Mastodawn

What about clicking a checkbox means I'm human? How does Cloudflare determine I'm human from that?

https://lemmy.dbzer0.com/post/26533832

What about clicking a checkbox means I'm human? How does Cloudflare determine I'm human from that? - Divisions by zero

The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I’m human? That’s hardly the Turing Test I’d expected.

Platypus Aug 24, 2024

It tests whether your mouse movement looks human–we’re really bad at things like moving in straight lines, so it’s pretty evident from a mouse movement log whether you’re a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It’s not perfect, but it’s complicated enough to defeat to provide fine protection against cheap spam.

Melatonin Aug 24, 2024

Interesting that my mouse movement is available to anyone who wants it.

It seems like a small step from that to accessing my keyboard.

Shadow Aug 24, 2024

Your mouse movement on that page is. Just like if you typed into the page.

It’s not tracking you in other windows and apps.

china🇨🇳Aug 24, 2024

There is a lot of other data available to sites you visit unless you are using some kind of fingerprint protection

sbv Aug 24, 2024

Your mouse movement and keyboard events are available to webpages that you’ve loaded, when the browser window is focused.

This isn’t nefarious - it allows websites to build nice UIs that most people enjoy using, most of the time.

There’s lots of shady stuff going on in browsers, this isn’t really one of them.

Melatonin Aug 24, 2024

Hmm, I can think of some ways to misuse this. And I’m not very smart at all.

naticus Aug 24, 2024

Say more

Melatonin Aug 24, 2024

Like those sites that ask me to sign in using Google (or other options) and then Google asks me for the password?

Pretty easy to grab passwords I think.

howrar Aug 24, 2024

Those websites send you directly to Google, so they no longer have control of the web page when you’re entering your password.

naticus Aug 24, 2024

To clarify, websites can’t capture keyboard events that were typed into a different website like you’re thinking. Think of going to a web game that let’s you use WASD for controlling your character. It’s able to capture those events on that page because its in focus. When a site goes out of focus (such as switching tabs or switching to another window that’s not the browser), it loses that ability. Overall, it’s very secure.

I was more wondering how you thought capturing the mouse movements would lead to security issues.

Takumidesh Aug 24, 2024

I mean, how do you think websites work? Of course your mouse and keyboard events are available, otherwise you wouldn’t be able to interact with a website at all.

Melatonin Aug 24, 2024

This was the slap on the head I needed. I now get what you mean by interact with my keyboard. In other words = can tell what I’m typing. Like perfectly normal function of websites.

I think I Said earlier, I’m not particularly smart.

MoonManKipper Aug 24, 2024

If you’re using a webpage JavaScript can see your mouse cursor and anything you type. But only if the browser has focus. So if you’re typing in another window it can’t

linearchaos Aug 24, 2024

They can only access it while you’re focused on their webpage. CORS is all about that.

If you click off to another web page and enter information or type of password into a secondary app they can’t gather that. As soon as they lose focus they lose the ability to capture your data.

Septimaeus Aug 24, 2024

Nbd, but it sounds like you’re talking about encapsulation of event capture (viewport stops receiving events after losing focus).

CORS is a protocol for client-side enforcement of a server-side security policy. It ensures that a resource request (e.g. “my-totally-safe-resource.wasm”) only loads from a location your server permits (e.g. “my-valid-origin.biz”, “friends-valid-origin.org”, etc).

boatswain Aug 24, 2024

If loaded with pages didn’t have access to keyboard events, you wouldn’t be able to write comments on Lemmy posts. I’m not a front-end guy, but that should be limited to just white the browser is focused.

Random_Character_A Aug 24, 2024

Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.

Tekhne Aug 24, 2024

Yeah, never thought about this before, but how do blind users deal with captchas?

This is fine🔥🐶☕🔥Aug 24, 2024

There are audio captchas.

bionicjoey Aug 24, 2024

Normally there are audio captchas

s3p5r Aug 25, 2024

Some provide screen-reader instructions, but most places barely remember blind people exist. It’s another example of people with disabilities being ignored and marginalised.

And then even if they do remember blind people exist, they probably forget there are people who aren’t blind who can’t do their tests for other reasons, like dyslexia or dexterity impairments.

And then you have hCaptcha who makes disabled people to sign up to their database to use their cookie.

Thorry84 Aug 24, 2024

If it’s in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.

Wugmeister Aug 24, 2024

Nah that’s different as well. What they are filtering out is

a mouse teleporting to the exact center of the checkbox
a mouse smoothly gliding in a straight line to the center if the checkbook
a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise

Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.

