Comment by me551ah
3 years ago
Without a unique identifier, it would be easy for an attacker to clear one challenge and use the result for all nodes in a botnet.
Why can't the identifier be merely yet another bit of data whose existence and properties can be proven by cryptography without transmitting the data itself? It's done all the time with other data.
He's saying that won't work, because the goal is not actually to fingerprint or mark users. It's to ensure that the thing connecting to their servers at that moment is a web browser and not something pretending to be a browser. Give away tokens that say "I'm a browser, honest" and they'll just get cloned by all the bots.
Rate-limit the number of different source IPs that the token can be used from within a given period of time, or the number of requests per second that can use that token without having to re-verify?
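One way to implement the per-token limits proposed in the comment above, as an added example that is not code from the thread: a tracker that counts the distinct source IPs a challenge token is used from within a window, plus its per-second request rate, and demands re-verification when either limit is exceeded. The threshold values, the `TokenUsageTracker` name and the sample IPs are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed policy values (assumptions, not from the thread).
MAX_DISTINCT_IPS = 3       # distinct source IPs a token may be seen from per window
IP_WINDOW_SECONDS = 600    # window over which distinct IPs are counted
MAX_REQUESTS_PER_SEC = 20  # per-token request rate before re-verification


class TokenUsageTracker:
    """Per challenge token, remember the source IPs it was used from (with
    last-seen time) and the request timestamps of the last second."""

    def __init__(self, max_ips=MAX_DISTINCT_IPS, ip_window=IP_WINDOW_SECONDS,
                 max_rps=MAX_REQUESTS_PER_SEC):
        self.max_ips = max_ips
        self.ip_window = ip_window
        self.max_rps = max_rps
        self.ip_seen = defaultdict(dict)     # token -> {source_ip: last_seen}
        self.requests = defaultdict(deque)   # token -> timestamps in last second

    def check(self, token, source_ip, now=None):
        """Return (allowed, reason). reason is None when allowed, otherwise
        the limit that was tripped; the caller should then re-challenge."""
        now = time.time() if now is None else now
        ips = self.ip_seen[token]
        # Forget IPs whose last use is outside the window.
        for ip in [ip for ip, seen in ips.items() if now - seen > self.ip_window]:
            del ips[ip]
        ips[source_ip] = now
        # A token shared across a botnet shows up from many IPs at once.
        if len(ips) > self.max_ips:
            return False, "too-many-source-ips"
        q = self.requests[token]
        q.append(now)
        while q and now - q[0] >= 1.0:
            q.popleft()
        # Even one IP replaying the token at bot speed must re-verify.
        if len(q) > self.max_rps:
            return False, "rate-exceeded"
        return True, None
```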