It tests whether your mouse movement looks human--we're really bad at things like moving in straight lines, so it's pretty evident from a mouse movement log whether you're a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It's not perfect, but it's complicated enough to defeat to provide fine protection against cheap spam.
Asklemmy
A loosely moderated place to ask open-ended questions
Search asklemmy π
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- [email protected]: a community for finding communities
~Icon~ ~by~ ~@Double_[email protected]~
Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.
If it's in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.
Nah that's different as well. What they are filtering out is
- a mouse teleporting to the exact center of the checkbox
- a mouse smoothly gliding in a straight line to the center if the checkbook
- a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise
Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.
Yeah, never thought about this before, but how do blind users deal with captchas?
There are audio captchas.
I've learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.
Could also be browser settings. I often get infinite captcha'd on private Firefox tabs
Yeah this is my experience as well. I don't have much technical knowledge about it, but Firefox with ublock seems to be the enemy of captcha and CloudFlare
But it also works with touchscreen taps, and randomizing tap position, duration, and delay is fairly simple.
Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it's less about clicking the box and what happens after you've clicked the box.
This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google's captcha which frequently doesn't recognize me as a human but is easily bypassed by bots.
https://blog.cloudflare.com/turnstile-private-captcha-alternative/
TL:DR cloudflare made a new recaptcha which does some complex math and other stuff on your browser, which done once has no noticable effect but if someone were to scrape websites at an absurd speed it slows everything down significantly.
this is not only cool because you don't have to manually solve the captcha, but also because it allows for low-speed scraping to be feasible, with tools like flaresolverr
That's actually kinda cool. Punish the scrapers, but allow regular people to not waste time.
Meanwhile, Google is having you find the zebra crossing for the 400th time....
*training their ai using humans
Theres a few answrs to this
- It uses your movements before this to determine whether it feels like your a bot or not
- It makes you wait, the biggest issue with bots is they may try to log in say 50 different passwords for example, so if it takes 5 seconds to do each one it makes boting multiple acounts not worth it.
- Google uses catchphas with images to choose. They use this to train their own AI or data to sell
These type of βcaptchasβ look at your browsing behavior. It is sort of a βtrade secretβ of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.
I always fail Cloudflare captchas because I'm clicking it with Vimium-C lol. I hate captchas for making me reach for my mouse. It also seems like a genuine accessibility issue if people who cannot use a mouse can't pass a captcha.
I've found that Google's reCAPTCHA has also started rejecting me no matter what I do. I think it might be because my IP address is a VPN, but that's pretty stupid; if I can pass the test by clicking the squares why not let me in?
Clicking a check box might not be the definite quality that makes you a human, but pondering on the meaning of things and questioning your humanity with a curious introspective state of mind - THAT what makes you a human! I'm proud of you, fellow human!
Cloudflare has a bot score. Depending on how sus your bot score is you can use several different levels of verification. The checkbox you refer to is kind of in the middle. There is also a more complicated intrusive captcha and a totally transparent javascript. Itβs a pretty slick system.
I like that when I'm on tor browser with VPN behind it they're like "Yeah, cool, go on through"
Don't mix tor plus VPN.
If you're using tor browser without tor for some reason, carry on.
So, turn off my VPN that's always running before I use the tor browser?
There are two ways to layer a VPN and tor:
- Tor over VPN; or
- VPN over Tor.
In the first option, you gain little. Tor already encrypts your traffic, so your ISP can't see inside them. Technically, Tor over a VPN hides the fact that you're using Tor from your ISP, but Tor's snowflake does something similar if you need that.
In the second option, you're revealing your VPN account information, which could theoretically be associated back to you. Tor adds nothing over just a VPN in this case.
So really, "no value in mixing," which is distinct from "don't mix."
The latter implies a security risk could be created.
Others mention the mouse motion, and monitoring your other traffic to similar sites. When it shows the checkbox, it has already determined you are probably human. If you had suspicious activity, they will give you more advanced tests instead of just a checkbox.
Humans have mouse movement that, on August 8, 2024, are very hard to reproduce. But just like regular captchas we are just teaching computers to do the same thing.
Whoa what happened on the 9th?
Recaptcha gained sentience
Cloudflare knows almost everything done from your IP address because they're used by the majority of websites. And some websites are using a cloudflare signed TLS certificate so if cloudflare wants, can see the content of the communication instead of an encrypted package
So they know if you have a human behavior (visiting many different websites at human speed and having rests during sleeping time) or if you have a bot behavior (sending millions of requests to the same endpoint at superhuman speeds)
I'm sorry, but "now"? This has been a thing for at least half a decade. Are you Encino Man? Did you just wake up?
I have not been in a coma but....
I could possibly be the least aware person you've ever had a conversation with, digital or otherwise.
I used to have "weekends" that rotated to different two-day sets every year. One year I got Wednesday and Thursday. I told my wife, "It's not so bad. At least Thanksgiving falls on a Thursday this year. I checked." She looked at me and said, "Thanksgiving is on a Thursday every year." I was over thirty. Had no idea.
She's a very patient woman.
I've been told that it's analyzing your behavior from right before you click the button
The newest models already know whether you're a bot or not before the checkbox loads. A massive majority of the internet goes through Cloudflare so by the time you land on a site you already have what Cloudflare dubs a Bot Score based on your behavior across the web.
Checking the box really just confirms what they already know. There's a second form which I'm sure is even more prevalent than the checkbox that renders nothing, requires no user action, but can prevent form submission if you fail the check.
Clicking the button doesn't proof that you are a human. All the checks happen way before you even click the button (or sometimes even before visiting the website). Google also offers a similar button for their users and since cloudflare is also used on almost any website, they have a lot of data about you. They check your cookies, browser agent, device, settings, your IP address, if you use a VPN or proxy, etc. If you visited other cloudflare websites in the past with the same device or IP, and so on. So they know you and your device way before you even click the button. This is also the reason why you sometimes see a robot arm (made of Lego) clicking the button, and is still recognized as human. But as soon as you use a different IP address or a VPN (or even use a shared IP address, like in your company's network) you have to solve CAPTCHAs. Of course they also check mouse movement, but this is only one part of many checks.
I don't know for certain, but I think it is simply looking at what you do with your mouse. If the movement is erratic, imprecise, and delayed it goes 'yeah, that is either a cat that got lucky which is close enough or a human'. The reason I think this is that I've failed same site's checks if my mouse just happens to be hovering over the checkbox when the prompt appears. Retry, move the mouse, success.
I'm pretty sure I'm a robot since they often force me to select the motorcycle from a picture that is just one motor cycle. If I select every part of it I fail every time. Same thing with street lights and fire plugs.
Basically bots would automatically click on it, teleporting the cursor to the very center of the button. They will do this within exact milliseconds of the page loading.
Humans read something on the site, then find the banner, and move the cursor over to it, confirm that the cursor is somewhere on the button, and then click it.
It's not just the button, it's the before the button that determines you're a bot or not.
01100011 01101100 01101111 01110101 01100100 01100110 01101100 01100001 01110010 01100101 00100000 01110000 01110101 01110100 01110011 00100000 01101101 01100101 00100000 01101001 01101110 00100000 01100001 01101110 00100000 01101001 01101110 01100110 01101001 01101110 01101001 01110100 01100101 00100000 01101100 01101111 01101111 01110000 00100000 01110011 01101111 01101101 01100101 01110100 01101001 01101101 01100101 01110011