reCaptcha
reCAPTCHA was acquired by Google (in 2009) and is not an open-source project, so Google does not share how the challenge algorithm works, which parameters are monitored on the user side, or how the reCAPTCHA API script interacts with Google's back-end.
CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart": a type of challenge-response test used in computing to determine whether or not the user is human.
"No CAPTCHA reCAPTCHA" (the "I'm not a robot" checkbox) was introduced by Google in 2014.
Some relevant materials found to better understand reCaptcha:
Official Site of Google: https://www.google.com/recaptcha/about/
The original authors' 2008 article in Science magazine: https://www.site.uottawa.ca/~stan/csi2911/reCaptcha_Science.pdf
A good paper for understanding reCAPTCHA ("I'm not a human: Breaking the Google reCAPTCHA", Black Hat Asia 2016): https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf
reCAPTCHA is driven by an "advanced risk analysis system" that evaluates each request and selects the difficulty of the challenge that will be returned. Users may only be required to click a checkbox, or they may have to solve a challenge such as identifying images with similar content.
How does it work?
1. The user visits a web page and clicks the reCAPTCHA checkbox saying "I'm not a robot".
2. Clicking that checkbox triggers JavaScript served by Google that collects user and browser information and sends it to Google's back-end, which analyses it to decide whether the user is a robot (this is the "advanced risk analysis").
3. If Google thinks the user is human, the checkbox is simply accepted.
4. If not, Google sends a challenge (for example an image puzzle) that the user has to solve.
5. The user solves it (with a maximum of 55 seconds per challenge, image or text) and the answer is sent to Google's back-end.
6. If the answer is accepted, Google's back-end returns a response token to the widget.
7. The front-end app then sends that token (the g-recaptcha-response form field) to the application back-end, which asks Google's verification service (siteverify) to validate it. For reCAPTCHA v2 the verdict is a boolean success; reCAPTCHA v3 instead returns a score expressing how confident Google is that the user is not a robot.
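The server-side half of step 7, as an added example that is not code from the original page or from Google: it builds the siteverify POST and then decides whether a siteverify response proves a solved challenge. The endpoint URL, the g-recaptcha-response field and the success/challenge_ts/hostname/error-codes/score/action fields are Google's documented ones; the hostname app.example.com, the action name "login", the 2-minute freshness window, the 0.5 score threshold and all sample responses are constructed assumptions for this example. The point a practitioner should take from it is that "success": true on its own is not enough: the back-end must also bind the token to its own hostname, reject stale tokens, and for v3 check the action and score.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Google's documented verification endpoint; the secret is never sent to the browser.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def build_siteverify_request(secret: str, token: str,
                             remoteip: Optional[str] = None) -> Tuple[str, bytes]:
    """Build the POST the back-end sends to Google.

    `token` is the value the browser posted in the g-recaptcha-response
    form field; `secret` is the site's server-side key.
    """
    params = {"secret": secret, "response": token}
    if remoteip:
        params["remoteip"] = remoteip
    return SITEVERIFY_URL, urllib.parse.urlencode(params).encode()


def siteverify(secret: str, token: str, remoteip: Optional[str] = None,
               timeout: float = 5.0) -> dict:
    """Perform the live call (needs network; not used by the offline checks below)."""
    url, body = build_siteverify_request(secret, token, remoteip)
    with urllib.request.urlopen(url, data=body, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def _parse_challenge_ts(ts: str) -> datetime:
    """challenge_ts is ISO 8601, e.g. 2024-05-01T10:20:30Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def evaluate(body: dict, expected_hostname: str, now: datetime,
             max_age: timedelta = timedelta(minutes=2),
             expected_action: Optional[str] = None,
             min_score: float = 0.5) -> Tuple[bool, str]:
    """Decide whether a siteverify response proves a solved challenge.

    Checks, in order: success flag (Google reports replayed or expired tokens
    as timeout-or-duplicate), hostname binding, token age, and for v3 the
    action name and score.
    """
    if not body.get("success"):
        codes = body.get("error-codes") or ["unknown"]
        return False, "rejected: " + ",".join(codes)
    if body.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    try:
        age = now - _parse_challenge_ts(body["challenge_ts"])
    except (KeyError, ValueError):
        return False, "bad challenge_ts"
    if age < timedelta(0) or age > max_age:
        return False, "stale token"
    if "score" in body:  # only reCAPTCHA v3 responses carry score/action
        if expected_action is not None and body.get("action") != expected_action:
            return False, "action mismatch"
        if float(body["score"]) < min_score:
            return False, "score below threshold"
    return True, "ok"


# Constructed sample responses (not captured from Google) for an offline check.
NOW = datetime(2024, 5, 1, 10, 21, 0, tzinfo=timezone.utc)
SAMPLES = {
    "v2_ok": {"success": True, "challenge_ts": "2024-05-01T10:20:30Z",
              "hostname": "app.example.com"},
    "v2_replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    "v2_other_site": {"success": True, "challenge_ts": "2024-05-01T10:20:30Z",
                      "hostname": "attacker.example.net"},
    "v2_stale": {"success": True, "challenge_ts": "2024-05-01T09:00:00Z",
                 "hostname": "app.example.com"},
    "v3_low_score": {"success": True, "challenge_ts": "2024-05-01T10:20:30Z",
                     "hostname": "app.example.com", "score": 0.1, "action": "login"},
    "v3_ok": {"success": True, "challenge_ts": "2024-05-01T10:20:30Z",
              "hostname": "app.example.com", "score": 0.9, "action": "login"},
}


def check_samples() -> dict:
    """Evaluate every constructed sample for the login action on app.example.com."""
    return {name: evaluate(b, "app.example.com", NOW, expected_action="login")
            for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The hostname check matters because a token solved on an attacker-controlled site registered under the same key pair would otherwise verify; the age check limits how long a harvested token stays useful, and siteverify itself rejects a second use of the same token with timeout-or-duplicate.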
Analysis of Google's advanced risk analysis system:
The JavaScript served by the Google widget is heavily obfuscated and its payloads are encrypted, so the exact checks are not public.
What checks does Google do?
Check the browser environment.
Check cookies: any request to google.com over HTTP(S) includes Google cookies, which carry user-side information (user tracking, browsing history), even if you are not logged in to a Google account.
Mouse movement (not observed to matter).
A CAPTCHA scheme is considered broken if an automated solver can solve it at least 1% of the time.