Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
The Internet

Cloudflare Wants To Kill the CAPTCHA (zdnet.com) 106

An anonymous reader quotes a report from ZDNet: Cloudflare is testing out the possibility of security keys replacing one of the most irritating aspects of web browsing: the CAPTCHA. CAPTCHAs are used to catch out bots that are trawling websites and are often implemented to prevent online services from being abused. "CAPTCHAs are effectively businesses putting friction in front of their users, and as anyone who has managed a high-performing online business will tell you, it's not something you want to do unless you have no choice," Cloudflare says.

To highlight the amount of time lost to these tests, Cloudflare said that based on calculations of an average of 32 seconds to complete a CAPTCHA, one test being performed every 10 days, and 4.6 billion internet users worldwide, roughly "500 human years [are] wasted every single day -- just for us to prove our humanity." On Thursday, Cloudflare research engineer Thibault Meunier said in a blog post that the company was "launching an experiment to end this madness" and get rid of CAPTCHAs completely. The means to do so? Using security keys as a way to prove we are human.

According to Meunier, Cloudflare is going to start with trusted security keys -- such as the YubiKey range, HyperFIDO keys, and Thetis FIDO U2F keys -- and use these physical authentication devices as a "cryptographic attestation of personhood." This is how it works: A user is challenged on a website, the user clicks a button along the lines of "I am human," and is then prompted to use a security device to prove themselves. A hardware security key is then plugged into their PC or tapped on a mobile device to provide a signature -- using wireless NFC in the latter example -- and a cryptographic attestation is then sent to the challenging website. Cloudflare says the test takes no more than three clicks and an average of five seconds -- potentially a vast improvement on the CAPTCHA's average of 32 seconds.
You can access cloudflarechallenge.com to try out the system.
This discussion has been archived. No new comments can be posted.

Cloudflare Wants To Kill the CAPTCHA

Comments Filter:
  • Absolutely Fuck No (Score:5, Insightful)

    by lessSockMorePuppet ( 6778792 ) on Saturday May 15, 2021 @08:06AM (#61387078) Homepage

    These will have to be tied to a *known* physical human in order to work. That means tracking everyone, everywhere, at all times.

    • Well put.
    • by Entrope ( 68843 )

      It could be -- and should be -- done independently for each entity that wants to confirm personhood. Then the pseudo-randomly generated FIDO key is unique to that entity's web site, and it only confirms that the user is a repeat visitor.

      If the personhood testing is done by a central authority, it does have the privacy flaw you mention.

      • That's what we call a Hard Problem.

        We've tried to solve this a lot of ways:

        a) Interrogative tests: CAPTCHAs
        b) Economic: Bitcoin is literally the offshoot of HashCash, an anti-spam/anti-bot solution predicated on the idea that a real human could afford to pay a few pennies of electricity to prove their humanity, but it would be too expensive en-masse.
        c) Humans: Use humans backed by lethal force to enforce the distribution and validation of ID documents

        So far, CAPTCHAs are the least damaging solution environm

        • by Entrope ( 68843 )

          If the key is used as a shortcut to prove that "you" passed a CAPTCHA, what makes it a hard problem? The obvious attack on this protocol is to spend more resources so that bots can pass a CAPTCHA, by having either real people or better AIs to answer the CAPTCHA with a bot in the middle presenting its private key instead of an actual security key. Then the attacker could have bots use that key until they need to pass a CAPTCHA again.

          That kind of attack can be mitigated by checking that the key being used i

          • The hard problem is "cryptographic attestation of personhood."

            Your solutions all boil down to falling back on either the options A or C that I listed, making this essentially just another layer of shit to click through, as well as being highly-invasive.

            • by Entrope ( 68843 )

              None of your options provide "cryptographic attestation of personhood". And you still haven't addressed the fact that an inherent part of FIDO's design is the non-associativity between different keys generated by the same source token. Your only basis for saying this is "highly invasive" is if someone uses a centralized agent to tell PCs and humans apart -- as I pointed out in my earlier comment, there is no really good reason for that.

              • Cryptographic attestation is the part that follows. You need a mechanism to determine personhood.

                Are you really so dense? Do you even KNOW what "attestation" means? Have you ever met with a notary public? A human, endowed by the government, backed with lethal force, to attest that you are who you say you are (or some other thing that needs notarizing, but that's the common case).

