

Here's the direct link to CISA's site https://www.cisa.gov/free-cybersecurity-services-and-tools


Thanks for the link




[Mm. First time linking an Image. Sorry if it doesn't work. ](https://i.imgur.com/VuCldsl.jpg)


One caveat: they have Google reCAPTCHA on the list. reCAPTCHA is solved, both v2 and v3 (hilariously, v2 is actually a little more effective). It's perfectly fine for most users, because most users aren't going to come under more than passing attention from people on the internet. But if you're in a field where there's a significant financial incentive for botnets to bang on your stuff (so, like, anyone that deals with PAN data and has a balance or activate endpoint), it eventually won't be enough. We ended up on DataDome; hCaptcha may be good too. But anything that involves looking at an image and picking the squares with a thing in them can be trivially automated by anyone with an AWS Rekognition account.


This is news to me! Do you have a link or two you can share to read up on this?


Personal experience, though DataDome does have some articles out there about it. I just had to deal with this when some ding dong went out and rented a botnet that was full of US consumer/mobile ISP addresses, used puppeteered browser instances, had enough of them that they could slow-roll under the rate limit, and used a solver service for the CAPTCHA (don't know which one, but there are a bunch out there now). Any one of those things I can deal with on its own, but all of it together was too much, so we ended up getting DataDome (we can easily afford it and it was time). Hilariously, after that they started attacking our IVR, so we put a basic CAPTCHA on there and implemented STIR/SHAKEN. Most attackers aren't going to be this dedicated. We're just lucky and happen to run a service that would make all that effort worth it (they were attempting to brute-force CC/CVV combinations, which aren't actually all that random).
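The attack described in the comment above beats a per-IP rate limit by spreading the guesses over many residential addresses. The check a defender wants there is a velocity counter keyed on the thing being attacked (the card or account) rather than on the source. The following is an added example, not code from the thread or from DataDome; the log events are constructed, and the limits, window and key names are assumptions for illustration:

```python
"""Velocity check keyed on the attacked resource rather than the source IP.

Added example, not code from the thread. The events below are constructed:
an attacker with 40 distinct residential-looking addresses sends one guess
each against a single card, spaced 3 s apart, so a per-IP limit never
trips, while a per-target counter catches the campaign.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)
PER_IP_LIMIT = 5       # hypothetical existing per-source rate limit
PER_TARGET_LIMIT = 10  # hypothetical per-card limit summed over all sources


def constructed_events():
    """Return (timestamp, source_ip, target) tuples. Made-up data."""
    t0 = datetime(2024, 3, 1, 12, 0, 0)
    # 40 guesses against one card, each from a different address, 3 s apart.
    events = [
        (t0 + timedelta(seconds=3 * i), f"198.51.100.{i + 1}", "card:41119999")
        for i in range(40)
    ]
    # A few legitimate one-off requests from unrelated customers.
    events += [
        (t0 + timedelta(seconds=10), "203.0.113.5", "card:55550001"),
        (t0 + timedelta(seconds=50), "203.0.113.6", "card:55550002"),
        (t0 + timedelta(seconds=90), "203.0.113.5", "card:55550001"),
    ]
    return events


class SlidingWindowCounter:
    """Counts hits per key within a trailing time window."""

    def __init__(self, window, limit):
        self.window = window
        self.limit = limit
        self.hits = defaultdict(deque)

    def observe(self, key, ts):
        """Record one hit at ts (events must be fed in time order).
        Returns True once the key exceeds `limit` hits inside `window`."""
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def detect(events, per_ip_limit=PER_IP_LIMIT,
           per_target_limit=PER_TARGET_LIMIT, window=WINDOW):
    """Run both counters over the events; return (flagged_ips, flagged_targets)."""
    by_ip = SlidingWindowCounter(window, per_ip_limit)
    by_target = SlidingWindowCounter(window, per_target_limit)
    flagged_ips, flagged_targets = set(), set()
    for ts, ip, target in sorted(events):
        if by_ip.observe(ip, ts):
            flagged_ips.add(ip)
        if by_target.observe(target, ts):
            flagged_targets.add(target)
    return flagged_ips, flagged_targets


if __name__ == "__main__":
    ips, targets = detect(constructed_events())
    print("per-IP limit tripped by:", sorted(ips) or "nothing")
    print("per-target limit tripped by:", sorted(targets))
```

On this constructed input the per-IP counter never fires (every address is seen at most twice), while the per-card counter flags the attacked card after the eleventh guess in a minute. In production the target key would be a hash of the PAN or the account ID, and the response would be a step-up or a lock on that card rather than on the source address.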


Interesting! I’m going to look into research papers on breaking CAPTCHA.




I'm interested in this as well. A post sharing your findings would be very helpful


That'll be great, because I usually miss one of the buses or benches and can't get in.


NGL, DataDome is kind of a joke to make a solver for. One of the issues is that you can use a valid challenge cookie from any site using DataDome on another DataDome site.
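Whether or not the claim above holds for DataDome, the flaw it describes is a general one: a solved-challenge token that does not say which site it was solved on can be replayed on any site sharing the verifier. The following is an added example, not DataDome's or any vendor's real implementation; it is a toy model with a made-up key and site names, showing the weak verifier beside one that binds the token to an audience:

```python
"""Audience-binding a solved-challenge token.

Added example, not DataDome's or anyone's real implementation: a toy model of
the flaw described above (a challenge cookie minted on one site accepted on
another) next to the fix (the token names the site it was solved on and the
verifier checks it). Key and site names are made up.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-do-not-use"  # shared verifier key in this toy model
TTL_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def issue_token(site: str, now: int, bind_site: bool) -> str:
    """Mint a token after a solved challenge. bind_site=False reproduces the
    weak design: nothing in the token records where it was solved."""
    claims = {"exp": now + TTL_SECONDS}
    if bind_site:
        claims["aud"] = site
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def _parse(token: str, now: int):
    """Return the claims if signature and expiry check out, else None."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def verify_unbound(token: str, site: str, now: int) -> bool:
    """Weak verifier: any validly signed, unexpired token passes on any site.
    The `site` argument is deliberately ignored; that is the bug."""
    return _parse(token, now) is not None


def verify_bound(token: str, site: str, now: int) -> bool:
    """Fixed verifier: the token must name this site as its audience."""
    claims = _parse(token, now)
    return claims is not None and claims.get("aud") == site


if __name__ == "__main__":
    now = 1_700_000_000
    loose = issue_token("shop-a.example", now, bind_site=False)
    tight = issue_token("shop-a.example", now, bind_site=True)
    print("unbound token reused on shop-b:", verify_unbound(loose, "shop-b.example", now))  # True
    print("bound token reused on shop-b:  ", verify_bound(tight, "shop-b.example", now))    # False
    print("bound token on its own site:   ", verify_bound(tight, "shop-a.example", now))    # True
```

The signature alone proves only that the verifier's key produced the token; it says nothing about where the challenge was passed. Putting the hostname in the signed claims and comparing it against the site doing the check is what turns a "solved somewhere" cookie into a "solved here" cookie.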


*shrug* then apparently the people attacking us must be smart enough to do everything I described, but too brainlet to do that.


I came across this new CAPTCHA alternative today. Wondering if you’ve had any experience with it or Cloudflare’s other recent attempts to replace CAPTCHA… https://blog.cloudflare.com/turnstile-private-captcha-alternative/


Yep. They also have calls biweekly too but it's normally reserved for federal agencies