this post was submitted on 07 Oct 2023
230 points (97.1% liked)

Technology

59299 readers
5449 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

I've actually noticed this in some websites the past ~two months. It's neat to have a captcha that finally doesn't need slowly clicking images to pass through.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 50 points 1 year ago* (last edited 1 year ago) (4 children)

I'm not actually sure it's particularly effective at stopping bots, considering how easy it is to spin up a docker container that can bypass it. Ironically FlareSolverr wasn't able to solve CAPTCHA so now with them gone it works even better.

[–] [email protected] 26 points 1 year ago (1 children)

Yeah, I'm pretty skeptical of the premise... it's looking for browser "abnormalities"? I mean... there wasn't a strong motivation to correct those abnormalities for bots when it didn't matter. Now that it does, I just suspect they'll correct those abnormalities.

Just because the abnormalities were present in the past doesn't imply that it's intrinsically more difficult to emulate browser behaviour than it is to defeat captchas. There just hasn't been a reason to do so up until now.

[–] [email protected] 2 points 1 year ago

Ok so bypass it

[–] [email protected] 12 points 1 year ago

Nothing can stop 100% of bots. The goal with captchas like Turnstile is to use a significant portion of your resources to the point it's expensive and slow to perform an attack.

Turnstile runs many background checks on your browser, so headless browsers automatically become futile.

JavaScript PoW challenges are performed that take up multiple seconds of execution time, memory and CPU. This alone is a deterrent because sequential attacks become extremely long to execute.

Concurrent attacks are still unfeasible because Turnstile ups the difficulty if it detects something is up, and receiving requests from thousands of botnet IPs is bound to trip an alarm.

[–] [email protected] 11 points 1 year ago

I'm curious how easy it would be to bypass with significant volume though?

Like a few requests might get through but it would get fairly easy to detect dozens of requests from the same bot i think?

It's also doing some "light" proof of work - this would be a PITA if you were trying a bot net attack or something.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago)

I mean it's always going to be an uphill battle, but I'd rather it stop some bots and be easier for me than them making me do a million captchas, that dont even work half the time, that still don't stop many bots.