this post was submitted on 13 Jul 2026
108 points (98.2% liked)

Privacy

4809 readers
392 users here now

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 3 years ago
MODERATORS
top 30 comments
sorted by: hot top controversial new old
[–] IphtashuFitz@lemmy.world 5 points 12 hours ago (1 children)

Akamai has been doing this for years now. Cloudflare is just playing catch-up. I first saw an Akamai demonstration of this at one of their developer conferences about 10 years ago.

[–] VitoRobles@lemmy.today 2 points 5 hours ago

Yeah I thought that was common knowledge?

[–] massacre@lemmy.world 21 points 22 hours ago* (last edited 20 hours ago)
  1. There's no way this can be abused. Ever.

  2. There's no way a bot (AI or human built) could be used to simulate a human.

This is a perfect solution!

[–] Maerman@lemmy.world 8 points 18 hours ago

Well, that's terrifying.

[–] DarkCloud@lemmy.world 18 points 23 hours ago* (last edited 20 hours ago) (1 children)

This has always been the way captchas work, I guess they're expanding it to be always-on.

[–] GreenCrunch@piefed.blahaj.zone 15 points 21 hours ago (1 children)

my understanding is Google's recaptcha has been doing this sort of thing forever, tracking mouse movements (as well as browser fingerprinting, IP address, and probably a million other tracking methods) to score a client as more or less likely to be human, and it's only when it's suspicious that it escalates to "pick the images that contain x"

[–] ToiletFlushShowerScream@piefed.world 19 points 20 hours ago (3 children)

I always thought the pick the images was just an excuse to get training data because it’s never “choose images that contain a bear frolicking in a meadow” it’s always “choose images of motorcycles, busses” or “locate the Abram’s tank hidden in the tree line”.

[–] NotMyOldRedditName@lemmy.world 1 points 5 hours ago

They do that as well, but its so annoying they probably just hold it back unless extra verification is needed.

[–] Redkey@programming.dev 10 points 12 hours ago (1 children)

This made me laugh out loud.

"Click or tap on all pictures of ARMED INSURGENTS TAKING COVER IN RUINED BUILDINGS until no more are left."

[–] SavinDWhales@lemmy.world 1 points 5 hours ago

"follow the man with your mouse cursor until the light flashes" will be the next step in crowd sourcing for the army...

[–] Beacon@fedia.io 3 points 20 hours ago

Por que no los dos?

[–] pelespirit@sh.itjust.works 16 points 1 day ago (1 children)

...and probably can tell what you're typing.

[–] Deebster@infosec.pub 16 points 23 hours ago (2 children)

It does not capture the actual keys being pressed, according to the company. It studies the timing and rhythm instead.

That is addressed in the article. Because it's JavaScript, we can verify this, and I'm sure that people will be scrutinising every revision of the code to check.

[–] treadful@lemmy.zip 17 points 22 hours ago (1 children)

Because it’s JavaScript, we can verify this, and I’m sure that people will be scrutinising every revision of the code to check.

Have you ever seen obfuscated JS? I'm not saying it's impossible, but de-transpiling it into something for a human then analyzing it is not trivial work.

Don't bet on something not being terrible just because someone with the skill could maybe spend a lot of time doing the work.

[–] canihasaccount@lemmy.world 5 points 18 hours ago (1 children)

Deobfuscators are fairly good IME. I haven't checked this code in particular, but I've never seen obfuscated JavaScript that was uninterpretable following deobfuscation

[–] treadful@lemmy.zip 2 points 18 hours ago

Congrats on being awesome at code analysis. Have at it for everyone, then.

[–] pelespirit@sh.itjust.works 10 points 23 hours ago (1 children)

But you can tell what a person is typing by their timing and rhythm. I don't have time right now, but there are articles on that.

[–] Deebster@infosec.pub 10 points 22 hours ago* (last edited 22 hours ago)

True, people should search for "keystroke timing attacks". It's more effective if you include things like accelerometer data and audio.

We can see what Cloudflare's code is measuring and reporting to find out if those attacks would be possible.

[–] Deebster@infosec.pub 8 points 21 hours ago (1 children)

Cloudflare's blog post about it has more information about how it works.

[–] who@feddit.org 5 points 15 hours ago

Indeed. It's linked in the third sentence of the article.

[–] BloodMuffin@lemmy.ca 8 points 1 day ago (2 children)

mixed feelings.

i want bots to be suppressed, but I also value my privacy.

has no one come up with a new decentralized internet yet?

[–] bridgeenjoyer@sh.itjust.works 4 points 19 hours ago (1 children)

Gopher, Gemini protocol, Usenet. Get on it!

[–] BloodMuffin@lemmy.ca 2 points 6 hours ago (1 children)

thank you! Gemini seems to be similar to what I'm looking for.

[–] bridgeenjoyer@sh.itjust.works 1 points 1 hour ago

Buran is a good browser for mobile. Theres a bunch for Linux, Lagrange works well.

[–] AntiBullyRanger@ani.social 6 points 21 hours ago

new decentralized internet yet?

Several. Good luck enforcing your bank, doctor, rail operator, canteen, etc. to use it.

[–] Maeve@kbin.earth 7 points 23 hours ago (1 children)

That may sound preferable to clicking every square containing a traffic light, but it also means Cloudflare is gathering a much broader picture of how visitors behave on a website.

Traditional bot protection tends to focus on specific moments. A visitor may face a challenge while logging in, creating an account, or completing a purchase. Once that challenge is passed, the rest of the browsing session may receive less attention.

Edit: a lot of popular Lemmy instances use cloudflare instead of annubis. I'm not sure what this specific instance uses.

[–] YoSoySnekBoi@kbin.earth 5 points 21 hours ago (1 children)

The product in this article (Precursor) is not the same as what Lemmy instances use (Turnstile). Turnstile uses the same cryptographic proof-of-work puzzle as Anubis and does not track any of these other metrics. If you see a CAPTCHA-style "Verified" message with Cloudflare's logo, you're seeing Turnstile, not Precursor.

[–] Maeve@kbin.earth 5 points 21 hours ago

It's an enterprise product, for now. I suppose that depends on how deep pockets are.

[–] damnthefilibuster@lemmy.world 4 points 21 hours ago

Great! Can it work over VPN?

[–] AntiBullyRanger@ani.social -4 points 1 day ago