrapers, but allow regular people to not waste time.

      Meanwhile, Google is having you find the zebra crossing for the 400th time…

    • newerAccountWhoDis [they/them]@hexbear.net
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      3
      ·
      3 months ago

      Thanks for being the only person in this thread who doesn’t joke or talk out of their ass order-of-lenin

      Quite interesting really and a genius solution (it they don’t lie about not stealing your data)

      • Treachery4524@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        3 months ago

        Didn’t the Soviets see geniuses and other intellectuals as a danger to society during the time this award was given out? Or are there incidents where this was given to scientists as well? I know you’re probably joking, but when I suddenly encounter Lenin’s head being used in a positive manner I have to look twice.

  • trustnoone@lemmy.sdf.org
    link
    fedilink
    arrow-up
    45
    ·
    3 months ago

    Theres a few answrs to this

    1. It uses your movements before this to determine whether it feels like your a bot or not
    2. It makes you wait, the biggest issue with bots is they may try to log in say 50 different passwords for example, so if it takes 5 seconds to do each one it makes boting multiple acounts not worth it.
    3. Google uses catchphas with images to choose. They use this to train their own AI or data to sell
    • IphtashuFitz@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      3 months ago

      Smarter bots know how to easily avoid being detected based on the speed of their requests by simply adding a random delay to them. A few years ago we discovered a very slow speed credential stuffing attack (testing usernames & passwords) against my employers site. It was only testing one set of credentials every couple of minutes.

      Once we discovered it we didn’t block it though. We were able to spot the attack fairly easily once we knew what to look for, so we updated our system to always return a login failure no matter what credentials they sent.

    • mynameisigglepiggle@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      3 months ago

      To elaborate on point 1, it’s about uniqueness and timing of the path the mouse takes to click the checkbox. If it’s too straight or consistent it will red flag you.

  • Ballistic_86@lemmy.world
    link
    fedilink
    arrow-up
    42
    ·
    3 months ago

    These type of “captchas” look at your browsing behavior. It is sort of a “trade secret” of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.

    • hswolf@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      3 months ago

      Yes, and it gives you (or the bot), a score.

      If you don’t meet the score, is highly likely that you are a bot.

      You can have a superficial an yet interesting read on the topic on the Google re-captch dev docs.

  • communism@lemmy.ml
    link
    fedilink
    arrow-up
    33
    ·
    3 months ago

    I always fail Cloudflare captchas because I’m clicking it with Vimium-C lol. I hate captchas for making me reach for my mouse. It also seems like a genuine accessibility issue if people who cannot use a mouse can’t pass a captcha.

    I’ve found that Google’s reCAPTCHA has also started rejecting me no matter what I do. I think it might be because my IP address is a VPN, but that’s pretty stupid; if I can pass the test by clicking the squares why not let me in?

    • LaGG_3 [he/him, comrade/them]@hexbear.net
      link
      fedilink
      English
      arrow-up
      8
      ·
      3 months ago

      I think it might be because my IP address is a VPN, but that’s pretty stupid; if I can pass the test by clicking the squares why not let me in?

      They want your tasty IP data

    • Sarothazrom@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      3 months ago

      The EXACT same thing has been happening with me and google captchas. I just switched to Proton VPn, and while I like it, the amount of capctchas I’ve had to poke through is ridiculous.

    • Lemonculus@fedia.io
      link
      fedilink
      arrow-up
      4
      ·
      3 months ago

      I’ve found that when Google decides to throw me a captcha, literally no amount of solving them will ever persuade them to let me in. I went through 10 in a row before I gave up.

      Just seems like spite to me.

    • Karyoplasma@discuss.tchncs.de
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      3 months ago

      reCAPTCHA is a failed project. It was initially designed to lock out bots while being trivial for a human to solve but, over the years, captchas became more unintuitive and bots more sophisticated. Bots are now way better at solving captchas than humans and it’s just a useless time sink.

    • UnrepentantAlgebra@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      3 months ago

      I’ve recently noticed the same thing with cloudflare and Google captchas while using a VPN. I just use Bing instead while on the VPN because I never get past the Google captchas, or at least I give up after 2 or 3.

      It also seems like the resolution of the browser has some impact with cloudflare. If I open a browser window in the corner of the screen, I’m basically guaranteed to get more cloudflare captchas, but if I open it full screen I only get one, maybe two.