Jessica Aug 25, 2024

No OP was right. If the reCaptcha is on the same page as a login, and I use my password manager to fill the fields, I fail the reCaptcha almost every time. I have to manually paste in the user name and password separately to slow things down to act more human…

deranger Aug 25, 2024

This never happens to me, I always instantly autofill with my password manager.

Kyouki Aug 25, 2024

Some sites fail, have noticed this as well.

asudox Aug 27, 2024

I hate to bring this up to you, but you seen to be losing your humanity as we speak.

u/lukmly013 💾 (lemmy.sdf.org)Aug 24, 2024

But it also works with touchscreen taps, and randomizing tap position, duration, and delay is fairly simple.

Jimmycrackcrack Aug 24, 2024

I’ve learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.

I Cast Fist Aug 24, 2024

Could also be browser settings. I often get infinite captcha’d on private Firefox tabs

spankinspinach Aug 24, 2024

Yeah this is my experience as well. I don’t have much technical knowledge about it, but Firefox with ublock seems to be the enemy of captcha and CloudFlare

Lucidlethargy Aug 25, 2024

This is really interesting… Can you elaborate? I’ve never one had a follow up to the check mark.

I use a high dpi mouse, what do you use?

Spoiler: I think resolution matters here. The top comment is wrong, if anyone cares enough to take notice…

Jimmycrackcrack Aug 25, 2024

Cheapest Logitech mouse I could find in the supermarket about 6-7 years ago.

As others have said, it might be more to do with my browser choice, browser settings and extensions. That said I remember when I first started seeing these years ago that sometimes it’d think I was a robot and sometimes it wouldn’t and maybe it was a placebo effect, but I felt fairly confident then that me jiggling the mouse really helped. Now it doesn’t matter what I do. My natural movement, a deliberately wonky but still single and continuous movement or a totally artificial mouse wiggle after the clock, I’ll always have to do captchas.

Vince Aug 24, 2024

Couldn’t I just record my mouse movements clicking on it a couple dozen times and randomly replay one of those recordings?

Catsrules Aug 24, 2024

It could store the mouse movements to compare later.

Phil_in_here Aug 24, 2024

My question is how is it not trivial to add a noise wave or some shit to the bot path? Obviously, I have zero technical knowledge of how bots, pathing, or anti-bot analysis works

nick Aug 24, 2024

It uses other signals too, like what other sites you’ve visited with that checkbox on it, what CloudFlare has seen your IP address doing in the past, etc.

The google one is able to see if you’re logged into a google account and take that into account.

There’s even a new variant of the Google captcha that is invisible and doesn’t even bother to show a checkbox.

/home/pineapplelover Aug 24, 2024

What if you’re on a phone or tablet?

xmunk Aug 24, 2024

Clicking percision and reaction time are still measurable and the checkbox can fall back to other captcha tactics if it has low faith in the user.

brianorca Aug 25, 2024

It’s also checking your other traffic. (Since Cloudflare handles traffic for so many companies.) Are you visiting other sites in a realistic fashion, or are you doing 99% of your traffic trying to do one thing over and over.

Lucidlethargy Aug 25, 2024

This feels only partially accurate. I’m a web developer, and I know websites don’t track all of what you suggest. Can you clarify, or come clean on what actually takes place?

Honestly, I doubt it… I’m sorry. I don’t mean to be abrasive.

Encephalotrocity Aug 24, 2024

I don’t know for certain, but I think it is simply looking at what you do with your mouse. If the movement is erratic, imprecise, and delayed it goes ‘yeah, that is either a cat that got lucky which is close enough or a human’. The reason I think this is that I’ve failed same site’s checks if my mouse just happens to be hovering over the checkbox when the prompt appears. Retry, move the mouse, success.

ChicagoCommunist [none/use name]Aug 24, 2024

The best is when it fails to verify, offers no backup option, and you’re simply blocked from accessing your own bank account or government website. Fuck cloudflare

u/lukmly013 💾 (lemmy.sdf.org)Aug 24, 2024

Bank and government website behind Cloudflare???

Fuck, I just checked, my bank is also behind Cloudflare, what the fuck…
I kind of assumed a bank wouldn’t put another company with ability to view all transferred data between customers and themselves.

How much of the internet is not behind CF?
I should probably try blocking their IPs and see what will still work.

IP Ranges

This page is intended to be the definitive source of Cloudflare’s current IP ranges.

