I have noticed that some CAPTCHA pages, like Cloudflare’s, simply ask you to check a box to proceed. There is no clicking on traffic lights or entering characters. How does clicking on a check box tell them I am not a robot?
Its not sure how it exactly works, but most probably this captcha processes a lot of data like your mouse movement, mouse click but also your browser fingerprints, search history and ip. You can actually get ‘traffic lights’ test from this clicking button captacha if You have privacy protection in place, such as using brave, tor, firefox or mullvad browser and/or vpn, pluse some privacy browser extensions
You passed the test before you clicked the checkbox. Your mouse movement, momentary pause, IP address, browsing history, etc, gave away that you’re a human.
Then why do we still need to click it, instead of just loading the page at once?
Because it measures how your mouse moves to the checkbox. If there was nothing to move to, you wouldn’t move your mouse.
I get the checkbox even on mobile sometimes, I imagine as long as you’re not perfectly hitting the center pixel it knows you’re human.
I don’t think random websites get access to my browser history without me explicitly giving them permission.
They pretty much do if they’re run through something like Cloudflare or they use Google Analytics. That probably covers about 80% of websites. Not the website, but the company that’s running the Captcha.
Browser fingerprinting and borderline Spyware: https://youtu.be/4UuvwY6CdLo?si=EEK_jCqsKY1Osi9S
I suspected this was the case! Like a silly human, I’ve been intentionally “wiggly” with my mouse movements for this very reason, hoping i don’t have to do a harder form of capthca. Haha. Now I only know I’m only a little crazy for doing so.
And, cloudflare creates a proxy (including it’s own SSL certificate by default!) between you and every cloudflare site. So they’re able to see all data, even on https secured pages.
And they make up a huge portion of the Internet 😊
don’t forget about 1.1.1.1, cloudflare’s dns.
Big part of the internet is going through Cloudflare these days, so it tracks you as you browse, and does something clever to figure out if you’re a robot. Google can do the same, they’ll have a cookie on you. If they’re not sure they’ll show you one of those challenges.
Rather than try to unilaterally deprecate and replace CAPTCHA with a single alternative, we built a platform to test many alternatives and rotate new challenges in and out as they become more or less effective.
With Turnstile, we adapt the actual challenge outcome to the individual visitor or browser. First, we run a series of small non-interactive JavaScript challenges gathering more signals about the visitor/browser environment. Those challenges include, proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser-quirks and human behavior. As a result, we can fine-tune the difficulty of the challenge to the specific request and avoid ever showing a visual puzzle to a user.
Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor, but is targeted to run fast.
https://developers.cloudflare.com/turnstile/
TL;DR A bunch of heuristics that it’s hard to spoof all of. Fun side effect of this method is that if you spoof your user agent, you’ll often end up locked out in a loop. Lack of a captcha fallback is obnoxious.
I have been stuck in one its hell you will be hoping this will be the last.
also the subtle but not so subtle ‘we will fingerprint errrrbody’
so what do they do with that data?
