The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I’m human?
That’s hardly the Turing Test I’d expected.
Apart from the mouse thing (which I’m skeptical about), cloudflare also correlates your traffic with other sites hosted on cloudflare. Bots typically don’t visit many sites, click around there, find another one, etc, whereas humans will have visited other sites, will be slower at clicking the button, will have left comments on some sites.
Humans have mouse movement that, on August 8, 2024, are very hard to reproduce. But just like regular captchas we are just teaching computers to do the same thing.
Aaaaand why would CloudFlare want to teach the computers to mimic mouse movements?
Whoa what happened on the 9th?
Recaptcha gained sentience
I always fail Cloudflare captchas because I’m clicking it with Vimium-C lol. I hate captchas for making me reach for my mouse. It also seems like a genuine accessibility issue if people who cannot use a mouse can’t pass a captcha.
I’ve found that Google’s reCAPTCHA has also started rejecting me no matter what I do. I think it might be because my IP address is a VPN, but that’s pretty stupid; if I can pass the test by clicking the squares why not let me in?
I’ve found that when Google decides to throw me a captcha, literally no amount of solving them will ever persuade them to let me in. I went through 10 in a row before I gave up.
Just seems like spite to me.
I’ve recently noticed the same thing with cloudflare and Google captchas while using a VPN. I just use Bing instead while on the VPN because I never get past the Google captchas, or at least I give up after 2 or 3.
It also seems like the resolution of the browser has some impact with cloudflare. If I open a browser window in the corner of the screen, I’m basically guaranteed to get more cloudflare captchas, but if I open it full screen I only get one, maybe two.
If I open a browser window in the corner of the screen, I’m basically guaranteed to get more cloudflare captchas, but if I open it full screen I only get one, maybe two.
That’s interesting. If you run a browser full screen they can get your screen resolution as part of fingerprinting you; that’s why LibreWolf and Tor Browser have their letterboxing features. So they just don’t like browser users who take actions to improve their privacy, huh
The EXACT same thing has been happening with me and google captchas. I just switched to Proton VPn, and while I like it, the amount of capctchas I’ve had to poke through is ridiculous.
It’s those edges
I think it might be because my IP address is a VPN, but that’s pretty stupid; if I can pass the test by clicking the squares why not let me in?
They want your tasty IP data
That’s when I just use another search engine.
Reddit blocks VPN and won’t let me in. OK bye reddit too lazy to turn off VPN ffs
I’ve had a few burner reddit accounts using a randomly generated yopmail email for the rare moments that I just want to read an answer for something I can only find on reddit lol
Use redlib, e.g. the instance I use: https://redlib.ducks.party/
This is helpful, thanks
No worries. You can also use LibRedirect to automatically redirect any reddit links to a redlib instance of your choice
reCAPTCHA is a failed project. It was initially designed to lock out bots while being trivial for a human to solve but, over the years, captchas became more unintuitive and bots more sophisticated. Bots are now way better at solving captchas than humans and it’s just a useless time sink.
This all humans will be good for in the future, until they atrophy and become a mere appendage of machinegod.
I saw the movie. Unhappy ending.
Which movie is that ? While waiting your reply I asked chatgpt
Please write movie script where humans continue to evolve in an environment where their reproduction and evolution is mediated entirely by the solvibg of captchas. They have become one with machinegod, just a vestigial appendage so scratch an itch that the machine cannot satisfy any other way.
https://chatgpt.com/share/fae8c7fc-df78-462e-9922-9d976a182bd8
Basically bots would automatically click on it, teleporting the cursor to the very center of the button. They will do this within exact milliseconds of the page loading.
Humans read something on the site, then find the banner, and move the cursor over to it, confirm that the cursor is somewhere on the button, and then click it.
It’s not just the button, it’s the before the button that determines you’re a bot or not.
deleted by creator
Beats me. I have a script that clicks all those boxes for me.
Yo based
I’m pretty sure I’m a robot since they often force me to select the motorcycle from a picture that is just one motor cycle. If I select every part of it I fail every time. Same thing with street lights and fire plugs.
“this is not CAPTCHA! It’s just clicking, with style”
I often wonder if that’s a fail or just some tech sitting in a room saying “Now do THIS!” and pressing refresh over and over.
That’s it
Others mention the mouse motion, and monitoring your other traffic to similar sites. When it shows the checkbox, it has already determined you are probably human. If you had suspicious activity, they will give you more advanced tests instead of just a checkbox.
