OK Computer: the web browser that knows if you are human

There are few more annoying things online than constantly having to prove your own humanity by clicking images of mailboxes, buses or (in the case of TfL’s more playful implementation) fat cats.

This process is known as CAPTCHA, and it is a necessary evil. Without it, websites are vulnerable to fake traffic, which is a waste of resources at best and can become a structural weakness for them. It is a vital layer of protection against Distributed Denial of Service (DDoS) attacks – where malicious hackers use bots to send massive amounts of bogus traffic to a website – which can take down large online sites.

The good news is that Cloudflare, the internet infrastructure company responsible for millions of websites worldwide, says it has created a new solution that will allow your computer or phone to automatically vouch for your humanity. Yes, the irony here is delightful.

In other words, you won’t have to lift a finger to prove you’re a real person unless your computer’s automated responses leave doubt in Cloudflare’s mind or, rather, in its software.

Cloudflare’s potential CAPTCHA killer is called Turnstile. The company says it will reduce the time it takes a human to prove themselves, by recognizing, say, phone booths or buses, from an average of 32 seconds to just one second, all invisibly to the user.

The new system works by giving your web browser a “rotating suite of non-intrusive browser challenges based on telemetry and client behavior.”

In plain English, that means it’s looking for signs of behavior that suggest your device isn’t what it claims to be when it identifies itself. This is basically a hygiene check indicating that a real person is trying to access the website rather than an automated robot.

[Image: An example of CAPTCHA in action. Credit: TfL]

For example, if the device you’re using identifies itself to the web browser as an iPhone 12, but then completes a behind-the-scenes tech challenge in significantly less time than Cloudflare would expect from this 2020-era Apple handset, that is suspicious.
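The timing check described above, together with the fallback to a visible challenge when doubt remains, can be sketched as follows. This is an added illustration, not Cloudflare's code or Turnstile's actual logic; the baseline timings, the `assessTiming` and `claimedModel` helpers and the threshold `k` are constructed assumptions.

```javascript
// Constructed baseline: milliseconds real devices took on a fixed client-side
// challenge, keyed by claimed model. All values are made up for illustration.
const BASELINE_MS = {
  "iPhone 12": [410, 395, 430, 402, 418, 440, 399],
  "Pixel 6": [520, 498, 545, 510, 530, 505, 515],
};

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Median absolute deviation: a spread estimate that outliers barely move.
function mad(values) {
  const m = median(values);
  return median(values.map((v) => Math.abs(v - m)));
}

// Hypothetical helper: map a free-form device claim onto a known baseline.
function claimedModel(deviceClaim) {
  return Object.keys(BASELINE_MS).find((m) => deviceClaim.includes(m)) || null;
}

// Returns "pass", "challenge" (fall back to a visible test) or "inconclusive".
function assessTiming(deviceClaim, elapsedMs, k = 6) {
  if (!Number.isFinite(elapsedMs) || elapsedMs <= 0) return "challenge";
  const model = claimedModel(deviceClaim);
  if (model === null) return "inconclusive"; // no baseline: rely on other signals
  const samples = BASELINE_MS[model];
  const floor = median(samples) - k * Math.max(mad(samples), 1);
  // Only "too fast" is suspicious here; a slow phone may simply be busy.
  return elapsedMs < floor ? "challenge" : "pass";
}

// Constructed sessions: a plausible handset, a far faster machine making the
// same claim, and a device for which no baseline exists.
const SESSIONS = [
  { claim: "Apple iPhone 12", elapsedMs: 421 },
  { claim: "Apple iPhone 12", elapsedMs: 38 },
  { claim: "Nokia 3310", elapsedMs: 900 },
];
const verdicts = SESSIONS.map((s) => assessTiming(s.claim, s.elapsedMs));
console.log(verdicts);
```

A single timing signal like this is easy to get wrong in either direction, which is why the article describes a rotating suite of checks rather than one test.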

In short, it looks for signs that something is wrong with the visitor. “If a person were walking down the street next to a robot, even without asking the person or the robot questions, you would be able to observe the differences between them just by watching them pass,” Cloudflare’s CFO, John Graham-Cumming, explained to Wired. Simply put, it’s a sniff test.

“In the case of a machine trying to impersonate a human user, they often don’t understand all of these details correctly – there’s usually something ‘off’ in the request.”

Importantly, Cloudflare claims it can do this without invading users’ privacy, and it won’t track advertising or login cookies that could be used to identify a user. This in itself is different from Google’s reCAPTCHA – the dominant market presence – which looks for a Google login cookie as an identifier of a human user.

Google denies that this data is used for targeted advertising campaigns, but it could be done – and Turnstile should rule out even the possibility of that happening. And if so, that bodes well for online privacy.

So why has this solution taken so long to arrive?

“The process of verifying its ‘humanity’ behind the scenes would have taken several attempts to be successful enough to make it functional and foolproof,” Jake Moore, global cybersecurity advisor at ESET, told The Standard. “Releasing this app too soon would have rendered the tool unsuccessful, as it needs to work the vast majority of the time to make users happy.”

Of course, Cloudflare’s new system will now likely be a target for those who want to send fake traffic to websites.

“Inevitably, the next challenge will be to ensure that it cannot be imitated in any way, but there is no doubt that threat actors will attempt to break the application and pursue malicious entries,” Moore continued.

Turnstile is now available in beta and is free, even if you don’t use Cloudflare’s other services. Details on how to implement the change on a website – by pasting JavaScript over your existing CAPTCHA code – can be found on the Cloudflare blog.
