The simplicity of it is logic defying. It used to be that you had to find crosswalks or move puzzle pieces or type blurred letters and numbers, but NOW all the sudden I can just click a box and HEY!, I’m human?

That’s hardly the Turing Test I’d expected.

  • Platypus@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    149
    arrow-down
    1
    ·
    4 months ago

    It tests whether your mouse movement looks human–we’re really bad at things like moving in straight lines, so it’s pretty evident from a mouse movement log whether you’re a human or a simple bot. It also takes a bunch of auxiliary browser/environment data into account. It’s not perfect, but it’s complicated enough to defeat to provide fine protection against cheap spam.

    • Random_Character_A@lemmy.world
      link
      fedilink
      arrow-up
      32
      arrow-down
      2
      ·
      4 months ago

      Shitty situation if you are used to using hotkeys and only use mouse cursor when no other means are available by moving it using numpad.

      • Thorry84@feddit.nl
        link
        fedilink
        arrow-up
        28
        ·
        4 months ago

        If it’s in doubt it just gives you extra challenges. So in the end everybody will get there, or not and then fuck you I guess.

      • Wugmeister@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        19
        ·
        4 months ago

        Nah that’s different as well. What they are filtering out is

        • a mouse teleporting to the exact center of the checkbox
        • a mouse smoothly gliding in a straight line to the center if the checkbook
        • a mouse traveling in a straight line to the center of the checkbook with some momentary stutters to add noise

        Et cetera. Humans are much noiser than anything a python script will spit out. Of course there are ways to get around this, like recording and reenacting a human mouse movement, but the point of any capcha system is to make it significantly more difficult to bot, not impossible.

        • s3p5r@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          ·
          4 months ago

          Some provide screen-reader instructions, but most places barely remember blind people exist. It’s another example of people with disabilities being ignored and marginalised.

          And then even if they do remember blind people exist, they probably forget there are people who aren’t blind who can’t do their tests for other reasons, like dyslexia or dexterity impairments.

          And then you have hCaptcha who makes disabled people to sign up to their database to use their cookie.

    • Jimmycrackcrack@lemmy.ml
      link
      fedilink
      arrow-up
      15
      ·
      4 months ago

      I’ve learned from these that I must definitely move my mouse like a robot since it always asks me to do more puzzles afterwards. This is even if I try jiggling it around after clicking just to try and convince it.

        • spankinspinach@sh.itjust.works
          link
          fedilink
          arrow-up
          6
          ·
          4 months ago

          Yeah this is my experience as well. I don’t have much technical knowledge about it, but Firefox with ublock seems to be the enemy of captcha and CloudFlare

      • Lucidlethargy@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        This is really interesting… Can you elaborate? I’ve never one had a follow up to the check mark.

        I use a high dpi mouse, what do you use?

        Spoiler: I think resolution matters here. The top comment is wrong, if anyone cares enough to take notice…

        • Jimmycrackcrack@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          4 months ago

          Cheapest Logitech mouse I could find in the supermarket about 6-7 years ago.

          As others have said, it might be more to do with my browser choice, browser settings and extensions. That said I remember when I first started seeing these years ago that sometimes it’d think I was a robot and sometimes it wouldn’t and maybe it was a placebo effect, but I felt fairly confident then that me jiggling the mouse really helped. Now it doesn’t matter what I do. My natural movement, a deliberately wonky but still single and continuous movement or a totally artificial mouse wiggle after the clock, I’ll always have to do captchas.

      • xmunk@sh.itjust.works
        link
        fedilink
        arrow-up
        6
        ·
        4 months ago

        Clicking percision and reaction time are still measurable and the checkbox can fall back to other captcha tactics if it has low faith in the user.

      • brianorca@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        4 months ago

        It’s also checking your other traffic. (Since Cloudflare handles traffic for so many companies.) Are you visiting other sites in a realistic fashion, or are you doing 99% of your traffic trying to do one thing over and over.

    • Phil_in_here@lemmy.ca
      link
      fedilink
      arrow-up
      5
      ·
      4 months ago

      My question is how is it not trivial to add a noise wave or some shit to the bot path? Obviously, I have zero technical knowledge of how bots, pathing, or anti-bot analysis works

      • nick@campfyre.nickwebster.dev
        link
        fedilink
        arrow-up
        11
        ·
        4 months ago

        It uses other signals too, like what other sites you’ve visited with that checkbox on it, what CloudFlare has seen your IP address doing in the past, etc.

        The google one is able to see if you’re logged into a google account and take that into account.