                • Let us pretend you are a liquorice lover who wants to use a service called Lacebook. The TOS says you have to use your real name, address, phone number and email address. So, Lacebook sends you a postcard to your address with a code, an SMS code to verify your number, an email confirmation link and checks the contact name on other Lacebook users phones to make sure your name roughly matches (they call this AI). Lacebook is huge so this is easy for them to do.

                  Now, for smaller concerns (which make up the
                  • The goal is only to verify that you have access to a physical address, telephone number, email

                    The problem comes when not only a telephone number but a unique telephone number offering a particular service on top of voice. A lot of households don't have a separate number for each person; instead, they have a single telephone that more than one person in the household shares. Several websites are programmed under the assumption that sharing a number implies that that one person is impersonating another person in the same household. In addition, I've found carriers that charge more per month for servic

          • That kind of attack can be mitigated by checking that the key being used is associated with a "similar enough" browser and IP address to ones that are linked with the actual user, and independently by rate limits and other reputation scoring approaches. If key X gets re-used within a second, it almost certainly isn't because a real person is in charge. If key X gets repeatedly used to post spammy content, it doesn't matter if that is posted by a person or a bot -- block them.

            This scheme is completely unworkable no matter how you slice it. The FIDO batch sizes are 100k keys. A single IP for all anyone knows can be a thousand clients behind a corporate firewall all using keys from a single company wide bulk purchase.

            Spammers have an infinite supply of IP addresses at their disposal and the industry has summarily failed to get anywhere on the IP / browser characteristics front.

            It does not seem reasonable to believe adding yet another identifier anyone who wants one can purchase

    • by Kisai ( 213879 )

      Yep. Considering how many piracy and CP sites cloudflare protects, only an idiot would use this.

      Or you know, Cloudflare could start vetting using humans the sites they accept and take reports seriously instead of handing victims contact information to criminals.

    • by Applehu Akbar ( 2968043 ) on Saturday May 15, 2021 @09:33AM (#61387280)

      Tracking is perceived as a threat much more by some people than by others.

      In my area we have a large cohort of the high-end retired, who have money to spend on the latest tech that they have difficulty keeping up with. Their biggest single problem in computer interaction is handling authentication. It's not easy to get people to do something as simple as keeping track of passwords. Everybody has a messy list of logons, but hardly anyone can keep straight which logons apply to which services, so when a commonly-accessed site locks them out because they have entered their Apple ID password too many times instead of their Gmail password, they are tossed into the even more chaotic mess of password recovery. This is where CAPTCHAs come in. Which fuzzy blobs can old eyes interpret as boats? Is that a 7 or an intentionally extraneous line in the picture? As bots get smarter, the CAPTCHAs keep getting worse.

      A physical key, to be inserted into a USB port, would be salvation to these unfortunates. It doesn't have to be a replacement for passwords, but a way of simplifying the process of personal identification for password recovery. People in this demographic are used to keeping track of keys, and at their age they don't care about it being a personal identifier that facilitates tracking. The would treat it as a plug-in driver license.

      • by lessSockMorePuppet ( 6778792 ) on Saturday May 15, 2021 @09:42AM (#61387304) Homepage

        Your argument is essentially correct. I have no disagreements whatever at all. What follows is my opinion, and not any sort of factual information:

        However, for those of us who want to protect our privacy because of the long-term consequences, having our neighbors roll over for convenience in the short-term is a problem. Your hypothetical person is gonna be dead in a year and doesn't care anyway.

        It's more "Fuck You, Got Mine". It's the same thinking that, as long as all the consequences land on someone else, it's OK.

        • Which is another way of saying that when computers became mainstream, the tech pros all got screwed.

          People can call me a dinosaur all they want, but I long for the days when computers were tools... and the users weren't.

      • A physical key, to be inserted into a USB port

        I see someone trying to create a market for USB keys. How much will they cost, and will they provide a USB pass-through for people who don't have an infinite number of USB ports? This does not seem valuable enough for me to want to remove my keyboard, mouse, printer, scanner, phone, et al to access it.

