• Website log-ins that don’t work with VPN’s • Robot questions • Etc.

    #2685265

    This isn’t about “browsers” as such, but this appears to be the forum that’s most relevant to my questions, so here goes. (I don’t see how it’s relevant, but for what it’s worth, I have Win 10 Pro Version 22H2, and use Firefox, but the issue also has arisen the very few times that I’ve been forced to use MS Edge because, for whatever reason, a webpage doesn’t work with FF.)

    I use a VPN for whatever security it provides, and whenever one of my online accounts provides for two factor authorization, I use it.

    What I’ve encountered often enough to make me wonder is this. On some log-in pages, if my VPN is enabled, the log-in doesn’t work after I try to enter my user name and password. The page may simply not be responsive, or it may say that there’s a “technical issue,” or something else.

    Other pages, after I’ve entered the requisite information, apparently accept that info, but then ask whether I’m a robot. Most of the time, all I have to do is check the box that I’m not, without having to take the extra step of figuring out whether a nanometer of handlebar constitutes a motorcycle. It’s only on rare occasions that I have to assume the position and go through the entire rigmarole of clicking on a series of images to confirm that I’m in fact not a robot.

    My questions are these. Are the owners of such websites actively trying to discourage the use of VPNs? They want me to use two-factor authorization for security purposes, but then they discourage my use of an additional security step for no reason that I can see. Why?

    And aside from VPNs (because the robot issue occasionally arises even if I don’t have the VPN enabled), if I’m capable of entering my user name and password, and then employing two-factor authorization, why on earth would they suspect me of being a robot? That is, why isn’t the use of log-in info plus 2fa enough? Finally, what’s the point of asking whether I’m a robot in that great majority of cases where the question is resolved by simply checking a box, something that any robot that’s capable of entering a user name and password certainly also should be able to do?

    Thanks in advance for any enlightenment.

    • #2685366

      That is, why isn’t the use of log-in info plus 2fa enough?

      By today’s standards, user name and password even with 2fa is not as secure as “passkeys”, so “no”, it’s technically not enough.

      VPNs: While using a VPN shows you a different location, your ISP still knows what websites you are using. The real benefit of a VPN is a totally encrypted data tunnel end to end and is essential on public wifi like airports, retail stores etc. Using a VPN on your home password-protected wifi is, IMHO, discretionary unless you want to show as located in another state or country.

      Search the forums for “passkeys” and “VPN”.  You’ll find a lot of helpful info on this subject and probably things I’ve forgotten about.

       

      Desktop mobo Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.
      • #2685388

        I was already familiar with what you said, but you couldn’t know that. So thanks for the advice.

        My concern, though, isn’t what might be safer for me, but why the owners of various websites consider it appropriate to essentially dump on people who use VPNs, by either making the log-in unusable when a VPN is enabled or by requiring extra steps by bringing robots into the picture? Or, why, quite aside from whether or not a VPN is in use, some websites deem it appropriate to harass a user — one who has already entered his user name and password — by asking whether he’s a robot. If the user were required to check all windows depicting motorcycles, that might be one thing. But in my experience, most sites that ask the question are satisfied by my merely checking a box, something that I’m sure robots can do quite easily. So I don’t see how such harassment makes anyone — the user or the website — more secure. There may well be an obvious, or at least a technical reason for such stuff, but I’ve never seen it, and I’m having trouble even speculating about a possible reason.

        1 user thanked author for this post.
        • #2685459

          But in my experience, most sites that ask the question are satisfied by my merely checking a box, something that I’m sure robots can do quite easily. So I don’t see how such harassment makes anyone — the user or the website — more secure. There may well be an obvious, or at least a technical reason for such stuff, but I’ve never seen it, and I’m having trouble even speculating about a possible reason.

          In 2013, reCAPTCHA began implementing behavioral analysis of the browser’s interactions to predict whether the user was a human or a bot. The following year, Google began to deploy a new reCAPTCHA API, featuring the “no CAPTCHA reCAPTCHA” — where users deemed to be of low risk only need to click a single checkbox to verify their identity.

          no CAPTCHA reCAPTCHA

          No CAPTCHA reCAPTCHA (v2+)

          Are you a robot? Introducing “No CAPTCHA reCAPTCHA” [December 3, 2014]

          Some reCAPTCHA tests simply prompt the user to check a box next to the statement, “I’m not a robot.” However, the test is not the actual action of clicking the checkbox – it’s everything leading up to the checkbox click.

          This reCAPTCHA test takes into account the movement of the user’s cursor as it approaches the checkbox. Even the most direct motion by a human has some amount of randomness on the microscopic level: tiny unconscious movements that bots can’t easily mimic. If the cursor’s movement contains some of this unpredictability, then the test decides that the user is probably legitimate. The reCAPTCHA also may assess the cookies stored by the browser on a user device and the device’s history in order to tell if the user is likely to be a bot.

          If the test is still unable to determine whether or not the user is a human, it may present an additional challenge, such as the image recognition test described above. However, most of the time the user’s cursor movements, cookies, and device history are conclusive enough.

          How do reCAPTCHA tests with a single checkbox work?

          1 user thanked author for this post.
          • #2685513

            Thanks. That’s very enlightening.

            I have to say, though, that finding out that websites in which I’ve already entered my user name and password consider that license to track my cursor movements certainly gives me pause. What’s the next thing for which they’re going to assume that they have permission to track on my computer, simply because I have an account with them?

            But I still also wonder why websites for which I have accounts are worried about robots after I’ve entered my user name and password. I suppose the answer must be that robots are now equipped to deal with two factor authorization and then vacuum up all of my financial data without any human intervention whatever. After all, if there were any human intervention, the thief would be there to simply check the box himself. Right?

            I also still wonder why so many sites for which I have accounts are hostile to my use of a VPN. Some sites, whatever the site-owner’s reasons, don’t even let the initial page load if a VPN is being used. I sorta get that: they don’t want bad people coming to their sites at all (???). What doesn’t make sense to me is why such sites are designed to stop functioning after someone who has an account has entered his user name and password.

            • #2685516

              What doesn’t make sense to me is why such sites are designed to stop functioning after someone who has an account has entered his user name and password.

              Many times after you login you are redirected to a different server. Had this recently with a client accessing his banking site. Seems the 2nd server blocked his whole ISP’s IP range. After they whitelisted his IP he was back in. BTW he wasn’t using a VPN.

              As far as why sites block vpn addresses. If you would view the logs on our website servers you would understand. Idiots and bots!

              2 users thanked author for this post.
    • #2685569

      VPNs are designed to hide your location (TCP/IP address). Each time you use the VPN, you are issued a different IP address so your location is hidden. That’s why you use one.
      But, because they hide the location, they are frequently used by bots, hackers, spammers, and other nefarious persons/organizations that don’t want to be identified/found.

      Consequently, databases of the ill-used IP addresses are available on the Internet for those that want to protect their websites. It’s like a Firewall to block blacklisted IP addresses.

      It appears you were using your VPN for your original post in this thread. To see why some websites might reject your connection or require CAPTCHA, take a look at one of the websites that maintains a database used for protecting others on the Internet. The IP address on the end was the one you were using. Scroll down to see the history of how it has been misused.

      We use a Firewall and anti-spam software to protect this site for our Users’ safe use. Other websites do likewise.

      1 user thanked author for this post.
      • #2685694

        OK, I get it to a certain extent.

        But if a website for which I am a paying customer wants to discourage whatever-the-heck by preventing the effective use of VPNs, you’d think that they’d consider the customer’s convenience, and post a warning. Instead, what the great majority of such websites do — at least in my experience — is let the initial page load as though everything is copacetic. That is, I’ll go to the log-in page, and it always loads, presenting me with boxes waiting for my user name and password to be filled in. Then, after I enter the requisite information, a little circle appears, spinning round and round. Then, often after a minute or more of my time has been wasted, a pop-up announces that there’s been a “technical problem.”

        This has happened many times, and I never had any idea what the problem was. I always assumed that the message was an honest one, and that the website actually had a technical problem. (What would be so difficult about the message saying, instead, “your IP address stinks” or “if you’re using a VPN, you have to disable it in order to use this website”?) It was only after several occasions when I successfully logged into a site when my VPN wasn’t enabled that light finally dawned.

        For cripes sake people: if you don’t want account holders to use VPNs, then say so. How hard is that? Why tell the paying customer that the website is experiencing a “technical problem,” leading him to believe that the problem is on the website’s end and that there’s nothing that he can do about it?

        This is, perhaps, a minor thing, but I’m constantly encountering situations online where it’s as though the owner of a website where I’m a paying customer is looking for ways to make life more difficult. Let me mention just two recent examples (there are more). Although not specifically on the topic of this thread, they definitely are related to the more general problem of unnecessary inconvenience, which is what led me to post my questions here.

        Safeway, the grocery chain. Earlier this year, without warning, Safeway decided to institute mandatory 2fa for its website, and gave customers no choice regarding how to employ that method. Customers were not given the option of using their phone numbers as the second step in the process, even though phone numbers generally serve as Safeway account numbers (meaning that it’s information that Safeway already has). Instead, a code was sent to the customer’s email. Of course, many customers use 2fa for their email accounts. So, what it came down to was that Safeway was making everybody go through 2fa twice (“2fa squared” !!) in order to use its website. Safeway wanted there to be wheels within wheels.

        That stupidity lasted about two weeks, and then disappeared, again unannounced. I have to guess that so many customers promptly shared their displeasure with Safeway that the latter simply decided to back off. If only Microsoft were so responsive.

        Second example, Backblaze, the online backup people. I recently had a backup issue. I logged into my account, found nothing relevant in the FAQ, so I hit the help button (or “support” button — whatever it was called; I don’t recall). So did it give me a way to contact support? Yes and no. It punted me over to a page where I had to log in a second time, either by entering log-in information for a gmail account (even though I registered my Backblaze account using one of my disposable Yahoo addresses), or by going through a social media account, such as Facebook, which I never have had nor ever will have.

        (Having registered my account at Backblaze with a Yahoo address, I’m not inclined to give them my gmail address as well. I reserve the latter, for the most part, for correspondence with friends, not organizations with whom I do business. By using disposable addresses I’ve received virtually no spam for maybe 20 years, and I want to keep it that way.)

        What I did then was click Backblaze’s chat button. No one was available to chat, but I could type my question, and they’d get back to me. So I did, explaining why I didn’t want to use my gmail address, so please give me a way to get support using the Yahoo address that Backblaze has already considered perfectly acceptable for the purpose of registering my account and taking my money. (I didn’t state the question that aggressively, although I almost felt like it.)

        So how did Backblaze respond? They sent an email message to my Yahoo account, saying that I could see the answer to my question by clicking on the link in their message. I clicked on the link, and I’ll bet that anyone reading this can see it coming. Yeah, that’s right. The link took me to a page where I had to log in, using either my gmail account or a social media account.

        I’m not losing sleep over this. But I am annoyed by the cavalier attitude that so many websites constantly display toward their customers. Easy things to remedy, but remedies don’t occur (although hooray for you, Safeway!!). And I’m referring to websites that charge their users money for the experience.

        • #2685734

          But if a website for which I am a paying customer wants to discourage whatever-the-heck by preventing the effective use of VPNs, you’d think that they’d consider the customer’s convenience, and post a warning.

          It’s not that websites want to “prevent the effective use of VPNs.” It’s that they want to protect themselves from blacklisted IP addresses. They have no way to know that a VPN is being used, but they do have a way to know that the IP that the VPN issued has been associated with frequent nefarious purposes.

          The best way around that is to use a VPN service that issues clean IP addresses. Or maybe turn off the VPN when accessing sites you know are safe.

          2 users thanked author for this post.
          • #2685775

            Thanks for the reply. I do appreciate advice on technical issues. However, you misread my comment. I didn’t say that websites “want” to prevent… etc. I said that, whatever their reasons, some of them do in fact prevent…

            Before I posted my initial message, I had already figured out that some websites post a bogus “there is a technical problem” message when a VPN is used. So I had already stopped using my VPN on those sites. But it took me a while to arrive at that point, because I was being misled by the message.

            The reason I posted my initial message here was to find out, among other things, the reason that using a VPN can prevent access to a site. I now have my answer to that particular question. That there is a legitimate reason is fine with me. But my additional point was that since paying customers are likely to include people who aren’t perfectly computer-savvy, and therefore don’t necessarily know why their attempted log-ins are being rejected supposedly because of “technical problems,” and since a virtually effortless way of preventing such a situation from occurring would be to post a simple warning not to use a VPN, due regard for the paying customer should entail posting such a warning.

            The additional, albeit only implied, question in my concluding rant was why do such websites consider it expedient not only to prevent the log-in, but to actively mislead the paying customer who is also a VPN user into believing that the website itself is experiencing a “technical problem”? It’s too cute an answer to say that the use of the VPN is itself the “technical problem.” That’s just playing a misleading word game.

            So one of the points of my rant remains: it’s stupid and discourteous for a website, after a user name and password have been entered, to issue a misleading “technical problem” message, when the site hasn’t also issued a simple warning on the initial log-in page that the site doesn’t work with VPNs. I can’t believe that adding just a few words to a web page is all that difficult.

            • #2685779

              The site does work with VPNs. The problem is not the use of VPNs. There is no reason to post a warning against using VPNs. VPNs are fine.

              It’s just that sites don’t always work with blacklisted IP addresses.

              2 users thanked author for this post.
            • #2685788

              With due respect, you appear to be parsing words simply because you don’t like my opinions. It doesn’t advance the discussion for you to claim that my words don’t mean what they obviously do mean in everyday language.

              If the ignition key to my car worked only sporadically — whatever the reason — it would be a perfectly legitimate use of the language for me to say that I had to get a new key because the old one “didn’t work.” If I said that to someone, and he replied “but you’re wrong: it does work. It only doesn’t work sometimes, and the reason is < etc. >”, most people would say that he was either missing or avoiding the point.

              Same with my comments regarding websites and VPNs. Disagree with my opinions as you will, arguing about what words to use is pointless. Nor does it even begin to address my point that a warning is in order, for it’s misleading for a website, after a paying customer has entered a user name and password, to tell the customer that there has been a “technical problem,” when that’s not at all the case. (If anyone wants to claim that there actually has been a “technical problem” in such a case, I can only throw up my hands in despair.)

              I meant it when I said that I appreciate your advice. I’m not intending to get into a quarrel, so this is my last comment in this thread.

              Thank you.

            • #2685783

              @BobStr I certainly understand your frustration and aggravation. In the example I gave above with my client’s issue, he wasn’t using a VPN and actually has a static IP. After the user and pass was entered the site redirected to a cdn. The cdn is what blocked his AT&T IP range. Possibly someone in that range had been abusing resources. Automatic firewall blocking isn’t always perfect.

              His bank support was able to login from a different IP so told him it was his problem. I had to create screen shots to prove to them what was happening. They finally bumped it up to a higher level of support who understood what I was stating and was able to take care of it.

              1 user thanked author for this post.
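
    Added example, not part of the thread and not any site's actual code: a Python sketch of the IP-reputation gate the replies above describe. It shows how a range-wide listing catches an uninvolved address, how a per-address allowlist entry clears it, and how the sign-in page can state the real reason. The feed entries, allowlist, messages and function names are all constructed for illustration and use RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (RFC 5737 documentation ranges), not a real reputation feed.
REPUTATION_FEED = [
    ("198.51.100.0/24", "block", "range listed for abuse"),
    ("203.0.113.0/25", "challenge", "shared exit addresses with mixed history"),
]
# Addresses cleared individually by support, like the allowlisting in the thread.
ALLOWLIST = ["198.51.100.42/32"]

# Hypothetical user-facing texts: the block message names the cause and a next step.
MESSAGES = {
    "allow": "",
    "challenge": "Please complete the verification step to continue signing in.",
    "block": ("Sign-in from your network address ({ip}) is currently blocked. "
              "If you use a VPN, try another server or disconnect it, "
              "or contact support and quote this address."),
}


@dataclass(frozen=True)
class Decision:
    action: str               # "allow", "challenge" or "block"
    matched: Optional[str]    # feed or allowlist entry that decided the outcome
    reason: str               # internal reason, for the server log
    user_message: str         # what the sign-in page should show


def _normalise(ip_text):
    """Parse the client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(ip_text.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def evaluate(ip_text, feed=REPUTATION_FEED, allowlist=ALLOWLIST):
    ip = _normalise(ip_text)
    # Individual exemptions win over range-wide listings.
    for entry in allowlist:
        if ip in ipaddress.ip_network(entry):
            return Decision("allow", entry, "allowlisted", MESSAGES["allow"])
    # Otherwise the most specific (longest-prefix) listing decides.
    best = None
    for cidr, action, reason in feed:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action, reason)
    if best is None:
        return Decision("allow", None, "not listed", MESSAGES["allow"])
    net, action, reason = best
    return Decision(action, str(net), reason, MESSAGES[action].format(ip=ip))


if __name__ == "__main__":
    for addr in ("198.51.100.7", "198.51.100.42", "203.0.113.10", "192.0.2.1"):
        d = evaluate(addr)
        print(addr, d.action, d.matched, d.reason)
```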