> At the moment, it seems Basic mode is so basic that it allows everything to pass as human. That’ll likely change as they gather more telemetry to better identify what a bot signal looks like.
So they are basically collecting telemetry in the name of a "free basic anti-bot" solution.
Note that the bot detection script uses WebGL to obtain the GPU name. I assume this (fingerprinting) is the most popular use of WebGL. Sad that independent browsers like Firefox do not supply fake values.
Sadly, spoofing GPU vendor & renderer can be an even larger flag since they can hash the resulting image of the canvas to compare it with a database of collected fingerprints[0].
IMO the use of <canvas> needs to be behind a permission prompt, the same as e.g. geolocation or WebRTC. Few websites actually need canvas/WebGL for legitimate purposes.
Why is bot detection even happening at render time instead of request time? Why can't they tell you’re a bot from your headers, UA, IP, TLS fingerprint? IMO, that makes it surveillance: 'you're a bot, OK, not just go away, let’s fingerprint your GPU and assign you a behavioral risk score anyway'.
ATechGuy|8 months ago
cchance|8 months ago
codedokode|8 months ago
nullpt_rs|8 months ago
[0]: https://research.google/pubs/picasso-lightweight-device-clas...
grishka|8 months ago
b0a04gl|8 months ago
n2d4|8 months ago