Telling computers and humans apart is a wrong goal. Every request comes from a computer that is commanded by some human. And why shouldn't users be allowed to use automated user agents when they don't do it for spamming or anything malicious?
CAPTCHA is essentially a proof-of-work variant where challenges are designed to be solved by humans rather than computers, and same as any PoW it works by means of consuming some limited resource (human time, processor time, energy).
A lot of times the purpose is more on rate limiting than disallowing bot access. The goal to tell apart is on the premise that humans are a lot slower than bots.
For anonymous/free users we have very strict usage limits and the functionality is more limited to only operations that cost us less money. So a very targeted attack would do damage but that is true of basically any system and we could flip on bot blocking in Cloudflare if needed and if that would help
Again, we have rate limits and usage limits in place. You know that you can pay to have Captchas automatically solved, right? It's not the solution to all problems. Obviously if a targeted DDOS happens then some changes would be required.
Also, that is no longer the case that Cloudflare uses Captchas for bot blocking. That's the legacy mode
The fact that you can pay for both doesn't make them equivalent. To have a similar cost for spammers, you would need to request a challenge that takes many minutes to solve, which you just can't do. There is a strict limit on how long a user will wait for your security check and you can't pretend otherwise.
Let's stop pretending that all things are in the same bucket because "you can pay to have it solved". That's such a weird claim. For the right price you can have someone rob a bank for you, that doesn't mean it's as safe as your $2 padlock.
I always figured that CAPTCHAs worked because they limited on a resource that was harder to steal - human attention.
Rate limit by IP, and you get attacked by a botnet that "steals" IP addresses with malware.
Rate limit by PoW and you get people stealing AWS accounts, or using aforementioned botnet. See bitcoin mining.
Rate limit by CAPTCHA and you have to get a lot more clever (see things like setting up porn sites and proxying CAPTCHAs there)
So while you can pay to have CAPTCHAs solved, you actually DO have to pay and can't just steal your way in, so it means your target has to be more valuable.
> So while you can pay to have CAPTCHAs solved, you actually DO have to pay and can't just steal your way in, so it means your target has to be more valuable.
None of these things you listed above are available for free. They all require either effort to obtain or paying someone to do the work.
I see you don’t understand why people make websites or systems. Or why people make bread.
I don’t make application so that users benefit or to make them happy. I make applications so that I can earn money.
Earning money requires having human on the other side. Just like you are not making bread to make bread and throw it into a shredder.
If someone has scheme where automation is beneficial they will create API for their system. You should use API if I provide one. But when I create UI then I create it for people to use it.
You always have to do software in a way that people will benefit because otherwise they will not pay.
Read again my down voted post and think about the sentence in context of post where "Fice" wrote: "Telling computers and humans apart is a wrong goal.".
Then add to that topic of CAPTCHA and that CAPTCHA is annoying for users so adding CAPTCHA is not beneficial for users so it specific case and discussed in context.
CAPTCHA is essentially a proof-of-work variant where challenges are designed to be solved by humans rather than computers, and same as any PoW it works by means of consuming some limited resource (human time, processor time, energy).