The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I’m human?

That’s hardly the Turing Test I’d expected.

190 points

It tests whether your mouse movement looks human–we’re really bad at things like moving in straight lines, so it’s pretty evident from a mouse movement log whether you’re a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It’s not perfect, but it’s complicated enough to defeat to provide fine protection against cheap spam.

permalink
report
reply
47 points

Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.

permalink
report
parent
reply
45 points

If it’s in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.

permalink
report
parent
reply
33 points

Nah that’s different as well. What they are filtering out is

  • a mouse teleporting to the exact center of the checkbox
  • a mouse smoothly gliding in a straight line to the center if the checkbook
  • a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise

Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.

permalink
report
parent
reply
4 points

No OP was right. If the reCaptcha is on the same page as a login, and I use my password manager to fill the fields, I fail the reCaptcha almost every time. I have to manually paste in the user name and password separately to slow things down to act more human…

permalink
report
parent
reply
14 points

Yeah, never thought about this before, but how do blind users deal with captchas?

permalink
report
parent
reply
29 points

There are audio captchas.

permalink
report
parent
reply
6 points

Some provide screen-reader instructions, but most places barely remember blind people exist. It’s another example of people with disabilities being ignored and marginalised.

And then even if they do remember blind people exist, they probably forget there are people who aren’t blind who can’t do their tests for other reasons, like dyslexia or dexterity impairments.

And then you have hCaptcha who makes disabled people to sign up to their database to use their cookie.

permalink
report
parent
reply
6 points

Normally there are audio captchas

permalink
report
parent
reply
18 points

I’ve learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.

permalink
report
parent
reply
25 points

Could also be browser settings. I often get infinite captcha’d on private Firefox tabs

permalink
report
parent
reply
8 points

Yeah this is my experience as well. I don’t have much technical knowledge about it, but Firefox with ublock seems to be the enemy of captcha and CloudFlare

permalink
report
parent
reply
1 point

This is really interesting… Can you elaborate? I’ve never one had a follow up to the check mark.

I use a high dpi mouse, what do you use?

Spoiler: I think resolution matters here. The top comment is wrong, if anyone cares enough to take notice…

permalink
report
parent
reply
1 point

Cheapest Logitech mouse I could find in the supermarket about 6-7 years ago.

As others have said, it might be more to do with my browser choice, browser settings and extensions. That said I remember when I first started seeing these years ago that sometimes it’d think I was a robot and sometimes it wouldn’t and maybe it was a placebo effect, but I felt fairly confident then that me jiggling the mouse really helped. Now it doesn’t matter what I do. My natural movement, a deliberately wonky but still single and continuous movement or a totally artificial mouse wiggle after the clock, I’ll always have to do captchas.

permalink
report
parent
reply
14 points

What if you’re on a phone or tablet?

permalink
report
parent
reply
7 points

Clicking percision and reaction time are still measurable and the checkbox can fall back to other captcha tactics if it has low faith in the user.

permalink
report
parent
reply
5 points

It’s also checking your other traffic. (Since Cloudflare handles traffic for so many companies.) Are you visiting other sites in a realistic fashion, or are you doing 99% of your traffic trying to do one thing over and over.

permalink
report
parent
reply

But it also works with touchscreen taps, and randomizing tap position, duration, and delay is fairly simple.

permalink
report
parent
reply
5 points

Interesting that my mouse movement is available to anyone who wants it.

It seems like a small step from that to accessing my keyboard.

permalink
report
parent
reply
45 points

Your mouse movement and keyboard events are available to webpages that you’ve loaded, when the browser window is focused.

This isn’t nefarious - it allows websites to build nice UIs that most people enjoy using, most of the time.

There’s lots of shady stuff going on in browsers, this isn’t really one of them.

permalink
report
parent
reply
-3 points

Hmm, I can think of some ways to misuse this. And I’m not very smart at all.

permalink
report
parent
reply
16 points

If you’re using a webpage JavaScript can see your mouse cursor and anything you type. But only if the browser has focus. So if you’re typing in another window it can’t

permalink
report
parent
reply
14 points

Your mouse movement on that page is. Just like if you typed into the page.

It’s not tracking you in other windows and apps.

permalink
report
parent
reply
9 points

They can only access it while you’re focused on their webpage. CORS is all about that.

If you click off to another web page and enter information or type of password into a secondary app they can’t gather that. As soon as they lose focus they lose the ability to capture your data.

permalink
report
parent
reply
3 points

Nbd, but it sounds like you’re talking about encapsulation of event capture (viewport stops receiving events after losing focus).