Cloudflare has a bot score. Depending on how sus your bot score is you can use several different levels of verification. The checkbox you refer to is kind of in the middle. There is also a more complicated intrusive captcha and a totally transparent javascript. It’s a pretty slick system.
I like that when I’m on tor browser with VPN behind it they’re like “Yeah, cool, go on through”
Don’t mix tor plus VPN.
If you’re using tor browser without tor for some reason, carry on.
VPN behind it. So tor is under the VPN.
So, turn off my VPN that’s always running before I use the tor browser?
There are two ways to layer a VPN and tor:
- Tor over VPN; or
- VPN over Tor.
In the first option, you gain little. Tor already encrypts your traffic, so your ISP can’t see inside them. Technically, Tor over a VPN hides the fact that you’re using Tor from your ISP, but Tor’s snowflake does something similar if you need that.
In the second option, you’re revealing your VPN account information, which could theoretically be associated back to you. Tor adds nothing over just a VPN in this case.
So really, “no value in mixing,” which is distinct from “don’t mix.”
The latter implies a security risk could be created.
The risk of mis-ordering your layers is a security issue.
If you’re using tour vpn at the system or network level, and tor at the browser level, is there a risk of mis-ordering?
A security risk is created, you’re creating a permanent guard node by using your VPN with TOR. A lot of people downplay how serious this can be against a dedicated attacker. Sure, it may not matter for most, but for those with the right threat model, it will.
So VPN first then Tor is ill advised for this, or only the reverse? What is the potential attack in running Tor while on VPN?
Why?
Clicking the button doesn’t proof that you are a human. All the checks happen way before you even click the button (or sometimes even before visiting the website). Google also offers a similar button for their users and since cloudflare is also used on almost any website, they have a lot of data about you. They check your cookies, browser agent, device, settings, your IP address, if you use a VPN or proxy, etc. If you visited other cloudflare websites in the past with the same device or IP, and so on. So they know you and your device way before you even click the button. This is also the reason why you sometimes see a robot arm (made of Lego) clicking the button, and is still recognized as human. But as soon as you use a different IP address or a VPN (or even use a shared IP address, like in your company’s network) you have to solve CAPTCHAs. Of course they also check mouse movement, but this is only one part of many checks.
The timing of the click captcha loading is randomized and it probably is looking for human-ish cursor movement? (Like you’re probably moving your hand in imperceptibly small ways that are difficult to replicate). Clicking before it loads and doing it repeatedly probably triggers detection.
I used to think it was timing based, but now leaning on the idea that it just performs more fingerprinting in the background: user agent per ip pool, canvas or puppeteer checks.
This is correct. Those captchas are tracking everything they can and comparing it to other results to try and figure this out. Mouse movement, delay before you click, everything.
Yeah and if the user are suspicious they make them solve a puzzle.
Proof of work, which becomes computationally expensive to scale, along with other heuristics based on your browser and page interaction. I believe it’s less about clicking the box and what happens after you’ve clicked the box.
This is correct. I work in bot detections. There are baseline checks for various browser automation used as bot frameworks like Puppeteer or Playwright. Then there is basic analysis of server side and client side fingerprints; meaning, do the fingerprints you claim make sense. There are other heuristics too and I imagine Cloudflare is monitoring movements that point to automation. All of this happens after you click. I personally prefer this over Google’s captcha which frequently doesn’t recognize me as a human but is easily bypassed by bots.
I believe it’s less about clicking the box and what happens after you’ve clicked the box.
I think it’s before, not after.
I kinda think your browser makes sure you at least click before websites are allowed tracking things like your cursor.
I think the clicking is rather the part where you agree to allow your history to be checked, essentially.
Sorry for linking Reddit, but… https://www.reddit.com/r/askscience/s/Ws3Mr45qFV
Here, I got you: https://redlib.northboot.xyz/r/askscience/s/Ws3Mr45qFV
Interesting that it works so well for Tor Browser, given that there’s not much information to collect. Just the proof of work might be enough there.
some of them are also less bot detection and more spam limiting and mitigation. cloudflare’s has more stuff built in I’m sure, but things like mCapcha are just proof of work, so if you’re trying to make a bunch of accounts or whatever, it’s really computationally expensive.
those will fail anyway on a few sites I’ve gone to. No idea why and sometimes months later it will work for a random interval of time.