The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I’m human?
That’s hardly the Turing Test I’d expected.
Others mention the mouse motion, and monitoring your other traffic to similar sites. When it shows the checkbox, it has already determined you are probably human. If you had suspicious activity, they will give you more advanced tests instead of just a checkbox.
Cloudflare knows almost everything done from your IP address because they’re used by the majority of websites. And some websites are using a cloudflare signed TLS certificate so if cloudflare wants, can see the content of the communication instead of an encrypted package
So they know if you have a human behavior (visiting many different websites at human speed and having rests during sleeping time) or if you have a bot behavior (sending millions of requests to the same endpoint at superhuman speeds)
thx, TIL
I’d argue that the certificate authority does not have the ability to decrypt your communication because of the nature of private and public key mechanism during the whole TLS certificate procedure. You do not send your web servers private key to cloudflare when requesting a certificate.
That would actually be pretty wild…
Other then that you’re probably right.
There’s a default setting that allows unencrypted communication between the server and cloudflare. So they receive unencrypted data, sign with their certificate. Or send with self signed certificate, they decrypt and reencrypt. Or for some reason can download and import on the server their own internal use certificate.
You’re right, forgot that you can just not encrypt on your servers end and use cloudflare to do that for you, especially when used as CDN
Basically bots would automatically click on it, teleporting the cursor to the very center of the button. They will do this within exact milliseconds of the page loading.
Humans read something on the site, then find the banner, and move the cursor over to it, confirm that the cursor is somewhere on the button, and then click it.
It’s not just the button, it’s the before the button that determines you’re a bot or not.
01100011 01101100 01101111 01110101 01100100 01100110 01101100 01100001 01110010 01100101 00100000 01110000 01110101 01110100 01110011 00100000 01101101 01100101 00100000 01101001 01101110 00100000 01100001 01101110 00100000 01101001 01101110 01100110 01101001 01101110 01101001 01110100 01100101 00100000 01101100 01101111 01101111 01110000 00100000 01110011 01101111 01101101 01100101 01110100 01101001 01101101 01100101 01110011
Pretty much every time for me. I just close the page when this thing happens. It’s not worth the headache.
I guess Bots started figuring out the previous puzzles.
They’re literally using captchas to train AI, that’s why you have to identify 50 ffucking bicycles and fire hydrants sometimes. I’m pissed off at all the fucking free work I’ve had to do just to log in to shit
Does this box with a sliver of bicycle handlebar count as containing a bicycle?
These type of “captchas” look at your browsing behavior. It is sort of a “trade secret” of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.
Yes, and it gives you (or the bot), a score.
If you don’t meet the score, is highly likely that you are a bot.
You can have a superficial an yet interesting read on the topic on the Google re-captch dev docs.
It is likely you are a bot, and then you get one it these regular captchas and the that will increase your score if you succeed.*
I’m pretty sure I’m a robot since they often force me to select the motorcycle from a picture that is just one motor cycle. If I select every part of it I fail every time. Same thing with street lights and fire plugs.
I often wonder if that’s a fail or just some tech sitting in a room saying “Now do THIS!” and pressing refresh over and over.
some of them are also less bot detection and more spam limiting and mitigation. cloudflare’s has more stuff built in I’m sure, but things like mCapcha are just proof of work, so if you’re trying to make a bunch of accounts or whatever, it’s really computationally expensive.
Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it’s less about clicking the box and what happens after you’ve clicked the box.
This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google’s captcha which frequently doesn’t recognize me as a human but is easily bypassed by bots.
I believe it’s less about clicking the box and what happens after you’ve clicked the box.
I think it’s before, not after.
I kinda think your browser makes sure you at least click before websites are allowed tracking things like your cursor.
I think the clicking is rather the part where you agree to allow your history to be checked, essentially.
Sorry for linking Reddit, but… https://www.reddit.com/r/askscience/s/Ws3Mr45qFV
Here, I got you: https://redlib.northboot.xyz/r/askscience/s/Ws3Mr45qFV
Interesting that it works so well for Tor Browser, given that there’s not much information to collect. Just the proof of work might be enough there.
It’s actually detecting you using emotion and aging. That’s the real test…
If I was walking in a desert and saw a tortoise on its back, struggling to get up, and I was not helping it
Listening to me talk about that birding hat I want to buy, checking thru Amazon to see if it’s on my wishlist.
Beats me. I have a script that clicks all those boxes for me.
Yo based
it also sees your mouse movements on your way to that box.
But I use my phone.
Then it smells you from the microphone on your phone
Damn, I thought I was being stealthy by farting silently like an assassin…
I’m sorry, but “now”? This has been a thing for at least half a decade. Are you Encino Man? Did you just wake up?
If you don’t know you don’t need to reply.
What’s the purpose of making fun of someone for asking a question to try to learn?
Ha! They must have missed the billboards, front page newspaper articles, TV reports, and public service annou- oh wait.
Maybe this is the first time their bot score was low enough to get through with just a tick.
I have not been in a coma but…
I could possibly be the least aware person you’ve ever had a conversation with, digital or otherwise.
I used to have “weekends” that rotated to different two-day sets every year. One year I got Wednesday and Thursday. I told my wife, “It’s not so bad. At least Thanksgiving falls on a Thursday this year. I checked.” She looked at me and said, “Thanksgiving is on a Thursday every year.” I was over thirty. Had no idea.
She’s a very patient woman.
The timing of the click captcha loading is randomized and it probably is looking for human-ish cursor movement? (Like you’re probably moving your hand in imperceptibly small ways that are difficult to replicate). Clicking before it loads and doing it repeatedly probably triggers detection.
This is correct. Those captchas are tracking everything they can and comparing it to other results to try and figure this out. Mouse movement, delay before you click, everything.
I used to think it was timing based, but now leaning on the idea that it just performs more fingerprinting in the background: user agent per ip pool, canvas or puppeteer checks.
I think it’s monitoring your mouse inputs somehow to determine if you’re a person