        • Agreed that, given that the battle between safecrackers and locksmiths is eternal, an NFC secure enclave would be safer than a USB key right now. But because not a large number of people have devices with this feature yet, a USB key is a decent massmarket starting point.

          • But because not a large number of people have devices with this feature

            And hopefully never will. We need more sandin the gears of a smoothly operating security state, not less.

            Isn't Secure Enclave an Apple trademark?

          • by Bengie ( 1121981 )
            My $10 yubikey Blue Security Key is both USB and NFC. And it is a secure enclave, do I don't quite get what you mean by that.
    • by Entrope ( 68843 )

      These will have to be tied to a *known* physical human in order to work.

      This isn't what the article is about. This isn't what CloudFlare is doing. Please stop muddying this.

      • It's funny that people think there is the money to do identity verification broadly, especially when captcha is for sites that you're not giving payment details to.

    • by rnturn ( 11092 )

      Plus, the bit of hardware that you have to carry everywhere you go. Oh, did you lose it? No web for you. All it'll cost you is the low, low price of having to jump through an intricate set of hoops to re-establish your identity. Plus the cost of the replacement hardware. Someone has plans to make money selling us the hardware keys (one for my desktop/laptop and another that I'll need for my phone) that this scheme will require. I'd just as soon revert back to a flip phone than be forced to carry one of thes

      • by Entrope ( 68843 )

        Cloudflare's mechanism doesn't care about your identity. It cares about the provenance of a physical security key that requires touch for activation. They ask for a public key with a certificate chain tracing back to trusted manufacturers. They could in theory track re-use of that public key, although they claim they don't track it. But all they really need is a security key that cryptographically says it was made by certain manufacturers, who Cloudflare trusts to implement the human interaction bit rel

        • Cloudflare's mechanism doesn't care about your identity. It cares about the provenance of a physical security key that requires touch for activation. They ask for a public key with a certificate chain tracing back to trusted manufacturers. They could in theory track re-use of that public key, although they claim they don't track it. But all they really need is a security key that cryptographically says it was made by certain manufacturers, who Cloudflare trusts to implement the human interaction bit reliably.

          Cloudflares mechanism doesn't care about anything useful given anyone with a few dollars can buy a key.

          If kids are smart enough to place heavy things on top of game controllers to farm xp while they sleep it's safe to assume spammers are smart enough to find a way to automate pushing a button.

    • Hear, hear, THIS. It'll be just an ironclad way for people to have all their activity tracked on the internet. Screw that! CAPTCHAs are fine the way they are, screw you Cloudflare.
    • by ceoyoyo ( 59147 )

      They would be, but don't have to be. You could associate a key with a human by doing some kind of captcha once, then just use the key. It would still be great for tracking though.

      I don't see how either version works any better than some kind of sign on.

    • by Bengie ( 1121981 )
      The /. summary is missing some key information. /pun This process is done only using the attestation API. The fingerprint of your private device is not sent, only the batch key. In the case of yubico, a batch is 100,000 keys in size. Your identifier will be shared with 100,000 other devices. Couples with your IP location, I'm sure they can track you quite well, but there are plenty of other ways to track a person. Anti-tracking addons are a great way to track someone. The irony.
    • Firefox has an option to anonymize the WebAuthn/U2F information that it sends to the remote server. I tried doing that, and my anonymized key failed the Cloudflare Challenge. From reading the article, I think it's because I didn't disclose my device attestation. Can anyone explain to someone who's only halfway-decent at understanding crypto?
  • Better Description (Score:2, Insightful)

    by Anonymous Coward

    Cloudflare works with US intelligence agencies to establish world-wide warrantless tracking that you can't effectively opt out of.

  • If anything, people who manage to bypass captcha will be fine with having to simulate random cryptographic keys (which, btw, will be a nice thing for actual humans too, to avoid being identified through their actual physical key).
    • by ceoyoyo ( 59147 )

      I don't think there's anything special about a FIDO key. It's just a bit of code that does challenge-response authentication using regular old public key cryptography. It's an open standard too.

      Looks like there are a few emulators available:
      https://github.com/bodik/soft-... [github.com]

      • by Bengie ( 1121981 )
        This is what the "attestation" is about. Part of FIDO2 is that companies can put a signing key on the device. My yubikey has a secret key from yubikey that is signed by a root key from yubikey. Because this key is kept in a secure location of the device, you can't access it. This means your public key is effectively signed by yubico even though yubico does not have access to your secret.