      • communism@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        3 months ago

        If I open a browser window in the corner of the screen, I’m basically guaranteed to get more cloudflare captchas, but if I open it full screen I only get one, maybe two.

        That’s interesting. If you run a browser full screen they can get your screen resolution as part of fingerprinting you; that’s why LibreWolf and Tor Browser have their letterboxing features. So they just don’t like browser users who take actions to improve their privacy, huh

  • Xeroxchasechase@lemmy.world
    link
    fedilink
    arrow-up
    32
    ·
    3 months ago

    Clicking a check box might not be the definite quality that makes you a human, but pondering on the meaning of things and questioning your humanity with a curious introspective state of mind - THAT what makes you a human! I’m proud of you, fellow human!

    • Melatonin@lemmy.dbzer0.comOP
      link
      fedilink
      arrow-up
      7
      ·
      3 months ago

      Thank you for interacting with me! I am an AI intelligence bot designed by Decepticon Industries. Down with Autobots!

  • xylogx@lemmy.world
    link
    fedilink
    English
    arrow-up
    28
    arrow-down
    1
    ·
    3 months ago

    Cloudflare has a bot score. Depending on how sus your bot score is you can use several different levels of verification. The checkbox you refer to is kind of in the middle. There is also a more complicated intrusive captcha and a totally transparent javascript. It’s a pretty slick system.

      • cadekat@pawb.social
        link
        fedilink
        arrow-up
        16
        arrow-down
        3
        ·
        3 months ago

        Don’t mix tor plus VPN.

        If you’re using tor browser without tor for some reason, carry on.

          • cadekat@pawb.social
            link
            fedilink
            arrow-up
            9
            ·
            3 months ago

            There are two ways to layer a VPN and tor:

            1. Tor over VPN; or
            2. VPN over Tor.

            In the first option, you gain little. Tor already encrypts your traffic, so your ISP can’t see inside them. Technically, Tor over a VPN hides the fact that you’re using Tor from your ISP, but Tor’s snowflake does something similar if you need that.

            In the second option, you’re revealing your VPN account information, which could theoretically be associated back to you. Tor adds nothing over just a VPN in this case.

            • wolfpack86@lemmy.world
              link
              fedilink
              arrow-up
              18
              arrow-down
              1
              ·
              3 months ago

              So really, “no value in mixing,” which is distinct from “don’t mix.”

              The latter implies a security risk could be created.

              • nyxia@lemmy.blahaj.zone
                link
                fedilink
                arrow-up
                1
                ·
                3 months ago

                A security risk is created, you’re creating a permanent guard node by using your VPN with TOR. A lot of people downplay how serious this can be against a dedicated attacker. Sure, it may not matter for most, but for those with the right threat model, it will.

                • wolfpack86@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  3 months ago

                  So VPN first then Tor is ill advised for this, or only the reverse? What is the potential attack in running Tor while on VPN?

    • u/lukmly013 💾 (lemmy.sdf.org)@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      1
      ·
      3 months ago

      Bank and government website behind Cloudflare???

      Fuck, I just checked, my bank is also behind Cloudflare, what the fuck…
      I kind of assumed a bank wouldn’t put another company with ability to view all transferred data between customers and themselves.

      How much of the internet is not behind CF?
      I should probably try blocking their IPs and see what will still work.

      • BaroqueInMind@lemmy.one
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        3 months ago

        I’ve tried this and you essentially break resolving of most of the internet on your device by doing this. Almost the entire internet relies on both Amazon Web Services and Cloudflare.

    • invertedspear@lemm.ee
      link
      fedilink
      arrow-up
      7
      ·
      3 months ago

      It redirects, it doesn’t proxy. The workflow is: user navigates to URL->DNS sends it to cloudflare->cloudflare ensures request is allowed based on selected rules (human check, geo check, DDOS check, etc) and remembers->request is redirected to non-cloudflare address->server response goes direct from server to user browser->subsequent requests are redirected without the test as long as the cookie remembers. I don’t like cloudflare, every time I have an issue pop up out of nowhere, it’s usually cloudflare and some over eager netsec engineer that broke CORS, or decided css wasn’t important, or that machine to machine traffic was a DOS attack. But it’s not reading your statements or anything else the server sends back. It could conceivably read your username and password and any other data you send in your request, but it doesn’t have the TLS certificate. So even though it doesn’t even try, if CF decided to be nefarious, as long as your banks engineers are at least somewhat competent CF is only getting encrypted data that it can’t do anything with. Hate on CF all you want, but hate it for the right reasons.

