How does Google reCAPTCHA v2 work behind the scenes?


Question

This post refers to Google ReCaptcha v2 (not the latest version).

Recently Google introduced a simplified "captcha" verification system (video: https://www.youtube.com/watch?v=jwslDn3ImM0) that enables users to pass the "captcha" just by clicking on it.

But how can it differentiate a bot from a person just by a click?

As per this answer, (assuming a similar implementation), at first "recaptcha" generates a hidden key and attaches it to a hidden input element and also lazily renders a check box (not an actual check box input but a div) with the same key which when clicked, sends an asynchronous request (XHR) to the Google backend servers to mark it as a valid verification key (i.e. a key that has to be validated when the form is submitted).

But why can't bots automate that click (at least, browser-based bots)?

How does this work?

Recommended answer

This is speculation, but based on Google's reference to the "risk analysis engine" they use (http://googleonlinesecurity.blogspot.com/2014/12/are-you-robot-introducing-no-captcha.html)

I would assume it looks at how you behaved prior to clicking, how your cursor moved on its way to the check (organic path/acceleration), which part of the checkbox was clicked (random places, or dead on center every time), browser fingerprint, Google cookies & contents, click location history tied to your fingerprint or account if it detects one etc.

It's fairly difficult to fake "organic" behavior in such a way that it would fool a continuously learning pattern detection engine. In the cases where it's not sure, it still prompts you to match an actual CAPTCHA string.
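
The question describes a key that "has to be validated when the form is submitted". As an added example (not code from the original post or from Google), this is one way a site's backend can check that token against Google's documented siteverify endpoint and fail closed. The hostname `shop.example`, the two-minute age limit, the clock-skew allowance and the sample responses are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Constructed sample responses (not captured traffic); shop.example is a placeholder.
SAMPLE_OK = {"success": True, "challenge_ts": "2024-05-01T12:00:00Z",
             "hostname": "shop.example"}
SAMPLE_REPLAY = {"success": False, "error-codes": ["timeout-or-duplicate"]}

def fetch_verdict(secret, token, remote_ip=None, timeout=5):
    """POST the form's g-recaptcha-response token to Google (needs network)."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=timeout) as resp:
        return json.load(resp)

def accept(verdict, expected_hostname, now=None,
           max_age=timedelta(minutes=2), skew=timedelta(seconds=30)):
    """Return (ok, reason); anything missing or unexpected is a rejection."""
    if not isinstance(verdict, dict) or verdict.get("success") is not True:
        codes = verdict.get("error-codes") if isinstance(verdict, dict) else None
        codes = codes if isinstance(codes, list) and codes else ["no-success"]
        return False, "rejected: " + ",".join(map(str, codes))
    # A token solved on another site must not be accepted here.
    if verdict.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    try:
        ts = verdict["challenge_ts"].replace("Z", "+00:00")
        solved = datetime.fromisoformat(ts)
    except (KeyError, AttributeError, ValueError):
        return False, "bad-timestamp"
    if solved.tzinfo is None:
        solved = solved.replace(tzinfo=timezone.utc)
    age = (now or datetime.now(timezone.utc)) - solved
    # Assumed policy: reject old or future-dated challenges.
    if not -skew <= age <= max_age:
        return False, "stale-token"
    return True, "ok"

if __name__ == "__main__":
    at = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    print(accept(SAMPLE_OK, "shop.example", now=at))
    print(accept(SAMPLE_REPLAY, "shop.example", now=at))
```

`fetch_verdict` is the only part that touches the network; `accept` can be unit-tested against recorded or constructed responses.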