        Cloudflare is saying that they can create an allow list so that only yubikey security keys will work. Or in this case, a
  • How convenient. (Score:4, Insightful)

    by h33t l4x0r ( 4107715 ) on Saturday May 15, 2021 @08:17AM (#61387094)
    So Cloudflare wants to be the ultimate arbiter of who is a bot or not. Sounds cool. Oh wait, I also notice that they like giving out free ssl certs. Which encrypt traffic halfway (from client to coudflare edge) but not edge to origin. This is traditionally referred to as a man-in-the-middle attack. Also cool, I guess?

    Now let's just consider the endgame where cloudflare can not only read all encrypted traffic for any website that uses them (for DNS), but also can identify every individual client by their key. I hope I'm not the only one who thinks this is fucked up.
    • Re: How convenient. (Score:5, Informative)

      by AcidFnTonic ( 791034 ) on Saturday May 15, 2021 @08:37AM (#61387132) Homepage

      Wait until you figure out that pretty much everybody big does this. Hell I helped set it up in 2007 when doing a data center migration. It's called SSL termination, and it basically lets the network manage the traffic better. Load balancers are able to see stateful identifiers so that they can send your traffic back to the right server on the inside of the data center. If it was an encrypted blob there would be no way to do that.

      Traffic is also able to be logged sure, nothing really is different than if they terminate SSL on the actual server or if they terminate it at a router so a load balancer can effectively route traffic, either way they can terminate it which means they have the damn key, they could have just saved the encrypted stream off of a span port along with the keys and you'd still be none the wiser using the Cisco lawful intercept MIB.

      I miss on this site was for actual nerds that knew actual things.

      • I'm talking about every jerk-off with a wordpress website. People who clearly do not understand the security implication.
      • by mvdwege ( 243851 )

        Passthrough SSL exists. And although it is harder to do, it can be load-balanced. So it's not as black-and-white as you assert.

    • Re:How convenient. (Score:4, Informative)

      by cascadingstylesheet ( 140919 ) on Saturday May 15, 2021 @09:19AM (#61387230) Journal

      Oh wait, I also notice that they like giving out free ssl certs. Which encrypt traffic halfway (from client to coudflare edge) but not edge to origin. This is traditionally referred to as a man-in-the-middle attack. Also cool, I guess?

      Um, what? If the origin server has an SSL, and if traffic is forced to SSL (trivial, and everyone should set it up that way), then edge to origin is indeed encrypted.

      Whatever other issues there may be, that ain't one.

      • Um, what? If the origin server has an SSL, and if traffic is forced to SSL (trivial, and everyone should set it up that way), then edge to origin is indeed encrypted.

        Whatever other issues there may be, that ain't one.

        The general problem with the proxy schemes as they tend to be implemented is insufficient authentication of the proxy providers to web servers. Without sufficient authentication a number of issues arise such as additional opportunities to spoof source address and bypass client authentication.

      • by lsllll ( 830002 )

        Um, what? If the origin server has an SSL, and if traffic is forced to SSL (trivial, and everyone should set it up that way), then edge to origin is indeed encrypted.

        Except the part of their server sitting in the middle, decrypting your "SSL" connection (since they gave you the certificate), inspecting it or forwarding it to government agencies and advertisers, and then establishing an SSL connection to the origin and forwarding your packet to them, too.

        • Um, what? If the origin server has an SSL, and if traffic is forced to SSL (trivial, and everyone should set it up that way), then edge to origin is indeed encrypted.

          Except the part of their server sitting in the middle, decrypting your "SSL" connection (since they gave you the certificate), inspecting it or forwarding it to government agencies and advertisers, and then establishing an SSL connection to the origin and forwarding your packet to them, too.

          They could hardly cache your content without doing this (having acess to it, that is). You have agreed to let them do it. Presumably you trust them, or trust them enough, to have agreed.

    • So Cloudflare wants to be the ultimate arbiter of who is a bot or not. Sounds cool. Oh wait, I also notice that they like giving out free ssl certs. Which encrypt traffic halfway (from client to coudflare edge) but not edge to origin. This is traditionally referred to as a man-in-the-middle attack. Also cool, I guess? Now let's just consider the endgame where cloudflare can not only read all encrypted traffic for any website that uses them (for DNS), but also can identify every individual client by their key. I hope I'm not the only one who thinks this is fucked up.

