Is there any need for verification codes? On identifying non-human operation

Source: Internet
Author: User

Since verification codes were first used on the web, they have developed from a simple string of standard-shaped characters into increasingly varied forms. People seem to have grown used to them: no one questions them, and no one asks whether they need to exist at all. Complex verification codes do play an important role in preventing non-human operation, but the cost in time and efficiency is enormous. Using them is not a mistake, but in terms of efficiency they are a burden. We need to free people from the time-consuming labor of recognizing the code, typing it, getting it wrong and typing it again.

I have long wondered: in theory, does the verification code need to exist?

The difference between human operation and machine (non-human) operation may sound abstract, so imagine a high-tech building where you have to pass an electronic door with a recognition program: it opens if whoever is passing is human and stays closed for a robot. You stand in front of this door as a living human being, but you have to answer a ridiculous question: "Excuse me, 8+2=?" Just as you go to enter 10, you press the wrong button and the door locks. Then a robot comes along, enters 10 accurately, and the door opens. Doesn't this electronic door seem stupid? I think most people would naturally ask: must we use such a ridiculous question to tell humans from machines? Why not distinguish them by their nature, such as human vital signs or the body's heat radiation?

In fact, today's verification codes do the same thing as this electronic door. The railway booking website has painstakingly produced a set of strange-looking verification codes that the human eye struggles to read, and it is doubtful whether machines really cannot read them. Whether the operation is performed by a machine or by a person, the result is a request sent to the server, and by the time the network request is sent every trace of the human operation is gone. In other words, it is impossible to verify from the request whether the operation came from a person or a machine.

Now consider what happens when a human user enters text on a page: the cursor moves from elsewhere into the input box and changes to the "I" shape that indicates text can be entered; the user clicks the left mouse button; the cursor becomes a blinking insertion point; the user then repeatedly presses and releases keys until the input is complete. A machine does not go through this process. All automatic login software sends its data directly to the server and does not imitate the user's actions, because there is no point in doing so (at least before this article was published). This human behavior is the key to verifying the source of the operation.

We verify in the page's script code that the mouse cursor changed state when it moved into the specified input box. If the cursor became a text-input cursor, we continue: was the left mouse button clicked after that? If so, the box is in the input state, and we continue: in the input state, were keys pressed and released? On each key press and release we can record which key was pressed, and when the key is released check that it is consistent with the characters actually in the input box (fortunately, passwords contain no Chinese characters). If they match, the input is considered manual, and the final click on the button can trigger a combined verification of all of the above.

That is the idea. Of course, smart programmers can perfect this verification process, and I believe effective human operation can be fully identified without a verification code. I'll give an example later.
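The checks described above can be expressed as a function over the recorded event sequence. This is an added example, not code from the original article: the event-log shape, the names `replayKeys` and `classifyInput`, and the sample data are assumptions made for illustration, and the `isTrusted` check goes beyond the steps in the text.

```javascript
// Added example. Events mirror DOM fields (type, key, isTrusted) that
// listeners on the input box would record, in order of arrival.
function replayKeys(events) {
  // Rebuild the text implied by the recorded key presses.
  let text = "";
  for (const e of events) {
    if (e.type !== "keydown") continue;
    if (e.key === "Backspace") text = text.slice(0, -1);
    else if (e.key.length === 1) text += e.key; // printable keys only
  }
  return text;
}

function classifyInput(events, fieldValue) {
  const reasons = [];
  const idx = (type) => events.findIndex((e) => e.type === type);
  // Browsers set isTrusted=false on events dispatched by script.
  if (events.some((e) => e.isTrusted === false)) reasons.push("synthetic-event");
  // Pointer entered the box, then a click put it into the input state.
  const over = idx("mouseover"), down = idx("mousedown"), key = idx("keydown");
  if (over === -1 || down === -1 || over > down) reasons.push("no-pointer-entry");
  if (key !== -1 && down > key) reasons.push("typed-before-click");
  // Every key release must match an earlier press, and no key stays held.
  const held = new Set();
  for (const e of events) {
    if (e.type === "keydown") held.add(e.key);
    if (e.type === "keyup" && !held.delete(e.key)) reasons.push("keyup-without-keydown");
  }
  if (held.size > 0) reasons.push("key-never-released");
  // The recorded keys must reproduce what is actually in the box.
  if (replayKeys(events) !== fieldValue) reasons.push("value-mismatch");
  return { manual: reasons.length === 0, reasons };
}

// Constructed samples: a hand-typed "Jason" and a value set by script.
const ev = (type, key) => ({ type, key, isTrusted: true });
const typed = [ev("mouseover"), ev("mousedown"),
  ...[..."Jason"].flatMap((k) => [ev("keydown", k), ev("keyup", k)])];
const scripted = []; // value assigned directly: no input events at all

console.log(classifyInput(typed, "Jason"));
console.log(classifyInput(scripted, "Jason"));
```

The sequence model follows the article's mouse-then-keyboard description, so keyboard focus (Tab), paste, autofill and input methods would need their own rules. Because the verdict is computed in the browser, the server cannot rely on it alone.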

Let's illustrate with an example. We searched the Internet for "automatic message"; this is a very suitable example for demonstrating whether a message can be sent automatically without human action. Look at this page:

In the current version of the page, note the input box below (the box with the text "Jason" in it). Inspecting it in Google Chrome shows that its ID is editArea. Then note the Send button in the lower right corner:

Inspecting it shows that its class is .btn.btn_send. OK, we will now run a series of experiments on these two controls.

We searched online for the key code for sending a message automatically:

document.getElementById('TextInput').value = 'What you want to say';
document.getElementsByClassName('chatsend')[0].click();

The control IDs in that code no longer apply, so we rewrite it as a jQuery version using the identifiers of the controls we just found:

$('#editArea').append("Jason");
$('.btn_send').trigger("click");

The code above simulates appending the text "Jason" to the input box and then simulates a click on the "Send" button. You can enter it in the console of Google Chrome or Firefox and test whether it sends the message automatically.

In my experiment, the message was not sent. Why? Does the page use some particular technique to detect non-human operation? I was as confused as anyone here, but let's not rush; we continue exploring. After reviewing the page source and its scripts, I found the reason: the page uses the Angular library to encapsulate its message handling, so manipulating the DOM elements directly has no effect. I searched online for Angular tutorials and modified the previous script; the revised code is as follows:

var appElement = document.querySelector("#editArea");
var $scope = angular.element(appElement).scope();
$scope.$apply(function () { $scope.editAreaCtn = "Jason"; });

After this code was executed in the browser console, the page automatically sent the message "Jason". We have thus sent a message automatically with no human action.

This counter-example shows that our idea has not been put into practice, but this is only the beginning. Please look forward to what follows ...
