Because bots never run JavaScript, obviously
-
Because it's obviously impossible to build a bot that can execute JavaScript in websites, right?
And it's clearly against the laws of physics to write a bot in JavaScript too.
-
@raceprouk Defense in depth?
-
Yeah... that assumption pisses me off every time I see it. I attended one presentation of a DARPA-funded project that aimed to protect against DDOS attacks by Mirai and the like by having an "entry site" that then redirects via JavaScript to the "real" sites located on different hosts. The premise was that Mirai couldn't execute the JavaScript redirect and DDOS the hosts of the "real" content.
Me: "But if Mirai DDOSes the entry site... don't you still lose availability because new users can't get the redirect to the real sites?"
Researcher: "No sir, the human users are on the real sites."
Me: "What? Sure, existing users are, but I mean that new users have to use the entry site and that site can be DDOSed."
Researcher: "You only need to worry about the real sites getting DDOSed, and Mirai can't find them."
Me: ""
And then discussion of their results suggested they might have had a flaw in their premise because when they monitored Mirai hitting their entry site, they saw that Mirai downloaded the JavaScript file.
Me: "... but that doesn't mean it executed it. Did it execute it? Did you see the real site get hit?"
Researcher: "We didn't monitor the real site, just the entry site; we'll be doing that in continuing research."
Me: "HOW DID YOU EXPECT TO TELL WHETHER THE APPROACH WORKED IF YOU DIDN'T MONITOR-- never mind."
-
CloudFlare has also never heard of PhantomJS.
-
@heterodox said in Because bots never run JavaScript, obviously:
Researcher: "We didn't monitor the real site, just the entry site; we'll be doing that in continuing research."
Me: "HOW DID YOU EXPECT TO TELL WHETHER THE APPROACH WORKED IF YOU DIDN'T MONITOR-- never mind."
See... You're not thinking about the continued funding stream like they were.
-
@masonwheeler said in Because bots never run JavaScript, obviously:
@raceprouk Defense in depth?
Adding padlocks to an open door?
-
@createdtodislikethis more like calling the empty screw holes on the open door where a lock hasp once was "padlock"
-
@raceprouk said in Because bots never run JavaScript, obviously:
Because it's obviously impossible to build a bot that can execute JavaScript in websites, right?
And it's clearly against the laws of physics to write a bot in JavaScript too.
I'd be willing to bet it still knocks out a fair number of cheapo bots for almost no cost to them - I don't really see a WTF here
-
@boomzilla said in Because bots never run JavaScript, obviously:
See... You're not thinking about the continued funding stream like they were.
Apparently. Look at silly me, thinking of the taxpayers.
-
@raceprouk it might be doing some sneaky heuristics in JS to decide whether or not a user is a bot