      You're hypothetically correct. I think you underestimate how much traffic CloudFlare handles. They "could" save your info and track you. However, that is mega-fucking-expensive. Relax, your divorce attorney won't have access to your search history. That's so much data and costs so much money, it is prohibitively expensive. They would fill up a data center's worth of hard drives in an hour or so.

      I've done similar work in the past. You break every known database very quickly, even with sampling an

  • by Baron_Yam ( 643147 ) on Saturday May 15, 2021 @08:18AM (#61387096)

    I'm going to carry around a hardware security token just so I can surf the web?

    Sure I am. And I live on a mega-yaght surrounded by hot young co-eds who are constantly fellating me.

    Far more likely is that I will skip any website that has this new barrier in my way, and people who want to get site visits will migrate away from hosts who require it.

    • > Sure I am. And I live on a mega-yaght surrounded by hot young co-eds who are constantly fellating me

      Is that you Bezos?? Just heard you got yourself a mega-yacht

      • by Luckyo ( 1726890 )

        Bezos isn't getting fellated by co-eds but by young promising actresses, and not just on his mega-yacht but anywhere he wants. It's an open secret in the relevant circles that he purchased a major talent company or some such specifically so he could have his pick whenever he wanted.

        Co-eds on a mega-yacht is more of a "top level executive" stuff, not richest man in the world.

    • You don't need a fancy Yubico device to take advantage of this anymore. I bought a cheap U2F key on Amazon for less than $25. Heck, I can even unlock my Linux desktop with it.
  • by wakeboarder ( 2695839 ) on Saturday May 15, 2021 @08:18AM (#61387098)

    A security device? What no software solution?

    A hardware solution! You can do better than that cloud flare.

    How do you plan on handing out billions of NFC devices for existing PCs?

    And what about "oh wait, you can't access this website yet... Wait to we mail you your key"

    Not to mention there will be significant time wasted
    distributing keys

    Oh you want to download that security update on your remote server? To bad we couldn't verify that you are a person

    • by Bengie ( 1121981 )
      They do have a software solution. People hate it and no one can think of a better one that actually works.
  • by xack ( 5304745 ) on Saturday May 15, 2021 @08:24AM (#61387110)
    Just as spammers buy hundreds of cheap phones to get past phone verification on sites i can see farms of security keys being set up. USB hubs combined with raspberry pis or nucs will be easy to farm.
  • by Roadmaster ( 96317 ) on Saturday May 15, 2021 @08:41AM (#61387142) Homepage Journal

    Fido2 and webauthn are protocols, nothing in them dictates the device has to be a physical key. Itâ(TM)s possible to implement the entire thing in software which totally nullifies the concept behind this. Iâ(TM)m actually surprised the idiots as cloud flare havenâ(TM)t foreseen this possibility.

    I mean, of course the webauthn request can specify it requires a hardware key (which translates to biometrics-unlocked TPM if youâ(TM)re using a mobile device that supports that) but this is enforced by the browser, and given enough motivation someone could modify the browsers code so it ignores that requirement and just returns a signed reply automatically. No human involved

    This is a terrible idea but it probably doesnâ(TM)t matter because itâ(TM)s technically wrong so will probably fail on its own.

    • by Bengie ( 1121981 )
      Good luck getting yubico's private key to sign those. You missed the attestation part. Each yubikey contains a private key that is signed by yubico back at the factory, and this key signed your randomly generated key. Since you can't access any of the keys on the device, yubico's private key won't get leaked, and your random private key can be signed by yubico without them ever having access to your secret.

      Cloudflare is saying that will will check the signature of your key to make sure that it is from a c
      • The only way past this is to buy a bunch of yubikeys or of the other brands that they've allowed.

        What sort of antitrust issues might the selection of brands raise?

  • by Anonymous Coward

    Most browsing is done on mobile phones and tablets now.

    Where are you going to plug in this alleged "identify you as a human but not a specific human" device?

    And who's going to buy this explanation on their blog post that says the security key identifiers are batch-specific and not person-specifc?

