| ▲ | krackers 16 hours ago | |
I thought the whole point of turnstile was that it detects headless browsers and it's supposed to be "difficult" to bypass. Apparently this just simulates clicking on the checkmark. Is it really that easy? | ||
| ▲ | inigyou 7 hours ago | parent | next [-] | |
The point of Turnstile is to sell a warm fuzzy feeling of security to website owners, block Tor users who don't enable JavaScript, and convince website owners to give a copy of all their traffic to the NSA for free. Actual security is barely relevant except to the extent that if it doesn't add any security, the NSA might get worried that people will stop using Cloudflare. Fake security - number of blocked users, which Cloudflare calls "bots" regardless of whether they're people or bots - is used in Cloudflare marketing. | ||
| ▲ | jeroenhd 9 hours ago | parent | prev | next [-] | |
With the right simulated events, a headless browser becomes indistinguishable from a real browser without platform detection. It's not hard to figure out that these headless browsers are running a software renderer on Linux. In time, they're just going to have to detect Linux users and force them to fill out one or multiple challenges if workarounds like these keep getting used. The checkbox is just a small part of what the checks are doing. It's monitoring everything the browser is doing and how the browser is responding to certain events up until you tick the checkbox, at which point it determines if you need one of those "are you human" challenges or if you can pass without interruption, based on how bot-like you are. | ||
| ▲ | KomoD 16 hours ago | parent | prev | next [-] | |
> was that it detects headless browsers > Apparently this just simulates clicking on the checkmark Not just that. It also spoofs a bunch of browser stuff. A standard headless browser will probably get flagged. | ||
| ▲ | bob1029 9 hours ago | parent | prev | next [-] | |
People have been automating WoW for a generation using things like peripherals duct taped to oscillating fans despite multi-million dollar budgets designed to defeat things far more sophisticated than this. I would think of headless browser automation in exactly the same way you would about cheating in FPS video games. The red team always has the initiative and can win if they want to spend enough time and money. | ||
| ▲ | Saris 16 hours ago | parent | prev | next [-] | |
If you can make the browser pass all the other checks going on in the background, clicking the checkmark is all that's left. | ||
| ▲ | xonery 16 hours ago | parent | prev [-] | |
Yes, kindof… | ||