@julian ah, sorry I didn't make it clear. I am looking to integrate with a self-hosted SSO solution, thus the mention of Keycloak and Ory stack.
spam be gone
I'm confused: how does this prevent bots from checking the checkbox?
Google probably uses all the information it knows about you to see if you are a bot or not.
Pretty neat. From an isolated POV, they could examine user behaviour on the page, look at mouse movement, speed at which a form is filled out, time on page...
But if you think outside the box, Google could be using cookies to build an online profile based on your behaviour. That same cookie hits the noCAPTCHA, the server will respond with an aggregate result of that behaviour...
At another job, I thought about this sort of thing (albeit it did not go much further than that). Even if a user clears their cookies, you can still piece it back together:
- abcdef accesses site, logs in to uid 123, builds some profile data based on behaviour
- User clears cookie
- foobar accesses the site, logs in to uid 123, builds more profile data, aggregated with the behaviour data gathered earlier from
Carter Gale last edited by
@julian That's what I was thinking, sadly Google decides to keep us in the dark about the specifics of how it works. Although, I believe that is how it works, by analyzing your mouse movements and such, and I am VERY happy to see reCaptchas going away -- hate those things :C
This makes me happy - but leaves me with so many questions. Honestly not sure what to make of it.
Another reason reCAPTCHA is going away is because literally every single book has been digitized, so there is no need for it. They were using it for addresses and stuff, but they have created such a good text recognition platform that they don't even need it for that anymore.
Someone partially reverse engineered it.
The original repo was deleted, but Google still has a cache.
It comes down to:
- Screen resolution
- Execution time, timezone
- Number of click/keyboard/touch actions in the <iframe> of the captcha
- It tests the behavior of many browser-specific functions and CSS rules
- It checks the rendering of canvas elements
- Likely cookies server-side (it's executed on the www.google.com domain)
- And likely other stuff...
[email protected] now uses the new Google NoCAPTCHA thing, compatible with NodeBB 0.6.0-dev
Thanks to @wzrdtales
Your old CAPTCHA keys won't work, generate new ones
The new ReCaptcha is way more comfortable and works great. Unfortunately, if you fill out about 5 captchas the same day, you will be treated to typing in the words and pictures again
At least it feels like