    • Modern keys support nfc for contactless verification. Also, the phone itself can be used as an authentication device, with the private key residing in the phoneâs TPM and unlocked by biometrics (fingerprint or face scan).

      The solution is technically unsound for other reasons but the authentication bits of it actually work almost anywhere nowadays.

  • by thegarbz ( 1787294 ) on Saturday May 15, 2021 @09:15AM (#61387220)

    We've been solving CAPTCHAs for years, yet somehow Cloudflare decides to abandon Google and roll their own in the most complicated and outright broken fashion.

    Google example (Pick the image with a car):
    - 3 pictures with cars in it.
    - 6 pictures of random stuff like store fronts, or empty streets and nothing ever resembling a car. It's always 3 and 6 so you know when you got them all.

    Cloudflare example (Pick the image with a car):
    - 1 picture with a car
    - 1 picture with the bonnet of what may be a car. How much car did it want?
    - 2 pictures of a dashboard, are they a car, could be a bus?
    - 2 pictures of pickups, wait are they cars? They are here, but I think Americans call those trucks.
    - 1 picture of a tail light. Does it belong to a car? Does it belong to a frigging train? Who the f*** knows.
    - 1 picture with a wheel. How big is the wheel? Can someone get a ruler? I want to know if that wheel is on an actual car or a gokart!
    - 3 pictures of random shit that are to break the mold, definitely not cars.

    Oh and there's never a consistent number of right answers.

    My personal favourite however are the ones where they show you rooms and ask, is this:
    - a photograph of a room
    - a 3d rendering of a room
    - a drawing of a room
    - not a room at all.

    And they are my favourite because Cloudflare doesn't have the answer in their database. Just pick anything and move one. They are also about the only damn Cloudflare CAPTCHAs that are beatable on the first go, and only because they are broken.

    Cloudflare, how did you screw this up!

    • by lessSockMorePuppet ( 6778792 ) on Saturday May 15, 2021 @09:19AM (#61387232) Homepage

      CAPTCHAs using the "click all the boxes containing" are fundamentally broken. If you show me three traffic lights, but spread them across 6 boxes, and then reject my answer, your CAPTCHA is actually wrong.. so instead, I only click boxes that are mostly occupied, even is 1/3 of the object is in another box.

      Since we have to pretend to be as stupid as computers to prove our humanity... my brain hurts now.

      • My guess as to why Google’s captchas are so terrible is that the correct answers are created by a “Family Feud”-style algorithm. So, if the majority of people are clicking on the 1/60th of a stop sign that is in one of the boxes, you have to as well, or you will fail the test.

        Personally, I think Google should allow users to flag individual captchas for poor quality and ambiguous images.

      • And that isn't actually a problem since Google accepts both as the correct answer. That doesn't make them fundamentally broken.

        • by lessSockMorePuppet ( 6778792 ) on Saturday May 15, 2021 @10:38AM (#61387502) Homepage

          I said rejected.

          I've had so many frigging CAPTCHAs rejected for clicking two boxes, where a traffic light was split between them, roughly evenly in many cases, and it was rejected.

          You said it accepted them but I continue to experience this issue with CAPTCHAs.

          • by trawg ( 308495 )

            When you say rejected, you mean you were cast out at that point? Or that it showed you another CAPTCHA?

            I have had problems similar to what you've described where it is completely ambiguous about what they want and I've hesitated before submitting. But (at least with Google reCAPTCHA and hCAPTCHA) I don't recall every being denied access - what /does/ happen regularly though is I just get a second CAPTCHA to complete.

            I have interpreted this as I got the first one mostly right, but maybe not right enough, so

    • And they are my favourite because Cloudflare doesn't have the answer in their database. Just pick anything and move one. They are also about the only damn Cloudflare CAPTCHAs that are beatable on the first go, and only because they are broken.

      Those aren't broken, they're "crowdsourcing" their ML database. Everyone's input is recorded and used to determine what the picture actually "is." Which is what leads to results such as motorcycles and bicycles being considered the same thing, or mailboxes and traffic lights, or crosswalks and stairs, etc.

      • Which means for the purpose of a CAPTCHA they are broken.

        You can't say they aren't broken, and then list precisely the way in which it is broken.

