What about clicking a checkbox means I'm human? How does Cloudflare determine I'm human from that?

Lemjukes , 8 minutes ago

A side to this is that certain techniques will be deliberately obfuscated or simply omitted as a security measure in the hopes of slowing a bad actor’s eventual bypassing of the measure. It’s an arms race and if the intruder doesn’t know what all the locks even are, it takes longer to break or pick them.

brian , 13 minutes ago

some of them are also less bot detection and more spam limiting and mitigation. cloudflare’s has more stuff built in I’m sure, but things like mCapcha are just proof of work, so if you’re trying to make a bunch of accounts or whatever, it’s really computationally expensive.

Empricorn , 17 minutes ago

It’s actually detecting you using emotion and age. That’s the real test…

davel , 52 minutes ago

01100011 01101100 01101111 01110101 01100100 01100110 01101100 01100001 01110010 01100101 00100000 01110000 01110101 01110100 01110011 00100000 01101101 01100101 00100000 01101001 01101110 00100000 01100001 01101110 00100000 01101001 01101110 01100110 01101001 01101110 01101001 01110100 01100101 00100000 01101100 01101111 01101111 01110000 00100000 01110011 01101111 01101101 01100101 01110100 01101001 01101101 01100101 01110011

01189998819991197253 , 39 minutes ago

Pretty much every time for me. I just close the page when this thing happens. It’s not worth the headache.

TheChemist , 56 minutes ago

I guess Bots started figuring out the previous puzzles.

Mambert , 1 hour ago

Basically bots would automatically click on it, teleporting the cursor to the very center of the button. They will do this within exact milliseconds of the page loading.

Humans read something on the site, then find the banner, and move the cursor over to it, confirm that the cursor is somewhere on the button, and then click it.

It’s not just the button, it’s the before the button that determines you’re a bot or not.

NightEagle , 2 hours ago

Clicking the button doesn’t proof that you are a human. All the checks happen way before you even click the button (or sometimes even before visiting the website). Google also offers a similar button for their users and since cloudflare is also used on almost any website, they have a lot of data about you. They check your cookies, browser agent, device, settings, your IP address, if you use a VPN or proxy, etc. If you visited other cloudflare websites in the past with the same device or IP, and so on. So they know you and your device way before you even click the button. This is also the reason why you sometimes see a robot arm (made of Lego) clicking the button, and is still recognized as human. But as soon as you use a different IP address or a VPN (or even use a shared IP address, like in your company’s network) you have to solve CAPTCHAs. Of course they also check mouse movement, but this is only one part of many checks.

LaGG_3 , 2 hours ago

I think it’s monitoring your mouse inputs somehow to determine if you’re a person

themoonisacheese , 2 hours ago

Apart from the mouse thing (which I’m skeptical about), cloudflare also correlates your traffic with other sites hosted on cloudflare. Bots typically don’t visit many sites, click around there, find another one, etc, whereas humans will have visited other sites, will be slower at clicking the button, will have left comments on some sites.

Xeroxchasechase , 2 hours ago

Clicking a check box might not be the definite quality that makes you a human, but pondering on the meaning of things and questioning your humanity with a curious introspective state of mind - THAT what makes you a human! I’m proud of you, fellow human!

Melatonin OP , 1 hour ago

Thank you for interacting with me! I am an AI intelligence bot designed by Decepticon Industries. Down with Autobots!

ChicagoCommunist , 2 hours ago

The best is when it fails to verify, offers no backup option, and you’re simply blocked from accessing your own bank account or government website. Fuck cloudflare

user224 , 1 hour ago

Bank and government website behind Cloudflare???

Fuck, I just checked, my bank is also behind Cloudflare, what the fuck…
I kind of assumed a bank wouldn’t put another company with ability to view all transferred data between customers and themselves.

How much of the internet is not behind CF?
I should probably try blocking their IPs and see what will still work.

BaroqueInMind , 21 minutes ago

I’ve tried this and you essentially break resolving of most of the internet on your device by doing this. Almost the entire internet relies on both Amazon Web Services and Cloudflare.

