Cloudflare's invisible CAPTCHA works by probing browsers with JavaScript Cloudflare has begun a public beta test of a CAPTCHA alternative that runs quietly in the background to automatically determine if the webpage visitor is an actual human. Its goal is to allow netizens to avoid having to complete those tedious prove-you're-not-a-bot tests on websites. The widget is dubbed Turnstile, and is …
So long as it runs on the device and only the token is returned to Cloudflare that's fine. If it is sending a bunch of information for them to determine whether you're a human or not this is no better than CAPTCHAs that turn humans into Google's slaves forcing them to work on their image recognition.
It looks like it might be OK, and PAT is an open source standard so could be adopted by others but I'd like to learn more about it because the devil is in the details. Here's what I found so far: https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/
It adds more points of communication so it would slow things down, but at least this is something that is only done once and most sites won't care about it at all (i.e. only for stuff where they are currently using CAPTCHAs)
This isn't a good long term solution, and will not be immune to spoofing, false positives, false negatives, and all of the problems that plague CAPTCHAs and browser fingerprinting. The description of how it operates also makes me want to hate it. I have seen pages using the more intrusive versions of Cloudflares screening scripts, and they can delay page loads by seconds.
Every version of this idea has been a plague to users that run a tightened up browser config, use a cookie manager, or have their browser set to dump the cache on reloads. In addition, it's going to mean hassles for users on VMs and other platforms that the ad fraud gangs use, and that list will just expand as the fraudsters realize they are blocked and adapt.
Architecturally there is nothing here that will block them from making a counter move, so it's just another twist in the endless game of whack-a-mole.
Serving a fake postal site asking for your credit card? Don't care. Serving stores selling fake or illegal drugs? Don't care. Spam click-through loggers, key loggers, PI loggers, credit card loggers, command and control systems... Don't care. They're not the Internet police!
A bot viewing an advertisement? A bot polluting a credit card logger? Throws all resources at blocking and policing those data patterns. Deploys invasive checkpoints for visitors. Adds tracking cookies for monitoring access patterns.
I can understand requiring some sort of evidence you're human before allowing you to sign up for an account ("When that user subsequently tries to do anything on the website – such as log in, search, or sign-up – the token can be presented to the site to confirm there isn't a bot at play"), but less-so for logins, and not for searches.
For any given user, signing-up is a relatively rare event; I don't mind the occasional xCAPTCHA. How much CPU does this new method use? Many people browse from low-CPU-power devices.
> but less-so for logins
Indeed, if I have created an account (and probably proven at that time I'm not a bot) I don't see why any further interaction with that site should entail a CAPTCHA of any kind.
Website developers remember, creating an account is not just a marketing data harvesting operation, it's actually supposed to henceforth indicate you're a known, identified person.
The irony of being rejected by a bot for not proving my humanity never ceases to amuse.
I work on the assumption that the spammers et al will continue to work around these new obstacles within days of their being erected and so it's clearly the explicit *intention* of those who put them up to annoy their legitimate customers.
It's basically like how, whenever you walk into a supermarket, the security guard jumps up and slams a hood over your face until you've been probed and formally identified. And confirmed that you like it.
(the internet is a big place).
Cornwall council tell me that I MUST verify voting information every year and they give a convenient link to do this. Stupidly not only do I need to enter password and keyphrase I must also do a captcha with US based themes. I have told them this is stupid as they are sending this request to a verified email address.
What are trying to guard against? A bot that registers 50 new voters.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
