Dear Perchance Administrator(s),

I’ve been trying to reach you over admin(at)perchance.org, which is listed as your contact email in your privacy policy, but the mail was eventually undelivered. I couldn’t find any other contact information on the site, so I’m going to post this complaint here. But yes, I have a complaint against the usage of browser fingerprinting on your website. I noticed someone (hopefully an official account) posting under the name @perchance on this “sublemmy”, so I am addressing this to you directly, because I believe that you are the person responsible for this situation. If you are not that person, then please have this message forwarded to whoever is.

The complaint is against Cloudflare (or more specifically, its bot detection mechanism) that is being used by perchance.org and causing access problems on some pages. Since I like my online privacy very much, I tend to modify the browser settings to harden it for improved security, configure it against online tracking, and protect it against malware. Unfortunately, Cloudflare often has a problem with this and croaks. It’s often the case that when someone tries to change or customize their browser (i.e. by messing with some security settings or by installing a security addon), then they will likely get flagged as an anomaly. It is wrongful to expect visitors to keep their web browsers in vanilla state in order to appease some online bot detection scripts. I will thus put some of the blame on Cloudflare for providing these faulty services, but that is only half of the story. I realize that Cloudflare is by itself just a service, so it cannot take the full blame here. While it does offer these functions, it does not automatically apply them to random websites. No, the websites don’t automatically pop up behind Cloudflare, there is another factor present here. Someone has to decide to put their website behind Cloudflare in the first place. Someone like you. Therefore, the other half of the blame lies with you or whoever decided to use Cloudflare on perchance.org.

Up until now you may still be wondering what exactly am I talking about. Well, I did some poking around the website javascript source code to try and identify the problem, and I managed to come up with a name. Does the name “Turnstile” ring a bell? Yes, it is the main problem here. It is a script that is using a technique called Browser Fingerprinting to uniquely identify users of your image generation service. These fingerprinting scripts often use some heavy-duty and extremely invasive probing to collect sensitive information about your visitor’s devices including, but not limited to: device operating system, screen resolution, color depth, timezone, language/locale, installed fonts, list of browser plugins, device CPU and memory, audio card fingerprint, canvas fingerprint, WebGL (graphics card) fingerprint, list of connected devices like cameras and microphones, etc. Browser fingerprinting is a form of tracking far worse than cookies because it does not need to store any information on the user device, and it can even work cross-website. Clearing cookies or browser history won’t help at all. It’s like a DNA fingerprint of your device that is extremely difficult, if not impossible to change.

In case of Perchance, I found out that some AI generator pages like https://perchance.org/pretty-ai will attempt to load several iframe’s after the “generate” button is clicked. These will then link to https://image-generation.perchance.org/embed, which then initiates the image generation process. But, before that happens, the iframe tries to contact https://challenges.cloudflare.com to fetch this javascript:

https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_api/v1?ray=8c26a3a49b285b4e&lang=auto

This is a heavily obfuscated javascript that does some very shady things. Script obfuscation like this is often employed by malware to hide what the code is doing from reverse-engineering and anti-virus programs. Fortunatly, my browser detects this and blocks the script as potentially malicious. The result is that the iframe complains about challenges.cloudflare.com being blocked or that verification failed, and then enters an endless verification loop while never displaying the requested AI-generated content. Yes, I tried to bypass the verifiation process by modifying the page javascript code to skip the verification process and go directly to the image generation step. Unfortunately, the image generator server will not accept any requests without a proper user key, which is generated by that obfuscated turnstile script bloat. I do not condone having such scripts run in my browser, so I will not unblock the script. And since there is no obvious way to opt out of this invasive fingerprinting, I am thus reduced to begging website administrators to remove these scripts from their websites. Thus…

Please remove Cloudflare Turnstile browser fingerprinter from your website and make it accessible again to users that wish to protect their online privacy.

Thank you.

  • perchance@lemmy.worldM
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    2 months ago

    Nope, it’s not malware or “shady” - it’s a very widely used bot-prevention service by Cloudflare, a reputable company, and it’s specifically designed to be privacy-preserving: https://blog.cloudflare.com/turnstile-private-captcha-alternative/

    An example of the (scary sounding) “fingerprinting” you mention is checking whether the browser viewport is actually being rendered into pixels (as opposed to it being a “headless” machine with no actual rendering, which is a sign of a bot). These sorts of checks are harmless, and they make things like Perchance’s AI plugins possible when they otherwise wouldn’t be.

    The modern internet is built upon bot and fraud prevention mechanisms. The economics of the internet wouldn’t work at all without them. You’re free to block scripts on your machine of course, but “begging website administrators to remove these scripts from their websites” is plainly naive, and wastes the time of said admins. (Edit: This sentence came out a bit harsh in hindsight, sorry about that. I’ll leave it here for accountability.)

    I’m not adding paid features to Perchance. It’ll always be completely free. This means bot prevention checks are required for generators that import ad supported plugins (i.e. AI plugins). You have very specific requirements, so you should use a paid service instead of Perchance. (Though note, to get through the checkout of said paid service, Stripe will run a bot/fraud check against your browser and your IP, let alone getting your credit card number which is obviously tied directly to you. Maybe find one that accepts crypto - or even better, support open source by joining the local ML community: reddit.com/r/LocalLLaMA)

    • Cocell@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      I have a question. 🙋‍♂️

      If I use Puppeteer even in non-headless mode, why does Perchance’s UI… How do I say, well, the best way I can describe it is “they retract,” well sort of.

      Well let’s run node perchance.js and open it using Puppeteer.

      Now it opens this.

      -# !!! Light mod warning

      As you can see there is no default UI, but they are still there.

      That is when I run app.goToEditMode().

      Which opens the normal edit menu.

      And then even if I close the edit menu, the default UI is still present.

      So this has been bugging me a while, why must it be that way? Is it because because of the Perchance screenshot API?

      • perchance@lemmy.worldM
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        Yep you guessed right - it’s for the screenshot API. I’m sure there is a smarter way (maybe load with param in URL or something), but it was a quick solution

        • Cocell@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          What about checking for user agent? I am sure something silly like Perchance screenshot agent would do the trick. :)