Cephalotrocity , 2 hours ago

I don’t know for certain, but I think it is simply looking at what you do with your mouse. If the movement is erratic, imprecise, and delayed it goes ‘yeah, that is either a cat that got lucky which is close enough or a human’. The reason I think this is that I’ve failed same site’s checks if my mouse just happens to be hovering over the checkbox when the prompt appears. Retry, move the mouse, success.

platypode , 2 hours ago

It tests whether your mouse movement looks human–we’re really bad at things like moving in straight lines, so it’s pretty evident from a mouse movement log whether you’re a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It’s not perfect, but it’s complicated enough to defeat to provide fine protection against cheap spam.

Melatonin OP , 2 hours ago

Interesting that my mouse movement is available to anyone who wants it.

It seems like a small step from that to accessing my keyboard.

Shadow , 2 hours ago

Your mouse movement on that page is. Just like if you typed into the page.

It’s not tracking you in other windows and apps.

kionite231 , 2 hours ago

There is a lot of other data available to sites you visit unless you are using some kind of fingerprint protection

sbv , 2 hours ago

Your mouse movement and keyboard events are available to webpages that you’ve loaded, when the browser window is focused.

This isn’t nefarious - it allows websites to build nice UIs that most people enjoy using, most of the time.

There’s lots of shady stuff going on in browsers, this isn’t really one of them.

Melatonin OP , 58 minutes ago

Hmm, I can think of some ways to misuse this. And I’m not very smart at all.

naticus , 29 minutes ago

Say more

Melatonin OP , 22 minutes ago

Like those sites that ask me to sign in using Google (or other options) and then Google asks me for the password?

Pretty easy to grab passwords I think.

howrar , 14 minutes ago

Those websites send you directly to Google, so they no longer have control of the web page when you’re entering your password.

Aatube , 12 minutes ago

This is why Google sign-in can’t be embedded and uses the password input type for the password type. Most SSOs do this as well.

MoonManKipper , 2 hours ago

If you’re using a webpage JavaScript can see your mouse cursor and anything you type. But only if the browser has focus. So if you’re typing in another window it can’t

linearchaos , 1 hour ago

They can only access it while you’re focused on their webpage. CORS is all about that.

If you click off to another web page and enter information or type of password into a secondary app they can’t gather that. As soon as they lose focus they lose the ability to capture your data.

Septimaeus , 12 minutes ago

Nbd, but it sounds like you’re talking about encapsulation of event capture (viewport stops receiving events after losing focus).

CORS is a protocol for client-side enforcement of a server-side security policy. It ensures that a resource request (e.g. “my-totally-safe-resource.wasm”) only loads from a location your server permits (e.g. “my-valid-origin.biz”, “friends-valid-origin.org”, etc).

boatswain , 16 minutes ago

If loaded with pages didn’t have access to keyboard events, you wouldn’t be able to write comments on Lemmy posts. I’m not a front-end guy, but that should be limited to just white the browser is focused.

random_character_a , 2 hours ago

Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.

savedbythezsh , 2 hours ago

Yeah, never thought about this before, but how do blind users deal with captchas?

TheBat , 1 hour ago

There are audio captchas.

bionicjoey , 1 hour ago

Normally there are audio captchas

Thorry84 , 1 hour ago

If it’s in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.

user224 , 1 hour ago

But it also works with touchscreen taps, and randomizing tap position, duration, and delay is fairly simple.

Jimmycrackcrack , 1 hour ago

I’ve learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.

ICastFist , 26 minutes ago

Could also be browser settings. I often get infinite captcha’d on private Firefox tabs

Vince , 1 hour ago

Couldn’t I just record my mouse movements clicking on it a couple dozen times and randomly replay one of those recordings?

Catsrules , 1 hour ago

It could store the mouse movements to compare later.

Phil_in_here , 10 minutes ago

My question is how is it not trivial to add a noise wave or some shit to the bot path? Obviously, I have zero technical knowledge of how bots, pathing, or anti-bot analysis works