What are those "verifying your device" pages for?
Latest revision as of 13:52, 29 April 2024
There is a newish trend of CDNs
inserting an intermediate page (a.k.a. interstitial page) before they actually show you the content.
That intermediate page often says something like "verifying your device".
Sometimes you need to interact with it - e.g. check a checkbox - to be shown the actual page.
tl;dr:
- There is nothing unverified about your device,
- it's not actually checking a whole lot,
- and none of the possible checks are necessary for the user.
This seems to mostly be the "I want only people, not scripts, to see my site" kind of protection
...which they may call DDoS protection, i.e. protection against a lot of computers requesting a single resource so that it becomes hard to reach, and/or so that the person providing the site gets charged for a lot of traffic (because they cross some somewhat-crappy monthly quota). Frankly, with increasing broadband speeds, even a single user can manage to do that.
What Cloudflare calls Browser Integrity Check (https://developers.cloudflare.com/waf/tools/browser-integrity-check/)
is, they say, looking at "common HTTP headers abused most commonly by spammers", but those headers presumably are 'the browser you are using' and 'some others that make lying about the first one harder'.
Well-behaved bots and scripts usually report being a bot / script, but they can be made to lie and say they are a browser, so these checks are probably doing some slightly unusual things just to throw off most dumb scraping scripts.
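What a "does the rest of the request match the browser it claims to be" check could look like, as an added sketch that is not Cloudflare's actual logic and not part of the original page. The rules, the function names and every header set below are assumptions constructed for illustration.

```python
# Added illustration, not Cloudflare's actual rules. All header sets are constructed.
SCRIPT_TOKENS = ("python-requests", "curl/", "wget/", "go-http-client", "scrapy")


def inconsistencies(headers):
    """List the ways a request's headers disagree with the client it claims to be."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    if not ua:
        return ["no User-Agent header"]
    if any(tok in ua.lower() for tok in SCRIPT_TOKENS):
        return ["self-identified script: " + ua]  # well-behaved: says what it is
    reasons = []
    if ua.startswith("Mozilla/5.0"):  # claims to be a browser
        if "accept-language" not in h:
            reasons.append("browser UA without Accept-Language")
        if "text/html" not in h.get("accept", ""):
            reasons.append("page request whose Accept does not list text/html")
        # Assumption: HTTPS request, where Chromium-based browsers send Sec-CH-UA.
        if "Chrome/" in ua and "sec-ch-ua" not in h:
            reasons.append("Chrome UA without Sec-CH-UA client hint")
    return reasons


def decide(headers):
    """Show the interstitial only when something does not add up."""
    return "challenge" if inconsistencies(headers) else "allow"


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
HONEST_SCRIPT = {"User-Agent": "python-requests/2.31.0", "Accept": "*/*"}
SPOOFED_SCRIPT = {"User-Agent": CHROME_UA, "Accept": "*/*",
                  "Accept-Encoding": "gzip, deflate"}
REAL_BROWSER = {"User-Agent": CHROME_UA,
                "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
                "Accept-Language": "en-GB,en;q=0.9",
                "Accept-Encoding": "gzip, deflate, br",
                "Sec-CH-UA": '"Chromium";v="124", "Google Chrome";v="124"'}

if __name__ == "__main__":
    for name, hdrs in (("honest", HONEST_SCRIPT), ("spoofed", SPOOFED_SCRIPT),
                       ("browser", REAL_BROWSER)):
        print(name, decide(hdrs), inconsistencies(hdrs))
```

In this sketch a real browser whose privacy plug-in strips Accept-Language also lands in "challenge", which is the kind of false positive that heuristics like these produce.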
The second-or-two of pause, and the animated checkmark seem to primarily be security theater,
in that it probably does nothing
- other than tell the site owner this feature is working,
- and be a little ad space for the CDN itself.
Notes:
- Presumably they may also be doing some form of browser fingerprinting,
  so they can remember who they approved and not do this on every visit without also having to ask for cookies on this interstitial.
- They seem to be too dumb to realize being behind VPNs is valid,
  as they trigger way more easily, presumably based on IP address.
- Specific non-standard browsers seem to also trigger this.
- It may interfere with privacy protection plugins.
- There are variants that fail on slower computers
  (possibly because they seem to be doing some kind of proof of work).
- ...and there are variants that will rate-limit the speed you browse a site;
  you better hope you're not reading documentation, because that will be made almost unusable.
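Why a proof-of-work interstitial can fail on a slower computer, as an added hashcash-style sketch that is not from the original page and not any CDN's actual scheme. The challenge string, the difficulty and the timeout model (a hash budget) are assumptions.

```python
import hashlib


def verify(challenge, nonce, bits):
    """Server side: one hash. Accept if SHA-256 starts with `bits` zero bits."""
    digest = hashlib.sha256(challenge + str(nonce).encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def expected_hashes(bits):
    """Average number of hashes a client needs: each try succeeds with 2**-bits."""
    return 2 ** bits


def hash_budget(hashes_per_second, timeout_seconds):
    """Assumed model: the page gives up after a fixed time, so a device's
    budget is simply how many hashes it can compute before that."""
    return int(hashes_per_second * timeout_seconds)


def solve(challenge, bits, budget):
    """Client side: brute-force nonces 0..budget-1, None if the budget runs out."""
    for nonce in range(budget):
        if verify(challenge, nonce, bits):
            return nonce
    return None


if __name__ == "__main__":
    challenge = b"constructed-challenge"  # constructed sample, not a real token
    bits = 16
    fast = solve(challenge, bits, hash_budget(500_000, 2))  # assumed fast device
    slow = solve(challenge, bits, hash_budget(2_000, 2))    # assumed slow device
    print("expected hashes:", expected_hashes(bits))
    print("fast device nonce:", fast)
    print("slow device nonce:", slow, "(None means the check timed out)")
```

The same difficulty costs the server one hash and every client about 2**bits hashes, so a fixed timeout penalizes slow hardware rather than scripts specifically.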