What are those "verifying your device" pages for?: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
mNo edit summary |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
There is a newish trend of CDNs | There is a newish trend of CDNs | ||
inserting an [https://en.wikipedia.org/wiki/Interstitial_webpage intermediate page] before they actually show you the content. | inserting an [https://en.wikipedia.org/wiki/Interstitial_webpage intermediate page] (a.k.a. interstitial page) before they actually show you the content. | ||
That intermediate page says | |||
That intermediate page says often says something like "verifying your device". | |||
Sometimes you need to interact - e.g check a checkmark - with it to be shown the actual page. | Sometimes you need to interact - e.g check a checkmark - with it to be shown the actual page. | ||
| Line 10: | Line 11: | ||
tl;dr: | tl;dr: | ||
: There is nothing unverified about your device, | : There is nothing unverified about your device, | ||
: This seems to mostly be the "I only | : it's not actually checking a whole lot, | ||
: and '''none''' of the possible checks are necessary for the user. | |||
: This seems to mostly be the "I want only people, not scripts, to see my site" kind of DDoS protection | |||
...where a [[DDoS]] is lot of computers requesting a single resource so that it becomes hard to reach. | |||
{{comment|Frankly, with increasing broadband speeds, even a single user can drive up someone's hosting | |||
traffic to go to over a monthly quota (which is sometimes priced a bit scammy).}} | |||
What CloudFlare calls [https://developers.cloudflare.com/waf/tools/browser-integrity-check/ Browser Integrity Check] | |||
is, they say, looking at "common HTTP headers abused most commonly by spammers" | |||
but that header seems to primarily be 'the browser you are using'. | |||
While bots and scripts usually reports being a bot / script, | |||
they can be made to lie to say it's a browser, so they are probably doing some ''slightly'' | |||
unusual things just to throw off most dumb scraping scripts. | |||
The second or two of pause and the animated checkmark seem to primarily be [[security theater]], | |||
in that it probably does nothing | |||
: other than tell the site owner this feature is working, | |||
: and be a little ad space for the CDN itself. | |||
Presumably they | Notes: | ||
so | * ''Presumably'' they may also be doing some form of [[browser fingerprinting]] | ||
:: so they can remember who they approved and not do this on every visit. | |||
* they seem to be too dumb to realize being behind VPNs is valid, | |||
:: as they trigger way more easily, presumably based on IP address. | |||
* specific non-standard browsers seem to also trigger this. | |||
* it may interfere with privacy protection plugins. | |||
* there are variants that fail on slower computers | |||
:: (possibly because they seem to be doing some kind of [[proof of work]]). | |||
* ...and there are variants that will rate-limit the speed you browse a site | |||
:: you better hope you're not reading documentation, because that will be made ''almost unusable'' | |||
Revision as of 00:51, 24 April 2024
There is a newish trend of CDNs
inserting an intermediate page (a.k.a. interstitial page) before they actually show you the content.
That intermediate page says often says something like "verifying your device".
Sometimes you need to interact - e.g check a checkmark - with it to be shown the actual page.
tl;dr:
- There is nothing unverified about your device,
- it's not actually checking a whole lot,
- and none of the possible checks are necessary for the user.
- This seems to mostly be the "I want only people, not scripts, to see my site" kind of DDoS protection
...where a DDoS is lot of computers requesting a single resource so that it becomes hard to reach. Frankly, with increasing broadband speeds, even a single user can drive up someone's hosting traffic to go to over a monthly quota (which is sometimes priced a bit scammy).
What CloudFlare calls Browser Integrity Check
is, they say, looking at "common HTTP headers abused most commonly by spammers"
but that header seems to primarily be 'the browser you are using'.
While bots and scripts usually reports being a bot / script, they can be made to lie to say it's a browser, so they are probably doing some slightly unusual things just to throw off most dumb scraping scripts.
The second or two of pause and the animated checkmark seem to primarily be security theater,
in that it probably does nothing
- other than tell the site owner this feature is working,
- and be a little ad space for the CDN itself.
Notes:
- Presumably they may also be doing some form of browser fingerprinting
- so they can remember who they approved and not do this on every visit.
- they seem to be too dumb to realize being behind VPNs is valid,
- as they trigger way more easily, presumably based on IP address.
- specific non-standard browsers seem to also trigger this.
- it may interfere with privacy protection plugins.
- there are variants that fail on slower computers
- (possibly because they seem to be doing some kind of proof of work).
- ...and there are variants that will rate-limit the speed you browse a site
- you better hope you're not reading documentation, because that will be made almost unusable