this post was submitted on 24 Aug 2024
387 points (97.1% liked)

Asklemmy

43970 readers
662 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I'm human?

That's hardly the Turing Test I'd expected.

top 50 comments
sorted by: hot top controversial new old
[–] platypode 192 points 3 months ago (25 children)

It tests whether your mouse movement looks human--we're really bad at things like moving in straight lines, so it's pretty evident from a mouse movement log whether you're a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It's not perfect, but it's complicated enough to defeat to provide fine protection against cheap spam.

[–] [email protected] 48 points 3 months ago (3 children)

Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.

[–] [email protected] 46 points 3 months ago

If it's in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.

[–] [email protected] 33 points 3 months ago (4 children)

Nah that's different as well. What they are filtering out is

  • a mouse teleporting to the exact center of the checkbox
  • a mouse smoothly gliding in a straight line to the center if the checkbook
  • a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise

Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.

load more comments (4 replies)
[–] savedbythezsh 14 points 3 months ago (3 children)

Yeah, never thought about this before, but how do blind users deal with captchas?

[–] [email protected] 29 points 3 months ago

There are audio captchas.

load more comments (2 replies)
[–] [email protected] 18 points 3 months ago (3 children)

I've learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.

[–] [email protected] 25 points 3 months ago (1 children)

Could also be browser settings. I often get infinite captcha'd on private Firefox tabs

load more comments (1 replies)
load more comments (2 replies)
[–] [email protected] 14 points 3 months ago (2 children)

What if you're on a phone or tablet?

load more comments (2 replies)
load more comments (22 replies)
[–] [email protected] 64 points 3 months ago (5 children)

Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it's less about clicking the box and what happens after you've clicked the box.

[–] [email protected] 62 points 3 months ago

This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google's captcha which frequently doesn't recognize me as a human but is easily bypassed by bots.

load more comments (4 replies)
[–] [email protected] 59 points 3 months ago (2 children)

https://blog.cloudflare.com/turnstile-private-captcha-alternative/

TL:DR cloudflare made a new recaptcha which does some complex math and other stuff on your browser, which done once has no noticable effect but if someone were to scrape websites at an absurd speed it slows everything down significantly.

this is not only cool because you don't have to manually solve the captcha, but also because it allows for low-speed scraping to be feasible, with tools like flaresolverr

[–] [email protected] 25 points 3 months ago (1 children)

That's actually kinda cool. Punish the scrapers, but allow regular people to not waste time.

Meanwhile, Google is having you find the zebra crossing for the 400th time....

[–] [email protected] 29 points 3 months ago

*training their ai using humans

[–] [email protected] 11 points 3 months ago (2 children)

Thanks for being the only person in this thread who doesn't joke or talk out of their ass order-of-lenin

Quite interesting really and a genius solution (it they don't lie about not stealing your data)

load more comments (2 replies)
[–] [email protected] 44 points 3 months ago (3 children)

These type of β€œcaptchas” look at your browsing behavior. It is sort of a β€œtrade secret” of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.

load more comments (3 replies)
[–] [email protected] 43 points 3 months ago (2 children)

Theres a few answrs to this

  1. It uses your movements before this to determine whether it feels like your a bot or not
  2. It makes you wait, the biggest issue with bots is they may try to log in say 50 different passwords for example, so if it takes 5 seconds to do each one it makes boting multiple acounts not worth it.
  3. Google uses catchphas with images to choose. They use this to train their own AI or data to sell
load more comments (2 replies)
[–] [email protected] 34 points 3 months ago (12 children)

I always fail Cloudflare captchas because I'm clicking it with Vimium-C lol. I hate captchas for making me reach for my mouse. It also seems like a genuine accessibility issue if people who cannot use a mouse can't pass a captcha.

I've found that Google's reCAPTCHA has also started rejecting me no matter what I do. I think it might be because my IP address is a VPN, but that's pretty stupid; if I can pass the test by clicking the squares why not let me in?

load more comments (12 replies)
[–] [email protected] 33 points 3 months ago (1 children)

Clicking a check box might not be the definite quality that makes you a human, but pondering on the meaning of things and questioning your humanity with a curious introspective state of mind - THAT what makes you a human! I'm proud of you, fellow human!

load more comments (1 replies)
[–] [email protected] 29 points 3 months ago (1 children)

Cloudflare has a bot score. Depending on how sus your bot score is you can use several different levels of verification. The checkbox you refer to is kind of in the middle. There is also a more complicated intrusive captcha and a totally transparent javascript. It’s a pretty slick system.

[–] [email protected] 11 points 3 months ago* (last edited 3 months ago) (1 children)

I like that when I'm on tor browser with VPN behind it they're like "Yeah, cool, go on through"

[–] [email protected] 13 points 3 months ago (9 children)

Don't mix tor plus VPN.

