The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I’m human?
That’s hardly the Turing Test I’d expected.
It tests whether your mouse movement looks human–we’re really bad at things like moving in straight lines, so it’s pretty evident from a mouse movement log whether you’re a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It’s not perfect, but it’s complicated enough to defeat to provide fine protection against cheap spam.
Interesting that my mouse movement is available to anyone who wants it.
It seems like a small step from that to accessing my keyboard.
Your mouse movement and keyboard events are available to webpages that you’ve loaded, when the browser window is focused.
This isn’t nefarious - it allows websites to build nice UIs that most people enjoy using, most of the time.
There’s lots of shady stuff going on in browsers, this isn’t really one of them.
Hmm, I can think of some ways to misuse this. And I’m not very smart at all.
They can only access it while you’re focused on their webpage. CORS is all about that.
If you click off to another web page and enter information or type of password into a secondary app they can’t gather that. As soon as they lose focus they lose the ability to capture your data.
Nbd, but it sounds like you’re talking about encapsulation of event capture (viewport stops receiving events after losing focus).
CORS is a protocol for client-side enforcement of a server-side security policy. It ensures that a resource request (e.g. “my-totally-safe-resource.wasm”) only loads from a location your server permits (e.g. “my-valid-origin.biz”, “friends-valid-origin.org”, etc).
Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.
Yeah, never thought about this before, but how do blind users deal with captchas?
Some provide screen-reader instructions, but most places barely remember blind people exist. It’s another example of people with disabilities being ignored and marginalised.
And then even if they do remember blind people exist, they probably forget there are people who aren’t blind who can’t do their tests for other reasons, like dyslexia or dexterity impairments.
And then you have hCaptcha who makes disabled people to sign up to their database to use their cookie.
Nah that’s different as well. What they are filtering out is
- a mouse teleporting to the exact center of the checkbox
- a mouse smoothly gliding in a straight line to the center if the checkbook
- a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise
Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.
No OP was right. If the reCaptcha is on the same page as a login, and I use my password manager to fill the fields, I fail the reCaptcha almost every time. I have to manually paste in the user name and password separately to slow things down to act more human…
I’ve learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.
Could also be browser settings. I often get infinite captcha’d on private Firefox tabs
This is really interesting… Can you elaborate? I’ve never one had a follow up to the check mark.
I use a high dpi mouse, what do you use?
Spoiler: I think resolution matters here. The top comment is wrong, if anyone cares enough to take notice…
Cheapest Logitech mouse I could find in the supermarket about 6-7 years ago.
As others have said, it might be more to do with my browser choice, browser settings and extensions. That said I remember when I first started seeing these years ago that sometimes it’d think I was a robot and sometimes it wouldn’t and maybe it was a placebo effect, but I felt fairly confident then that me jiggling the mouse really helped. Now it doesn’t matter what I do. My natural movement, a deliberately wonky but still single and continuous movement or a totally artificial mouse wiggle after the clock, I’ll always have to do captchas.
Couldn’t I just record my mouse movements clicking on it a couple dozen times and randomly replay one of those recordings?
My question is how is it not trivial to add a noise wave or some shit to the bot path? Obviously, I have zero technical knowledge of how bots, pathing, or anti-bot analysis works
It uses other signals too, like what other sites you’ve visited with that checkbox on it, what CloudFlare has seen your IP address doing in the past, etc.
The google one is able to see if you’re logged into a google account and take that into account.
There’s even a new variant of the Google captcha that is invisible and doesn’t even bother to show a checkbox.
I don’t know for certain, but I think it is simply looking at what you do with your mouse. If the movement is erratic, imprecise, and delayed it goes ‘yeah, that is either a cat that got lucky which is close enough or a human’. The reason I think this is that I’ve failed same site’s checks if my mouse just happens to be hovering over the checkbox when the prompt appears. Retry, move the mouse, success.
Clicking a check box might not be the definite quality that makes you a human, but pondering on the meaning of things and questioning your humanity with a curious introspective state of mind - THAT what makes you a human! I’m proud of you, fellow human!
Apart from the mouse thing (which I’m skeptical about), cloudflare also correlates your traffic with other sites hosted on cloudflare. Bots typically don’t visit many sites, click around there, find another one, etc, whereas humans will have visited other sites, will be slower at clicking the button, will have left comments on some sites.
Clicking the button doesn’t proof that you are a human. All the checks happen way before you even click the button (or sometimes even before visiting the website). Google also offers a similar button for their users and since cloudflare is also used on almost any website, they have a lot of data about you. They check your cookies, browser agent, device, settings, your IP address, if you use a VPN or proxy, etc. If you visited other cloudflare websites in the past with the same device or IP, and so on. So they know you and your device way before you even click the button. This is also the reason why you sometimes see a robot arm (made of Lego) clicking the button, and is still recognized as human. But as soon as you use a different IP address or a VPN (or even use a shared IP address, like in your company’s network) you have to solve CAPTCHAs. Of course they also check mouse movement, but this is only one part of many checks.
