What are those "verifying your device" pages for?: Difference between revisions

From Helpful

Revision as of 00:56, 23 March 2024


There is a newish trend of CDNs inserting an intermediate page before they actually show you the content.

That intermediate page says it is verifying your device.

Sometimes you need to interact with it (e.g. tick a checkbox) to be shown the actual page.


tl;dr:

There is nothing unverified about your device, and there is not much it is checking.
This seems to mostly be the "I only want people, not scripts, to see my site" kind of DDoS protection.


...where a DDoS is a lot of computers requesting a single resource so that it becomes hard to reach. Frankly, with increasing broadband speeds, even a single user can drive up someone's hosting traffic to go over a monthly quota (which is sometimes priced a bit scammy).

You can do that from a script that just fetches it over and over and does nothing. That script usually reports being a script, but can be made to lie to say it's a browser.


What Cloudflare calls Browser Integrity Check is, they say, looking at "common HTTP headers abused most commonly by spammers", but that header seems to primarily be the one saying which browser you are using.

Presumably they do the "go to actual site" step in scripting, in a somewhat unusual way, so that it blocks most dumb scraping scripts.

The second or two of pause and the animated checkmark seem to primarily be security theater, in that they probably do nothing other than tell the site's owner it's working (and serve as a little ad space for the CDN itself).

...although they may also be doing browser fingerprinting so they can remember who they approved and not do this on every visit.

...although they seem to be too dumb to realize being behind VPNs is valid, and trigger way more easily, presumably based on IP address.

...and there are variants that fail on slower computers (apparently because they seem to be doing some kind of proof of work).

...and there are variants that will rate limit you. Which, when you are browsing documentation, is... almost unusable.
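
To make the proof-of-work point above concrete, here is an added example (not from the original page, and not any CDN's actual code) of a hashcash-style challenge. The scheme itself is an assumption, as are the function names, the choice of SHA-256 and the 12-bit difficulty; it shows the visitor's device doing about 2^bits hashes while the server checks one, which is why the wait grows on slower computers.

```javascript
// Added example: hashcash-style proof of work (assumed scheme, hypothetical names).
const crypto = require("node:crypto");

// Count the leading zero bits of a Buffer.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    bits += Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses the low 8
    break;
  }
  return bits;
}

function digest(challenge, counter) {
  return crypto.createHash("sha256").update(`${challenge}:${counter}`).digest();
}

// Server side: issue a random challenge plus a difficulty in bits.
function issueChallenge(difficultyBits) {
  return { challenge: crypto.randomBytes(16).toString("hex"), difficultyBits };
}

// Client side: brute-force a counter. Expected work is about 2^difficultyBits
// hashes, so wall-clock time depends on how fast the visitor's device hashes.
function solve({ challenge, difficultyBits }) {
  let counter = 0;
  while (leadingZeroBits(digest(challenge, counter)) < difficultyBits) counter++;
  return { counter, hashesTried: counter + 1 };
}

// Server side: verification costs a single hash, whatever the difficulty.
function verify({ challenge, difficultyBits }, counter) {
  return Number.isSafeInteger(counter) && counter >= 0 &&
    leadingZeroBits(digest(challenge, counter)) >= difficultyBits;
}

// Constructed demo: 12 bits is roughly 4096 hashes on average.
const issued = issueChallenge(12);
const t0 = process.hrtime.bigint();
const solution = solve(issued);
const ms = Number(process.hrtime.bigint() - t0) / 1e6;
console.log(`solved after ${solution.hashesTried} hashes in ${ms.toFixed(1)} ms`);
console.log("server accepts:", verify(issued, solution.counter));
```

Each extra difficulty bit doubles the expected client work and leaves the server's cost unchanged.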


Hopefully it does not block more than a few real users.

One problem is that specific non-standard browsers also trigger this.

Another problem is that it may interfere with privacy protection plugins.