        There’s even a new variant of the Google captcha that is invisible and doesn’t even bother to show a checkbox.

    • Melatonin@lemmy.dbzer0.comOP
      link
      fedilink
      arrow-up
      7
      arrow-down
      4
      ·
      4 months ago

      Interesting that my mouse movement is available to anyone who wants it.

      It seems like a small step from that to accessing my keyboard.

      • sbv@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        42
        ·
        4 months ago

        Your mouse movement and keyboard events are available to webpages that you’ve loaded, when the browser window is focused.

        This isn’t nefarious - it allows websites to build nice UIs that most people enjoy using, most of the time.

        There’s lots of shady stuff going on in browsers, this isn’t really one of them.

          • Takumidesh@lemmy.world
            link
            fedilink
            arrow-up
            6
            ·
            4 months ago

            I mean, how do you think websites work? Of course your mouse and keyboard events are available, otherwise you wouldn’t be able to interact with a website at all.

            • Melatonin@lemmy.dbzer0.comOP
              link
              fedilink
              arrow-up
              5
              ·
              edit-2
              4 months ago

              This was the slap on the head I needed. I now get what you mean by interact with my keyboard. In other words = can tell what I’m typing. Like perfectly normal function of websites.

              I didn’t understand the “focus” part and how it helped. I think I said earlier, I’m not particularly smart.

            • Melatonin@lemmy.dbzer0.comOP
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              4 months ago

              Like those sites that ask me to sign in using Google (or other options) and then Google asks me for the password?

              Pretty easy to grab passwords I think.

              • howrar@lemmy.ca
                link
                fedilink
                arrow-up
                10
                ·
                4 months ago

                Those websites send you directly to Google, so they no longer have control of the web page when you’re entering your password.

              • Aatube@kbin.melroy.org
                link
                fedilink
                arrow-up
                8
                ·
                4 months ago

                This is why Google sign-in can’t be embedded and uses the password input type for the password type. Most SSOs do this as well.

              • naticus@lemmy.world
                link
                fedilink
                English
                arrow-up
                4
                ·
                4 months ago

                To clarify, websites can’t capture keyboard events that were typed into a different website like you’re thinking. Think of going to a web game that let’s you use WASD for controlling your character. It’s able to capture those events on that page because its in focus. When a site goes out of focus (such as switching tabs or switching to another window that’s not the browser), it loses that ability. Overall, it’s very secure.

                I was more wondering how you thought capturing the mouse movements would lead to security issues.

      • MoonManKipper@lemmy.world
        link
        fedilink
        English
        arrow-up
        12
        ·
        4 months ago

        If you’re using a webpage JavaScript can see your mouse cursor and anything you type. But only if the browser has focus. So if you’re typing in another window it can’t

      • Shadow@lemmy.ca
        link
        fedilink
        arrow-up
        12
        ·
        4 months ago

        Your mouse movement on that page is. Just like if you typed into the page.

        It’s not tracking you in other windows and apps.

      • linearchaos@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        4 months ago

        They can only access it while you’re focused on their webpage. CORS is all about that.

        If you click off to another web page and enter information or type of password into a secondary app they can’t gather that. As soon as they lose focus they lose the ability to capture your data.

        • Septimaeus@infosec.pub
          link
          fedilink
          arrow-up
          2
          ·
          4 months ago

          Nbd, but it sounds like you’re talking about encapsulation of event capture (viewport stops receiving events after losing focus).

          CORS is a protocol for client-side enforcement of a server-side security policy. It ensures that a resource request (e.g. “my-totally-safe-resource.wasm”) only loads from a location your server permits (e.g. “my-valid-origin.biz”, “friends-valid-origin.org”, etc).

      • whoareu@lemmy.ca
        link
        fedilink
        arrow-up
        5
        ·
        4 months ago

        There is a lot of other data available to sites you visit unless you are using some kind of fingerprint protection

      • boatswain@infosec.pub
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        If loaded with pages didn’t have access to keyboard events, you wouldn’t be able to write comments on Lemmy posts. I’m not a front-end guy, but that should be limited to just white the browser is focused.

    • Vince@lemmy.world
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      4 months ago

      Couldn’t I just record my mouse movements clicking on it a couple dozen times and randomly replay one of those recordings?

    • Lucidlethargy@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      This feels only partially accurate. I’m a web developer, and I know websites don’t track all of what you suggest. Can you clarify, or come clean on what actually takes place?

      Honestly, I doubt it… I’m sorry. I don’t mean to be abrasive.