If you're using tor browser without tor for some reason, carry on.

load more comments (9 replies)
[–] [email protected] 28 points 3 months ago (3 children)

it also sees your mouse movements on your way to that box.

load more comments (3 replies)
[–] [email protected] 26 points 3 months ago (2 children)

Humans have mouse movement that, on August 8, 2024, are very hard to reproduce. But just like regular captchas we are just teaching computers to do the same thing.

[–] [email protected] 14 points 3 months ago (1 children)

Whoa what happened on the 9th?

[–] [email protected] 19 points 3 months ago

Recaptcha gained sentience

load more comments (1 replies)
[–] [email protected] 25 points 3 months ago

Others mention the mouse motion, and monitoring your other traffic to similar sites. When it shows the checkbox, it has already determined you are probably human. If you had suspicious activity, they will give you more advanced tests instead of just a checkbox.

[–] [email protected] 24 points 3 months ago (4 children)

Cloudflare knows almost everything done from your IP address because they're used by the majority of websites. And some websites are using a cloudflare signed TLS certificate so if cloudflare wants, can see the content of the communication instead of an encrypted package

So they know if you have a human behavior (visiting many different websites at human speed and having rests during sleeping time) or if you have a bot behavior (sending millions of requests to the same endpoint at superhuman speeds)

load more comments (4 replies)
[–] Lucidlethargy 23 points 3 months ago (4 children)

I'm sorry, but "now"? This has been a thing for at least half a decade. Are you Encino Man? Did you just wake up?

[–] [email protected] 10 points 3 months ago* (last edited 3 months ago)

I have not been in a coma but....

I could possibly be the least aware person you've ever had a conversation with, digital or otherwise.

I used to have "weekends" that rotated to different two-day sets every year. One year I got Wednesday and Thursday. I told my wife, "It's not so bad. At least Thanksgiving falls on a Thursday this year. I checked." She looked at me and said, "Thanksgiving is on a Thursday every year." I was over thirty. Had no idea.

She's a very patient woman.

load more comments (3 replies)
[–] [email protected] 22 points 3 months ago (1 children)

I've been told that it's analyzing your behavior from right before you click the button

[–] [email protected] 22 points 3 months ago

The newest models already know whether you're a bot or not before the checkbox loads. A massive majority of the internet goes through Cloudflare so by the time you land on a site you already have what Cloudflare dubs a Bot Score based on your behavior across the web.

Checking the box really just confirms what they already know. There's a second form which I'm sure is even more prevalent than the checkbox that renders nothing, requires no user action, but can prevent form submission if you fail the check.

[–] [email protected] 20 points 3 months ago (2 children)

The timing of the click captcha loading is randomized and it probably is looking for human-ish cursor movement? (Like you're probably moving your hand in imperceptibly small ways that are difficult to replicate). Clicking before it loads and doing it repeatedly probably triggers detection.

[–] [email protected] 20 points 3 months ago

I used to think it was timing based, but now leaning on the idea that it just performs more fingerprinting in the background: user agent per ip pool, canvas or puppeteer checks.

[–] [email protected] 14 points 3 months ago (1 children)

This is correct. Those captchas are tracking everything they can and comparing it to other results to try and figure this out. Mouse movement, delay before you click, everything.

load more comments (1 replies)
[–] [email protected] 18 points 3 months ago

Clicking the button doesn't proof that you are a human. All the checks happen way before you even click the button (or sometimes even before visiting the website). Google also offers a similar button for their users and since cloudflare is also used on almost any website, they have a lot of data about you. They check your cookies, browser agent, device, settings, your IP address, if you use a VPN or proxy, etc. If you visited other cloudflare websites in the past with the same device or IP, and so on. So they know you and your device way before you even click the button. This is also the reason why you sometimes see a robot arm (made of Lego) clicking the button, and is still recognized as human. But as soon as you use a different IP address or a VPN (or even use a shared IP address, like in your company's network) you have to solve CAPTCHAs. Of course they also check mouse movement, but this is only one part of many checks.

[–] [email protected] 17 points 3 months ago (1 children)

Beats me. I have a script that clicks all those boxes for me.

load more comments (1 replies)
[–] [email protected] 15 points 3 months ago (3 children)

I'm pretty sure I'm a robot since they often force me to select the motorcycle from a picture that is just one motor cycle. If I select every part of it I fail every time. Same thing with street lights and fire plugs.

load more comments (3 replies)
[–] [email protected] 13 points 3 months ago

I don't know for certain, but I think it is simply looking at what you do with your mouse. If the movement is erratic, imprecise, and delayed it goes 'yeah, that is either a cat that got lucky which is close enough or a human'. The reason I think this is that I've failed same site's checks if my mouse just happens to be hovering over the checkbox when the prompt appears. Retry, move the mouse, success.

[–] [email protected] 12 points 3 months ago

I think it's monitoring your mouse inputs somehow to determine if you're a person

load more comments
view more: next β€Ί