Cloudflare MITMs a good portion of internet traffic. They can even see inside SSL tunnels for most websites you visit. It’s an absolute privacy nightmare.
How does any of this fit into the reality that you can pay $1 per 1000 captchas for a real, actual human to solve them? It seems like so much effort is put into this cat&mouse narrative with bot makers, ignoring the reality that sometimes labour is actually much cheaper.
It’s about creating at least a small barrier for not very motivated people.
If a script kiddie wants to create a couple accounts and spam a bit, paying for and integrating such a service might just discourage them from actually taking the time.
Just a small cost if you’re dedicated though, for sure
I just tested my favourite Cloudflare-blocked site and it still hangs on “verifying the security of your connection” in my fingerprinting-resistant browser profile.
Yeah I get infinite loops on half the Internet. It’s infuriating and should be illegal for them to deny me as a customer just because they can’t track me.
Second, we find that a few privacy-focused users often ask their browsers to go beyond standard practices to preserve their anonymity. This includes changing their user-agent (something bots will do to evade detection as well), and preventing third-party scripts from executing entirely. Issues caused by this behavior can now be displayed clearly in a Turnstile widget, so those users can immediately understand the issue and make a conscientious choice about whether they want to allow their browser to pass a challenge.
Those of you that browse the internet with JS disabled (e.g. using NoScript), the time of reckoning has finally come. A huge swath of the internet will no longer be accessible without enabling JavaScript.
As a web developer who’s worked in the industry for 16 years, every snowflake requiring me to work harder to support their “choices” is just an annoyance. I get wanting to reduce tracking etc, but in all honesty, the 0.0X% of users running tons of blockers and JS off are in reality just easier to track, in comparison to hiding in the mass of regular users who might be running an ad blocker (or nothing).
As long as your browser is making requests, you’ll never be invisible.
The change needs to come from regulation level imho.
It’s great you can do it and you’re free to, but not using javascript often means revamping the whole codebase and making everything 5x more complicated.
For Turnstile, the actual act of checking a box isn’t important, it’s the background data we’re analyzing while the box is checked that matters. We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it’s an actual browser.
But… lots of bots are made with RPAs… with actual browsers, interface emulating human interaction. Sounds like a response to proton.me/blog/proton-captcha