
Why Do Google & Other Websites Ask You to Prove You're Not a Robot?

Alessio has experience as a Google Product Expert and as a bug hunter, having reported security vulnerabilities to Google and Apple.

While surfing the internet, you are often prompted to prove you are not a robot. This happens especially when performing specific activities, including:

  • signing up or logging in to an account;
  • posting a comment on a blog article (especially if anonymously);
  • visiting a website that has DDoS protection enabled, if you are browsing it at an unusually high speed.

This prompt, the so-called captcha, usually involves typing some characters and letters shown in an image. Alternatives may include:

  • listening to an audio clip and transcribing what you have heard;
  • swiping an arrow from left to right;
  • completing a mini-puzzle by choosing the correct piece from a set of options;
  • solving a simple mathematical operation.

Why Do Some Sites Want To Verify That You Are Not a Robot?

When surfing the web, you tend to take many things for granted. We are often led to think that our browsing activity is normal and is the only kind that takes place on the internet. The reality is different: just think of how search engines work. To update its search results, Google, for example, uses an automatic program, Googlebot, which visits websites and collects the information necessary to index them. In general, there are automatic programs, the so-called bots, which visit websites for different purposes. Some, like those belonging to search engines, are legitimate, but many others are illegitimate.

What Do Illegitimate Bots Do?

Illegitimate bots are mainly run by spammers who use these automated programs to post a large amount of advertising or deceptive material on websites. Spamming with these programs allows them to automate and extend this illegal activity to a wide range of websites. In addition, hackers also use bots to search for security vulnerabilities within websites to carry out these two kinds of attacks:

  • Brute force attacks (attempting different combinations of username and password to crack accounts);
  • DDoS attacks (trying to take down a website by overloading the server, often with the use of multiple powerful machines).

What Are Captchas on Websites For?

Captchas are the verification procedures websites adopt to check that whoever is making a request is a natural person and not a bot. They serve precisely to minimize the risk of spam or hacker attacks that rely on bots, such as DDoS attacks. For example, a captcha applied to a comment form greatly reduces the risk of a spam bot posting advertising or deceptive content. Similarly, services such as Google and Cloudflare (which provides a CDN and anti-DDoS protection to the websites that use it) can block a user who makes too many requests in quick succession and prompt them to complete a captcha to continue browsing. This allows nipping in the bud any DDoS attacks perpetrated through automatic bots.
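The rate-based challenge described above can be illustrated with an added example (not code from Google, Cloudflare or the author): a per-client sliding-window counter that answers with a captcha challenge once a client sends too many requests in a short time. The class and function names, the thresholds and the IP addresses are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
import time


class ChallengeGate:
    """Per-client sliding-window counter that escalates to a captcha."""

    def __init__(self, max_requests=10, window_seconds=5.0):
        self.max_requests = max_requests      # assumed threshold, tune per site
        self.window = window_seconds
        self._hits = defaultdict(deque)       # client id -> recent request times
        self._challenged = set()              # clients that must solve a captcha

    def check(self, client, now=None):
        """Return "allow" or "challenge" for one incoming request."""
        now = time.monotonic() if now is None else now
        if client in self._challenged:
            return "challenge"                # no browsing until the captcha is solved
        hits = self._hits[client]
        hits.append(now)
        while now - hits[0] > self.window:    # drop requests older than the window
            hits.popleft()
        if len(hits) > self.max_requests:
            self._challenged.add(client)
            return "challenge"
        return "allow"

    def captcha_solved(self, client):
        """Call only after the captcha answer was verified server-side."""
        self._challenged.discard(client)
        self._hits.pop(client, None)          # fresh window; a new burst is challenged again


def replay(gate, client, timestamps):
    """Feed constructed request times through the gate and collect the decisions."""
    return [gate.check(client, now=t) for t in timestamps]


if __name__ == "__main__":
    gate = ChallengeGate()
    # Constructed traffic: a reader clicking once per second vs. 20 requests in one second.
    print(replay(gate, "198.51.100.4", [float(i) for i in range(20)]))
    print(replay(gate, "203.0.113.7", [i * 0.05 for i in range(20)]))
```

Solving the captcha resets the client's window rather than granting a lasting pass, so a client that bursts again is challenged again.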

Are Captchas Really Useful?

As time goes by, bots become more complex and smart, and techniques are being developed to evade captchas and appear human in the eyes of verification systems. Despite this, captchas also evolve: Google, for example, through its reCAPTCHA service, has implemented an intelligent checking system that analyzes the typical behaviors of a human being and is not based only on the mere typing of some characters shown in an image. Adopting a captcha on your website can be a good way to minimize the risk of a spam attack, as can the use of anti-DDoS services such as the one offered by Cloudflare, which in turn integrates captcha verification systems to be used in the event of a suspicious traffic peak. Obviously, no protection system is perfect, and given the evolution of bots, it is unlikely that any system can block 100% of spam attacks. A captcha still helps to reduce the risk, but it is important to check your website constantly and moderate any comments or spam accounts that may have been created by bypassing the captcha verification system.


© 2022 Alessio Ganci