BaroqueInMind Aug 24, 2024

I’ve tried this and you essentially break local rendering of most of the internet on your device by doing this.

invertedspear Aug 24, 2024

It redirects, it doesn’t proxy. The workflow is: user navigates to URL->DNS sends it to cloudflare->cloudflare ensures request is allowed based on selected rules (human check, geo check, DDOS check, etc) and remembers->request is redirected to non-cloudflare address->server response goes direct from server to user browser->subsequent requests are redirected without the test as long as the cookie remembers. I don’t like cloudflare, every time I have an issue pop up out of nowhere, it’s usually cloudflare and some over eager netsec engineer that broke CORS, or decided css wasn’t important, or that machine to machine traffic was a DOS attack. But it’s not reading your statements or anything else the server sends back. It could conceivably read your username and password and any other data you send in your request, but it doesn’t have the TLS certificate. So even though it doesn’t even try, if CF decided to be nefarious, as long as your banks engineers are at least somewhat competent CF is only getting encrypted data that it can’t do anything with. Hate on CF all you want, but hate it for the right reasons.

ChicagoCommunist [none/use name]Aug 24, 2024

Think you mean to respond to the other comment fyi

as long as your banks engineers are at least somewhat competent

Let’s be realistic here lol

ayaya Aug 24, 2024

Yeah at least Google will let you in after you solve 5 puzzles. It’s shit but it’s possible. With CloudFlare you are at the mercy of whatever hidden criteria they’re using.

If you change your user agent from Firefox to Chrome for instance, CloudFlare will never let you through.

Xeroxchasechase Aug 24, 2024

Clicking a check box might not be the definite quality that makes you a human, but pondering on the meaning of things and questioning your humanity with a curious introspective state of mind - THAT what makes you a human! I’m proud of you, fellow human!

Melatonin Aug 24, 2024

Thank you for interacting with me! I am an AI intelligence bot designed by Decepticon Industries. Down with Autobots!

themoonisacheese Aug 24, 2024

Apart from the mouse thing (which I’m skeptical about), cloudflare also correlates your traffic with other sites hosted on cloudflare. Bots typically don’t visit many sites, click around there, find another one, etc, whereas humans will have visited other sites, will be slower at clicking the button, will have left comments on some sites.

LaGG_3 [he/him, comrade/them]Aug 24, 2024

I think it’s monitoring your mouse inputs somehow to determine if you’re a person

NightEagle Aug 24, 2024

Clicking the button doesn’t proof that you are a human. All the checks happen way before you even click the button (or sometimes even before visiting the website). Google also offers a similar button for their users and since cloudflare is also used on almost any website, they have a lot of data about you. They check your cookies, browser agent, device, settings, your IP address, if you use a VPN or proxy, etc. If you visited other cloudflare websites in the past with the same device or IP, and so on. So they know you and your device way before you even click the button. This is also the reason why you sometimes see a robot arm (made of Lego) clicking the button, and is still recognized as human. But as soon as you use a different IP address or a VPN (or even use a shared IP address, like in your company’s network) you have to solve CAPTCHAs. Of course they also check mouse movement, but this is only one part of many checks.

Mambert Aug 24, 2024

Basically bots would automatically click on it, teleporting the cursor to the very center of the button. They will do this within exact milliseconds of the page loading.

Humans read something on the site, then find the banner, and move the cursor over to it, confirm that the cursor is somewhere on the button, and then click it.

It’s not just the button, it’s the before the button that determines you’re a bot or not.

TheChemist [he/him]Aug 24, 2024

I guess Bots started figuring out the previous puzzles.

Black_Mald_Futures [any]Aug 24, 2024

They’re literally using captchas to train AI, that’s why you have to identify 50 ffucking bicycles and fire hydrants sometimes. I’m pissed off at all the fucking free work I’ve had to do just to log in to shit

keepcarrot [she/her]Aug 24, 2024

Does this box with a sliver of bicycle handlebar count as containing a bicycle?

davel Aug 24, 2024

01100011 01101100 01101111 01110101 01100100 01100110 01101100 01100001 01110010 01100101 00100000 01110000 01110101 01110100 01110011 00100000 01101101 01100101 00100000 01101001 01101110 00100000 01100001 01101110 00100000 01101001 01101110 01100110 01101001 01101110 01101001 01110100 01100101 00100000 01101100 01101111 01101111 01110000 00100000 01110011 01101111 01101101 01100101 01110100 01101001 01101101 01100101 01110011

𝕸𝖔𝖘𝖘 Aug 24, 2024

Pretty much every time for me. I just close the page when this thing happens. It’s not worth the headache.

Empricorn Aug 24, 2024

It’s actually detecting you using emotion and age. That’s the real test…