CORS is a protocol for client-side enforcement of a server-side security policy. It ensures that a resource request (e.g. “my-totally-safe-resource.wasm”) only loads from a location your server permits (e.g. “my-valid-origin.biz”, “friends-valid-origin.org”, etc).

permalink
report
parent
reply
5 points

There is a lot of other data available to sites you visit unless you are using some kind of fingerprint protection

permalink
report
parent
reply
2 points

If loaded with pages didn’t have access to keyboard events, you wouldn’t be able to write comments on Lemmy posts. I’m not a front-end guy, but that should be limited to just white the browser is focused.

permalink
report
parent
reply
5 points

My question is how is it not trivial to add a noise wave or some shit to the bot path? Obviously, I have zero technical knowledge of how bots, pathing, or anti-bot analysis works

permalink
report
parent
reply
13 points

It uses other signals too, like what other sites you’ve visited with that checkbox on it, what CloudFlare has seen your IP address doing in the past, etc.

The google one is able to see if you’re logged into a google account and take that into account.

There’s even a new variant of the Google captcha that is invisible and doesn’t even bother to show a checkbox.

permalink
report
parent
reply
3 points

This feels only partially accurate. I’m a web developer, and I know websites don’t track all of what you suggest. Can you clarify, or come clean on what actually takes place?

Honestly, I doubt it… I’m sorry. I don’t mean to be abrasive.

permalink
report
parent
reply
1 point

Couldn’t I just record my mouse movements clicking on it a couple dozen times and randomly replay one of those recordings?

permalink
report
parent
reply
3 points

It could store the mouse movements to compare later.

permalink
report
parent
reply
64 points

Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it’s less about clicking the box and what happens after you’ve clicked the box.

permalink
report
reply
61 points

This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google’s captcha which frequently doesn’t recognize me as a human but is easily bypassed by bots.

permalink
report
parent
reply
4 points

I believe it’s less about clicking the box and what happens after you’ve clicked the box.

I think it’s before, not after.

permalink
report
parent
reply
1 point

I kinda think your browser makes sure you at least click before websites are allowed tracking things like your cursor.

permalink
report
parent
reply
2 points

I think the clicking is rather the part where you agree to allow your history to be checked, essentially.

Sorry for linking Reddit, but… https://www.reddit.com/r/askscience/s/Ws3Mr45qFV

permalink
report
parent
reply
60 points

https://blog.cloudflare.com/turnstile-private-captcha-alternative/

TL:DR cloudflare made a new recaptcha which does some complex math and other stuff on your browser, which done once has no noticable effect but if someone were to scrape websites at an absurd speed it slows everything down significantly.

this is not only cool because you don’t have to manually solve the captcha, but also because it allows for low-speed scraping to be feasible, with tools like flaresolverr

permalink
report
reply
25 points

That’s actually kinda cool. Punish the scrapers, but allow regular people to not waste time.

Meanwhile, Google is having you find the zebra crossing for the 400th time…

permalink
report
parent
reply
29 points

*training their ai using humans

permalink
report
parent
reply
4 points

Oh, so it’s Hashcash; cool to see that idea getting real use.

permalink
report
parent
reply
45 points

Theres a few answrs to this

  1. It uses your movements before this to determine whether it feels like your a bot or not
  2. It makes you wait, the biggest issue with bots is they may try to log in say 50 different passwords for example, so if it takes 5 seconds to do each one it makes boting multiple acounts not worth it.
  3. Google uses catchphas with images to choose. They use this to train their own AI or data to sell
permalink
report
reply
7 points
*

Smarter bots know how to easily avoid being detected based on the speed of their requests by simply adding a random delay to them. A few years ago we discovered a very slow speed credential stuffing attack (testing usernames & passwords) against my employers site. It was only testing one set of credentials every couple of minutes.

Once we discovered it we didn’t block it though. We were able to spot the attack fairly easily once we knew what to look for, so we updated our system to always return a login failure no matter what credentials they sent.

permalink
report
parent
reply
1 point

To elaborate on point 1, it’s about uniqueness and timing of the path the mouse takes to click the checkbox. If it’s too straight or consistent it will red flag you.

permalink
report
parent
reply
43 points

These type of “captchas” look at your browsing behavior. It is sort of a “trade secret” of what it looks for, but it might be screen resolution, mouse behavior, cookies, OS, time to click, etc. Anything a website has access to that would look different from a bot.

permalink
report
reply
7 points

Yes, and it gives you (or the bot), a score.

If you don’t meet the score, is highly likely that you are a bot.

You can have a superficial an yet interesting read on the topic on the Google re-captch dev docs.

permalink
report
parent
reply
3 points

It is likely you are a bot, and then you get one it these regular captchas and the that will increase your score if you succeed.*

permalink
report
parent
reply
1 point

Is it bad that I’ve failed the score multiple times?

permalink
report
parent
reply

Asklemmy

!asklemmy@lemmy.ml

Create post

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it’s welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

Icon by @Double_A@discuss.tchncs.de

Community stats

  • 7.4K

    Monthly active users

  • 3.7K

    Posts

  • 83K

    Comments