At least you don't have to play the silly matching game...

 

I get those a lot -- I'm guessing it's a Cloudfare thing. Frequently, they don't ask me to even click anything. It pops up saying that it is verifying that I'm human and then a couple seconds later proceeds to load the site. So... just what kind of "verification" did it do?

 

I asked Claude ai if it knew how to complete them and it replied "not yet".

 

Hello,

@jrap , what is going on here?
I have seen this also.

Bertus

 

Hi,
I also get those 'human?' pop ups.
E

 

That is one appearance of the Cloudflare human verification process. It is a layered, progressive scheme to eliminate bots from accessing websites.

What you actually see depends on how your browser scores as the process steps through. In a nutshell, this is what happens:

1. Initial Request Inspection (Server-Side)
Cloudflare evaluates the request before anything loads:

• IP reputation & ASN threat history
• Geo-risk & TOR/VPN/proxy indicators
• Rate-limiting / WAF rules
• Domain-specific security settings (Managed Challenge, JS Challenge, CAPTCHA)

If risk is low, the user passes immediately without seeing anything.

2. Browser / Device Fingerprinting (Passive)
If the risk score is borderline, Cloudflare asks the browser to run a lightweight check:

• User-agent consistency
• TLS handshake & JA3 fingerprint
• Cookie presence/consistency (cf_clearance, _cf_bm)
• Screen, timezone, platform coherence
• Accelerator/hardware concurrency
• Headless/browser automation indicators

No interaction is required. If values look human/benign → pass.

3. JavaScript Execution Test
If uncertainty remains:

• Cloudflare embeds a short JavaScript snippet (“Managed Challenge”).
  It runs micro-tasks:
  
  • Compute tiny cryptographic or timing puzzles
  • Measure JS execution timing jitter
  • Confirm real event loop & rendering engine
  • Validate local storage/cookie write capability

Bots failing JS → blocked
Humans → pass within ~1–3 seconds.

4. Cryptographic Proof-of-Work (Invisible to Humans)
When configured, the browser performs:

• A small, low-latency proof-of-work (hash-based)
• Cloudflare checks the solution signature and timestamp

If solved → clearance cookie issued.

5. Interactive Challenge (Only if Needed)
Only after passive and JS checks fail:

• Turnstile (Cloudflare’s CAPTCHA-less system)
  • Uses behavioral signals + device data
  • Typically solved with no interaction
    
• hCaptcha (legacy mode)
  • Presents image-recognition tasks
  • Used only on high-security settings or when Turnstile can’t verify

Users solve → clearance cookie issued.

6. Clearance & Session Continuation
Once verified:

• Cloudflare sets cf_clearance and/or _cf_bm
• Future requests bypass challenges for a set duration
• Revalidation occurs if:
  • Cookies expire
  • IP/network changes
  • Suspicious behavior reappears

Optional: Higher-Security Protections
Depending on zone settings:

• Browser Isolation for unknown clients
• Bot Management behavioral scoring
• Device posture checks (enterprise)

 

There is no proper icon/smilie/emoji choice. Had to find one.

 

This is what keeps the spam in the forums to a minimum. Without it, the moderators would be deleting spam all day and still not keep up.

 

At work due to the layers of network security we have in place, EVERY time we try to use Google we have to play "find the buses." I had a colleague spend 15 minutes doing Captcha after Captcha once. So...it could be worse.