Comment by ajross 19 hours ago

22 replies

That can be done already based on User-Agent, though. Other browsers don't spoof their agent strings to look like Chrome, and never have (or, they do, but only in the sense that everyone still claims to be Mozilla). And browsers have always (for obvious reasons) been very happy to identify themselves correctly to backend sites.

The purpose here is surely to detect sophisticated spoofing by non-user-browser software, like crawlers and robots. Robots are in fact required by the net's Geneva Convention equivalent to identify themselves and respect limitations, but obviously many don't.

I have a hard time understanding robot detection as an issue of "user freedom" or "browser competition".

jml7c5 19 hours ago

> I have a hard time understanding robot detection as an issue of "user freedom" or "browser competition".

The big one is that running a browser other than Chrome (or Safari) could come to mean endless captchas, degrading the experience. "Chrome doesn't have as many captchas" is a pretty good hook.

  • hedora 16 hours ago

    Concretely: Google Meet blocks all sorts of browsers / private tabs with a vague: “you cannot join this meeting” error. They let mainstream ones in though.

  • BolexNOLA 18 hours ago

    Not to mention how often you can get stuck in an infinite loop where it just will not accept your captcha results and keeps making you do it over and over. Especially if you’re using a VPN. It’s maddening sometimes. Can’t even do a basic search.

    • ajross 17 hours ago

      So the market isn't allowed to detect robots because some sites have bad captcha implementations? I'm not following. Captchas aren't implemented by the browser.

      • motorest 17 hours ago

        > So the market isn't allowed to detect robots (...)

        I don't know what you mean by "the market".

        What I do know is that if I try to go to a site with my favourite browser and a site blocks me because it's so poorly engineered it thinks I am a bot just because I'm not using Chrome, then it's pretty obvious that it's not detecting bots.

        Also worth noting: it might surprise you that there are browser automation frameworks. Some of them, such as Selenium, support Chrome.

      • BolexNOLA 16 hours ago

        I’m not sure who “the market” is in this case, but reCAPTCHA is owned and implemented by Google and clearly favors their browser. Any attempts to use other browsers or obfuscate your digital footprint in the slightest lead to all kinds of headaches. It’s a very convenient side effect of their “anti-bot” efforts that they have every incentive to steer into.

  • jherskovic 16 hours ago

    I use Safari (admittedly, with Private Cloud and a few tracking-blocking extensions) and get bombarded with Cloudflare's 'prove you are human' checkbox several times an hour.

    It's already a pretty degraded experience.

    • randomjoe2 15 hours ago

      I mean you're using a VPN, they can't tell the diff between you and a bunch of bots

      • fireflash38 14 hours ago

        I think you mean they can't profit from selling data from a bunch of bots.

Sayrus 19 hours ago

> I have a hard time understanding robot detection as an issue of "user freedom" or "browser competition".

In the name of robot detection, you can lock down devices, require device attestation, prevent users from running non-standard devices/OS/software, prevent them from accessing websites (Cloudflare dislikes non-Chrome browsers and hates non-standard browsers, reCAPTCHA blocks you out if you're not on Chrome-like/Safari/Firefox). Web Environment Integrity[1] is also a good example of where robot detection ends up affecting the end user.

[1] https://en.wikipedia.org/wiki/Web_Environment_Integrity

  • ajross 17 hours ago

    Aren't all those solutions even more impactful on the user experience though? Someone who cares about user freedom would think they're even worse, no?

jsnell 17 hours ago

The purpose here isn't to deal with sophisticated spoofing. This is setting a couple of headers to fixed and easily discoverable values. It wouldn't stop a teenager with Curl, let alone a sophisticated adversary. There's no counter-abuse value here at all.

It's quite hard to figure out what this is for, because the mechanism is so incredibly weak. Either it was implemented by some total idiots who did not bother talking at all to the thousands of people with counter-abuse experience that work at Google, or it is meant for some incredibly specific case where they think the copyright string actually provides a deterrent.

(If I had to guess, it's about protecting server APIs only meant for use by the Chrome browser, not about protecting any kind of interactive services used directly by end-users.)

  • Sophira 13 hours ago

    I would imagine that this serves the same purpose as the way that early home consoles would check the inserted cartridge to see that it had a specific copyright message in it, because then you can't reproduce that message without violating the copyright.

    In this case, you would need to reproduce a message that explicitly states that it's Google's copyright, and that you don't have the right to copy it ("All rights reserved."). Doing that might then give Google the legal evidence it needs to sue you.

    In other words, a legal deterrence rather than a technical one.

soulofmischief 16 hours ago

It's easy to change the User Agent and we cannot handwave this fact away for the sake of argument.