    • by Reziac ( 43301 ) *

      Effing reCAPTCHA (isn't that Google's?) always shows me something like your Cloudflare example, and most of the time will not pass me through UNLESS I'm using Chrome, then it may skip the test altogether and just let me check the box. It almost never lets SeaMonkey pass. This happens even with the non-obscure ones and obviously-correct choices. (Not just 3 boxes, either.)

      Friend has a video showing the damn thing rejecting him and Firefox almost 30 times before he finally gave up. I'm told it sometimes just

  • The same people "trusted" with records of most Firefox users browsing history either don't seem to understand spammers are just as capable of getting their hands on keys available to billions as they are IP addresses to spam from or they are not being honest.

    If privacy claims are true any attempt to block keys belonging to spammers blocks some 100k other users. Without even getting into the obvious issues the scheme itself is idiotic.

  • by QuietLagoon ( 813062 ) on Saturday May 15, 2021 @09:28AM (#61387266)
    ... to analyze the characteristics of an unknown browser for tracking purposes. Why else might google be so heavily involved in them? How much data about the user does a site turn over to google when the google CAPTCHA is used?
  • Do you want to value my time?
    Do you really think my time is important?
    Then remove/kill completely CAPTCHAs and DO NOT replace it with nothing.

    This security key compromises my security.

    TFA even acknowledges it:

    Designing a challenge asking users to prove they are in control of a key from a certain manufacturer comes with a privacy and security challenge.

    Associate a unique ID to your key: YES**

    **This would require that we set a separate and distinct cookie to track your key. This is antithetical to privacy on the Internet, and to the goals of this project.

    In other words, not only I will still wasting my time, because it takes according to them 5 seconds to go through authentication, but now I have to have a device and compromise my own security.

    Bottom line, this is bullshit.

    I really like the rational explanation to as why to kill CAPTCHAs

    • by tepples ( 727027 )

      I'm interested in what you'd prefer to replace CAPTCHA as a way for website operators to deter mass registration on websites for the purpose of high-frequency off-topic posting.

  • Sorry you missed one! It pisses me off when the pictures are fuzzy and it might be a streetlight, but it's more the arm that holds out the streetlight.... Just let me in!
  • A hardware device, which I'm sure won't be sold at a profit by Cloudfare and a few "trusted associates" whose board members just happen to play golf (er, sorry, this is Silicon Valley - make that "frolf") with the board members on Cloudfare.

    A hardware device, which is almost certainly going to be a unique identifier. Who needs cookie-tracking or Google's FLoC when you get a free unique identifier for every visitor from your friends at Cloudfare?

    A hardware device, which can get lost, stolen, or just plain br

    • by Bengie ( 1121981 )

      Can I leave the device in a USB slot?

      Yes. I leave my yubikey nano in 24/7. Used to decrypt my harddrive and passwordless login to my computer.

      Then what's keeping me in the same room as I send these "human" requests?

      They require physical interaction with the hardware device. Do you even know what a yubikey is?

      A hardware device, which can get lost, stolen, or just plain broken

      I have it on my keychain, I can't get into my house or car if lost of stolen. Very difficult to break. Why you have a backup. I don't think you noticed that they're talking about using this as a CAPTCHA replacement, not actual authentication. They're effective abusing the fact that this form of authentication c

      • They require physical interaction with the hardware device. Do you even know what a yubikey is?

        Do you even know what a microswitch is? Ten minutes with a Raspberry Pi and a soldering iron and I'll be shorting that switch from console commands like your weird yuppie uncle clapping in the evening to turn the bedroom lights on.

        They don't care about anything other than the response is signed by a manufacturer that has proper security keys that can't be easily hacked.

        Yeah, and the NIST just wanted to make sure everyone was using the bestest and coolest Q number for FIPS 140-2 compliance.

        • by Bengie ( 1121981 )
          Now that I got to sleep on it, I realized a few things.

          1. If you can automate touch, you can also reset the key and make a identifier
          2. You can just place it on an NFC reader. The key assumes physical interaction with NFC.

          The only saving grace is probably how slow these are. Compared to a fully software setup, the only way to scale up is purchasing more keys.
  • I don't see how this would be any easier, or any less annoying than a CAPTCHA. Indeed it seems worse, and more intrusive.

