Cloudflare is free of CAPTCHAs; Turnstile is free for everyone (blog.cloudflare.com)
from simple@lemm.ee to technology@lemmy.world on 07 Oct 2023 11:17
https://lemm.ee/post/10659352

I’ve actually noticed this in some websites the past ~two months. It’s neat to have a captcha that finally doesn’t need slowly clicking images to pass through.

#technology

threaded - newest

ayaya@lemdro.id on 07 Oct 2023 12:06 next collapse

I’m not actually sure it’s particularly effective at stopping bots, considering how easy it is to spin up a docker container that can bypass it. Ironically FlareSolverr wasn’t able to solve CAPTCHA so now with them gone it works even better.

Windex007@lemmy.world on 07 Oct 2023 12:23 next collapse

Yeah, I’m pretty skeptical of the premise… it’s looking for browser “abnormalities”? I mean… there wasn’t a strong motivation to correct those abnormalities for bots when it didn’t matter. Now that it does, I just suspect they’ll correct those abnormalities.

Just because the abnormalities were present in the past doesn’t imply that it’s intrinsically more difficult to emulate browser behaviour than it is to defeat captchas. There just hasn’t been a reason to do so up until now.

ryannathans@aussie.zone on 07 Oct 2023 14:15 collapse

Ok so bypass it

verysoft@kbin.social on 07 Oct 2023 12:45 next collapse

I mean it's always going to be an uphill battle, but I'd rather it stop some bots and be easier for me than them making me do a million captchas, that dont even work half the time, that still don't stop many bots.

DogMuffins@discuss.tchncs.de on 07 Oct 2023 12:57 next collapse

I’m curious how easy it would be to bypass with significant volume though?

Like a few requests might get through but it would get fairly easy to detect dozens of requests from the same bot i think?

It’s also doing some “light” proof of work - this would be a PITA if you were trying a bot net attack or something.

httpjames@sh.itjust.works on 07 Oct 2023 16:37 collapse

Nothing can stop 100% of bots. The goal with captchas like Turnstile is to use a significant portion of your resources to the point it’s expensive and slow to perform an attack.

Turnstile runs many background checks on your browser, so headless browsers automatically become futile.

JavaScript PoW challenges are performed that take up multiple seconds of execution time, memory and CPU. This alone is a deterrent because sequential attacks become extremely long to execute.

Concurrent attacks are still unfeasible because Turnstile ups the difficulty if it detects something is up, and receiving requests from thousands of botnet IPs is bound to trip an alarm.

Jaydeep@lemmy.world on 07 Oct 2023 12:12 next collapse

I absolutely hate it, in tachiyomi, it just keeps reloading the page instead of giving me a captcha to solve…

BloodSlut@lemmy.world on 07 Oct 2023 16:29 collapse

Same, I cant get to or log in to multiple sites with Firefox because of this.

It does seem to be able to work if I use a private window, though. So Im not exactly sure what’s causing the issue. Maybe something to do with cookies? But ive messed around with that and havent been able to get anywhere.

FaceDeer@kbin.social on 07 Oct 2023 17:24 collapse

You could check if it's the fault of an extension by launching Firefox in safe mode (shift-click the Firefox icon when launching).

BloodSlut@lemmy.world on 07 Oct 2023 19:10 collapse

Thats a good idea. Ive tried doing it with certain other extensions (content blockers, user agents, script and tracker blockers/modifiers, etc.) disabled but something completely unrelated may be interfering.

nucleative@lemmy.world on 07 Oct 2023 14:08 next collapse

Getting sick of these strange new hCaptchas. Click the thing that’s only appearing once? Click I this exact order 😱🥺😅😂🤞. Click the stadiums from SimCity?!? Hopefully websites switch to turnstile fast.

kadu@lemmy.world on 07 Oct 2023 14:45 next collapse

I fail hCaptcha a surprising number of times, and I’m sure it’s actually doing that on purpose so we help it label more images for AI training.

It’s like “select all flowers” and then you have 7 AI generated horses, and one AI generated flower. I pick the flower and “try again!” with a new set of images.

nucleative@lemmy.world on 07 Oct 2023 15:52 collapse

Yeah. Its better than reCaptcha - do I click those 3 pixels of the traffic signal it not!?! - but it’s still an obstacle that dimenishes the experience.

elouboub@kbin.social on 07 Oct 2023 15:08 collapse

Wow, people will complain about literally anything. "I hate Google's Recaptcha" --> hCaptcha. "I hate hCaptcha" --> turnstile. Inevitably it'll be "I hate turnstile".

nucleative@lemmy.world on 07 Oct 2023 15:55 collapse

Yes. Obstacles on the pathway to what I’m clicking in to are obnoxious. Hopefully turnstile isn’t an obstacle.

Saik0Shinigami@lemmy.saik0.com on 07 Oct 2023 18:01 collapse

And websites the have to protect access to their resources. You don’t have an innate right to unimpeded access to someone else’s server.

smileyhead@discuss.tchncs.de on 09 Oct 2023 18:05 collapse

Don’t like it.

I use VPNs, Tor and nonpopular browsers and I need to have a way to proof I am not a robot other than staying in the crowd.