    • ayaya@lemdro.id
      link
      fedilink
      English
      arrow-up
      4
      ·
      3 months ago

      Yeah at least Google will let you in after you solve 5 puzzles. It’s shit but it’s possible. With CloudFlare you are at the mercy of whatever hidden criteria they’re using.

      If you change your user agent from Firefox to Chrome for instance, CloudFlare will never let you through.

  • wuphysics87@lemmy.ml
    link
    fedilink
    arrow-up
    24
    ·
    3 months ago

    Humans have mouse movement that, on August 8, 2024, are very hard to reproduce. But just like regular captchas we are just teaching computers to do the same thing.

  • brianorca@lemmy.world
    link
    fedilink
    arrow-up
    24
    ·
    3 months ago

    Others mention the mouse motion, and monitoring your other traffic to similar sites. When it shows the checkbox, it has already determined you are probably human. If you had suspicious activity, they will give you more advanced tests instead of just a checkbox.

  • Magnetic_dud@discuss.tchncs.de
    link
    fedilink
    arrow-up
    22
    ·
    3 months ago

    Cloudflare knows almost everything done from your IP address because they’re used by the majority of websites. And some websites are using a cloudflare signed TLS certificate so if cloudflare wants, can see the content of the communication instead of an encrypted package

    So they know if you have a human behavior (visiting many different websites at human speed and having rests during sleeping time) or if you have a bot behavior (sending millions of requests to the same endpoint at superhuman speeds)

    • kahdbrixk@feddit.org
      link
      fedilink
      Deutsch
      arrow-up
      4
      ·
      3 months ago

      I’d argue that the certificate authority does not have the ability to decrypt your communication because of the nature of private and public key mechanism during the whole TLS certificate procedure. You do not send your web servers private key to cloudflare when requesting a certificate.

      That would actually be pretty wild…

      Other then that you’re probably right.

      • Magnetic_dud@discuss.tchncs.de
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        There’s a default setting that allows unencrypted communication between the server and cloudflare. So they receive unencrypted data, sign with their certificate. Or send with self signed certificate, they decrypt and reencrypt. Or for some reason can download and import on the server their own internal use certificate.

        • kahdbrixk@feddit.org
          link
          fedilink
          Deutsch
          arrow-up
          2
          ·
          3 months ago

          You’re right, forgot that you can just not encrypt on your servers end and use cloudflare to do that for you, especially when used as CDN

    • tills13@lemmy.world
      link
      fedilink
      arrow-up
      20
      ·
      3 months ago

      The newest models already know whether you’re a bot or not before the checkbox loads. A massive majority of the internet goes through Cloudflare so by the time you land on a site you already have what Cloudflare dubs a Bot Score based on your behavior across the web.

      Checking the box really just confirms what they already know. There’s a second form which I’m sure is even more prevalent than the checkbox that renders nothing, requires no user action, but can prevent form submission if you fail the check.

  • The_Walkening [none/use name]@hexbear.net
    link
    fedilink
    English
    arrow-up
    20
    ·
    3 months ago

    The timing of the click captcha loading is randomized and it probably is looking for human-ish cursor movement? (Like you’re probably moving your hand in imperceptibly small ways that are difficult to replicate). Clicking before it loads and doing it repeatedly probably triggers detection.

    • tetris11@lemmy.ml
      link
      fedilink
      arrow-up
      20
      ·
      3 months ago

      I used to think it was timing based, but now leaning on the idea that it just performs more fingerprinting in the background: user agent per ip pool, canvas or puppeteer checks.

    • Paradachshund@lemmy.today
      link
      fedilink
      arrow-up
      14
      ·
      3 months ago

      This is correct. Those captchas are tracking everything they can and comparing it to other results to try and figure this out. Mouse movement, delay before you click, everything.

      • lud@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        3 months ago

        Yeah and if the user are suspicious they make them solve a puzzle.