  • I just have them send me stuff on paper in the mail, and I return it on paper in the mail. It takes less time to scan and ocr the paper than it does to deal with the websites.

  • All of the keys have a contact pad which detects being touched. It's trivial to wire that to something like a Raspberry Pi Zero (or even a FTDI USB-to-serial/GPIO chip) with a resistor, and touch it whenever you want.

    Some of the software I use requires key touches periodically. I can confirm this works well. And if my high school kid can set up a Pi to blink LEDs for his physics class, anyone with a profit motive can set up a bank of them which pretend to be human.

    The only way this would work is if you'r

    • Even if the touch part is automated, there's still the biggest hurdle: you can identify which responses came from the same hardware key even if you can't identify the user that key belongs to. As soon as Cloudflare identifies a hardware key as belonging to a bot, it can blacklist that key and that bot instance becomes useless. That forces the botters to keep buying new hardware keys on a regular basis, Their business model depends on high volume and trivial cost, that added cost will destroy their profit ma

      • Even if the touch part is automated, there's still the biggest hurdle: you can identify which responses came from the same hardware key even if you can't identify the user that key belongs to.

        Is the cloudflare blog wrong and these USB keys are effectively uniquely identifiable tracking cookies or are you wrong?

        • They're all based on public-key crypto, so at the bottom it's always a unique identifiable key. Cloudflare is taking the position that a unique key that's specific to the hardware but isn't tied to any identification isn't a tracking cookie so it's OK. We know the flaws in that argument. But in terms of an individual it's feasible to generate a new unique key every so often to break up the tracking trail, where at the volume the botters need you'd use up a single fob's capacity in a few hours.

          • by Bengie ( 1121981 )
            You can reset the device to generate a new random key with a new fingerprint. Not sure how fast that is. Whenever I initialize a key for the first time, there is a many second pause. This only happens once at setup, I never really timed it.
  • For example, Cloudflare Website Access Delay (misrepresented as DDoS protection)

  • by RotateLeftByte ( 797477 ) on Saturday May 15, 2021 @12:33PM (#61387872)

    Cloudfare must know that Google IS the Internet. If they (google that is) don't want it then it won't happen.
    Unless this can somehow increase the amount of tracking information they can get from each and every one of us.

    Don't get me wrong... I hate the effing things.
    Captcha's are the only reason that Google.com is not blocked at my firewall.

  • A captcha is nothing compared to the 27-pages of supposedly-binding legalese the companies all claim in good-faith that consumers should read. How many person-hours per day would be lost to that?

  • There's very many situations where it would be a great benefit to distinguish between those who desperately want or need something, and those that don't care all that much about it.

    An underrated method to distinguish between those, is to require a larger number of captchas to be completed.

    Slashdot has a problem with anonymous spam comments? How about just requiring 20 captchas to post one?

    Those who are desperate to post and probably have something strongly on their mind, would probably do that. Those who do

  • I switched banks to avoid this kind of crap.

    I do NOT WANT to have to figure out where my " physical authentication device" is, every time I do anything online that requires verification.

    I don't even want to have to use an existing device, say, my mobile phone to do it.

    Heck, my phone may be upstairs in my bedroom or in my office. I resist the urge to weld a physical device to my being just to be able to login to some poxy web service!

    I HATE Captcha's - but I'd rather than pain barrier, than having to be marr

    • ... and I contradicted myself there, "I switched banks to avoid this kinda crap" / " I'm all over the idea of having multiple sources of authentication if I want to transfer money."

      So, the story is my bank wanted me to have a physical keypad I'd need to keep whenever I did an online transaction.
      They offered no alternative.
      The bank I switched to uses a form of 2FA, so I can use my mobile phone.

      That's what I meant... derp.

  • The convenience of gluing my front door key to my hand combined with the astuteness of throwing a punch at the little Chinese guy at the bar calmly continuing to drink as a brawl rages around him.

  • Is anyone else confused about the intrinsic conflict of interest behind centralized CAPTCHAs that effectively train an AI to defeat all CAPTCHAs?

  • This sounds worse than just doing the captcha
  • I usually can't even see where a [re]captcha is with FF, although Chrome has no problem -- other than the difficulty of actually recognizing the objects demanded, of course. A total crash is obviously much better.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...